
Hack Attempt ??

Status
Not open for further replies.

craigreilly

IP 66.xxx.xxx.105 is my public address for my Citrix Server
IP 66.xxx.xxx.104 is my public address for my Crystal Report Server
Is someone just fishing hoping to be able to make a call thru my system?
What is the [email protected]?
These are the only 2 entries since I left last night. So they gave up when the IP got blacklisted.

02:04:53.751 Requests rate from IP 80.172.241.131 is too high! Blacklisted for 334 seconds
02:04:53.384 [CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 80.172.241.131;branch=z9hG4bKjgwoymo7LCtY;rport=1391
Max-Forwards: 70
Contact: <sip:[email protected]>
To: <sip:[email protected]>
From: "unknown"<sip:[email protected]>;tag=17ozUFBRhv
Call-ID: [email protected]
CSeq: 101 INVITE
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: Dbz7KZrc8M7PicZaKBoz
Content-Length: 0

02:04:53.384 [CM302001]: Authorization system can not identify source of: SipReq: INVITE [email protected] tid=jgwoymo7LCtY cseq=INVITE [email protected] / 101 from(wire)
02:04:53.382 [CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 80.172.241.131;branch=z9hG4bKjgEvw84DLCwC;rport=5060
Max-Forwards: 70
Contact: <sip:[email protected]>
To: <sip:[email protected]>
From: "unknown"<sip:[email protected]>;tag=tn1zpJ6GLc
Call-ID: aJf95dd9438eL5pX4lo93RaBLnpDxD[email protected]
CSeq: 101 INVITE
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: 01YFheTGtbj9WuEIjOJ6
Content-Length: 0

02:04:53.382 [CM302001]: Authorization system can not identify source of: SipReq: INVITE [email protected] tid=jgEvw84DLCwC cseq=INVITE [email protected] / 101 from(wire)
 
They are attempting direct SIP calls. I see that once in a while. They will try different combinations of numbers...9011XXXX, 011XXXXX, 0XXXXX, etc. One in particular tries out a different range of UK numbers.

You can, and probably should, increase your blacklist time to something above 334 seconds; I use 200,000. And you can include the IP range 80.172.0.0 (use a subnet mask of 255.255.0.0) in the IP blacklist, unless you expect someone from that range to contact you.

In some cases, they will come back around later using a slightly different IP, or you may never see that one again.
 
Thanks for the suggestions.
We are sticking with our PSTN lines until our contract is up but will have 2 home users.
It would be nice to deny all except certain IPs...
 
You mean something, like, oh, I don't know...an IP whitelist, maybe?

http://3cx.ideascale.com/a/dtd/Add-a-whitelisted-IP-list-next-to-blacklisted-IP-list/335122-9854
 
7 votes won't get this implemented very quickly.... ;)
 
Exactly...although, there are a number of similar suggestions.
 
You can, and probably should, increase your blacklist time to something above 334 seconds; I use 200,000.

Is this the 3rd item in the Anti-Hacking Tab of Security? Mine is at 1800. I have no idea why 3CX responded with 334 seconds blacklist.
 
When I get a chance, I'll go through my settings. I know that when there is an unauthorized registration attempt, I get an email telling me they have been blacklisted for 200000 seconds. I then add the IP range to the permanent Blacklist, because, more often than not, they come back some time later with a slightly different IP (last two fields).
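
Added example, not part of the original thread and not 3CX code: a small log triage script for the approach discussed above (blacklisting a whole range with mask 255.255.0.0 because probes return from a slightly different IP). It assumes the log layout quoted in the first post; the sample lines, addresses, dialed numbers and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the log layout quoted in this thread. Addresses come from
# reserved test ranges (198.18.0.0/15, 192.0.2.0/24, 203.0.113.0/24); numbers are made up.
SAMPLE_LOG = """\
02:04:53.384 [CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
INVITE sip:9011441632960001@203.0.113.10 SIP/2.0
Via: SIP/2.0/UDP 198.18.241.131;branch=z9hG4bKaaaa;rport=1391
02:04:53.382 [CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
INVITE sip:011441632960001@203.0.113.10 SIP/2.0
Via: SIP/2.0/UDP 198.18.241.131;branch=z9hG4bKbbbb;rport=5060
03:17:09.120 [CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
INVITE sip:0441632960001@203.0.113.10 SIP/2.0
Via: SIP/2.0/UDP 198.18.7.22;branch=z9hG4bKcccc;rport=5060
04:40:00.002 [CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
INVITE sip:100@203.0.113.10 SIP/2.0
Via: SIP/2.0/UDP 192.0.2.55;branch=z9hG4bKdddd;rport=5060
"""

INVITE = re.compile(r"^INVITE sip:([^@\s]+)@")
VIA = re.compile(r"^Via: SIP/2\.0/\w+ (\d{1,3}(?:\.\d{1,3}){3})")

def unidentified_invites(log_text):
    """Yield (source_ip, dialed_user) for each CM500002 block in the log."""
    armed, dialed = False, None
    for line in log_text.splitlines():
        if "[CM500002]" in line:
            armed, dialed = True, None          # start of a new event block
        elif armed and (m := INVITE.match(line)):
            dialed = m.group(1)                 # user part of the request URI
        elif armed and (m := VIA.match(line)):
            armed = False                       # first Via ends the block
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue                        # malformed address, skip it
            yield ip, dialed

def blacklist_candidates(log_text, prefix_len=16, min_hosts=2):
    """Return [(network, mask, distinct_hosts, dialed_users)] for ranges that
    probed from at least min_hosts different addresses."""
    hosts, dialed = defaultdict(set), defaultdict(set)
    for ip, user in unidentified_invites(log_text):
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        hosts[net].add(ip)
        if user:
            dialed[net].add(user)
    return [(str(n.network_address), str(n.netmask), len(h), sorted(dialed[n]))
            for n, h in sorted(hosts.items()) if len(h) >= min_hosts]
```

The Via address is supplied by the sender, so compare it with the address in the "Requests rate from IP ... is too high!" line before adding a range to the permanent blacklist.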
 