How to set the subnet mask for the IP blacklist?

Discussion in '3CX Phone System - General' started by gdurot, Sep 25, 2013.

Thread Status:
Not open for further replies.
  1. gdurot

    Joined:
    Sep 25, 2013
    Messages:
    5
    Likes Received:
    0
    Hello all,

    In previous versions of the 3CX Phone System, I was able to fully modify the subnet mask for the range of IP addresses I wanted to block (this is in the "Settings->Security->IP Blacklist" tab). This allowed me to block an entire network where multiple computers had tried to force their way into our PBX with too many failed authentications...
    Now, 3CX Phone System version 11 has a dropdown list for subnet masks with very limited possible values, so I can't keep the original offending IP address (the one that got auto-blacklisted by the system) and manually extend the subnet mask to that address entire registered network...

    Also, I noticed we can now have a list of Allowed Country Codes for numbers we can dial from our PBX. This is great! Is there any plan in implementing something similar for inbound extension registration requests? Basically, I'd like to be able to control the countries/regions of the globe where remote extensions can register from...

    Thanks,
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,586
    Likes Received:
    252
    The last time I put in an IP range to blacklist (because I had had several attempts from the same subnet). I believe I put in something like 123.123.0.0 with a subnet of 255.255.0.0. I'm also using version 11 9for the most part). Does that not work for you?
     
  3. gdurot

    Joined:
    Sep 25, 2013
    Messages:
    5
    Likes Received:
    0
    Thank you! The hint was when you said you typed in the address as xxx.xxx.0.0!

    So now, I have to change the IP address to indicate the beginning of the address range: then the mask dropdown list will give me more subnet mask options, including the correct one...

    This is new: it used to be that we could keep the offending IP address unchanged and simply type in the subnet mask... With any IP address in the range and the proper subnet mask, the entire IP address range is identified, so we shouldn't have to explicitly use the IP address of the beginning of the range, but I suppose that requirement came in when the dropdown lists where implemented...
     
  4. ian.watts

    ian.watts Active Member

    Joined:
    Apr 8, 2011
    Messages:
    532
    Likes Received:
    0
    Sadly, it is still not enough for me. I would prefer to block /8 networks for the non-ARIN IP4 allocations.. but /12 is too narrow to make it useful. (reference: http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml)

    Fortunately, I have the PBX behind NAT and a firewall which I can just do there and sleep well.
     
Thread Status:
Not open for further replies.