Huge uptick in blocked IPs as of 9/11/2016

Discussion in '3CX Phone System - General' started by chris.moses, Sep 12, 2016.

Thread Status:
Not open for further replies.
  1. chris.moses

    Joined:
    Sep 13, 2015
    Messages:
    19
    Likes Received:
    0
    Anyone else see a large uptick in blocked IP addresses for "request rate too high"? They almost all seem to be coming from websites running either FreePBX or SugarCRM. We're seeing a new IP blocked every 10-15 minutes or so. Also, the system doesn't seem to be blocking for as long as I have it set in the settings, usually 120-300 seconds. Is there a max number of seconds that I can put in the settings?
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,842
    Likes Received:
    298
    I use 250,000 seconds. Anything that shows up more than once, gets blacklisted for a few years, either as individual IPs, or a range.

    Haven't seen anything out of the ordinary as of late.
     
  3. asmith3006

    Joined:
    Mar 5, 2014
    Messages:
    94
    Likes Received:
    5
    I allow 2 attempts and then block for 10 years. If it's genuine then I can unblock it pretty easily. I haven't seen an uptake in blocked IPs recently, if anything it's died down. Perhaps you've appeared on a list somewhere?
     
  4. chris.moses

    Joined:
    Sep 13, 2015
    Messages:
    19
    Likes Received:
    0
    Thanks for the responses. Anyone else having trouble with the system actually applying the correct length to the blackout? My system seems to apply a random number between 140-500 seconds regardless of what number I put into the "Blacklist duration in seconds" field of the security page. Running 14 sp3. Are there any services that need to be restarted for changes to take effect?
     
  5. Shiggins88

    Joined:
    Sep 14, 2016
    Messages:
    1
    Likes Received:
    0
    Hey Chris,

    I have seen a huge uptick as well. Nothing has changed with my configuration and I haven't updated the 3CX v14 since June.
     
  6. eug

    eug

    Joined:
    Mar 2, 2010
    Messages:
    36
    Likes Received:
    0
    I've also noticed it, since the 11th. There have been over 200 attempts since then.
     
  7. Davidch

    Joined:
    Sep 14, 2016
    Messages:
    2
    Likes Received:
    0
    +1

    I have had the same problem since 11 Sept.
     
  8. pj3cx

    pj3cx Active Member

    Joined:
    Aug 1, 2013
    Messages:
    646
    Likes Received:
    1
    Hi there,
    Please open support tickets so that we can review your logs and help further on this.

    In the meantime, some prevention steps can be taken from your side:
    - in Settings / Security / Anti-Hacking, divide each value by two, except the blacklist time interval and the security barrier (green). Set the blacklist time interval to a higher value such as 31536000 (1 year).
    - in your firewall, filter the SIP port to allow only trusted sources, meaning your VoIP providers' IP/range, and remote extensions (if any).
    - validate, restart services.
     
  9. ian.watts

    ian.watts Active Member

    Joined:
    Apr 8, 2011
    Messages:
    532
    Likes Received:
    1
    Sorry for my other thread.. I really did try a search first!

    Anyway, the last item is something I will be considering.. locking down SIP.
    Two side-effects are..

    I'll need SBCs for end users with remote handsets, so that they can tunnel in.. dynamic IPs won't help me otherwise.
    Audio quality does sound better over 3/4G when on straight SIP versus the tunnel.. just saying.

    Given I can rPi an SBC for < US$100 (with a card, and a box, and a power supply..), will probably be the way to go. The remote handsets are for home office folks.. who are a rare breed.

    FYI.. even though I shut down most all non-North America (ARIN) IPv4 blocks outright for SIP.. there are still a TON of domestic addresses.

    "Anti hacking modue".. please correct the English come SPx.
    And yes.. the time is random and NOT what the IP blacklist value is.. at all.
    167
    1001
    201
    334.. I don't even.
     
  10. pj3cx

    pj3cx Active Member

    Joined:
    Aug 1, 2013
    Messages:
    646
    Likes Received:
    1
    Hi there,
    Indeed if you opt for an SBC then filtering the SIP port won't affect your remote handsets, since the SBC will then connect through the tunnel port.
    Alternatively you may stay in STUN and change your SIP port to an exotic one with higher number, open the port and then reprovision all your phones.

    About the typo you mentioned in the notification title, it had already been reported for the next service pack, but thanks anyway.
     
  11. golden123

    Joined:
    Jun 21, 2016
    Messages:
    7
    Likes Received:
    0
    We had a large increase in this too, which seems to have stopped now.

    Same thing with the random timings though, which don't seem to relate to any settings.

    has been blacklisted for 28 sec
    has been blacklisted for 1001 sec
    has been blacklisted for 10 sec
    has been blacklisted for 11 sec

    etc etc....
     
  12. pj3cx

    pj3cx Active Member

    Joined:
    Aug 1, 2013
    Messages:
    646
    Likes Received:
    1
    Hi there,
    Those blacklisting times are not random but determined by the amount of traffic received above the amber barrier, but below the red barrier.
    The attacker is thus making sure not to hit the maximum limit, to avoid getting blacklisted for good.

    To secure further and stop this traffic, please apply the steps described above on topic45772.html#p185160
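
An added example, not part of the thread and not 3CX code: a small review script for the short, varying blacklist events discussed above. It lists sources that were blocked more than once for less than the configured duration and the /24 ranges that contain several such sources, as candidates for a long manual block. The line format (timestamp and address in front of "has been blacklisted for N sec"), the sample addresses and the thresholds are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed line shape: the thread shows only "has been blacklisted for N sec";
# the timestamp and address prefix are constructed for illustration.
EVENT = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+has been blacklisted for (?P<sec>\d+) sec")

# Constructed sample input using documentation address ranges.
SAMPLE_LOG = """\
2016-09-11 08:01:12 198.51.100.23 has been blacklisted for 28 sec
2016-09-11 08:14:40 198.51.100.23 has been blacklisted for 1001 sec
2016-09-11 08:31:05 198.51.100.77 has been blacklisted for 10 sec
2016-09-11 08:47:51 203.0.113.5 has been blacklisted for 11 sec
2016-09-11 09:02:19 198.51.100.77 has been blacklisted for 167 sec
2016-09-11 09:20:33 192.0.2.44 has been blacklisted for 31536000 sec
not an event line
""".splitlines()


def parse_events(lines):
    """Yield (ip, seconds) for each blacklist event; skip malformed lines."""
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        try:
            yield ipaddress.ip_address(m["ip"]), int(m["sec"])
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an IP
            continue


def review(lines, configured_sec, min_hits=2, range_hits=2):
    """Return (repeat offenders, /24 ranges holding several short-blocked sources)."""
    short = defaultdict(list)  # ip -> durations below the configured value
    for ip, sec in parse_events(lines):
        if sec < configured_sec:  # shorter than the configured blacklist time
            short[ip].append(sec)
    repeat = {str(ip): d for ip, d in short.items() if len(d) >= min_hits}
    per_net = defaultdict(set)
    for ip in short:
        per_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
    ranges = sorted(str(n) for n, ips in per_net.items() if len(ips) >= range_hits)
    return repeat, ranges


if __name__ == "__main__":
    repeat, ranges = review(SAMPLE_LOG, configured_sec=31536000)
    print("repeat offenders:", repeat)
    print("ranges with several sources:", ranges)
```
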
     