IP Blacklist entry unregisters VOIP provider/phones

Discussion in '3CX Phone System - General' started by AlanM, May 31, 2011.

Thread Status:
Not open for further replies.
  1. AlanM

    Joined:
    Aug 3, 2010
    Messages:
    39
    Likes Received:
    0
    Hello,

    I just upgraded our system from v9 to v10 and applied the latest patch. One of the new features I was very interested in was the IP Blacklist feature. I have a list of seven public IP addresses I gleaned from using Wireshark that were trying to hack into my system via port 5060. All but one of them were from overseas.

    Here is the rub: Whenever I enter any of the IP addresses in the IP Blacklist under SETTINGS>ADVANCED using the single IP address entry field, within a minute my VOIP providers unregister AND all of my phones as well as the system extensions unregister. I remove the entries and they come back to life. I checked the server entry log and it discloses a packet from 192.168.x.x (one of my extensions) was blocked from Hacker 1 (the entry I placed in the remarks section of the blacklisted IP address). Yet the blacklisted-IP address is a public IP address and not even close to my internal IP addresses.

    Any ideas what may be going on?
     
  2. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    Can you share more details about your setup: what are your VoIP provider IP addresses, what are the hacking addresses, is your 3CX on a local area network, what are the addresses of your extensions (local on the LAN or external), how you NAT your LAN to a public address, what address you are entering into the blacklist, etc.
    It could be something with your LAN setup, so you block your providers and extensions yourself for some reason.

    BR
     
  3. AlanM

    Joined:
    Aug 3, 2010
    Messages:
    39
    Likes Received:
    0
    BR,

    I am using Vitelity and have been successfully for over a year. As for the hacking addresses, they are all standard dotted quad addresses like 91.254.45.x, 216.113.75.x, etc. None of them come back to my VOIP provider. The exact IP addresses are not important unless 3CX is proxying traffic through China, Korea, and Great Britain.

    3CX is installed on a dedicated WinXP SP3 machine on a local LAN using a standard class C network scheme of 192.168.x.x with all extensions being local. I use four Cisco 504G IP phones and one Linksys PAP2T ATA. I use a Cisco consumer-grade router and am port forwarding the recommended 3CX and Vitelity ports to the dedicated machine. I use dynamic DNS in lieu of a static public IP address. This setup has worked successfully up until yesterday when I upgraded my licensed version from v9 to v10.

    When I entered the offending IP addresses into the IP Blacklist portion of the Settings > Advanced > IP Blacklist area of the application, ALL extensions including the system extensions failed as well as the VOIP registration.
     
  4. davidbenwell

    davidbenwell Active Member

    Joined:
    Apr 27, 2010
    Messages:
    704
    Likes Received:
    0
    You may wish to check with your VoIP provider what IP range they use on their network; you may be blocking their IPs.
     
  5. AlanM

    Joined:
    Aug 3, 2010
    Messages:
    39
    Likes Received:
    0
    Dave,

    The IPs I blacklisted were hacking attempts into my system. I used Wireshark to monitor the activity and then performed a reverse DNS lookup and ran them through a WHOIS database. Rest assured, these IPs are not from my provider.

    Entries into the IP Blacklist caused my internal extensions to stop registering to the server. There is no reason why this should happen. Additionally, I could not register with the VOIP provider even though the IP address statically entered into the 3CX configuration is different than any of those blacklisted.
     
  6. nb

    nb Support Team
    Staff Member 3CX Support

    Joined:
    Jun 7, 2007
    Messages:
    2,129
    Likes Received:
    153
    And how do you know for sure that a range of IPs does not contain some gateway or hop that the provider uses? You have to be careful because you cannot know. When you see spam, just block that IP for the time being. You have to do research before blocking a whole range of IPs. There are proxies which are useful and if you block them you will have problems.

    Also, how I see it, if you enter an IP address in there and all the extensions become unregistered, you have blocked yourself in some way. I do not know exactly what is happening but this is what I see from your description.

    You have to be careful with this because you can block yourself.

    The anti hacking feature is not there to solve your problems for life.

    It is there to secure your mind temporarily - until you find time to contact your ISP and tell them to investigate this and block them on their firewalls. Blocking on the anti hacking page in 3CX is just 1 part of it.

    Step 1 - Just blocking in 3CX will still spam your router, slow your network and waste your uplink (but save your PBX).
    Step 2 - is to block on the firewall - this will save your network but will still waste your uplink. Because the firewall has to stay responding to a spam with unauthorized. So if I send you 10000 pkts per second, your firewall will have to reply X number of times with unauthorized and to do this it will waste your uplink bandwidth.
    Step 3 is to contact the ISP at abuse@iSP.com and tell them that this IP is hacking you and wasting your uplink bandwidth. Like this they stop the attacker coming to your public IP. This is when you are 100% secure. And this is the scope of the antihacking - to give you time to reach step 3 and keep your system secured.

    However it is very strange - I need to see IP addresses. There is no problem putting IP addresses here - especially of hackers.

    Can you send me offending ip addresses that you have and tell me the entries you put in the antihacking feature that made your extensions and voip provider unable to register? Because I cannot understand how this can occur.
     
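Added example, not part of the thread and not 3CX code: a pre-check for the "you can block yourself" point in the post above, flagging blacklist entries that overlap addresses the PBX must still reach. It assumes entries are written as CIDR strings; the LAN range, provider address, blacklist entries and remarks are constructed sample values.

```python
import ipaddress

def audit_blacklist(entries, protected):
    """Return one finding per (blacklist entry, protected network) overlap.

    entries:   list of (cidr_string, remark)
    protected: dict of label -> cidr_string for networks that must stay reachable
    """
    findings = []
    for cidr, remark in entries:
        # strict=False tolerates host bits, so a single IP entered with a
        # wrong prefix such as "198.51.100.9/0" is read as 0.0.0.0/0.
        net = ipaddress.ip_network(cidr, strict=False)
        for label, prot in protected.items():
            prot_net = ipaddress.ip_network(prot, strict=False)
            if net.version == prot_net.version and net.overlaps(prot_net):
                findings.append((cidr, remark, label, net.num_addresses))
    return findings

# Constructed sample data (documentation address ranges, not from the thread).
PROTECTED = {
    "LAN extensions": "192.168.1.0/24",   # assumed local subnet
    "VoIP provider": "203.0.113.10/32",   # assumed provider registrar address
}
BLACKLIST = [
    ("198.51.100.7/32", "Hacker 1"),  # single host, overlaps nothing protected
    ("203.0.113.0/24", "Hacker 2"),   # whole range that contains the provider
    ("198.51.100.9/0", "Hacker 3"),   # single IP with a wrong prefix: matches everything
]

if __name__ == "__main__":
    for cidr, remark, label, size in audit_blacklist(BLACKLIST, PROTECTED):
        print(f"{cidr} ({remark}) covers {size} addresses and would block: {label}")
```
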
  7. AlanM

    Joined:
    Aug 3, 2010
    Messages:
    39
    Likes Received:
    0
    Nicky,

    The offending IP addresses are listed below. Thank you for your comments though they do appear somewhat condescending. I am not a novice. Please don't presume I did not do any research nor haven't attempted to work with my ISP. I am very aware of the limitations of blocking at this level. I have been trying to work with my ISP regarding these addresses. Though they are willing to switch my IP address, they are reluctant to want to block any IP addresses even though they could see I was getting hammered by them. Hmmm...

    61.137.89.46
    91.203.41.6
    63.247.141.210
    66.58.254.133
    216.167.238.44
    184.154.57.2
    91.223.89.82

    I went to Settings > Advanced > IP Blacklist and selected the "Block Single IP Address" and entered the IP. I think that is how it is supposed to work. Regardless, I will just leave them out since it is like trying to use screen doors on submarines to keep the water out.
     
  8. nb

    nb Support Team
    Staff Member 3CX Support

    Joined:
    Jun 7, 2007
    Messages:
    2,129
    Likes Received:
    153
    This is the thanks for explaining to you how the procedure works.
    Also when I explain something to a person, I also think of other people viewing the posts.

    I presumed nothing - I just explained to you that this procedure is not enough. This is the point I tried to make home.
    If you are not a novice, then you know exactly what to do.
    If your ISP cannot block them, then enjoy the spam.
     
  9. nb

    nb Support Team
    Staff Member 3CX Support

    Joined:
    Jun 7, 2007
    Messages:
    2,129
    Likes Received:
    153
    Digging deeper into this and based on your analysis and comments, I think you might have stumbled on something important related to a configuration issue.

    Can you contact me via email? I need to check something on the configuration. Let me know when you are available for this.
     