Port scanning on 5060 and Security

Discussion in '3CX Phone System - General' started by IrvineCAGuy, Feb 17, 2014.

Thread Status:
Not open for further replies.
  1. IrvineCAGuy

    Joined:
    Feb 9, 2009
    Messages:
    6
    Likes Received:
    0
    Trying to track down why my 3CX Ver 12 periodically fails to register with the SIP provider, causing a busy-signal for incoming calls.
    I replaced the DSL router with a new version that reports attempted port scans and DoS attacks. Within minutes I'm getting a flurry of reports. Many Source IPs are coming from various European countries:

    UDP Packet - Source:53.217.61.xxx,42381 Destination:216.175.xx.yyy,53 - [DOS] UDP Packet - Source:109.77.156.190,29531

    I am not (yet) familiar with these UDP Packet reports so my question is: is this normal to have the firewall banged on by would-be hackers and my PBX is safe, or is this something I should be concerned about from a security or Denial of Service perspective?
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,737
    Likes Received:
    278
    I usually get a couple of registration, or Direct SIP call attempts a week. The same IP will show up a couple of times, then they give up after being locked out for 250000 seconds. I don't have my router set to report port scans, but I'm sure that there are a lot more going on than what makes it through 5060 and shows up in the 3CX log.

    I try not to think too much about it or I'll become paranoid.

    I suppose that if you are using a fixed IP, and running a business where DOS attacks may cost you downtime (money), then you should probably be discussing your concerns with your ISP. They may be able to assist with some blocking, or at least provide some insight on how much of this is going on.

    If you have a dynamic IP, and can get it to change easily, then it might be interesting to see how long it takes for the attacks/port scans to begin happening after the change.
     
  3. cobaltit

    cobaltit Active Member

    Joined:
    Mar 22, 2012
    Messages:
    913
    Likes Received:
    146
    Yes, it is very common to be port scanned. It's the tool of choice for script kiddies. They run automated tools which scan whole netblocks and then, based on what ports they find open, run other tools looking to exploit whatever may be on the other end of that open port.

    As far as 3CX is concerned, it does a reasonable job out of the box as far as defending itself. As long as you've stuck with the defaults when creating extensions (complex passwords, Disallow use of extension outside the LAN, etc.), you should be fine. That, along with the country restrictions and the hacker checks, should deter the opportunistic attempts. Additional protective measures would include disabling outbound calling after hours, setting PIN-protected extensions, and using a pre-pay provider or working with your current provider to set up alerts for suspicious activity.
     
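As an added example (not part of the thread, and not 3CX or router vendor code): a small triage of router reports like the one quoted in the first post, separating a source that sweeps many ports from one that keeps hitting SIP port 5060. The log layout is assumed from that single quoted line; the thresholds, labels and sample addresses are constructed.

```python
import re
from collections import defaultdict

# Assumed layout, modelled on the router report quoted in the first post:
#   UDP Packet - Source:<ip>,<port> Destination:<ip>,<port> - [DOS]
ENTRY = re.compile(
    r"(?P<proto>UDP|TCP) Packet - Source:(?P<src>[^,\s]+),(?P<sport>\d+)"
    r" Destination:(?P<dst>[^,\s]+),(?P<dport>\d+)(?: - \[(?P<tag>\w+)\])?"
)
SIP_PORT = 5060
SWEEP_PORTS = 5  # assumption: distinct ports from one source that suggest a sweep
SIP_HITS = 3     # assumption: repeated hits on 5060 that suggest SIP probing

# Constructed sample using documentation address ranges, not real traffic.
# The second line holds two entries run together; the last one is truncated.
SAMPLE_LOG = """\
UDP Packet - Source:198.51.100.7,40001 Destination:192.0.2.10,53 - [DOS]
UDP Packet - Source:198.51.100.7,40002 Destination:192.0.2.10,69 - [DOS] UDP Packet - Source:198.51.100.7,40003 Destination:192.0.2.10,123
UDP Packet - Source:198.51.100.7,40004 Destination:192.0.2.10,161
UDP Packet - Source:198.51.100.7,40005 Destination:192.0.2.10,5060
UDP Packet - Source:203.0.113.25,5071 Destination:192.0.2.10,5060
UDP Packet - Source:203.0.113.25,5072 Destination:192.0.2.10,5060
UDP Packet - Source:203.0.113.25,5073 Destination:192.0.2.10,5060
UDP Packet - Source:203.0.113.99,33000 Destination:192.0.2.10,53 - [DOS]
UDP Packet - Source:203.0.113.50,29531
"""

def parse(log):
    """Return one dict per complete entry, even when entries share a line."""
    return [dict(m.groupdict(), dport=int(m["dport"])) for m in ENTRY.finditer(log)]

def classify(log):
    """Label each source by how widely it spreads across destination ports."""
    ports, sip_hits = defaultdict(set), defaultdict(int)
    for e in parse(log):
        ports[e["src"]].add(e["dport"])
        sip_hits[e["src"]] += e["dport"] == SIP_PORT
    labels = {}
    for src, seen in ports.items():
        if len(seen) >= SWEEP_PORTS:
            labels[src] = "port-sweep"
        elif sip_hits[src] >= SIP_HITS:
            labels[src] = "sip-probe"
        else:
            labels[src] = "background"
    return labels

if __name__ == "__main__":
    for src, label in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:15} {label}")
```

Entries that lack a destination, like the truncated one at the end of the sample, are skipped rather than guessed at.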
  4. IrvineCAGuy

    Joined:
    Feb 9, 2009
    Messages:
    6
    Likes Received:
    0
    Thanks for your replies. Before moving to 3CX I ran a TrixBox. It got hacked and calls were made to parts afar. So I get a bit paranoid, although I have full faith in the 3CX security measures. I might just turn off the port scan reporting. On the other hand, we do need to understand by learning what is going on out there. Hacking is big business. Knowledge is your defense against it. Thanks.
     