After two years of using 3CX V11 I am finally experiencing my first attack. It started yesterday with a single server on the other side of the planet sending a SIP REGISTER with a brute force authentication attempt. 3CX quickly put the IP address on the blacklist for a while but it kept coming back. I went to the router and filtered out the single IP.
Today it has morphed into something else. From multiple IP addresses I am getting SIP INVITES. Now I do not believe I have direct IP calling enabled and the calls are not being completed by the 3CX PBX. Still I am concerned and want to make sure my bases are covered. There are two items in the log that I want clarification on. The first is
"PBX has dropped a message with 'User-Agent: friendly-scanner' from IP XXX.XXX.XXX.XXX because it is on blocked UAs list"
Can someone tell me what triggered the above event? Is it a scan? What port? And what does it mean? I don't recall generating a blocked UAs list.
The second item is
[CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
Invite-UNK Recv Req INVITE from XXX.XXX.XXX.XXX:5060 tid=xxxxxxxxxx Call ID=xxxxxxxxxxxxxxxxxxx INVITE sip:YYY.YYY.YYY.YYYSIP/2.0
Via: SIP/2.0/UDP XXX.XXX.XXX.XXX:5060;branch=xxxxxxxxxxxxxxx;rport=5060
Max-Forwards: 70
Route: <sip:YYY.YYY.YYY.YYY;lr>
Contact: <sip:XXX.XXX.XXX.XXX>
To: <sip:YYY.YYY.YYY.YYY>
From: <sip:XXX.XXX.XXX.XXX>;tag=xxxxxxxxxxx
I have removed the identifying information. This looks like someone attempting a direct SIP call and it appears unsuccessful. It is not coming via my VOIP provider. I am happy it is unsuccessful but it is not clear why it is unsuccessful. Is it unsuccessful because it is not coming from my defined VOIP provider and direct SIP calling is not enabled? I do have some ports opened manually on the router and forwarded to the PBX. The solution might be to let the router open and close the ports automatically so it is restricted to my VOIP provider. Many thanks in advance.
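Added example, not part of the original post and not 3CX code: a small triage script over log lines in the two formats quoted above. It counts blocked-UA drops and unidentified INVITEs per source IP and lists the sources that fall outside an assumed VoIP provider range. The sample log lines, the addresses and the provider range are all constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the address range your VoIP provider signals from (constructed value).
PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Patterns follow the two log messages quoted in the post.
UA_DROP = re.compile(r"dropped a message with 'User-Agent: (?P<ua>[^']+)' from IP (?P<ip>[\d.]+)")
INVITE = re.compile(r"Recv Req INVITE from (?P<ip>[\d.]+):(?P<port>\d+)")

# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
PBX has dropped a message with 'User-Agent: friendly-scanner' from IP 203.0.113.7 because it is on blocked UAs list
PBX has dropped a message with 'User-Agent: friendly-scanner' from IP 203.0.113.7 because it is on blocked UAs list
Invite-UNK Recv Req INVITE from 192.0.2.44:5060 tid=aaaa Call ID=bbbb
Invite-UNK Recv Req INVITE from 198.51.100.10:5060 tid=cccc Call ID=dddd
Invite-UNK Recv Req INVITE from 192.0.2.44:5060 tid=eeee Call ID=ffff
"""

def from_provider(ip):
    """True if the source address is inside one of the provider networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROVIDER_NETS)

def triage(log_text):
    """Return {ip: {"blocked_ua": n, "invite": n, "provider": bool}} per source."""
    stats = defaultdict(lambda: {"blocked_ua": 0, "invite": 0})
    for line in log_text.splitlines():
        m = UA_DROP.search(line)
        if m:
            stats[m["ip"]]["blocked_ua"] += 1
            continue
        m = INVITE.search(line)
        if m:
            stats[m["ip"]]["invite"] += 1
    return {ip: dict(c, provider=from_provider(ip)) for ip, c in stats.items()}

def firewall_candidates(report):
    """Sources outside the provider range: candidates for a router block rule."""
    return sorted(ip for ip, c in report.items() if not c["provider"])

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, c in sorted(report.items()):
        print(ip, c)
    print("block candidates:", firewall_candidates(report))
```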