Security help

Discussion in '3CX Phone System - General' started by DBOD, Sep 15, 2013.

Thread Status:
Not open for further replies.
  1. DBOD

    Joined:
    Jul 31, 2012
    Messages:
    45
    Likes Received:
    0
    After two years of using 3CX V11 I am finally experiencing my first attack. It started yesterday with a single server on the other side of the planet sending a SIP REGISTER with a brute force authentication attempt. 3CX quickly put the IP address on the blacklist for a while but it kept coming back. I went to the router and filtered out the single IP.

    Today it has morphed into something else. From multiple IP addresses I am getting SIP INVITES. Now I do not believe I have direct IP calling enabled and the calls are not being completed by the 3CX PBX. Still I am concerned and want to make sure my bases are covered. There are two items in the log that I want clarification on. The first is

    "PBX has dropped a message with 'User-Agent: friendly-scanner' from IP XXX.XXX.XXX.XXX because it is on blocked UAs list"

    Can someone tell me what triggered the above event? Is it a scan? What port? And what does it mean? I don't recall generating a blocked UAs list.

    The second item is
    [CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
    Invite-UNK Recv Req INVITE from XXX.XXX.XXX.XXX:5060 tid=xxxxxxxxxx Call ID=xxxxxxxxxxxxxxxxxxx INVITE sip:YYY.YYY.YYY.YYY SIP/2.0
    Via: SIP/2.0/UDP XXX.XXX.XXX.XXX:5060;branch=xxxxxxxxxxxxxxx;rport=5060
    Max-Forwards: 70
    Route: <sip:YYY.YYY.YYY.YYY;lr>
    Contact: <sip:XXX.XXX.XXX.XXX>
    To: <sip:YYY.YYY.YYY.YYY>
    From: <sip:XXX.XXX.XXX.XXX>;tag=xxxxxxxxxxx
    I have removed the identifying information. This looks like someone attempting a direct SIP call and it appears unsuccessful. It is not coming via my VoIP provider. I am happy it is unsuccessful but it is not clear why it is unsuccessful. Is it unsuccessful because it is not coming from my defined VoIP provider and direct SIP calling is not enabled? I do have some ports opened manually on the router and forwarded to the PBX. The solution might be to let the router open and close the ports automatically so it is restricted to my VoIP provider. Many thanks in advance.
     
  2. tom_ch

    Joined:
    Jul 6, 2011
    Messages:
    69
    Likes Received:
    0
    Hi

    when you plug in a phone to your network, it shows up in your telephone node in 3CX, for example "snom 320 8.7.3.19". (that would be a Snom phone)

    Every SIP-capable device or software is being asked for its brand and/or model.

    That means that even software written to intrude into your PBX has such a "friendly name".
    Because most of these programs are known to the 3CX developers, they built that UA list into 3CX Phone System.

    I believe you can find the UA list under Advanced settings --> user-defined settings (that huge list of parameters).
     
  3. complex1

    complex1 Active Member

    Joined:
    Jan 25, 2010
    Messages:
    752
    Likes Received:
    38
    Yes, this is what you can do. In your router block all incoming SIP traffic on port 5060, except traffic from your VoIP provider.
    Please note that if you use external extensions, these extensions will also be blocked.
     
  4. jpillow

    jpillow Well-Known Member

    Joined:
    Jun 20, 2011
    Messages:
    1,342
    Likes Received:
    0
    I've only experienced one attack in the past two years. We searched who owned the server via a Google search, contacted that provider and let them know that particular server was being used maliciously, and within a couple of hours they stopped the misuse of those resources. 3CX effectively stopped the attacks and we were able to use the log to determine what the issue was.
     
  5. DBOD

    Joined:
    Jul 31, 2012
    Messages:
    45
    Likes Received:
    0
    That was helpful. The custom parameter SEC_IGNORE_USER_AGENT under Settings > Advanced > Custom Parameters specifies some known UAs that hackers use and 3CX will automatically ignore.
     
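The two log events discussed in this thread (a REGISTER dropped for a blocked User-Agent, and an INVITE dropped as "unidentified" because it came neither from the VoIP provider nor as permitted direct SIP) can be modelled as a small defender-side classifier. The code below is an added example, not 3CX's own code or its actual rule order; the blocked-UA set, the provider network range and both SIP messages are constructed stand-ins, with documentation IP ranges in place of the thread's masked addresses.

```python
import ipaddress

# Constructed stand-in for the SEC_IGNORE_USER_AGENT custom parameter; only the
# UA seen in this thread is listed. Matching is case-insensitive substring.
BLOCKED_USER_AGENTS = {"friendly-scanner"}

# Constructed: the VoIP provider's signalling range that the router should allow.
PROVIDER_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def parse_sip_request(raw: str) -> dict:
    """Split a raw SIP request into its method, request URI and header map."""
    lines = raw.strip().splitlines()
    method, uri, _version = lines[0].split(maxsplit=2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers; any SDP body is not needed
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}

def classify(raw: str, src_ip: str, provider_nets, direct_sip_enabled=False) -> str:
    """Return a log-style verdict for one SIP request from src_ip."""
    msg = parse_sip_request(raw)
    ua = msg["headers"].get("user-agent", "").lower()
    if any(bad in ua for bad in BLOCKED_USER_AGENTS):
        return f"drop: blocked UA {ua!r} from {src_ip}"
    from_provider = any(ipaddress.ip_address(src_ip) in n for n in provider_nets)
    if msg["method"] == "INVITE":
        if from_provider:
            return f"accept: INVITE from provider {src_ip}"
        if direct_sip_enabled:
            return f"accept: direct SIP INVITE from {src_ip}"
        return f"drop: unidentified INVITE from {src_ip} (CM500002-style)"
    return f"pass: {msg['method']} from {src_ip} continues to authentication"

# Constructed sample: the brute-force REGISTER the thread starter saw first.
SCAN_REGISTER = """REGISTER sip:198.51.100.10 SIP/2.0
Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK-1;rport
From: "100"<sip:100@198.51.100.10>;tag=abc
To: "100"<sip:100@198.51.100.10>
User-Agent: friendly-scanner
Max-Forwards: 70
"""

# Constructed sample: the headerless-UA INVITE quoted in the first post.
UNKNOWN_INVITE = """INVITE sip:198.51.100.10 SIP/2.0
Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-2;rport=5060
Max-Forwards: 70
Route: <sip:198.51.100.10;lr>
Contact: <sip:203.0.113.7>
To: <sip:198.51.100.10>
From: <sip:203.0.113.7>;tag=def
"""
```

Running `classify(UNKNOWN_INVITE, "203.0.113.7", PROVIDER_NETS)` reproduces the "unidentified INVITE" drop, while the same message from an address inside PROVIDER_NETS is accepted, which is the distinction complex1's router rule relies on.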