Security help

Status
Not open for further replies.

DBOD

After two years of using 3CX V11 I am finally experiencing my first attack. It started yesterday with a single server on the other side of the planet sending a SIP REGISTER with a brute-force authentication attempt. 3CX quickly put the IP address on the blacklist for a while but it kept coming back. I went to the router and filtered out the single IP.

Today it has morphed into something else. From multiple IP addresses I am getting SIP INVITES. Now I do not believe I have direct IP calling enabled and the calls are not being completed by the 3CX PBX. Still I am concerned and want to make sure my bases are covered. There are two items in the log that I want clarification on. The first is

"PBX has dropped a message with 'User-Agent: friendly-scanner' from IP XXX.XXX.XXX.XXX because it is on blocked UAs list"

Can someone tell me what triggered the above event? Is it a scan? What port? And what does it mean? I don't recall generating a blocked UAs list.

The second item is
[CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
Invite-UNK Recv Req INVITE from XXX.XXX.XXX.XXX:5060 tid=xxxxxxxxxx Call ID=xxxxxxxxxxxxxxxxxxx INVITE sip:YYY.YYY.YYY.YYY SIP/2.0
Via: SIP/2.0/UDP XXX.XXX.XXX.XXX:5060;branch=xxxxxxxxxxxxxxx;rport=5060
Max-Forwards: 70
Route: <sip:YYY.YYY.YYY.YYY;lr>
Contact: <sip:XXX.XXX.XXX.XXX>
To: <sip:YYY.YYY.YYY.YYY>
From: <sip:XXX.XXX.XXX.XXX>;tag=xxxxxxxxxxx
I have removed the identifying information. This looks like someone attempting a direct SIP call and it appears unsuccessful. It is not coming via my VOIP provider. I am happy it is unsuccessful but it is not clear why it is unsuccessful. Is it unsuccessful because it is not coming from my defined VOIP provider and direct SIP calling is not enabled? I do have some ports opened manually on the router and forwarded to the PBX. The solution might be to let the router open and close the ports automatically so it is restricted to my VOIP provider. Many thanks in advance.
 
Hi

When you plug in a phone to your network, it shows up in your telephone node in 3CX, for example "snom 320 8.7.3.19" (that would be a Snom phone).

Every SIP-capable device or software is being asked for its brand and/or model.

That means that even software used to intrude on your PBX has such a "friendly name".
Because most of this software is known to the 3CX developers, they built that UA list into 3CX Phone System.

I believe you can find the UA list under Advanced settings --> userdefined settings (that huge list of parameters).
 
DBOD said:
The solution might be to let the router open and close the ports automatically so it is restricted to my VOIP provider.
Yes, this is what you can do. In your router block all incoming SIP traffic on port 5060, except traffic from your VoIP provider.
Please note that if you use external extensions, these extensions will also be blocked.
 
I've only experienced one attack in the past two years. We searched for who owned the server via a Google search, contacted that provider, and let them know that particular server was being used maliciously, and within a couple of hours they stopped the misuse of those resources. 3CX effectively stopped the attacks and we were able to use the log to determine what the issue was.
 
tom_ch said:
Hi

When you plug in a phone to your network, it shows up in your telephone node in 3CX, for example "snom 320 8.7.3.19" (that would be a Snom phone).

Every SIP-capable device or software is being asked for its brand and/or model.

That means that even software used to intrude on your PBX has such a "friendly name".
Because most of this software is known to the 3CX developers, they built that UA list into 3CX Phone System.

I believe you can find the UA list under Advanced settings --> userdefined settings (that huge list of parameters).

That was helpful. The custom parameter under Settings > Advanced > Custom Parameters is SEC_IGNORE_USER_AGENT, which specifies some known UAs that hackers use and that 3CX will automatically ignore.
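
The two defences discussed in this thread (a blocked User-Agent list and a router rule that admits SIP only from the VoIP provider), sketched as an added example that is not 3CX code and not part of any post. The blocked list holds only the string from the log line quoted above; the provider range, function names and sample messages are constructed, using documentation address space.

```python
import ipaddress
import re

# Assumptions (not 3CX's real list or config): one blocked UA taken from the
# thread's log line, and a constructed provider range in documentation space.
BLOCKED_UAS = ("friendly-scanner",)
PROVIDER_NETS = (ipaddress.ip_network("198.51.100.0/24"),)


def parse_sip(raw: str):
    """Return (method, headers) for a raw SIP request; header names lowercased."""
    # Normalise line endings, drop the body, and unfold continuation lines so
    # a header value split across lines is still matched as one value.
    head = re.sub(r"\n[ \t]+", " ", raw.replace("\r\n", "\n").split("\n\n", 1)[0])
    lines = head.split("\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return method, headers


def triage(src_ip: str, raw: str) -> str:
    """Say which of the two defences, if any, would stop this request."""
    method, headers = parse_sip(raw)
    ua = headers.get("user-agent", "").lower()
    if any(bad in ua for bad in BLOCKED_UAS):
        return "drop: blocked user-agent"
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in PROVIDER_NETS):
        return f"block at router: {method} from non-provider source"
    return "pass to PBX"


# Constructed sample requests modelled on the log lines in the thread.
SCAN = ("OPTIONS sip:100@203.0.113.10 SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.0.2.7:5060;branch=z9hG4bK-1\r\n"
        "User-Agent: Friendly-Scanner\r\n\r\n")
DIRECT_INVITE = ("INVITE sip:203.0.113.10 SIP/2.0\r\n"
                 "Via: SIP/2.0/UDP 192.0.2.8:5060;branch=z9hG4bK-2;rport\r\n"
                 "From: <sip:192.0.2.8>;tag=abc\r\n"
                 "To: <sip:203.0.113.10>\r\n\r\n")
PROVIDER_INVITE = DIRECT_INVITE.replace("192.0.2.8", "198.51.100.20")

if __name__ == "__main__":
    for ip, msg in (("192.0.2.7", SCAN), ("192.0.2.8", DIRECT_INVITE),
                    ("198.51.100.20", PROVIDER_INVITE)):
        print(ip, "->", triage(ip, msg))
```

As noted earlier in the thread, a source allowlist like this also blocks external extensions unless their addresses are added to it.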
 