[Solved] Looking For Security/Hardening Guidelines: Remote Login Attempts

Discussion in '3CX Phone System - General' started by JCLloyd, Mar 12, 2018.

Thread Status:
Not open for further replies.
  1. JCLloyd

    JCLloyd New Member

    Joined:
    Oct 5, 2017
    Messages:
    112
    Likes Received:
    19
    Are there decent 3CX guidelines or online training related to how far I can go to harden the system? I want to block unwanted remote access attempts I am seeing on the system. I am trying NOT to lock it down to the point it is useless.

    I did find this interesting link, but it is very generic, and doesn't address firewall settings...
    https://www.3cx.com/blog/docs/how-to-react-when-3cx-phone-system-is-under-attack/

    I already locked in port 5060 to my SIP provider, but things like this keep showing up in my activity logs. I seem to have missed something very basic for phone systems:
    [CM102001]: Authentication failed for AuthFail Recv Req INVITE from 198.23.255.226: ...
    ...
    username="c",realm="3CXPhoneSystem",nonce=" ... ",uri="sip:00441173255610@{My IP Address}"
    ...
    ; Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,752
    Likes Received:
    285
    From the looks of it you are getting Direct SIP call attempts, rather than attempted registrations, which is common. If you have blocked all IPs, other than your SIP provider (and perhaps a few others), then the router is allowing these through. I've seen many of these. They always seem to be trying to call UK numbers, for some reason.
     
    #2 leejor, Mar 12, 2018
    Last edited: Mar 12, 2018
  3. JCLloyd

    JCLloyd New Member

    Joined:
    Oct 5, 2017
    Messages:
    112
    Likes Received:
    19
    Leejor... I think I made a beginner-class policy error in the firewall. Enabling the 'deny' policy after setting it up really helps! Strange how I didn't notice that until I posted, but I should be good.

    May someone else benefit from my goof!
     
    accentlogic likes this.
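
A way to confirm from the activity log whether the firewall allowlist is actually being enforced, as discussed in this thread (an added example, not part of the original posts and not 3CX code): it parses `[CM102001]` authentication failures in the shape quoted in the first post, separates INVITE attempts from REGISTER attempts, and reports every source outside the allowed networks. Assumptions: each event sits on one line, a REGISTER failure has the same shape as the INVITE line, and the allowlist, IP addresses and dialed numbers are constructed.

```python
import ipaddress
import re
from collections import Counter

# Line shape taken from the log excerpt in the first post.
AUTH_FAIL = re.compile(
    r"\[CM102001\]: Authentication failed for AuthFail Recv Req "
    r"(?P<method>[A-Z]+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)
DIALED = re.compile(r'uri="sip:(?P<number>[^@"]+)@')

# Assumption: networks the firewall is supposed to allow on the SIP port
# (for example the SIP provider). Constructed documentation range.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed sample log; addresses and numbers are placeholders.
SAMPLE_LOG = """\
[CM102001]: Authentication failed for AuthFail Recv Req INVITE from 203.0.113.50: username="c",realm="3CXPhoneSystem",uri="sip:0044000000001@198.51.100.10"; Reason: Credentials don't match
[CM102001]: Authentication failed for AuthFail Recv Req INVITE from 203.0.113.50: username="c",realm="3CXPhoneSystem",uri="sip:0044000000002@198.51.100.10"; Reason: Credentials don't match
[CM102001]: Authentication failed for AuthFail Recv Req REGISTER from 192.0.2.5: username="100",realm="3CXPhoneSystem",uri="sip:198.51.100.10"; Reason: Credentials don't match
"""


def audit(log_text, allowed=ALLOWED_NETS):
    """Return (failure counts per (source, method), leaked sources -> dialed numbers).

    A "leaked" source is one that reached the PBX although it is outside the
    allowlist, which means the firewall deny policy is not taking effect.
    """
    counts = Counter()
    leaked = {}
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address in the log line
        counts[(str(src), m["method"])] += 1
        if not any(src in net for net in allowed):
            d = DIALED.search(line)
            leaked.setdefault(str(src), set()).add(d["number"] if d else "?")
    return counts, leaked


if __name__ == "__main__":
    counts, leaked = audit(SAMPLE_LOG)
    for src, numbers in leaked.items():
        print(f"{src} passed the firewall; dialed: {sorted(numbers)}")
```

Any entry in the second result means traffic from outside the allowlist is still reaching the PBX, which is the symptom of the deny policy not being enabled.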