Solved The IP has been blacklisted

Discussion in '3CX Phone System - General' started by Sergio Lourenco, Sep 23, 2017.

Thread Status:
Not open for further replies.
  1. Sergio Lourenco

    Joined:
    Sep 23, 2017
    Messages:
    2
    Likes Received:
    0
    Hi guys,
    Do you know what to do here?

    There is something happening what I believe to be someone trying to break into my system.
    What can I do to block it and guarantee security in my network?



    Blacklisted.JPG
    Register.JPG
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,586
    Likes Received:
    252
    Yes, it happens frequently. Looks like you have set a high time-out period, which is good. If you see repeats, then block that IP for several years. You can block a range of IPs if you see any pattens.
     
  3. Sergio Lourenco

    Joined:
    Sep 23, 2017
    Messages:
    2
    Likes Received:
    0
    We get about 100 a day. Is that still normal?
     
  4. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    219
    There is a a large scale SIP attacks worldwide, started into beginning of September.
    You can eventually eliminate attacks by creating a whitelist in your router / firewall in front of your 3CX PBX, allowing connections to port 5060 (TCP & UDP) only from trusted IP addresses like VoIP providers and certain remote locations, if you have any.
    3CX softphones and 3CX SBC use port 5090 (TCP & UDP) to communicate with 3CX PBX.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,586
    Likes Received:
    252
    And be sure you are not using any passwords that are easy to guess. I've often seen IP addresses change incrementally along with the extension number they are trying to register.
     
  6. techdummy

    techdummy New Member

    Joined:
    Sep 22, 2017
    Messages:
    171
    Likes Received:
    9
    Hi @Sergio Lourenco ,
    It isn't normal,but I had the same issue a few days back.
    What I have done is I've blacklisted the whole IP range since we don't have any genuine communication from the IP range.
    The attack that we used to get is from 5.62.XXX.XXX range. I went ahead and blocked 5.62.0.0/16.
    Now we have no issues.
    Additionally, you can block IP address individually too.

    I have done the blocking at the 3cx level, if you wish you can block it at the router level, which is preferred more.
    Also, I believe you have opened the port 5060 to the whole Internet, if that is the case it would be better to restrict the access to only those IP ranges which are supposed to contact you.

    N.B - While Listing is always preferred over blacklisting, not to mention more secure!
    Good day!
     
  7. IoannisM_3CX

    IoannisM_3CX Support Team
    Staff Member 3CX Support

    Joined:
    Aug 10, 2017
    Messages:
    228
    Likes Received:
    17
    Hello @Sergio Lourenco

    From the PBX side you can do the following:

    Find Settings >>Security>>Anti-Hacking and divide each values by two, except the blacklist time interval, and the security barrier (green).
    Set the blacklist time interval to a higher value such as 31536000 (1 year).
    - in your firewall, filter the SIP port to allow only trusted sources, meaning your VoIP providers IP/range, and remote extensions (if any).

    Blocking ranges of IPs can give you extra security but be sure that you don' t get any traffic that you need from any IP inside of these ranges.

    You can find more information and instructions here.

    Thank you
     
    techdummy likes this.
Thread Status:
Not open for further replies.