unauthorized register

Discussion in '3CX Phone System - General' started by mhmmdreza1977, Jan 9, 2017.

Thread Status:
Not open for further replies.
  1. mhmmdreza1977

    Dear Forum

    Today our system log is full of unknown calls to unknown destinations.
    It seems someone has already registered with a fake user and made those calls.

    This is the output from the call log.
    ===================================================
    01/09/2017 8:48:13 AM (@(Ln.20000@JAKARTA HQ)) 0101722063047451 Not Answered
    01/09/2017 8:48:08 AM (@(Ln.20000@JAKARTA HQ)) 9007972592317313 Not Answered
    01/09/2017 8:47:08 AM (@(Ln.20000@JAKARTA HQ)) 0101722063733292 Not Answered
    01/09/2017 8:47:04 AM (@(Ln.20000@JAKARTA HQ)) 007972599979917 Not Answered
    01/09/2017 8:46:53 AM (@(Ln.20000@JAKARTA HQ)) 0101722063733292 Not Answered
    01/09/2017 8:46:43 AM (@(Ln.20000@JAKARTA HQ)) 0101722063733292 Not Answered
    01/09/2017 8:46:39 AM (@(Ln.20000@JAKARTA HQ)) 0101722063733292 Not Answered
    01/09/2017 8:44:00 AM (@(Ln.20000@JAKARTA HQ)) 90101722063733292 00:01:22
    01/09/2017 8:41:28 AM (@(Ln.20000@JAKARTA HQ)) 90101722063733292 00:03:57
    01/09/2017 8:35:37 AM (@(Ln.20000@JAKARTA HQ)) 90101722063733292 00:09:43
    01/09/2017 8:28:36 AM (@(Ln.20000@JAKARTA HQ)) 90101722063733292 00:12:06
    01/09/2017 8:27:54 AM (@(Ln.20000@JAKARTA HQ)) 90101722063733292 00:15:25
    01/09/2017 8:27:54 AM (@(Ln.20000@JAKARTA HQ)) 90101722063733292 00:17:24
    01/09/2017 8:26:01 AM (@(Ln.20000@JAKARTA HQ)) 90101722063733292 00:09:29
    01/09/2017 8:25:51 AM (@(Ln.20000@JAKARTA HQ)) 010170101722063733292 Not Answered
    =========================================================================
    And these are some suspicious entries from the event log
    ==========================================================================
    SIP Server/Call Manager ID: 4101
    Extension 32202 is unregistered, removed contact: sip:32202@10.172.224.10:50195;transport=TCP;rinstance=1-9r88maescugl8lxcr7ras5y29d6y0brk;ob;inst="3f55ae51"

    SIP Server/Call Manager ID: 4101
    Extension 32202 is registered, contact: sip:32202@10.172.224.10:50195;transport=TCP;rinstance=1-9r88maescugl8lxcr7ras5y29d6y0brk;ob;inst="3f55ae51"

    =======================================================================
    In order to mitigate this, I blocked outbound calls from Ln.20000@JAKARTA HQ and blacklisted some suspicious IP addresses.

    Can someone help us harden this system?

    regards
    Reza
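
An added example, not part of the original post and not 3CX code: a small detector that reads call-log lines in the layout quoted above and flags any source with a burst of call attempts or several connected calls at once, the two patterns visible in that log. The sample lines, the `Ext.101` source label, the month/day date order and all thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the post's call-log layout (not the poster's data).
SAMPLE_LOG = """\
01/09/2017 8:48:13 AM (@(Ln.20000@EXAMPLE HQ)) 0100000000000001 Not Answered
01/09/2017 8:46:53 AM (@(Ln.20000@EXAMPLE HQ)) 0100000000000002 Not Answered
01/09/2017 8:44:00 AM (@(Ln.20000@EXAMPLE HQ)) 90100000000000002 00:01:22
01/09/2017 8:41:28 AM (@(Ln.20000@EXAMPLE HQ)) 90100000000000002 00:03:57
01/09/2017 8:40:10 AM (@(Ln.20000@EXAMPLE HQ)) 90100000000000002 00:09:43
01/09/2017 8:40:05 AM (@(Ln.20000@EXAMPLE HQ)) 90100000000000002 00:12:06
01/09/2017 8:15:00 AM (@(Ext.101@EXAMPLE HQ)) 0215550100 00:02:10
01/09/2017 9:30:00 AM (@(Ext.101@EXAMPLE HQ)) 0215550101 Not Answered
"""
LINE_RE = re.compile(r"^\s*(\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \(@\((.+?)\)\) "
                     r"\d+ (?:Not Answered|(\d{2}):(\d{2}):(\d{2}))\s*$")
# Assumed thresholds for illustration; tune them to the site's normal traffic.
WINDOW, MAX_BURST, MAX_CONCURRENT = timedelta(minutes=10), 5, 2

def parse(log):
    """Yield (start, source, talk_time) for each well-formed call-log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # separator rows and other text are skipped
            start = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            h, mi, s = (int(x or 0) for x in m.group(3, 4, 5))
            yield start, m.group(2), timedelta(hours=h, minutes=mi, seconds=s)

def suspicious_sources(log):
    """Return {source: stats} for sources that exceed either threshold."""
    calls = defaultdict(list)
    for start, src, talk in parse(log):
        calls[src].append((start, talk))
    report = {}
    for src, rows in calls.items():
        starts = sorted(start for start, _ in rows)
        # Most call attempts that begin inside any WINDOW-long span.
        burst = max(sum(t - t0 <= WINDOW for t in starts[i:])
                    for i, t0 in enumerate(starts))
        # Peak simultaneous connected calls: sweep start (+1) and end (-1) events.
        events = sorted(e for s, d in rows if d for e in ((s, 1), (s + d, -1)))
        live = peak = 0
        for _, delta in events:
            live += delta
            peak = max(peak, live)
        if burst > MAX_BURST or peak > MAX_CONCURRENT:
            report[src] = {"burst": burst, "peak_concurrent": peak}
    return report
```

Calling `suspicious_sources(SAMPLE_LOG)` reports only the `Ln.20000@EXAMPLE HQ` source; the two widely spaced `Ext.101` calls stay below both thresholds.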
     
  2. cobaltit

    cobaltit Active Member

    The best way to harden the system is to undo all the things you might have done to weaken the system. 3CX is pretty secure out of the box. All extensions are disallowed connection from outside the LAN, international calls are disabled, complex passwords are set. So if you changed any of those settings I would change them back. 99% of toll fraud is due to either vendor defaults or poor system administration. And since toll fraud is almost always over SIP, you can block SIP traffic at the firewall where not needed.
     
  3. mhmmdreza1977

    Dear cobaltit

    Noted with thanks.
    Not much configuration tuning in our system.
    We just simply add user, add trunk and external address book.
    Yes, we publish the extension to the Internet for our mobile internet users.
     
  4. GiannosC_3CX

    GiannosC_3CX Guest

  5. leejor

    leejor Well-Known Member

    The only way that extensions can register is if they have the correct password. So...the password has been obtained somehow, or was easy enough to guess, given the extension number. I would, perhaps, review your passwords.
     