User agent friendly scanner hacking

Discussion in 'Windows' started by Timeinspain, May 25, 2014.

Thread Status:
Not open for further replies.
  1. Timeinspain

    Joined:
    Mar 22, 2012
    Messages:
    3
    Likes Received:
    0
    I use 3CX on a Windows 7 platform. I am constantly getting hacking attempts every day by something identified as user agent friendly scanner. I have various restrictions in place to stop it, but is there a simple way that it can be blocked on 3CX? It seems to be a huge problem with 3CX but there are no easy solutions published. I am not so technical by the way, so any simple solutions would be appreciated. Thank you for any help you can give me.
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,868
    Likes Received:
    304
    As with any hacker, the best place to stop it is at the router; however, this isn't always possible without also blocking legitimate VoIP traffic. Some routers/firewalls are obviously much better at this than others; it all depends on how much you are willing to spend on beefing up security.

    If it is always the same IP, or a similar range, you can use the IP blacklist to block them. You can also extend the automatic blacklist time. You can also try reporting the offending IP to the originating ISP. Or report it to your ISP and see if they will assist. I have 3CX send me an email on every failed registration attempt, that was blacklisted, allowing me to easily see "patterns" in the originating IPs. Any repeats get a permanent blacklist.

    Unfortunately if you have port 5060 (or even another port) open for VoIP traffic, then someone is going to be looking for that and attempting to exploit it.
     
  3. Timeinspain

    Joined:
    Mar 22, 2012
    Messages:
    3
    Likes Received:
    0
    Thank you for that. So you think I should try to switch to a different port throughout my system and it might help a lot? This could be hard to do as everybody appears to use this port.

    I do have my blacklists set up and they are coping with stopping the attacks. I just think that if something is accessing my 3CX called "user friendly agent" that it should be possible for 3CX to just block these automatically within a service pack or some other way, as they are NEVER welcome when they are called this as far as I can see. There seem to be a few more like this also with well-known names. Could you do something like this maybe? Thanks. David
     
  4. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,868
    Likes Received:
    304
    As for changing the port from 5060 to something else, I believe that someone else had tried that and reported that it was "found" anyway. It might be worth a try if it didn't involve a lot of work. In reality it would only stop those only targeting port 5060, and I'm sure that most are going after more than just that one port.
    I agree, anything that could be added to 3CX to be more specific when blacklisting would be helpful. I'm assuming that they are relying on you having a decent firewall and/or router.
    For the moment you are stuck with the IP address (and ranges), number of failed attempts, and time periods.
     
  5. MariosS_3CX

    Joined:
    May 26, 2014
    Messages:
    12
    Likes Received:
    0
    The 3CX Phone System automatically blocks any user agents that are deemed malicious. By default a range of known user agents is being blocked. 3CX will immediately ignore any responses and act dead in the case that the user agent matches friendly-scanner, sipsak, smap, Elite 1.0 Brcm Callctrl.

    For more information about securing your 3CX Phone System please refer to: http://www.3cx.com/blog/voip-howto/securing-hints/
     
  6. way

    way

    Joined:
    Feb 21, 2011
    Messages:
    49
    Likes Received:
    3
    To continue what Marios has mentioned, this list of user agents to block is the 'SEC_IGNORE_USER_AGENT' field in Settings->Advanced->custom parameters. By default in Version 12, the system blocks friendly-scanner, sipsak, smap, Elite 1.0 Brcm, Callctrl, and sipcli. When the PBX ignores these user agents, you will see a log similar to the one below:

    PBX has dropped a message with 'User-Agent: friendly-scanner' from IP X.X.X.X because it is on blocked UAs list

    I have personally added in VaxSIPUserAgent and eyeBeam as these two also seem to be common user agents I see when I get IP blacklist notifications.

    As leejor mentions, it's best to stop hacking attempts at your router. If you know which external users or VoIP providers are accessing your phone system, then you can whitelist them and block other traffic, effectively stopping hacking before it reaches your PBX.
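
One way to do the pattern-spotting described in this thread (repeat IPs and "a similar range"), using the drop message quoted above. This is an added Python example, not 3CX code and not something posted by the participants; the timestamp prefix, the sample addresses, the threshold and the /24 grouping are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Message format quoted in the thread; any prefix (timestamp etc.) is ignored.
DROP_RE = re.compile(
    r"PBX has dropped a message with 'User-Agent: (?P<ua>[^']*)' "
    r"from IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) because it is on blocked UAs list"
)

# Constructed sample lines (documentation address ranges, made-up timestamps).
SAMPLE_LOG = """\
10:01:02 PBX has dropped a message with 'User-Agent: friendly-scanner' from IP 192.0.2.10 because it is on blocked UAs list
10:01:09 PBX has dropped a message with 'User-Agent: friendly-scanner' from IP 192.0.2.10 because it is on blocked UAs list
10:03:40 PBX has dropped a message with 'User-Agent: sipcli' from IP 192.0.2.77 because it is on blocked UAs list
10:05:00 Some unrelated log line
10:07:15 PBX has dropped a message with 'User-Agent: VaxSIPUserAgent' from IP 203.0.113.5 because it is on blocked UAs list
10:09:31 PBX has dropped a message with 'User-Agent: friendly-scanner' from IP 192.0.2.200 because it is on blocked UAs list
"""

def summarize_drops(log_text, repeat_threshold=2, prefix_len=24):
    """Tally dropped messages per IP, per User-Agent and per network range."""
    by_ip, by_ua, by_net = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:  # digits that are not a valid IPv4 address
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        by_ip[str(ip)] += 1
        by_ua[m["ua"]] += 1
        by_net[str(net)] += 1
    return {
        # Candidates for a permanent blacklist entry.
        "repeat_ips": sorted(ip for ip, n in by_ip.items() if n >= repeat_threshold),
        # Ranges where several hosts (or one busy host) keep showing up.
        "busy_ranges": sorted(net for net, n in by_net.items() if n >= repeat_threshold),
        "user_agents": dict(by_ua),
    }

if __name__ == "__main__":
    for key, value in summarize_drops(SAMPLE_LOG).items():
        print(key, value)
```

A range that is busy while none of its individual addresses repeats points to a scanner rotating source IPs, which is the case a per-IP blacklist alone misses.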
     
  7. MarPyt

    Joined:
    Feb 7, 2015
    Messages:
    12
    Likes Received:
    0
    With PBX 12.5 we had an invasion of friendly scanners on server logs.
    We had reverted back to v12 (for different reasons) and now we do not see any scanners at all.
    When registering v12.5 we had put in FQDN for external static address in numeric form rather than in full name.
    This (I think) invited the whole bunch of scanners.
    When we were re-installing v12 we did not choose the "https" option, so we did not include the FQDN.
    The actual static address resides only with the SIP provider as a porting value for each one of the DIDs.
    As all this was done on the basis of intuition (telecommunication apprentices we are not) I want to draw my conclusions from this experiment:

    1. Friendly scanners are on holidays;
    2. Our firewall is more effective;
    3. WebRTC will (obviously) not work with this setup;
    4. If friendly scanners were knocking on the door with incorrect FQDN setup (numeric rather than full name) they could have gotten lucky and could have penetrated PBX to SIP provider data.

    Question: Do we now have a more secure setup for making telephone calls without being attacked by hackers?

    So far so good..
     
  8. Timeinspain

    Joined:
    Mar 22, 2012
    Messages:
    3
    Likes Received:
    0
    Thanks to everybody for the replies. The hackers are not getting in. The name seems to have changed now to 'User-Agent: VaxSIPUserAgent/3. Only to let you know.
     