v.15 - Blacklisted IPs

Discussion in '3CX Phone System - General' started by healthy, Oct 26, 2016.

Thread Status:
Not open for further replies.
  1. healthy

    Joined:
    Oct 26, 2012
    Messages:
    30
    Likes Received:
    2
    Since our upgrade to 15, I've been getting a lot of the following:

    The IP 195.154.38.21 has been blacklisted for 1800 sec. (Expires at: 2016/1026 17:11:03).
    Reason: Too many failed authentications!

    Learn how to get more out of 3CX at www.3cx.com


    Now, I've put a manual blacklist entry for up to 2036, yet I get the same notification every few hours.

    Is this a defect, or am I doing something wrong?

    Thanks!
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,594
    Likes Received:
    255
    If this is actually a hack, being blacklisted for a couple thousand seconds (35 minutes) may not be long enough to discourage them. Some people are annoyingly persistent. I use 250,000 (some use much longer), and I still see repeats. Those, I eventually block for ten years.
     
  3. healthy

    Joined:
    Oct 26, 2012
    Messages:
    30
    Likes Received:
    2
    I'm sorry, by 2036, I meant until 2036... or 20 years! It still pops up an auto-block...

    My Blacklist table looks like this:

    IP Address Subnet Mask Action Expiration Date
    212.83.140.46 255.255.255.255 Deny 10/25/2036 1:35:49 PM 212.83.140.46
    195.154.38.21 255.255.255.255 Deny 10/26/2036 8:59:39 AM 195.154.38.21

    As you can see, I have the 195.x.x.x address Denied for 20 years, but I have gotten 6 additional notifications saying that after too many attempts, the IP will be blocked for 1800 seconds... Doesn't the 20 years trump 1800 seconds?!?
     
  4. pj3cx

    pj3cx Active Member

    Joined:
    Aug 1, 2013
    Messages:
    645
    Likes Received:
    1
    Hi there,
    The notifications you received indicate repeated hack/scan attempts which got caught by the security module of the PBX.
    Their sources are external untrusted IPs trying to authenticate through your SIP port.
    The blacklisting time may vary depending on the amount of repeated attempts.

    Some prevention steps can be taken from your side:
    - in Settings / Security / Anti-Hacking, divide each value by two, except the blacklist time interval and the security barrier (green). Set the blacklist time interval to a higher value such as 31536000 (1 year).
    - in your firewall, filter the SIP port to allow only trusted sources, meaning your VoIP provider's IP/range, and remote extensions (if any).
    - validate, restart services.
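
The situation discussed in this thread can be checked from saved notification text: the added example below (not part of any post and not 3CX code) counts automatic blacklist notifications per source IP and marks the IPs that already have an unexpired manual Deny entry. The one-line notification layout, the function names and the 203.0.113.7 address are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample input, modelled on the notification text and the
# blacklist table quoted in this thread (203.0.113.7 is a made-up address).
NOTIFICATIONS = """\
The IP 195.154.38.21 has been blacklisted for 1800 sec. Reason: Too many failed authentications!
The IP 195.154.38.21 has been blacklisted for 1800 sec. Reason: Too many failed authentications!
The IP 203.0.113.7 has been blacklisted for 1800 sec. Reason: Too many failed authentications!
"""
BLACKLIST_TABLE = """\
212.83.140.46 255.255.255.255 Deny 10/25/2036 1:35:49 PM
195.154.38.21 255.255.255.255 Deny 10/26/2036 8:59:39 AM
"""

NOTE_RE = re.compile(r"The IP (\S+) has been blacklisted for (\d+) sec")
ROW_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(Deny|Allow)\s+(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)", re.M
)


def parse_manual_denies(table, now):
    """Return the networks that have a manual Deny entry not yet expired."""
    nets = []
    for ip, mask, action, expires in ROW_RE.findall(table):
        when = datetime.strptime(expires, "%m/%d/%Y %I:%M:%S %p")
        if action == "Deny" and when > now:
            nets.append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
    return nets


def repeat_offenders(notifications, table, now):
    """Count auto-blacklist events per IP and flag IPs already manually denied."""
    denies = parse_manual_denies(table, now)
    counts = Counter(m.group(1) for m in NOTE_RE.finditer(notifications))
    report = {}
    for ip, events in counts.items():
        addr = ipaddress.ip_address(ip)
        report[ip] = {"events": events, "manual_deny": any(addr in n for n in denies)}
    return report


if __name__ == "__main__":
    now = datetime(2016, 10, 26, 18, 0)  # constructed "current" time
    for ip, info in repeat_offenders(NOTIFICATIONS, BLACKLIST_TABLE, now).items():
        print(ip, info)
```

An IP reported with `manual_deny` set and a non-zero event count is still reaching the PBX with authentication attempts, which is the case the firewall filtering step above addresses.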
     