Technical support 3CX answers - 5 rules of IP-PBX security
Hacking PBX 3CX, which lead to serious consequences, happen quite rarely. However, our clients sometimes fall victim to scammers. As practice has shown, this is mainly due to either incorrect system settings or the use of the outdated version of 3CX. In this article we will look at the most common mistakes that can lead to hacking your PBX, and explain how to prevent them.
Telephony fraud is rather trivial - outsiders or a robot-dealer make calls through your PBX at your expense. This usually happens late at night or on non-working days. Challenges continue for as long as possible, with high frequency and on the most expensive international destinations. And at the end of the month, you receive a bill from a telecoms operator for a huge amount that you must pay or challenge in court.
Calls to the most expensive international destinations were the main goal of hackers in the early period of development of program PBXs. One might think that this type of fraud is a thing of the past, especially given the cheapening of international negotiations. However, this is currently being done by well-organized international groups that are looting customers and operators on an industrial scale.
')
Now PBX hack to make thousands of calls to the "expensive" numbers of various paid automatic services, which are controlled by the same scammers. In this case, the attacker receives a profit in the form of a commission from the operator for each minute of a paid call. This fraud is also called International Revenue Sharing Fraud (IRSF).
Another way to make illegal money is to sell the stolen credentials of SIP clients on “underground” online exchanges. Further, such access is used in different ways - or to compete with legal telecom operators, which makes it possible to sell minutes much cheaper than the market price, or for some personal needs of the buyer.
3CX has several security levels, the default settings of which prevent most known types of attacks. However, some system administrators change or disable these settings without even realizing what the consequences are.
Let's look at the most common mistakes in security settings that 3CX administrators make.
The first error is the “weak” account credentials that are used by 3CX applications, IP phones and users.
When you create a user (extension) in 3CX, secure credentials are automatically generated for it at all levels of access. These are complex SIP password and web client login password, randomly generated passwords for accessing the IP phone's web interface, random voice mail PIN, etc ... Be sure to use only these secure credentials, because random long passwords guarantee protection against attacks with password pickup (also called brute force attacks).
Starting from 3CX v15.5, the system will not allow you to set an extension password weaker than is required by modern security rules. However, often weak account passwords are inherited from backups of previous versions of 3CX. Therefore, 3CX now warns the administrator if there are extension numbers with weak passwords in the system — a warning appears near such numbers. If you hover over it, additional information will appear.
By the way, we strongly do not recommend setting weak passwords for testing purposes. As a rule, people forget to change them and leave the PBX "full of holes".
The second mistake is disabling the option “Deny connection from the public network” and not turning it back on when the user does not need it anymore.
This option is enabled by default in 3CX and prevents any users outside your local network from logging in. Please note - you can use 3CX applications or web client without enabling remote access, since they use tunneling technology to connect to the PBX. This option should be disabled only if someone needs a direct SIP connection for a hardware IP phone.
Try to avoid direct SIP-connections to your PBX or allow them only from certain IP addresses specified in the firewall.
When installing 3CX, the Initial Setup Wizard asks which countries need to allow outgoing calls. The same list of countries can be seen (and changed) in the section Settings - Security - Allowed international country codes. You should allow only those countries (prefixes) to which your users are actually calling. By default, 3CX allows calls only to the country that was specified as the installation location of the PBX.
A very dangerous practice is to allow all countries to install a PBX, and limit them later. Usually they forget about it, allowing the attacker to call in all directions as soon as he received the credentials of the PBX user.
Another bad practice is the use of too general outgoing rules that allow any user (3CX Default organizational group) to call in any allowed direction. Some administrators, in order not to complicate their lives, create for this one universal rule.
In fact, you should create outgoing rules with the minimum necessary permissions, according to the same principle, according to which they are created, for example, in a firewall. Specifically, list the prefixes, set the minimum and maximum length of the number, explicitly specify the group of extensions that are allowed to call in this direction.
In the Parameters - Numbers section, E164 sets the number processing, in which the “+” symbol at the beginning of the number is replaced with the international dialing code. Substitution rules are determined for the country that is listed as the place where the PBX is installed. In most countries, "+" is replaced by 00, and for America - by 011. Substitution conforms to ITU standards.
The parameters of E164 are important because they are used to determine prohibited directions (prefixes), which we discussed above. For example, if the blocked country is Albania, 3CX will analyze and block numbers starting with 00355xxx and + 355xxx.
If you incorrectly specify the international dialing code for your country, this will lead not only to the erroneous substitution of “+”, but also to the incorrect operation of the blocking function of countries.
The 3CX v16 adds two interesting security features.
The first is to restrict access by IP address to the 3CX management interface. It is configured in the section Settings - Security - Restricting access to the interface. By default, all IP addresses are allowed, but if IP protection is enabled, access will be allowed only from the local network and explicitly specified external IP addresses. Please note that this restriction does not affect the operation of other 3CX web services, such as auto phone configuration, web client, etc.
The second security feature is a self-learning global blacklisting of IP addresses supported by 3CX. It is included in the section Settings - Security Settings - Anti-hacking. If this option is enabled, the PBX will automatically transmit suspicious activity information to our central server, including the source IP address. After analyzing the event, information about this IP address will be automatically transferred to all 3CX systems in the world that also have this feature enabled. Thus, suspicious traffic will be blocked due to “collective intelligence”. Today, our global list already contains more than 1000 IPv4 IP addresses, with which scanning or hacking attempts have been consistently repeated. We strongly recommend to enable this feature on your PBX!
We noticed that the hacking of the system is preceded by several errors taken together. We practically did not observe situations when serious consequences arose only because of one error.
Well, if you still hacked - do not panic! It is very important to collect server logs before taking radical actions. Subsequently, it will help conduct a qualitative investigation of the incident. To collect logs, go to the Support section - Create a file for technical support. A zip archive will be generated, the link to which will be sent to your e-mail. Attach this file and the incident description to contacting 3CX technical support.
You should contact technical support if you have any reasonable questions about 3CX security or you want to report a hack that has already taken place. To understand the situation and get the necessary recommendations, open an appeal to the category "Security - Fraud". These appeals are treated with the highest priority. You can also get 3CX security advice in our user forum .
How do phone scammers work?
Telephony fraud is rather trivial - outsiders or a robot-dealer make calls through your PBX at your expense. This usually happens late at night or on non-working days. Challenges continue for as long as possible, with high frequency and on the most expensive international destinations. And at the end of the month, you receive a bill from a telecoms operator for a huge amount that you must pay or challenge in court.
Calls to the most expensive international destinations were the main goal of hackers in the early period of development of program PBXs. One might think that this type of fraud is a thing of the past, especially given the cheapening of international negotiations. However, this is currently being done by well-organized international groups that are looting customers and operators on an industrial scale.
')
Now PBX hack to make thousands of calls to the "expensive" numbers of various paid automatic services, which are controlled by the same scammers. In this case, the attacker receives a profit in the form of a commission from the operator for each minute of a paid call. This fraud is also called International Revenue Sharing Fraud (IRSF).
Another way to make illegal money is to sell the stolen credentials of SIP clients on “underground” online exchanges. Further, such access is used in different ways - or to compete with legal telecom operators, which makes it possible to sell minutes much cheaper than the market price, or for some personal needs of the buyer.
3CX has several security levels, the default settings of which prevent most known types of attacks. However, some system administrators change or disable these settings without even realizing what the consequences are.
Let's look at the most common mistakes in security settings that 3CX administrators make.
Weak user credentials
The first error is the “weak” account credentials that are used by 3CX applications, IP phones and users.
When you create a user (extension) in 3CX, secure credentials are automatically generated for it at all levels of access. These are complex SIP password and web client login password, randomly generated passwords for accessing the IP phone's web interface, random voice mail PIN, etc ... Be sure to use only these secure credentials, because random long passwords guarantee protection against attacks with password pickup (also called brute force attacks).
Starting from 3CX v15.5, the system will not allow you to set an extension password weaker than is required by modern security rules. However, often weak account passwords are inherited from backups of previous versions of 3CX. Therefore, 3CX now warns the administrator if there are extension numbers with weak passwords in the system — a warning appears near such numbers. If you hover over it, additional information will appear.
By the way, we strongly do not recommend setting weak passwords for testing purposes. As a rule, people forget to change them and leave the PBX "full of holes".
Enabled SIP Remote Access to an Extension Number
The second mistake is disabling the option “Deny connection from the public network” and not turning it back on when the user does not need it anymore.
This option is enabled by default in 3CX and prevents any users outside your local network from logging in. Please note - you can use 3CX applications or web client without enabling remote access, since they use tunneling technology to connect to the PBX. This option should be disabled only if someone needs a direct SIP connection for a hardware IP phone.
Try to avoid direct SIP-connections to your PBX or allow them only from certain IP addresses specified in the firewall.
Many allowed directions for calls
When installing 3CX, the Initial Setup Wizard asks which countries need to allow outgoing calls. The same list of countries can be seen (and changed) in the section Settings - Security - Allowed international country codes. You should allow only those countries (prefixes) to which your users are actually calling. By default, 3CX allows calls only to the country that was specified as the installation location of the PBX.
A very dangerous practice is to allow all countries to install a PBX, and limit them later. Usually they forget about it, allowing the attacker to call in all directions as soon as he received the credentials of the PBX user.
Outgoing rules too loose
Another bad practice is the use of too general outgoing rules that allow any user (3CX Default organizational group) to call in any allowed direction. Some administrators, in order not to complicate their lives, create for this one universal rule.
In fact, you should create outgoing rules with the minimum necessary permissions, according to the same principle, according to which they are created, for example, in a firewall. Specifically, list the prefixes, set the minimum and maximum length of the number, explicitly specify the group of extensions that are allowed to call in this direction.
Invalid processing parameters E164
In the Parameters - Numbers section, E164 sets the number processing, in which the “+” symbol at the beginning of the number is replaced with the international dialing code. Substitution rules are determined for the country that is listed as the place where the PBX is installed. In most countries, "+" is replaced by 00, and for America - by 011. Substitution conforms to ITU standards.
The parameters of E164 are important because they are used to determine prohibited directions (prefixes), which we discussed above. For example, if the blocked country is Albania, 3CX will analyze and block numbers starting with 00355xxx and + 355xxx.
If you incorrectly specify the international dialing code for your country, this will lead not only to the erroneous substitution of “+”, but also to the incorrect operation of the blocking function of countries.
New security features in 3CX v16
The 3CX v16 adds two interesting security features.
The first is to restrict access by IP address to the 3CX management interface. It is configured in the section Settings - Security - Restricting access to the interface. By default, all IP addresses are allowed, but if IP protection is enabled, access will be allowed only from the local network and explicitly specified external IP addresses. Please note that this restriction does not affect the operation of other 3CX web services, such as auto phone configuration, web client, etc.
The second security feature is a self-learning global blacklisting of IP addresses supported by 3CX. It is included in the section Settings - Security Settings - Anti-hacking. If this option is enabled, the PBX will automatically transmit suspicious activity information to our central server, including the source IP address. After analyzing the event, information about this IP address will be automatically transferred to all 3CX systems in the world that also have this feature enabled. Thus, suspicious traffic will be blocked due to “collective intelligence”. Today, our global list already contains more than 1000 IPv4 IP addresses, with which scanning or hacking attempts have been consistently repeated. We strongly recommend to enable this feature on your PBX!
Conclusion
We noticed that the hacking of the system is preceded by several errors taken together. We practically did not observe situations when serious consequences arose only because of one error.
Well, if you still hacked - do not panic! It is very important to collect server logs before taking radical actions. Subsequently, it will help conduct a qualitative investigation of the incident. To collect logs, go to the Support section - Create a file for technical support. A zip archive will be generated, the link to which will be sent to your e-mail. Attach this file and the incident description to contacting 3CX technical support.
You should contact technical support if you have any reasonable questions about 3CX security or you want to report a hack that has already taken place. To understand the situation and get the necessary recommendations, open an appeal to the category "Security - Fraud". These appeals are treated with the highest priority. You can also get 3CX security advice in our user forum .
Source: https://habr.com/ru/post/443186/
All Articles