The 3CX global IP blacklist is a key tool in the fight against hacking. But what is it and how does it work?
Global IP blacklist explained
The 3CX global IP blacklist was first released with version 16. It is a central database of IP addresses that have been blacklisted by one or many 3CX systems. Each instance taking part in the 3CX global anti-hacking defense program is part of a worldwide community of IP-PBX servers, all contributing to keeping hackers out of critical systems.
How does the global anti-hacking defense program work?
New installations have the blacklist enabled by default. Each 3CX system that has the option enabled imports our centrally managed list into its local blacklist every 6 hours.
Instances also report and contribute to the global list by posting each new blacklisting event that is triggered locally. This is mainly due to repeated failed authentications over SIP or web access.
This is the most important and neat feature of the service. 3CX security teams monitor every new offending IP address reported. We can identify attack patterns, resulting in a human decision whether to block the address globally. We did not fully automate this process for a reason. To ensure that legitimate VoIP servers or carriers are not blocked, our security teams carry out several manual checks before adding the IP address to the blacklist.
Sometimes, we reach out to administrators of compromised servers to make them aware that their machines are taking part in hacking attempts. This way, they can secure their machine to slow the attack or scan.
How effective is it?
At the date of writing, the global list has grown to include circa 400,000 IP addresses. Of these addresses, the typical use case is VPN and proxy servers, behind which hackers launch automated SIP scanning and brute-force campaigns.
The list also includes many compromised machines which are being used as part of botnet distributed scans. We regularly see patterns of machines like unpatched mail servers, network appliances, and video surveillance servers being used in this way.
Any 3CX administrator who has email alerts enabled for “An IP has been blacklisted” will know that if the global blacklist is disabled, those email alerts will become unmanageable because of the high volume of events.
Why turn it on?
As soon as a SIP service is deployed online using the default 5060 port, it will be subjected to almost immediate attack. The SIP scanning we mentioned previously is built to look for servers or endpoints configured with weak credentials. Having the global IP blacklist enabled means that a huge part of this traffic gets dropped immediately.
Additionally, any admin getting the IP blacklisted email alerts will benefit from a peaceful day.