The 3CX MCU Firewall Feature
Introduction
The 3CX MCU includes a sophisticated application-level firewall/anti-hack system, utilizing iptables for security. It operates as a transparent HTTP proxy in conjunction with the 3CX MCU Manager, which processes HTTP requests. Each request is evaluated and scored based on potential risk, with higher scores indicating greater danger or suspicion.
Key Operational Details
Scoring and Blocking:
- Requests are scored, and if an IP's cumulative score within a 30-second window exceeds the default threshold of 100, that IP is immediately blocked in iptables for a default duration of 300 seconds.
- If the same IP gets blacklisted for 300 seconds twice in a row, it’s considered a repeat offender and is blacklisted permanently or until manually removed by the admin.
Centralized IP Blacklisting:
- In our production environment, any IP address that is locally banned three times will be globally blacklisted. This blacklist is then shared across all production servers, ensuring comprehensive protection. OnBoard MCUs maintain a local blacklist for immediate response.
Restarting the McuManager service (systemctl restart 3CXWMMcuManager) resets the rules.v4 and rules.v6 files under /etc/iptables to their defaults and reloads the iptables rules, so any blocked IP is unblocked.
Enhanced HTTP Request Scoring System Overview
Our integrated scoring system is meticulously designed to assess incoming HTTP requests, identifying and categorizing them based on their potential security implications. This refined approach enables us to effectively manage and respond to various types of requests, ensuring the security of our network while maintaining optimal accessibility for legitimate use. Here’s an overview of how the system works:
Scoring Criteria and Multipliers
Each type of request is assigned a specific score, acting as a multiplier that reflects its potential risk or legitimacy:
- Legitimate Requests (HTTP 200):
  - Score Multiplier: 1
  - Description: Standard requests indicating regular usage.
  - Impact: Supports up to 100 requests in 30 seconds without triggering security protocols.
- 404 Errors (File Not Found):
  - Score Multiplier: 5
  - Description: Often triggered by scanning bots, these errors indicate a request for a non-existent resource.
  - Impact: Exceeding 20 requests within 30 seconds results in automatic blacklisting.
- Hack Attempts (Special Characters in URI):
  - Score Multiplier: 100
  - Description: Requests that are clearly malicious, such as hacking attempts or scans by automated bots.
  - Impact: A single request leads to immediate blacklisting.
- SSL Errors (Downgrade Attacks, Weak Ciphers, etc.):
  - Score Multiplier: 20
  - Description: Requests that compromise SSL security through downgrade attacks or by exploiting weak ciphers.
  - Impact: Increases the IP's risk score, moving it closer to blacklisting.
- Bad Requests (Null Connections, Socket Errors, etc.):
  - Score Multiplier: 0.7
  - Description: Covers invalid HTTP requests and TCP-based attacks, including those detected by MCU monitoring of TCP/UDP socket misuse.
  - Impact: More lenient handling due to the complexities of WebRTC browsers' socket management.
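The scoring and blocking rules described above (30-second window, threshold of 100, 300-second block, permanent ban after two consecutive blocks) together with the per-class multipliers, modelled as an added Python example. This is illustrative code written for this page, not the 3CX MCU Manager's implementation. Two details the page leaves open are taken as assumptions and marked in the code: the block fires when the score reaches 100 (so that one hack attempt scoring 100 blocks by itself; the page's "up to 100 legitimate requests" wording could equally mean a strict "exceeds"), and two blocks count as "in a row" when the second begins within one window of the first expiring. The request classes, IP addresses and log lines are constructed sample data.

```python
from collections import defaultdict, deque

# Defaults as documented on the page
WINDOW_SECONDS = 30           # scoring window per source IP
THRESHOLD = 100               # cumulative score that triggers a block
BLOCK_SECONDS = 300           # length of a temporary iptables block
REPEAT_OFFENDER_BLOCKS = 2    # consecutive blocks before a permanent ban

# Score multipliers from the page, keyed by request class
MULTIPLIERS = {
    "ok": 1,             # HTTP 200
    "not_found": 5,      # HTTP 404
    "hack": 100,         # special characters in the URI
    "ssl_error": 20,     # downgrade attempt / weak cipher
    "bad_request": 0.7,  # null connection, socket error, ...
}


class ScoreTracker:
    """Sliding-window score per source IP with temporary and permanent blocks."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD,
                 block=BLOCK_SECONDS):
        self.window = window
        self.threshold = threshold
        self.block = block
        self.events = defaultdict(deque)    # ip -> deque of (ts, score)
        self.blocked_until = {}             # ip -> end time of last temporary block
        self.block_runs = defaultdict(int)  # ip -> consecutive temporary blocks
        self.permanent = set()

    def record(self, ip, kind, ts):
        """Score one request at time ts (seconds) and return the action taken:
        'allow', 'block', 'permanent' or 'already_blocked'."""
        if ip in self.permanent:
            return "permanent"
        until = self.blocked_until.get(ip)
        if until is not None and ts < until:
            return "already_blocked"

        q = self.events[ip]
        q.append((ts, MULTIPLIERS[kind]))
        while q and q[0][0] < ts - self.window:   # drop events outside the window
            q.popleft()
        # ASSUMPTION: the block fires when the score reaches the threshold (>=),
        # so that a single hack attempt scoring 100 blocks on its own.
        if sum(score for _, score in q) < self.threshold:
            return "allow"

        q.clear()                                  # the block resets this IP's window
        # ASSUMPTION: two blocks are "in a row" when the second one starts within
        # one window of the previous block expiring; otherwise the run restarts.
        if until is not None and ts <= until + self.window:
            self.block_runs[ip] += 1
        else:
            self.block_runs[ip] = 1
        if self.block_runs[ip] >= REPEAT_OFFENDER_BLOCKS:
            self.permanent.add(ip)
            return "permanent"
        self.blocked_until[ip] = ts + self.block
        return "block"


def replay(log_lines):
    """Feed constructed log lines of the form 'ts ip kind' and return the last
    action taken for each IP."""
    tracker = ScoreTracker()
    last = {}
    for line in log_lines:
        ts, ip, kind = line.split()
        last[ip] = tracker.record(ip, kind, int(ts))
    return last


if __name__ == "__main__":
    # Constructed sample: a scanner hitting 404s, then a hack attempt from another host.
    sample = ["0 198.51.100.8 not_found"] * 25 + ["5 203.0.113.9 hack"]
    for ip, action in replay(sample).items():
        print(ip, action)
```

The numbers in the class list fall out of the model directly: 99 legitimate requests in one window stay under the threshold, twenty-odd 404s or four SSL errors plus a handful of ordinary requests reach it, and the 0.7 multiplier lets a WebRTC client generate well over a hundred socket errors before it is touched. Lowering `THRESHOLD` or `BLOCK_SECONDS` in the constructor is the quickest way to see how much headroom a given traffic mix has.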
Operational Flow
Monitoring and Management
Admins can customize the firewall configuration. The file /etc/iptables/rules.v4 is generated dynamically by McuManager, so editing it is pointless: it will be overwritten. Instead, admins can create the file /etc/iptables/rules.v4.default, which is permanent.
Example
Below is an example where the admin creates a custom firewall configuration, allowing IP 1.2.3.4/32 to connect to SSH port 22.
Example /etc/iptables/rules.v4.default file:
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m multiport --dports 48000:65535 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j DROP

COMMIT
This file is used as a template: McuManager generates /etc/iptables/rules.v4 from it, adding the security block rules alongside the custom rules specified by the admin.
The line directly above the "COMMIT" statement MUST always be left empty, as this is where the dynamic rules are added.
Warning: be sure to add your own IP to the whitelist to avoid locking yourself out.
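As an added example (not McuManager's own code), a small Python lint for a rules.v4.default template that checks the two things this section requires: that the line above COMMIT is empty, and that the admin's IP is accepted on tcp/22 before any rule that would reject or drop it. It also illustrates the template contract by placing block rules on that empty line. The template is the page's example embedded as constructed input; the rule form used for dynamic blocks (-I INPUT -s <ip> -j DROP) and the set of matches the lint understands (-i, -p, -s, --dport, --state) are assumptions, and the lint is a first pass over the page's template rather than a full iptables match engine.

```python
import ipaddress
import shlex

# The page's example template, embedded here as constructed input.
# The empty line above COMMIT is the one the page says must stay empty.
EXAMPLE_TEMPLATE = """*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m multiport --dports 48000:65535 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j DROP

COMMIT
"""


def _opts(rule):
    """'-A INPUT -s 1.2.3.4/32 ... -j ACCEPT' -> {'-s': '1.2.3.4/32', '-j': 'ACCEPT', ...}."""
    toks = shlex.split(rule)
    return {t: toks[i + 1] for i, t in enumerate(toks[:-1])
            if t.startswith("-") and not toks[i + 1].startswith("-")}


def _could_match_admin_ssh(o, admin_ip, port):
    """True if a new TCP connection from admin_ip to the given port can hit this rule.
    ASSUMPTION: only the matches used in the page's template are understood
    (-i, -p, -s, --dport, --state); anything else is treated as matching."""
    if o.get("-i") == "lo":
        return False
    if o.get("-p") not in (None, "tcp") or o.get("--dport") not in (None, port):
        return False
    if "--state" in o and "NEW" not in o["--state"].split(","):
        return False
    src = o.get("-s")
    return src is None or ipaddress.ip_address(admin_ip) in ipaddress.ip_network(src, strict=False)


def check_template(text, admin_ip, port="22"):
    """Lint a rules.v4.default template; an empty list means no problem was found."""
    lines = [ln.strip() for ln in text.splitlines()]
    problems = []
    if not lines or lines[0] != "*filter":
        problems.append("first line must be '*filter'")
    if "COMMIT" not in lines:
        return problems + ["missing COMMIT line"]
    commit = lines.index("COMMIT")
    if commit == 0 or lines[commit - 1] != "":
        problems.append("the line directly above COMMIT must be empty (dynamic rules go there)")
    # Chain order as iptables-restore builds it: -I rules land at the head
    # (the last -I ends up first), then the -A rules in file order.
    inserted = [ln for ln in lines[:commit] if ln.startswith("-I INPUT")]
    appended = [ln for ln in lines[:commit] if ln.startswith("-A INPUT")]
    for rule in inserted[::-1] + appended:
        o = _opts(rule)
        if not _could_match_admin_ssh(o, admin_ip, port):
            continue
        if o.get("-j") == "ACCEPT":
            return problems          # admin reaches SSH before any deny rule
        if o.get("-j") in ("REJECT", "DROP"):
            problems.append(f"'{rule}' blocks {admin_ip} on tcp/{port} before any ACCEPT for it")
            return problems
    problems.append(f"no ACCEPT rule for {admin_ip} on tcp/{port}")
    return problems


def render_rules(template, blocked_ips):
    """Place dynamic block rules on the empty line above COMMIT, as the page describes.
    ASSUMPTION: the exact rule McuManager writes is not on the page; '-I INPUT ... -j DROP'
    is used here so a block takes effect ahead of the template's ACCEPT rules."""
    lines = template.splitlines()
    commit = lines.index("COMMIT")
    dynamic = [f"-I INPUT -s {ip} -j DROP" for ip in blocked_ips]
    return "\n".join(lines[:commit - 1] + dynamic + lines[commit - 1:]) + "\n"


if __name__ == "__main__":
    print(check_template(EXAMPLE_TEMPLATE, "1.2.3.4"))   # []
    print(check_template(EXAMPLE_TEMPLATE, "5.6.7.8"))   # lockout: the REJECT on tcp/22 hits first
    print(render_rules(EXAMPLE_TEMPLATE, ["203.0.113.9"]))
```

Run `check_template` against the template with the address you administer from before installing it: the two cases it catches most often are a whitelist line placed after the `--dport 22 -j REJECT` rule and a template saved without the empty line above COMMIT. The last check in the test below also shows why the warning matters: once an admin's own address ends up in the dynamic block list, the generated rules shut that admin out regardless of the whitelist.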
See Also
- 3CX MCU & MCU Manager Troubleshooting
- 3CX MCU Network Configurations
- 3CX MCU On-Premise Meeting Recordings
- Quickstart - 3CX MCU Automatic Install
Last Updated
This document was last updated on 15 June 2024