Monitored Services

Background

Any computer system that is exposed to the internet risks being maliciously attacked through repeated attempts to log in to the system, often referred to as brute force attacks. Brute force attackers will repeatedly guess new username/password combinations in an attempt to gain unauthorized access to the system. The IP Block List feature has been added to the UCX software to reduce the potential impact of these brute force attacks by temporarily blocking connection requests originating from IP addresses associated with repeated incorrect login attempts. The Monitored Services page controls which services are monitored and the threshold criteria that determine when, and for how long, addresses are blocked.

The IP Block List feature is automatically installed and enabled through the standard UCX Software Update process. 

Monitored Services

The UCX software can monitor login attempts for the following services:

  • Telephony: monitors IP Addresses attempting to connect using some of the common protocols associated with UCX telephony
  • Secure Shell: monitors IP Addresses attempting to connect to the UCX using the SSH protocol
  • Web Server: monitors IP Addresses attempting to connect to the UCX web server

Once the UCX software has been updated, the IP Block List feature is enabled by default; however, only the Secure Shell and Web Server services are initially enabled.

Before you enable monitoring of the Telephony services, please make sure that there are no SIP-based devices (phones / softphones) attempting to register using an invalid password from a remote site with more than one user. All users at a remote site share the same (public) IP address of the site, so a single SIP device with an incorrect configuration would cause all users at that remote site to be banned from connecting to the UCX system. Alternatively, you can add the public IP address of each remote site where you have users with SIP phones to the Do Not Block field of the Telephony Service.

Action: Edit

Clicking the Edit button associated with any of the Monitored Services will allow you to change the Failed Attempt Limit, Block Time, Do Not Block entries, and the monitoring Status of that service.

Failed Attempt Limit: The number of consecutive times that an endpoint can enter incorrect credentials before being placed on the IP Block List.  (Default = 6 attempts)

Block List Time (hours): The length of time that the endpoint will be blocked from accessing the service. (Default = 24 hours)

 
Do Not Block: A manually entered list of IP Addresses and/or subnets (one per line) that will never be blocked from accessing this service. Subnets must be entered using standard CIDR notation (e.g., 192.168.1.0/24).

Note that there is no need to include E-MetroTel VPN addresses in any of the Do Not Block fields as UCX software automatically ensures that the E-MetroTel VPN subnet is never blocked.

Status: You can Enable or Disable each of the individual Monitored Services.

 

Note: when changes are made to the configuration of a monitored service by clicking the Save button, all current bans are removed and the new configuration is used to determine which IP addresses are to be blocked. This procedure may require some time to be completed (up to a minute or two). You will receive a message that the configuration has been updated once the processing of the configuration changes is finished.
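
The following Python sketch is an added illustration, not E-MetroTel or UCX code. It models how the Failed Attempt Limit, Block List Time and Do Not Block settings interact for the shared-public-IP remote site case described above. The class and function names are hypothetical, the sample addresses are constructed, and two behaviours are assumptions: a successful login resets the consecutive count, and the block is applied on the attempt that reaches the limit.

```python
import ipaddress
from datetime import datetime, timedelta

class MonitoredService:
    """Illustrative model of one service's block policy (not UCX code)."""
    def __init__(self, failed_attempt_limit=6, block_hours=24, do_not_block=""):
        self.limit = failed_attempt_limit
        self.block_time = timedelta(hours=block_hours)
        # One entry per line: a single address or a CIDR subnet.
        self.exempt = [ipaddress.ip_network(e.strip(), strict=False)
                       for e in do_not_block.splitlines() if e.strip()]
        self.failures = {}       # ip -> consecutive failed attempts
        self.blocked_until = {}  # ip -> time the block expires

    def is_exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.exempt)

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            return True
        self.blocked_until.pop(ip, None)  # block expired or never set
        return False

    def record_login(self, ip, success, now):
        """Return True if this source IP is blocked after the attempt."""
        if self.is_exempt(ip):
            return False
        if self.is_blocked(ip, now):
            return True
        if success:
            self.failures.pop(ip, None)  # assumed: a success resets the count
            return False
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.limit:  # assumed: block on reaching limit
            self.blocked_until[ip] = now + self.block_time
            del self.failures[ip]
            return True
        return False

def remote_site_demo(do_not_block=""):
    """One misconfigured SIP phone, then a valid user, behind one public IP."""
    svc, t0 = MonitoredService(do_not_block=do_not_block), datetime(2024, 1, 1, 9)
    site_ip = "203.0.113.10"  # constructed sample address
    for i in range(6):  # six wrong-password registrations from the bad phone
        svc.record_login(site_ip, False, t0 + timedelta(seconds=i))
    valid_user_blocked = svc.record_login(site_ip, True, t0 + timedelta(minutes=1))
    still_blocked_next_day = svc.is_blocked(site_ip, t0 + timedelta(hours=25))
    return valid_user_blocked, still_blocked_next_day
```

With the defaults, `remote_site_demo()` shows the valid user at the remote site being refused until the 24-hour block expires; passing the site's subnet as a Do Not Block entry, for example `remote_site_demo("203.0.113.0/28")`, leaves that site reachable.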