Any computer system that is exposed to the internet risks being maliciously attacked through repeated attempts to log in to the system, often referred to as brute force attacks. Brute force attackers will repeatedly guess new username/password combinations in an attempt to gain unauthorized access to the system.
The IP Block List feature has been added to the UCX software to reduce the potential impact of these brute force attacks by temporarily blocking the connection requests originating from those IP addresses associated with repeated incorrect login attempts. Control of what services are monitored and the threshold criteria for determining when and for how long to block addresses is provided on the Monitored Services page.
The IP Block List feature is automatically installed and enabled through the standard UCX Software Update Process.
IP Block List
The IP Block List page allows you to view information about sites that have been temporarily banned from accessing the UCX based on surpassing the threshold criteria set for your system in Monitored Services.
The IP Block List page includes the following details:
- IP Address: The IP address from which repeated attempts were made to connect to the UCX system with incorrect / invalid credentials.
- Location: The UCX attempts to identify the region from which the connection attempts originated using geo-location techniques. If no region can be identified, the field will be blank.
- Service: Identifies which of the Monitored Services was associated with the invalid connection attempts.
- Start Time: Shows the local UCX time at which the threshold criteria were exceeded and the IP address was placed on the IP Block List.
- End Time: Shows the time at which the IP Address will be removed from the IP Block List.
The actions that can be performed on this page are as follows:
Click the Update button to refresh the list. The UCX software will remove addresses whose ban has expired and add any newly blocked addresses to the list.
You may remove one or more items from the current list of blocked addresses by selecting them in the left hand check-box and then clicking the Delete button. You will be asked to confirm this action.
Once an IP Address has been removed from the list, all records associated with that address and service are removed. Subsequent attempts to connect via that address will be tracked, and the address will be added to the IP Block List again if the threshold criteria are once more surpassed. If you wish to prevent an IP Address from being placed on the IP Block List at all, you can add the IP address to the Do Not Block field associated with that service on the Monitored Services page.
You may filter the list to display records associated with a particular IP Address, Location, or Service using the Show Filter button, entering the search criteria, and clicking Apply.
Monitored Services
The UCX software can monitor login attempts for the following services:
- Telephony: monitors IP Addresses attempting to connect using some of the common protocols associated with UCX telephony
- Secure Shell: monitors IP Addresses attempting to connect to the UCX using the SSH protocol
- Web Server: monitors IP Addresses attempting to connect to the UCX web server
Before you enable monitoring of the Telephony services, please make sure that there are no SIP-based devices (phones / softphones) attempting to register using an invalid password from a remote site with more than one user. All users at a remote site share the same (public) IP address of the site, so a single SIP device with an incorrect configuration would cause all users at that site to be banned from connecting to the UCX system. Alternatively, you can add the public IP address of each remote site where you have users with SIP phones to the Do Not Block field of the Telephony Service.
Clicking the Edit button associated with any of the Monitored Services will allow you to change the Failed Attempt Limit, Block Time, Do Not Block entries, and the monitoring Status of that service.
Failed Attempt Limit: The number of consecutive times that an endpoint can enter incorrect credentials before being placed on the IP Block List. (Default = 6 attempts)
Block List Time (hours): The length of time that the endpoint will be blocked from accessing the service. (Default = 24 hours)
Do Not Block: A list of IP Addresses and/or subnets that are manually entered (one per line) that will never be blocked from accessing this service. Subnets must be entered using standard CIDR notation (e.g.,
Status: You can Enable or Disable each of the individual Monitored Services.
There is no need to include E-MetroTel VPN addresses in any of the Do Not Block fields as UCX software automatically ensures that the E-MetroTel VPN subnet is never blocked.
When changes are made to the configuration of a monitored service by clicking the Save button, all current bans are removed and the new configuration is used to determine which IP addresses are to be blocked. This procedure may require some time to be completed (up to a minute or two). You will receive a message that the configuration has been updated once the processing of the configuration changes is finished.
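The following Python sketch is an added illustration, not UCX code: it models how the Failed Attempt Limit, Block List Time and Do Not Block settings described above interact, and replays the shared-site-IP Telephony scenario with and without a Do Not Block subnet. The class and function names, the sample address, and the assumptions that a successful login resets the count and that the block starts when the count reaches the limit are all hypothetical.

```python
import ipaddress
from datetime import datetime, timedelta

class MonitoredService:
    """Toy model of one monitored service's settings (not UCX code)."""
    def __init__(self, failed_attempt_limit=6, block_hours=24, do_not_block=()):
        self.limit = failed_attempt_limit
        self.block_time = timedelta(hours=block_hours)
        # Do Not Block entries: single addresses or CIDR subnets.
        self.exempt = [ipaddress.ip_network(e, strict=False) for e in do_not_block]
        self.failures = {}  # ip -> consecutive failed logins
        self.blocked = {}   # ip -> (start_time, end_time)

    def is_exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.exempt)

    def is_blocked(self, ip, now):
        entry = self.blocked.get(ip)
        if entry and now >= entry[1]:
            del self.blocked[ip]  # End Time reached: ban expires
            return False
        return entry is not None

    def record_login(self, ip, success, now):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        if self.is_blocked(ip, now):
            return "blocked"
        if success:
            self.failures.pop(ip, None)  # assumption: success resets the count
            return "ok"
        if self.is_exempt(ip):
            return "failed"  # exempt addresses are never counted or blocked
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.limit:  # assumption: block on reaching the limit
            self.blocked[ip] = (now, now + self.block_time)
            del self.failures[ip]
            return "blocked"
        return "failed"

def simulate_remote_site(do_not_block=()):
    """Constructed scenario: a misconfigured SIP phone behind a shared site IP."""
    svc = MonitoredService(do_not_block=do_not_block)
    site_ip, t0 = "203.0.113.10", datetime(2024, 1, 1, 9, 0)  # constructed values
    for i in range(6):  # phone retries with a wrong password
        svc.record_login(site_ip, False, t0 + timedelta(seconds=i))
    during = svc.record_login(site_ip, True, t0 + timedelta(minutes=1))
    after = svc.record_login(site_ip, True, t0 + timedelta(hours=25))
    return during, after
```

`simulate_remote_site()` shows a second user with valid credentials being refused until the ban expires, while `simulate_remote_site(["203.0.113.0/24"])` shows the same user unaffected once the site's subnet is exempt.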