Log Watch and Ban
Log Watch + Ban Service
This feature allows the PBX to monitor the SIP registration traffic and ban any IP address that makes 5 failed registration attempts. The IP address will be banned for either 3 days or until the service is restarted. Configuration settings allow you to ignore (not monitor) IP addresses attempting registration, as well as allowing you to manually add addresses you want the system to ignore. If you set up an Admin Email Address under PBX Setup>General and have Unified Messaging configured, the PBX will send you an email any time an IP address is banned via this feature. Follow this link to see what a Ban Email will look like.
TLDR: Log Watch+Ban protects the PBX from hacking attempts by restricting access from outside IP addresses.
PRO Tip: If you are troubleshooting a single remote phone that has gone offline, this feature could be the reason. Confirm the user's IP address and make sure it's in the ignore list.
Enable Log Watch + Ban Service
Steps:
- From the PBX Setup->General page, locate the Security Settings
(use the Ctrl+F feature in your browser to search for the word "security" if you are having trouble scrolling to it). - Enable the Log Watch Ban Service by setting the parameter to “Yes” on the drop-down list.
- Click the "Save Changes" button at the bottom of the page to save the changes. Be sure to also click "Apply Changes" at the top right to put the changes into effect.
Once you have enabled the Log Watch/Ban Services, you will be able to configure the parameters for the security settings.
Settings
The following screenshot and table describes the settings for the Log Watch and Ban feature.
| Service is currently Running |
This indicates the status of the service, either Running or Not Running. |
| Reload Button |
Restarts the Ban service, clearing any existing banned IP addresses. |
| Enable Log Watch & Ban Service |
Set to Yes and the PBX will monitor failed SIP registration attempts. 5 failed attempts and the IP is blocked for:
|
| Ignore IPs in SIP LocalNets |
If set to Yes, this service will not ban IP addresses which have been specified in PBXSetup>SIP. When set to No, all IP addresses will be banned after three failed attempts to register unless they are entered into the "Ignoring Addresses" list below. |
| Ignoring Addresses |
Lists the addresses that were manually entered to be ignored in regards to failed SIP registration attempts. |
| Add Entry |
Enter the IP addresses you wish to be ignored by the PBX in regards to failed SIP registration attempts. The IP address field will accept many different formats of IP address (e.g. - 10.0.0.1/24 is accepted as well as 192.168.1.1). |
Be sure to Use the "Save Changes" button at the bottom of the page and the "Apply Changes" button at the top right to commit any of these settings changes to the database
Disable Log Watch + Ban Service
Steps:
- From the PBX Setup->General page, locate the Security Settings (use the Ctrl+F feature in your browser to search for the word "security" if you are having trouble scrolling to it).
- Disable the Log Watch Ban Service by setting the parameter to “No” on the drop-down list.
- Click the "Save Changes" button at the bottom of the page to save the changes. Be sure to also click "Apply Changes" at the top right to put the changes into effect.
It should be noted that the Log Watch is not intended to be the only line of defense for security. It is best practice, if you are being attacked by an intruder, to permanently ban the offending IP address at the router/firewall level. This keeps the problem traffic off your LAN.