PBX Compromised

A forum for Switchvox SMB and Switchvox SOHO users to ask questions and get advice from other users


PBX Compromised

Postby hh2011 » Fri Jun 15, 2012 8:30 am

I believe my PBX was compromised last night.


Anyone have any issues like this?
hh2011
Oldsterisk
 
Posts: 142
Joined: Mon Aug 01, 2011 12:58 pm

Re: PBX Compromised

Postby hh2011 » Fri Jun 15, 2012 8:46 am

Ok, def had one of our extensions compromised...

It called about 15k people yesterday and was prompting people for information.
hh2011
Oldsterisk
 
Posts: 142
Joined: Mon Aug 01, 2011 12:58 pm

Re: PBX Compromised

Postby sterlingmarking » Fri Jun 15, 2012 12:26 pm

It's not a good idea to put your PBX on the internet.
Jesse Carlton
Systems Administrator
Sterling Marking Products Inc.
sterlingmarking
Oldsterisk
 
Posts: 100
Joined: Mon Mar 22, 2010 9:42 am
Location: London, Ontario

Re: PBX Compromised

Postby hh2011 » Fri Jun 15, 2012 2:50 pm

It's not a good idea to put anything on the public internet, but unfortunately I have a very distributed topology.
hh2011
Oldsterisk
 
Posts: 142
Joined: Mon Aug 01, 2011 12:58 pm

Re: PBX Compromised

Postby Josh_E » Fri Jun 15, 2012 4:35 pm

Unless your system is behind a firewall of some kind, your options for securing it are pretty limited.

Basically your options are:

- Ensure all extensions have extremely strong passwords for both SIP registration and Voicemail

- Lock down the Access Controls in order to limit as much traffic as possible.

- Modify the auto-lock out settings to allow for fewer failed attempts. The default lockout is 5 attempts, the default IP block is 10. If a system is not behind any kind of security then it's probably best to reduce this to 1 or 2 attempts max.


Ultimately, your best option is to protect your system behind a firewall. Breaking a SIP registration or VM password isn't especially hard. Considering the large variety of actions possible using the API interface of Switchvox, if someone knowledgeable is able to gain access to your system then it could cost you a lot of money in a very short period of time.
Josh_E
Oldsterisk
 
Posts: 204
Joined: Tue Apr 27, 2010 1:41 pm

Re: PBX Compromised

Postby sterlingmarking » Mon Jun 18, 2012 11:19 am

What is your topology like? We have an MPLS connection between our 6 branches and our VoIP provider. If it was necessary to have a connection over the internet we would use firewall ACLs to only allow certain IPs access to the PBX, or set up IPsec tunnels between the users and the box. We have PIX 501s (about $40 on eBay) that we can set up to create a permanent connection to a user's home network.
Jesse Carlton
Systems Administrator
Sterling Marking Products Inc.
sterlingmarking
Oldsterisk
 
Posts: 100
Joined: Mon Mar 22, 2010 9:42 am
Location: London, Ontario

Re: PBX Compromised

Postby hh2011 » Mon Jun 18, 2012 11:29 am

The system is behind a firewall. SIP is open to the public as I have mobile users and such. The flexibility of the system is one of the reasons we chose it.

We have 37 locations with a single end point at each. Another few locations have a couple of phones; these are interconnected with a VPN. The other locations are not.


We changed the VM passwords and disabled access to the mobile app and API from outside the network.
hh2011
Oldsterisk
 
Posts: 142
Joined: Mon Aug 01, 2011 12:58 pm

Re: PBX Compromised

Postby sterlingmarking » Tue Jun 19, 2012 7:15 am

When we first set up our machine it was connected to the public internet, and we got hammered by DoS attacks. Even with secure passwords it brought the machine to a crawl. I don't think the built-in ACLs were robust enough then to block multiple attempts, so we took off the public IP.

You say you have mobile users so you need the public access; do you mean mobile app users or home users with a SIP phone? If you can get all your traffic on VPN that would be ideal. We have BlackBerry users that use the Switchvox app and the connection is handled through BES.

Any laptop users should be using a VPN with softphone or a hardware VPN (router or firewall) where possible.
Jesse Carlton
Systems Administrator
Sterling Marking Products Inc.
sterlingmarking
Oldsterisk
 
Posts: 100
Joined: Mon Mar 22, 2010 9:42 am
Location: London, Ontario

Re: PBX Compromised

Postby hh2011 » Tue Jun 19, 2012 8:22 am

I have tightened my ACLs on my firewall and pbx.

I have literally blocked all the Chinese IP addresses. I am killing the SIP softphones for now and using some more creative ACLs to restrict access.

Went through and changed all the VM passwords. Some users had set the passwords to match the extension; I believe this is where access was gained.
hh2011
Oldsterisk
 
Posts: 142
Joined: Mon Aug 01, 2011 12:58 pm
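A quick audit for the weak voicemail PIN pattern hh2011 found (PIN set to the extension number), added here as an example and not code from the thread or from Switchvox; the six-digit minimum and the sample extensions are assumptions:

```python
# Added example (not Switchvox code): audit voicemail PINs for the weak patterns the
# thread describes, in particular a PIN that simply matches the extension number.
from typing import Dict, List

MIN_PIN_LENGTH = 6  # assumed local policy; the thread states no minimum length


def is_sequential(digits: str) -> bool:
    """True for runs like 1234 or 4321 (each digit one more or one less than the previous)."""
    steps = [int(b) - int(a) for a, b in zip(digits, digits[1:])]
    return len(digits) > 1 and (all(s == 1 for s in steps) or all(s == -1 for s in steps))


def pin_weaknesses(extension: str, pin: str) -> List[str]:
    """Return the names of every weak pattern that applies to this extension's PIN."""
    if not pin.isdigit():
        return ["non-numeric"]
    problems = []
    if pin == extension:
        problems.append("matches-extension")
    elif pin == extension[::-1]:
        problems.append("reversed-extension")
    elif extension in pin:
        problems.append("contains-extension")
    if len(pin) < MIN_PIN_LENGTH:
        problems.append("too-short")
    if len(set(pin)) == 1:
        problems.append("repeated-digit")
    if is_sequential(pin):
        problems.append("sequential")
    return problems


def audit(voicemail_pins: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each extension that has at least one weakness to its list of weaknesses."""
    report = {}
    for ext, pin in voicemail_pins.items():
        found = pin_weaknesses(ext, pin)
        if found:
            report[ext] = found
    return report


if __name__ == "__main__":
    # Constructed sample data, not real extensions or PINs.
    sample = {"201": "201", "202": "1234", "203": "302", "204": "839217", "205": "111111"}
    for ext, issues in audit(sample).items():
        print(f"extension {ext}: {', '.join(issues)}")
```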

Re: PBX Compromised

Postby hh2011 » Tue Jun 19, 2012 8:27 am

Palestine will be the next country I block.
hh2011
Oldsterisk
 
Posts: 142
Joined: Mon Aug 01, 2011 12:58 pm

Re: PBX Compromised

Postby hh2011 » Tue Jun 19, 2012 8:48 am

I also changed the blocking options.
hh2011
Oldsterisk
 
Posts: 142
Joined: Mon Aug 01, 2011 12:58 pm

Re: PBX Compromised

Postby hiltonmw » Fri Jun 29, 2012 7:26 am

I was going to say, make sure your ACLs have "Never Block IPs" set to NO for "All Networks"; this way your Block IP rules will fire properly and prevent unauthorized hacking attempts. Strong passwords are a must, for both phone passwords (if they were set manually) and voicemail. Also, I'd probably lock down the Admin GUI from All Networks. Wherever possible, I would suggest you either set up softphones with a VPN tunnel or use static IPs at employees' homes, etc., to restrict as best as possible how many open IPs you're allowing through your firewall and ultimately to the Switchvox.

It's nice to plop the Switchvox open to the internet, to allow anyone from anywhere to connect (without having to use a VPN), but in this day and age any device that's essentially out on the open internet is ripe for the picking/hacking.

We use physical VPN devices for our remote users, that only require web access on their end to tunnel back to us. From there, they can plug in their laptops, physical phones, etc. It makes securing access to our internet systems a breeze and very easy for our employees to 'set up'... just plug it in to an internet connection and away they go.
hiltonmw
Oldsterisk
 
Posts: 165
Joined: Mon Apr 30, 2012 1:30 pm
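An added example, not Switchvox's own code, modelling the auto-block settings Josh_E describes (the failed-attempt threshold) together with the "Never Block IPs" pitfall hiltonmw raises; the log line format, the 10-minute window and the sample addresses are assumptions:

```python
# Added example (not Switchvox code): a minimal model of the auto-block behaviour
# the thread describes, run over constructed failed-registration log lines. It shows
# why a lower attempt threshold matters and why a "Never Block IPs" rule that covers
# all networks disables blocking entirely. Log format and the 10-minute window are assumptions.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

LOG_RE = re.compile(r"^(\S+ \S+) REGISTER failed for '(\d+)' from ([\d.]+)$")


def failed_registrations(lines: Iterable[str]):
    """Yield (timestamp, extension, source_ip) for each failed-registration line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def blocked_ips(lines: Iterable[str], max_attempts: int = 5, window_minutes: int = 10,
                never_block: Iterable[str] = ()) -> Dict[str, str]:
    """Return {ip: time_blocked} for sources that reached max_attempts failures in the window.
    never_block lists CIDR networks exempt from blocking; "0.0.0.0/0" exempts every source."""
    exempt = [ipaddress.ip_network(n) for n in never_block]
    window = timedelta(minutes=window_minutes)
    recent: Dict[str, List[datetime]] = defaultdict(list)
    blocked: Dict[str, str] = {}
    for ts, _ext, ip in failed_registrations(lines):
        if ip in blocked or any(ipaddress.ip_address(ip) in net for net in exempt):
            continue  # already blocked, or exempt: exempt sources are never even counted
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= max_attempts:
            blocked[ip] = ts.strftime("%Y-%m-%d %H:%M:%S")
    return blocked


# Constructed sample: one remote user mistyping once, one source hammering extension 201.
SAMPLE_LOG = """2012-06-14 22:01:03 REGISTER failed for '201' from 198.51.100.7
2012-06-14 22:01:04 REGISTER failed for '201' from 203.0.113.9
2012-06-14 22:01:05 REGISTER failed for '201' from 203.0.113.9
2012-06-14 22:01:06 REGISTER failed for '201' from 203.0.113.9
2012-06-14 22:01:07 REGISTER failed for '201' from 203.0.113.9
2012-06-14 22:01:08 REGISTER failed for '201' from 203.0.113.9""".splitlines()

if __name__ == "__main__":
    print("default (5 attempts):", blocked_ips(SAMPLE_LOG))
    print("tightened (2 attempts):", blocked_ips(SAMPLE_LOG, max_attempts=2))
    print("Never Block IPs = All Networks:", blocked_ips(SAMPLE_LOG, never_block=["0.0.0.0/0"]))
```

Lowering the threshold to 1 also blocks the legitimate user's single typo, which is the trade-off behind Josh_E's "1 or 2 attempts max".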

Re: PBX Compromised

Postby brucexx » Tue Jul 17, 2012 12:03 pm

That is an interesting post. I understand the caution but the reality is that clients want to have their phones taken home or on a trip and connect them to the system to make or receive calls.

Limiting the Access Control is first; very good suggestion to turn off the API. I would also turn off whatever you do not need, like IAX (if using SIP only), printing, web admin portal (you get the idea). The VPN is the best solution but in the majority of cases not feasible from a financial perspective for a remote worker. SNOM has a few phones that support VPN (built into the phone) but SNOM phones never worked as they should so we never used them - I personally tested a few models. I wish Digium's new phones had a VPN option.

Firewall setup is also important. I would allow only geographically local IPs to go through (only US if you are in the US) but this can be misleading - there are many zombie computers in the US that can be controlled by hackers from abroad. A DoS setting on your firewall is a must unless you want some teenager who does not know what to do with their time to play with your system resources. As for other settings like IPS, I have not checked in a while. I was always told that these settings can mess with the SIP protocol. I actually need to test it now with the new firmware on the firewalls we sell.

I have seen only one system hacked, on a 4.X-something firmware version (this was before the ACL on Switchvox). The hacker used brute force to register to an extension. We found out from the carrier, who found it suspicious that we were calling Romania out of the blue - and they were right. I have seen some attempts across the 30 Switchvoxes we are managing but they were all stopped by the ACL on the system. It is a good policy to check the system for an unusual number of calls or some strange calls that failed in the Error Log. We are using a mix of Firewall/ACL/Common sense - for example, what we do is disallow every extension from using the "International Calls" rule and make it only available to call through an IVR (sometimes password protected); also we set "Never Block IPs" to "off" on the Local Network.

Strong password policies are common sense too...
brucexx
Oldsterisk
 
Posts: 62
Joined: Tue May 15, 2012 11:17 am
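An added example, not from the thread or from Switchvox, of the call-record check brucexx recommends: it flags an extension with an unusual outbound call volume and any international dialing from an extension that should not have the "International Calls" rule; the CSV export format, the thresholds and the dial prefixes are assumptions:

```python
# Added example (not Switchvox code): a nightly check over an exported call-record
# CSV for the two warning signs the thread describes: an extension suddenly placing
# far more outbound calls than usual, and international destinations dialed from an
# extension that should not have the "International Calls" rule. Format and
# thresholds are assumptions.
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List, Set, Tuple

INTL_PREFIXES = ("011", "00", "+")  # assumed trunk prefixes for international dialing


def constructed_cdr_csv() -> str:
    """Build a constructed CDR export: one normal extension and one dialing out in bulk."""
    lines = ["date,hour,extension,dialed,disposition",
             "2012-06-14,09,201,5551230001,ANSWERED",
             "2012-06-14,10,201,5551230002,NO ANSWER"]
    for i in range(150):  # 150 attempts in one hour to constructed 011-prefixed numbers
        lines.append(f"2012-06-14,22,203,01140212{i:06d},{'FAILED' if i % 3 else 'ANSWERED'}")
    return "\n".join(lines) + "\n"


def parse_cdr(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(StringIO(text)))


def outbound_per_hour(records: List[Dict[str, str]]) -> Counter:
    """Count outbound attempts per (date, hour, extension); failed attempts count too."""
    return Counter((r["date"], r["hour"], r["extension"]) for r in records)


def alerts(records: List[Dict[str, str]], max_per_hour: int = 60,
           intl_allowed: Set[str] = frozenset()) -> List[Tuple[str, str]]:
    """Return (extension, reason) pairs that merit a human look."""
    found = []
    for (date, hour, ext), n in sorted(outbound_per_hour(records).items()):
        if n > max_per_hour:
            found.append((ext, f"{n} outbound attempts on {date} hour {hour} (limit {max_per_hour})"))
    intl = sorted({r["extension"] for r in records
                   if r["dialed"].startswith(INTL_PREFIXES) and r["extension"] not in intl_allowed})
    for ext in intl:
        found.append((ext, "dialed an international number without the International Calls rule"))
    return found


if __name__ == "__main__":
    for ext, reason in alerts(parse_cdr(constructed_cdr_csv())):
        print(f"extension {ext}: {reason}")
```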

Re: PBX Compromised

Postby rewart01 » Sat Aug 04, 2012 2:23 pm

I have some users that need to access my VoIP system from mobile phones (not a Switchvox, but irrelevant for this discussion). The phones are Droid smartphones, with a softphone running on them.

However, I lock down my system by IP to block the brute-force idiots. So, how to allow access to this group of road warriors?

I purchased DynDNS Pro from dyn.org and put the DynDNS client on the phones, with a host that has a very short TTL (20 seconds). I then have rules in my Sonicwall firewall set to allow traffic from the fully qualified domain name that corresponds with the mobile phones.

Reregistration after changing networks and having the DynDNS client update takes 30 seconds or so - fast enough that nobody really notices.

Of course, YMMV, but for us it seems to work really well.

Hope that helps.
Rick
rewart01
Newsterisk
 
Posts: 3
Joined: Sat Aug 04, 2012 2:08 pm

