Attack on my IP Office 1

Status
Not open for further replies.

edlee321

I attached an image. Does this mean someone is trying to gain access to my system?

8/8/2016 3:32:10 PM >999 Logon failed due to incorrect userId/password.
Application: VoIP Extension
Number: 3914

8/8/2016 3:11:51 PM 220 Access temporarily blocked due to repeated authentication failures
VoIP Client IP Address: 163.172.194.73
Lockout Time: 300 seconds

I just set up application server/One X Portal/VM Pro for the first time last week, and opened a bunch of ports for it.

The address trying to log into my network is out of Europe, and I am based in the USA.
 
 http://files.engineering.com/getfile.aspx?folder=e7adbbda-3713-40ae-b1e2-2eb8e6aacfb6&file=avaya.jpg
I guess you opened the wrong ports... So disable port forwarding immediately. Tell us what you want to achieve and we can talk about what to do... And for sure check the necessary docs.
 
My main use is Avaya Communicator for Web, and sometimes OneX Preferred mobile on my Android device.

Just as a note, my public IP cannot be pinged.

These are the ports I have opened:
ALL TCP 5060:5061 IP500V2 5060:5061
ALL UDP 5060:5061 IP500V2 5060:5061
ALL TCP 1719:1720 IP500V2 1719:1720
ALL UDP 49152:53246 IP500V2 49152:53246
ALL TCP 5222 ApplicationSever 5222
ALL TCP 5269 ApplicationSever 5269
ALL TCP 8080 ApplicationSever 8080
ALL TCP 8444 ApplicationSever 8444
ALL TCP 8063 ApplicationSever 8063
ALL TCP 8443 ApplicationSever 8443
ALL TCP 7070 ApplicationSever 7070
ALL UDP 7070 ApplicationSever 7070
ALL TCP 7443 ApplicationSever 7443
ALL UDP 7443 ApplicationSever 7443
ALL TCP 9443 ApplicationSever 9443
ALL UDP 9443 ApplicationSever 9443
ALL UDP 58002:60002 ApplicationSever 58002:60002
ALL TCP 7071 ApplicationSever 7071
ALL UDP 7071 ApplicationSever 7071
 
There's your problem.
You will always get people trying to hit your system when UDP 5060 is open.
Also, you have a HUGE range for NAT RTP open. Reduce it to 49152:50500, anything higher will overlap IPO service ports.

If you're going to put it on the internet, make sure you have SSL certs, and GOOD passwords for each extension.

-Austin
I used to be an ACE. Now I'm just an Arse.
 
You don't know what you are doing, right?

Should I search for the guide to connect remote workers (1XM preferred) and Communicator for Web or will you search yourself?
 
Hey derfloh, I followed the guide step by step on which ports need to be open; it gave the exact range of ports in the guide.

I understand that it's too many, but I didn't make it up out of thin air.
 
The problem is that the bad guys also have access to that manual and now know the ports that Avaya tells you to open. It is best to change the port range you use to make it harder on them.
 
1719, 1720, 8080, 7070, 7071 are definitely not in a guide for 1XMobile or Communicator for Web...
 
I read them in different setup guides, whether it was for OneX Portal, or Communicator for Web, remote H.323 extension, application server.
I attached a snapshot from each guide.

Basically, can you tell me which ports I should open for Communicator for Web, 1XMobile and remote extension, and I will come up with different ports for the SIP and RTP port range.
 
 http://files.engineering.com/getfile.aspx?folder=94eec7a5-5af5-4051-a166-8cd0abfb3be0&file=avaya4.jpg
I would set up VPNs and use those, it will never be fully secure using port forwarding I'm afraid :)

 
Correct Andy.

You should need RTP NAT UDP Port range for speech (2 ports for every concurrent call) and check IPO port matrix to not match any of the ports used by applications like Manager, SSA, SysMon etc...

You also need 5061/TCP for Communicator (Fat client/iPad) and 5222/TCP if you want OneX Portal presence and IM.

For 1XM you need TCP 5222, 8069, 8444, 5061 and the NAT RTP range.

For Avaya Communicator for Web I'm not sure. It uses 9443 but I don't know if more is needed.
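
Added example, not part of any poster's reply: a short Python audit that compares a port-forward list with the ports the replies above say are needed, and reports what is exposed beyond them. The `ALLOWED` list is an assumption assembled from this thread (with 9443 assumed to be TCP), not an Avaya port matrix, and the function names are hypothetical.

```python
# Added example: audit NAT port forwards against the ports named in the replies.
# ALLOWED is an assumption assembled from this thread, not an Avaya port matrix;
# 9443 is assumed to be TCP because the thread gives no protocol for it.
ALLOWED = [
    ("TCP", 5061, 5061), ("TCP", 5222, 5222), ("TCP", 8069, 8069),
    ("TCP", 8444, 8444), ("TCP", 9443, 9443),
    ("UDP", 49152, 50500),  # reduced NAT RTP range suggested in the thread
]

# Sample input: a subset of the forwarding rules posted in the thread.
RULES = """\
ALL UDP 5060:5061 IP500V2 5060:5061
ALL TCP 5060:5061 IP500V2 5060:5061
ALL TCP 1719:1720 IP500V2 1719:1720
ALL UDP 49152:53246 IP500V2 49152:53246
ALL TCP 5222 ApplicationSever 5222
ALL TCP 8080 ApplicationSever 8080
ALL TCP 8444 ApplicationSever 8444
ALL TCP 9443 ApplicationSever 9443
ALL UDP 9443 ApplicationSever 9443
"""

def parse_rules(text):
    """Yield (proto, low, high, target) from 'SRC PROTO PORTS TARGET PORTS' lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        _src, proto, ext, target, _internal = parts
        low, _, high = ext.partition(":")
        yield proto.upper(), int(low), int(high or low), target

def uncovered(proto, low, high):
    """Return the sub-ranges of low..high that no ALLOWED entry covers."""
    gaps, cursor = [], low
    for a_proto, a_low, a_high in sorted(ALLOWED):
        if a_proto != proto or a_high < cursor or a_low > high:
            continue
        if a_low > cursor:
            gaps.append((cursor, a_low - 1))
        cursor = max(cursor, a_high + 1)
    if cursor <= high:
        gaps.append((cursor, high))
    return gaps

def audit(text):
    """List every forwarded (proto, low, high, target) span outside ALLOWED."""
    return [(proto, g_low, g_high, target)
            for proto, low, high, target in parse_rules(text)
            for g_low, g_high in uncovered(proto, low, high)]

if __name__ == "__main__":
    for proto, low, high, target in audit(RULES):
        span = str(low) if low == high else f"{low}:{high}"
        print(f"review {proto} {span} -> {target}")
```
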
 
You can use an SBC for secure communication or use VPN.
I installed one lately and when I looked in the SBC monitor I could see that every few seconds a new attack was made.
 