
Foreign hacking attempts constantly

Status
Not open for further replies.

safenestvmem

Technical User
Nov 16, 2019
96
US
Hello, I've got an Avaya IP Office 500 V2 9.1 with primarily digital handsets, but we do have 10 off-site 9608 handsets.

Up until recently we hadn't had a problem, but now we have been getting event notifications of constant attempts to log in to the manager using various credentials. These are all coming from foreign IP addresses from other countries.

We have very complex passwords to protect us, but I'm wondering if there is any way for me to turn off this specific access, since we do not use remote access to the system for configuration using Manager; we only use a local PC in the phone room for programming. Many thanks.
 
How will this affect our 9608 off-site handsets and our voicemail to email?
 
VPN your 9608s or set them up properly as remote extns with security.
 
Have a look at Geo-IP Filtering if your firewall supports it.
 
safenestvmem said:
we do have 10 off site 9608 handsets

Based on that and your thread I am assuming you have the IPO directly on a public IP, which is why you are having hack attempts. You should NEVER put your IPO on a public IP for this very reason: they will attempt to hack you and likely, at some point, eventually will hack you. The problem is I am betting you don't have the licensing to do remote worker the right way. You only get 4 remote workers for free and after that you need user licenses (like Power User), which requires Preferred Edition. This is likely one reason this was done this way (the wrong way, mind you) in the first place.

Since you likely could only have 4 remote workers, you will likely have to set up a VPN on your firewall and then either VPN through the phone (which can be a pain) or use a site-to-site VPN if all the remote phones are at one location. You are looking at a lot of work and some hardware needed to do this the right way and really lock it down securely. How you have it set up (we are guessing, but it's likely based on the info) should have never been set up that way and will end up costing you and/or the customer in the end.

I attached where in the security guidelines it specifically tells you not to do this.



The truth is just an excuse for lack of imagination.
 
 https://files.engineering.com/getfile.aspx?folder=9f7eaf49-b215-4b7a-b343-96677591e689&file=Public_IP_Platform_Security_Guidelines_IPO.jpg
Sounds like you don't have a firewall between the IPO and your internet connection (router).

I would very strongly advise installing one.

Biglebowskis Razor - with all things being equal if you still can't find the answer have a shave and go down the pub.
 
Block the administrative ports, they're in the upper default range of the 48-53xxx ports, stupid implementation on Avaya's side.

______________________
|........................................|
|.....i.eat.bunny.children......|
|______________________|
(\__/) ||
(•Y•). ||
/ < )<||
 
It is stupid, and that is why Avaya changed the defaults (after some pressure from members on this forum!!) to 40750-50750 (SE) or 46750-50750 (500) at R9.1 or R10 (can't recall).

The real issue was that only UDP needed to be forwarded in this upper range, but many people/dealers/engineers/firewall guys didn't have a clue, so forwarded TCP & UDP to be 'sure'. Hence you got admin ports 50790-50814 TCP sent through from the internet.

To sort this, either change your RTP range on the IPO and firewall to match. May as well use the new defaults of 46750-50750 UDP for your RTP, and trim down to your actual needs. Don't push TCP through on these ports.

Or like others have suggested, you lumped a public IP on LAN 2. Which is very stupid indeed.

Either way, you ARE still going to get people trying to register phones, no way to stop it (without VPN anyway!). Only way to address this is with a proper security policy for passwords.

Every system we have, either with or without an SBC, is getting attempts all the time to register a phone. They just don't succeed!!!

Jamie Green

Avaya Registered Specialist Engineer
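
Added example, not part of the original thread or any poster's code: a small audit of inbound port-forward rules against the two ranges quoted in the post above (46750-50750 UDP for RTP on a 500, 50790-50814 TCP for admin). The one-line rule format and the sample rules are constructed for illustration; export your firewall's forwards into that shape before running it.

```python
"""Audit inbound port-forward rules against the ranges given in the thread."""
from typing import NamedTuple

# Ranges quoted in the thread for an IP Office 500.
RTP_UDP = (46750, 50750)      # new default RTP range, UDP only
ADMIN_TCP = (50790, 50814)    # admin ports that must not face the internet


class Forward(NamedTuple):
    proto: str   # "tcp" or "udp"
    lo: int
    hi: int


def parse_rule(line: str) -> Forward:
    """Parse the constructed rule format '<proto> <lo>-<hi>' or '<proto> <port>'."""
    proto, ports = line.split()
    lo, _, hi = ports.partition("-")
    fwd = Forward(proto.lower(), int(lo), int(hi or lo))
    if fwd.proto not in ("tcp", "udp") or not 0 < fwd.lo <= fwd.hi <= 65535:
        raise ValueError(f"bad rule: {line!r}")
    return fwd


def overlaps(fwd: Forward, rng: tuple[int, int]) -> bool:
    """True when the forwarded port span intersects the given range."""
    return fwd.lo <= rng[1] and rng[0] <= fwd.hi


def audit(lines: list[str]) -> list[str]:
    """Return one finding per rule that exposes more than RTP needs."""
    findings = []
    for line in lines:
        fwd = parse_rule(line)
        if fwd.proto == "tcp" and overlaps(fwd, ADMIN_TCP):
            findings.append(f"{line}: exposes admin TCP ports {ADMIN_TCP[0]}-{ADMIN_TCP[1]}")
        elif fwd.proto == "tcp" and overlaps(fwd, RTP_UDP):
            findings.append(f"{line}: TCP forwarded in the RTP range, only UDP is needed")
        elif fwd.proto == "udp" and overlaps(fwd, RTP_UDP) and (
                fwd.lo < RTP_UDP[0] or fwd.hi > RTP_UDP[1]):
            findings.append(f"{line}: UDP forward wider than RTP range {RTP_UDP[0]}-{RTP_UDP[1]}")
    return findings


# Constructed sample rules (not from the thread).
SAMPLE = ["udp 46750-50750", "tcp 46750-53246", "udp 45000-53246", "tcp 5061"]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

If you have trimmed the RTP range on the IPO below the default, set `RTP_UDP` to match so wider-than-needed UDP forwards are flagged too.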
 