Well the absolute worst nightmare in the IP Office world has become a reality. My 9.0.4 system has been bootlegged. I was looking over my SIP accounts and found that one of my customers had placed 335 outbound calls over a 12 hour period. The only red flag was that the time period that this anomaly occurred was 7 P.M. to 7 A.M....WHAT!!!!! Sure enough, there were calls to countries I can't even begin to pronounce, let alone even heard of. alls to US only, but in less than an hour, they started to make US bound calls; that is only a very small "issue"; they added 83 SRS routes,so all in-bound calls to customer come back as 486 system busy, no lines available. HHHEEEEELLLLLLPPPPPPPP !!!!!!!!!!!!!!!!!!!!!
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
hacked or compromised IP Office 500 V2 SIP 2
- Thread starter commnorth
- Start date
-
1
- #2
Change all passwords to start with.
Change the IP route to the outside and only allow the provider.
Put a firewall in front and only allow SIP ports or use a SBC.
Can you see if there is a change mentioned in the audit trial?
BAZINGA!
I'm not insane, my mother had me tested!
Change the IP route to the outside and only allow the provider.
Put a firewall in front and only allow SIP ports or use a SBC.
Can you see if there is a change mentioned in the audit trial?
BAZINGA!
I'm not insane, my mother had me tested!
- Thread starter
- #5
-
1
- #6
The 0.0.0.0 route will allow connection from any IP address on this planet.
The narrower (as close to the remote end as possible) you make your IP routes, the better.
If you have a SIP provider initiating traffic, from only a single public IP for the SBC, then that IP is what you put in your route. (And don't forget the MASK)
Kind regards
Gunnar
_______
B.U.B.F
The narrower (as close to the remote end as possible) you make your IP routes, the better.
If you have a SIP provider initiating traffic, from only a single public IP for the SBC, then that IP is what you put in your route. (And don't forget the MASK)
Kind regards
Gunnar
_______
B.U.B.F
trinetintl
Vendor
We also changed the ARS to block all international outbound calls except for the ones normally used based on somebody's suggestion on this forum.
RE
APSS - SME
ACIS - SME
RE
APSS - SME
ACIS - SME
- Thread starter
- #8
1) Call in a COMPETENT Maintainer!
2) Make sure your IPO is behind a firewall & is not visible to the Public internet
3) Change all system password & security password
4) Set strong passwords for all users
5) Call in a COMPETENT maintainer ( I Know this is the same as Point 1 but it is really important!)
A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
2) Make sure your IPO is behind a firewall & is not visible to the Public internet
3) Change all system password & security password
4) Set strong passwords for all users
5) Call in a COMPETENT maintainer ( I Know this is the same as Point 1 but it is really important!)
A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
They have access to your system, which means that either you have a public ip address on your system or you forward all the ports from the firewall to the ip office."
Not to mention default passwords.
APSS/ACIS/ACSS-SME
not arrogant, just succinct.
Not to mention default passwords.
APSS/ACIS/ACSS-SME
not arrogant, just succinct.
If your SIP provider's address is 123.123.123.123, you would add a route that says: 123.123.123.123 mask 255.255.255.255, gateway whatever the next hop router is, and of course the appropriate LAN interface.
The 255.255.255.255 mask specifies a SINGLE host rather than all hosts (which is 0.0.0.0/0.0.0.0). This way the IPO can't get to the internet at large, it can only use that hop to get to the SIP provider. By doing this, it cannot respond to any incoming SIP requests from anything but that SIP provider's IP - the IPO doesn't know how to talk back as there's no route.
By doing this you can still have a public IP address assigned to one of the IPO's ports and still be relatively secure.
You should still change all the default passwords, don't forget about the "security" and "system" defaults too.
New England Communications
The 255.255.255.255 mask specifies a SINGLE host rather than all hosts (which is 0.0.0.0/0.0.0.0). This way the IPO can't get to the internet at large, it can only use that hop to get to the SIP provider. By doing this, it cannot respond to any incoming SIP requests from anything but that SIP provider's IP - the IPO doesn't know how to talk back as there's no route.
By doing this you can still have a public IP address assigned to one of the IPO's ports and still be relatively secure.
You should still change all the default passwords, don't forget about the "security" and "system" defaults too.
New England Communications
reliable", until you find out the SIP NAT implementation is broken. Especially in the cheap ones.
You need to pick the right firewall.
New England Communications
You need to pick the right firewall.
New England Communications
Never connect the IPO directly to the internet.
Port forwarding is rarely necessary (& if should should be restricted to the ISTP proxy address only!)
in most cases SIP_ALG on the router should be disabled so even broken implementations should not be an issue, STUN can usually be used as an alternative when NAT traversal is an issue (trunks registered by IP Address not Credentials)
Commnorth Please Please Please contact a competent installer/maintainer to assist you with securing this system
A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
Port forwarding is rarely necessary (& if should should be restricted to the ISTP proxy address only!)
in most cases SIP_ALG on the router should be disabled so even broken implementations should not be an issue, STUN can usually be used as an alternative when NAT traversal is an issue (trunks registered by IP Address not Credentials)
Commnorth Please Please Please contact a competent installer/maintainer to assist you with securing this system
A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
- Status
Similar threads