IP Office VOIP was hacked

Status
Not open for further replies.

borsen

Technical User
Jul 12, 2014
52
MK
Hey guys,

Yesterday our IPO was hacked. They managed to get through one of the remote workers and made some 300+ calls to various countries, some of which I didn't know existed.

We really need the remote workers. Our employees use them natively on their Android phones.


Currently we have the 5060 port disabled by firewall (Mikrotik router) which sits above the Avaya.

How can we secure the VOIP? I can't seem to find anything online?
 
I'm guessing your login codes are something like 0000, 1234, 2580 or the extn number. This is the first thing you need to change.

The hackers try to login with extn 100, p/w (as above), then 101 etc until they get to login.

If you make your login codes harder to guess, this will help as will an SBC.

We enforce this for all our sites now, remote workers or not.

Also, set your remote workers to use secure port 5061 and don't forward 5060 anymore.

Nothing is foolproof, but all these things help.

Jamie Green

Avaya Registered Specialist Engineer
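A way to check existing login codes for the guessable patterns named in the reply above (0000, 1234, 2580, the extension number), as an added example that is not part of the original thread and not an Avaya tool. The CSV layout, column names, sample rows and the minimum length of 6 are assumptions.

```python
import csv
import io

MIN_LENGTH = 6  # assumed local policy value, not an Avaya default

# Keypad (row, column) of each key, to spot straight-line codes such as 2580.
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2), "4": (1, 0), "5": (1, 1),
          "6": (1, 2), "7": (2, 0), "8": (2, 1), "9": (2, 2), "0": (3, 1)}

# Constructed sample export; the column names are hypothetical.
SAMPLE = """extension,login_code
100,0000
101,1234
102,2580
103,103
104,583920
105,
"""

def steps(points):
    """Set of moves between consecutive points (tuples of equal length)."""
    return {tuple(b - a for a, b in zip(p, q))
            for p, q in zip(points, points[1:])}

def weaknesses(extension, code):
    """Return the reasons a login code is easy to guess (empty list if none)."""
    if not code:
        return ["no login code set"]
    reasons = []
    if len(code) < MIN_LENGTH:
        reasons.append("too short")
    if extension in code or code in extension:
        reasons.append("derived from extension")
    if len(set(code)) == 1:
        reasons.append("repeated digit")
    if code.isascii() and code.isdigit():
        digit_moves = steps([(int(d),) for d in code])
        key_moves = steps([KEYPAD[d] for d in code])
        if digit_moves in ({(1,)}, {(-1,)}):
            reasons.append("sequential digits")
        elif len(key_moves) == 1 and key_moves != {(0, 0)}:
            reasons.append("keypad line")
    return reasons

def audit(csv_text):
    """Map extension -> reasons, for every row whose login code is weak."""
    rows = csv.DictReader(io.StringIO(csv_text))
    found = {r["extension"]: weaknesses(r["extension"], r["login_code"]) for r in rows}
    return {ext: why for ext, why in found.items() if why}
```

Calling `audit(SAMPLE)` flags extensions 100, 101, 102, 103 and 105 and leaves 104 out of the result.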
 
Have some pink Jamie77 for being nicer than I am and much nicer than amriddle [rofl]

Joe W.

FHandw, ACSS (SME)


"This is the end of the world, make sure to buy your T-shirt before it is too late"
Original expression of my daughter
 
What application do you use for remote workers? Can't be OneX Mobile. It would try to connect to port 5060 if that is configured as listen port in IPO. No chance to forward another port to 5060.

Using Avaya Apps (OneX Mobile, Avaya Communicator) only you wouldn't have to create extensions but only users with valid user license and the remote worker check box has to be enabled.

I also guess you didn't set up a SIP domain in IPO so that users can connect using any IP as SIP domain.

I can just confirm what the others say. Secure IPO and the remote endpoints. Use strict TLS. Place an SBC in between IPO and the Internet.
 
1) Start changing your SIP operator, cost => 0€ to Avaya, they had to block your account if they detect abnormal traffic outside office hours. (They have to have a robot to detect abnormal traffic.)
2) Buy an SBC, you can buy another brand than Avaya (we used Intertex/Ingate in my previous company, which cost less than 300€).
3) Change remote worker password to a complex password.
4) Change SIP port for remote worker to another port.

But if you read the documentation, Avaya always recommends the ASBC for remote workers. It's expensive, but there is a reason.

ACIS - ACSS
 