Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ns500 attack 1

ctamir

ctamir

Programmer
Feb 11, 2018
235
1
18
IL
hi all
i have 3 client with ns500 and ns1000 that attack from outside.
all 3 got https web connect from outside.
the pbx attacked and upgrade to ver9, added sip ext card, configured sip accound and make a lot of outside from country calles.
how is that happend? i got very hard password.

thanks
 
Sort by date Sort by votes
I can't help you with how they gained access to your system to upgrade to v9 but something similar happened to two systems I support. They did not gain access to my https or need my password.

I found the key vulnerability was when "auto-register" IP phones was enabled. The rogue devices are "auto-registering" to your system. If you look at the remote IP phone's IP address it's likely from India somewhere. I identified the rogue device because they registered with an NT3xx device which I have never sold, installed, or supported.

When you upgrade to version 9, the licenses for registering SIP/IP endpoints is eliminated. All ports are unlicensed and likely in the default state. If you have auto register enabled, any device wanting to connect has ports available to register to.

Countermeasure: 1. Disable "auto-register" for all SIP/IP devices. 2. Put any unused/unregistered port out of service.

Recommendations: Option 1: If you have port forwarding enabled, restrict the traffic to whitelisted external IPs only. 2. (BEST) Disable all port forwarding, put the system behind a VPN/firewall and have the remote devices connect using a basic VPN router from the far side.

In your case, I would strongly recommend putting your systems behind a VPN-capable firewall and only allowing remote connections via a VPN router on the far side. To continue supporting the system remotely, use the VPN as well.

Alternatively, use the very real increased security vulnerability of the dated technology to incentivize your customer to change to a more secure, updated system.
 
Upvote 0 Downvote
yes
i start to configure on all router at sites connection with vpn or from my wan ip.
i change to OUS un use port.
i think there is a master password for ns500 or some thing like that FOR SURE NO ONE GOT MY PASSWORD.
 
Upvote 0 Downvote
If you are correct about a master password then the only safe method for remote access is disabling port forwarding for https and only using VPN.
 
Upvote 0 Downvote
ctamir said:
hi all
i have 3 client with ns500 and ns1000 that attack from outside.
all 3 got https web connect from outside.
the pbx attacked and upgrade to ver9, added sip ext card, configured sip accound and make a lot of outside from country calles.
how is that happend? i got very hard password.

thanks
Click to expand...
try this
 

Attachments

  • NS_series_V7_00138_MRGRelatedModification_Nov2018.pdf
    3.4 MB · Views: 9
Upvote 0 Downvote
Check at your router if there a port fwd rule for ports 31021 or 30021 to PBX's address. Kill those rules.
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

ingy500
  • Locked
  • Question
ns500 to ns500
Replies
2
Views
169
BrixStand
BrixStand
ingy500
  • Locked
  • Question
ns500 /ns1000
Replies
3
Views
147
ingy500
ingy500
ingy500
  • Locked
  • Question
NS500 QSIG
Replies
3
Views
119
Ired
Ired
ctamir
  • Locked
  • Question
ns500 sip peer
Replies
2
Views
122
ctamir
ctamir
ingy500
  • Question
DOOR STATION HIKVISION /panasonic ns500
Replies
3
Views
240
ingy500
ingy500

Part and Inventory Search

Sponsor

Back
Top