ns500 attack 1

[ctamir]

hi all
i have 3 client with ns500 and ns1000 that attack from outside.
all 3 got https web connect from outside.
the pbx attacked and upgrade to ver9, added sip ext card, configured sip accound and make a lot of outside from country calles.
how is that happend? i got very hard password.

thanks

 

[MVickerson]

I can't help you with how they gained access to your system to upgrade to v9 but something similar happened to two systems I support. They did not gain access to my https or need my password.

I found the key vulnerability was when "auto-register" IP phones was enabled. The rogue devices are "auto-registering" to your system. If you look at the remote IP phone's IP address it's likely from India somewhere. I identified the rogue device because they registered with an NT3xx device which I have never sold, installed, or supported.

When you upgrade to version 9, the licenses for registering SIP/IP endpoints is eliminated. All ports are unlicensed and likely in the default state. If you have auto register enabled, any device wanting to connect has ports available to register to.

Countermeasure: 1. Disable "auto-register" for all SIP/IP devices. 2. Put any unused/unregistered port out of service.

Recommendations: Option 1: If you have port forwarding enabled, restrict the traffic to whitelisted external IPs only. 2. (BEST) Disable all port forwarding, put the system behind a VPN/firewall and have the remote devices connect using a basic VPN router from the far side.

In your case, I would strongly recommend putting your systems behind a VPN-capable firewall and only allowing remote connections via a VPN router on the far side. To continue supporting the system remotely, use the VPN as well.

Alternatively, use the very real increased security vulnerability of the dated technology to incentivize your customer to change to a more secure, updated system.

 

[ctamir]

yes
i start to configure on all router at sites connection with vpn or from my wan ip.
i change to OUS un use port.
i think there is a master password for ns500 or some thing like that FOR SURE NO ONE GOT MY PASSWORD.

 

[MVickerson]

If you are correct about a master password then the only safe method for remote access is disabling port forwarding for https and only using VPN.

 

[kizo]

hi all
i have 3 client with ns500 and ns1000 that attack from outside.
all 3 got https web connect from outside.
the pbx attacked and upgrade to ver9, added sip ext card, configured sip accound and make a lot of outside from country calles.
how is that happend? i got very hard password.

thanks

try this

 

[Ired]

Check at your router if there a port fwd rule for ports 31021 or 30021 to PBX's address. Kill those rules.

 

[ctamir]

Check at your router if there a port fwd rule for ports 31021 or 30021 to PBX's address. Kill those rules.

the ports close, what that ports do?

 

[Ired]

the ports close, what that ports do?

ftp.

Disable any external access to your PBXs. Use VPN only!!!
Also, internal attack is possible too - in that case you have no chances even with strong password... Then use VLANs with access control.