Someone Trying To Hack via public IP

Status
Not open for further replies.

gknight1

Programmer
Jul 27, 2006
1,787
US
So I see the following in System Status....

Temporarily disable access from repeated failed login or something.

Then I have 50 alarms of failed extensions logged in. I didn't have auto create ext or user on, so nothing was harmed and I closed the security.

The question I have is, what determines the number of failed attempts before disabling? I looked through manager and security settings, but didn't see anything.

IPO R9.1

The public address the hacker is using is 66.55.92.11 if anyone wants to return the favor...
 
I can't remember exactly, but I think there was a change in 9 or 9.1 for failed registration attempts and then the IP address was blacklisted for xx amount of minutes, with that period of time extended for each subsequent attempt.
I don't think it was a configurable setting...it was just hard coded in there. Unless I'm thinking of something completely different.
 
Please change the default password, and disable or remove the other default accounts the IPO provides, like Operator, Maintainer etc.
Disable auto create extension and user.
 
IP Office has applied non-configurable automatic blacklisting since 9.1. From the manuals:

• Source IP Address Blacklisting
Registration attempts to a non-existent extension or using the wrong password of an existing extension are logged against the source IP address. The address is blacklisted for 5 minutes after 20 failed attempts in any 20 minute period.

• Extension Blacklisting
Registration attempts to an existing extension using the wrong password are logged against that extension. The extension is blacklisted for 1 minute after 10 failed attempts in any 20 minute period.

When blacklisting occurs, the system generates a System Status Application alarm and adds an entry to its audit log. A system alarm is also generated and can be output using any of the supported system alarm routes (SMTP, SNMP, Syslog).

Stuck in a never ending cycle of file copying.
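Added example, not code from this thread or from Avaya: a small Python model of the two blacklisting rules quoted above (20 source failures in 20 minutes gives a 5 minute source ban, 10 wrong passwords in 20 minutes gives a 1 minute extension ban), replayed against a constructed extension scan. The host addresses, extensions and timestamps are made up; the real IP Office counters are not exposed, so this only illustrates when the SSA alarm would fire.

```python
from collections import deque
from datetime import datetime, timedelta

# Thresholds as quoted from the IP Office 9.1 manual text above.
SRC_LIMIT, SRC_WINDOW, SRC_BAN = 20, timedelta(minutes=20), timedelta(minutes=5)
EXT_LIMIT, EXT_WINDOW, EXT_BAN = 10, timedelta(minutes=20), timedelta(minutes=1)

T0 = datetime(2016, 3, 1, 9, 0, 0)          # constructed start time


def at(seconds):
    """Constructed timestamp: T0 plus an offset in seconds."""
    return T0 + timedelta(seconds=seconds)


class Blacklister:
    """Models the two blacklists: one keyed by source IP, one by extension."""

    def __init__(self):
        self.fails = {"src": {}, "ext": {}}      # key -> deque of failure times
        self.ban_until = {"src": {}, "ext": {}}  # key -> time the ban expires
        self.alarms = []                         # what would go to SSA / syslog

    def _count_failure(self, kind, key, ts, window, limit, ban):
        q = self.fails[kind].setdefault(key, deque())
        q.append(ts)
        while ts - q[0] > window:   # drop failures outside the sliding window
            q.popleft()
        if len(q) >= limit:
            self.ban_until[kind][key] = ts + ban
            q.clear()               # counting restarts once the ban is applied
            self.alarms.append(f"{ts:%H:%M:%S} {kind} {key} blacklisted for {ban.seconds // 60} min")

    def register(self, ts, src_ip, ext, ext_exists, password_ok):
        """Outcome of one SIP REGISTER: 'ok', 'rejected' or 'blacklisted'."""
        if ts < self.ban_until["src"].get(src_ip, ts) or ts < self.ban_until["ext"].get(ext, ts):
            return "blacklisted"
        if ext_exists and password_ok:
            return "ok"
        self._count_failure("src", src_ip, ts, SRC_WINDOW, SRC_LIMIT, SRC_BAN)
        if ext_exists:  # only wrong-password attempts count against the extension itself
            self._count_failure("ext", ext, ts, EXT_WINDOW, EXT_LIMIT, EXT_BAN)
        return "rejected"


def simulate_scan(attempts=50, interval_s=10):
    """Constructed sample: one TEST-NET host tries non-existent extensions 10 s apart."""
    bl = Blacklister()
    results = [bl.register(at(i * interval_s), "203.0.113.9", str(200 + i), False, False)
               for i in range(attempts)]
    return results, bl.alarms
```

In the scan the 20th failure at 09:03:10 raises the alarm; the next 29 attempts are dropped without being counted, and counting only resumes when the 5 minute ban lapses.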
 
DO NOT CONNECT THE IP OFFICE DIRECTLY TO A PUBLIC IP ADDRESS!

How many times does this advice need to be given.

If your installer/maintainer wishes to do so, find a competent installer IMMEDIATELY.

If you are an installer/maintainer that wishes to do this, do everyone a favor and cease installing any equipment until you know what you are doing.

Do things on the cheap & it will cost you dear
 
None of my passwords are default and it's not connected directly to a public IP; I have just a few ports forwarded through a firewall. We've had it like this for almost 2 years, and this is the first hack attempt that we are aware of, and it failed. The only thing I could do now would be to try and see what port they are coming in on and change it from the default if possible.
 
This is usually only an issue if you have One-X Mobile, because if you have SIP you would have the firewall only allowing traffic through from the SIP provider's IP addresses. However, if you have One-X Mobile you have to have it open to anywhere. The simplest solution is to change the port used from 5060 on the One-X Mobile to something else like 6060.

| ACSS SME |
 
gknight1 said:
I have just a few ports forwarded through a firewall. we've had it like this for almost 2 years,

Clearly you have more than just a few ports forwarded, & this is still poor practice & almost always unnecessary.

You have been lucky for the past 2 years, I am surprised it has taken so long.
 
IPguru, ok, you are right, we have the normal ones for SIP trunks, remote phones, and one-x.

So, tell me how this is unnecessary and poor practice? Besides changing the default port number, how else can I do it?
 
At the very least by ensuring no ports for Manager or other admin tools are accessible from the internet.

Next thing would be to use TLS for SIP and use your own certificate authority to generate certs for your SIP endpoints outside and for the IPO, so unless a SIP client has a certificate you issued, they won't even be able to send a REGISTER message.
 
The IP Office up until 9.1 was easy to hack, very easy, that's why it was so rife. Remote phones and One x portal is the best way to get yourself hacked, it's giving someone almost everything they need, the only other thing they need is time to crack your passwords. We don't do remote phones (they're terrible anyway) and not OXP either, certainly not for external addresses. Mobile twinning is the best compromise if it's from non fixed sources.

Try and find a SIP provider that doesn't require 5060 to be forwarded to the system, because that's like a red rag to a bull with hackers (at least only forward from the provider's address).

For remote access a VPN or logmein is the best option where ISDN isn't available :)

 
kyle555 said:
Next thing would be to use TLS for SIP and use your own certificate authority to generate certs for your SIP endpoints outside and for the IPO so unless a SIP client has a certificate you issued, they won't even be able to send a register message

That's all very well if you are using an SBC. The IPO doesn't support certs for SIP endpoints as far as I am aware let alone the software that connects to the IPO.

ACSS - SME
General Geek
 
SIP Trunks should not need ports forwarding.

If they do, then either find another provider, or use an SBC, or at least restrict inbound traffic ON THE ROUTER so that it can only be accessed from the SIP provider's IP address.

If not, expect to be hacked. It is that simple.

None of our SIP installations have the port forwarding to the IPO on a connection that is publicly accessible.
 
Registration has many advantages and strong username/passwords takes away the disadvantage :)

 
Also, I'm fairly sure the IPO can be configured to send OPTIONS messages at such intervals that it keeps the return path open on 5060, so even IP authenticated trunks don't need 5060 forwarded :)

 
Don't use providers on the open internet. Get a decent provider who has its own dedicated trunk without internet on it.
It will cost some, but it is much safer.

BAZINGA!

I'm not insane, my mother had me tested!
 