SSA Outside Attacks - What is really happening?

[dsm600rr]

Hello all,

So we have IX Workplace and J179's working remotely via FQDN to our Firewall and Split DNS to our IPO. We are using TLS with all the certificates in place. For awhile we were not getting any hits, now we are getting hit pretty hard.

Does this mean outside attackers are actually getting into the PBX?

I would love to get an Avaya SBC in here however the required IPOSS kind of kills it price wise.

ACSS

 

[LoPath]

You're logging the authentication failures. You're not seeing who's actually getting in. If you're getting this much activity, you should be checking for outgoing international/toll calls on a regular basis. Someone's obviously trying pretty hard. Hopefully you're keeping them out! Unless your users are truly all over the world, I'd look to block any IP ranges that aren't in countries that you service or whitelist only those that you do.

LoPath
Maintain HiPath 4000 V5 & V6, OpenScape Xpert V4 & V6, OpenScape Xpressions V7, OpenScape Contact Center V8, OpenScape Voice V9

 

[dsm600rr]

LoPath: Thank you. We do have port 5060 Locked down to our SIP Provider.

Any tips on how to block all countries aside from the US?

ACSS

 

[LoPath]

That's something you'd do in a firewall. Our company uses FirePower appliances and we just block everything that's not in a handful a countries outside of the US. You have to be careful to analyse all companies you do business with and the services you use. A bit beyond my area of expertise, but I did find a couple of sites from a Google search that would lead you down the path...

https://www.ip2location.com/free/visitor-blocker

https://serverfault.com/questions/389830/how-do-i-allow-only-us-ip-addresses-using-iptables

LoPath
Maintain HiPath 4000 V5 & V6, OpenScape Xpert V4 & V6, OpenScape Xpressions V7, OpenScape Contact Center V8, OpenScape Voice V9