Just got this...passing it along :)

-----Original Message-----
From: VoIP.ms [mailto:[email protected]]
Sent: Tuesday, January 04, 2011 2:14 PM
To: Nathaniel Watkins
Subject: Important Security Tips
Dear Nathaniel Watkins,

We are contacting you with some suggestions on how to improve the security of your PBX systems and VoIP adapters. We have no specific reason to believe your system may have been compromised. This is a courtesy email sent to all our customers. The broad view we have of thousands of customers leads us to believe that most of the hacking cases for the purpose of placing unwanted calls can be avoided by following these suggestions:

1) Use strong passwords: We can't stress this one enough: use strong passwords! One of the first things many people do after they install their PBX is to create a phone extension with an easy password. Avoid using short or weak extension passwords. Please remember to use passwords of at least 8 characters, including a mix of upper and lower case along with digits. Remember to change them periodically, every 2-3 months at most.

2) Public Internet: Avoid leaving your PBX systems, ATA adapters and IP phones open to the internet. Do not use DMZ mode on your router and do not forward ports to your equipment unless you absolutely know what you are doing. This is only needed in specific cases, and only leave it open to the internet if you have experience in how to properly manage security on equipment that is open to the internet.

3) Asterisk tweak: If you are using an Asterisk-based PBX, add the following line to the sip.conf file under the [general] section and issue a reload:

    alwaysauthreject = yes

What this parameter does is that it will always return an authentication error instead of a "404 Not Found", even when the extension doesn't exist. This steps up the difficulty for brute-force scanners when they are attacking your PBX.

4) Trixbox, PBX in a Flash and other web-interface-based PBX: Change the default password. Different flavors of PBX installs come with default administration passwords. Make sure to change the default passwords immediately after your installation and also make sure the web interface is not reachable from the internet.

5) PBX dial plan: Do you make international calls? If not, do not allow international calls to be placed from your PBX. In Asterisk, remove '_011.' or '_00.'. Never use '_.'. If you are only calling a few countries on a regular basis, enable those countries only. For example: the only country you're calling is the UK? Only configure '_01144.' in your dialplan.

6) Use additional caution while travelling: Do you plan on using a softphone at a random internet cafe? Make sure you remove your login details after using it, and uninstall the software if possible.

7) Asterisk and fail2ban: As an additional step you can install an additional security tool such as fail2ban, a free brute-force detection system that scans the log files of your PBX and then takes action based on the entries in those logs. (http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk) We also offer the optional service of installing fail2ban on your Asterisk PBX. A trained Linux Asterisk professional can install it on your system for a one-time fee of $150 USD.

There are various other measures that you can take to secure your VoIP equipment; however, this email covers some of the most important aspects. The technology and the methods used by abusers keep evolving constantly. By following the recommendations in this email you will have a more secure PBX system. Feel free to contact us via Live Chat or through the ticketing system should you need any more information regarding how to improve the security of your PBX system.

Kindest regards,
VoIP.ms Technical Support Team

Note: Do not reply to this email, you will not receive a response.
You can contact us regarding this update by sending an email to [email protected]

Garrett County Government, 203 South Fourth Street, Courthouse, Oakland, Maryland 21550
www.garrettcounty.org

_______________________________________________
sipx-users mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users/
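Item 5 of the forwarded mail turns on what an Asterisk extension pattern actually admits. The following is an added example, written for this list and not code from VoIP.ms or from the sipXecs project: it implements the Asterisk extensions.conf pattern rules in Python and checks which dialled numbers three outbound contexts would let through. The context names, the pattern lists and the dialled numbers are all constructed for the demo.

```python
import re

# Asterisk extensions.conf pattern syntax (a leading '_' marks a pattern):
#   X = any digit 0-9, Z = 1-9, N = 2-9, [15-7] = one of the listed digits,
#   . = one or more of anything, ! = zero or more of anything.
# Anything else is matched literally; a pattern without '_' is a literal extension.
def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one Asterisk extension pattern into an anchored regex."""
    if not pattern.startswith("_"):
        return re.compile(re.escape(pattern) + r"\Z")
    out, i = [], 1
    while i < len(pattern):
        c = pattern[i]
        if c.upper() == "X":
            out.append("[0-9]")
        elif c.upper() == "Z":
            out.append("[1-9]")
        elif c.upper() == "N":
            out.append("[2-9]")
        elif c == "[":
            j = pattern.index("]", i)      # digit set: copy it through verbatim
            out.append(pattern[i:j + 1])
            i = j
        elif c == ".":
            out.append(".+")
        elif c == "!":
            out.append(".*")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")


def matching_pattern(dialplan, number):
    """Return the first pattern in `dialplan` that matches `number`, or None.
    Asterisk itself picks the most specific match, but for a
    can-this-call-leave-the-box check any match is enough."""
    for pat in dialplan:
        if pattern_to_regex(pat).match(number):
            return pat
    return None


def can_dial(dialplan, number):
    return matching_pattern(dialplan, number) is not None


# Three outbound contexts (names are illustrative, not from the mail). Each
# list is the set of patterns that would appear as exten => <pattern>,1,Dial(...)
OPEN_DIALPLAN = ["_."]                                        # the one the mail says never to use
ANY_INTERNATIONAL = ["_NXXNXXXXXX", "_1NXXNXXXXXX", "_011."]  # NANP plus every 011 destination
UK_ONLY = ["_NXXNXXXXXX", "_1NXXNXXXXXX", "_01144."]          # NANP plus the UK (country code 44) only

# Dialled numbers, constructed for the demo (44 7700 900xxx is a UK range reserved for fiction).
LOCAL_CALL = "3015551234"
UK_CALL = "011447700900123"
OTHER_COUNTRY = "011882123456789"   # some other 011 destination
EU_STYLE_INTL = "00447700900123"    # the same UK number with the European 00 prefix

if __name__ == "__main__":
    for name, plan in [("open", OPEN_DIALPLAN), ("any-intl", ANY_INTERNATIONAL), ("uk-only", UK_ONLY)]:
        for num in (LOCAL_CALL, UK_CALL, OTHER_COUNTRY, EU_STYLE_INTL):
            print(f"{name:9} {num:16} -> {matching_pattern(plan, num)}")
```

Running it shows why the mail singles out '_.': it matches every string, so nothing in the context is ever rejected (Asterisk also warns at load time that '_.' catches its special h, i and t extensions). With UK_ONLY in place, the UK number is accepted through '_01144.' while the other country code and the 00-prefixed variant fall through to no match, which in a real context means the call never reaches Dial().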

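Items 3 and 7 of the forwarded mail fit together: alwaysauthreject changes what the scanner sees on the wire, but the chan_sip NOTICE written to the Asterisk log still carries the real reason, and that log line is what fail2ban keys on. The following is an added example, not VoIP.ms's or fail2ban's code: it runs a fail2ban-style findtime/maxretry rule over a constructed sample of /var/log/asterisk/messages. The log lines, the 203.0.113.7 / 198.51.100.3 addresses and the iptables DROP action are all assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/asterisk/messages, using the wording of
# Asterisk 1.8 chan_sip NOTICE lines. 203.0.113.7 is a scanner walking
# extensions; 198.51.100.3 is a real phone that mistyped its secret once.
SAMPLE_LOG = """\
[Jan  4 14:10:01] NOTICE[2210] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password
[Jan  4 14:10:01] NOTICE[2210] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.7:5060' - No matching peer found
[Jan  4 14:10:02] NOTICE[2210] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.7:5060' - No matching peer found
[Jan  4 14:10:02] NOTICE[2210] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.7:5060' - No matching peer found
[Jan  4 14:10:03] NOTICE[2210] chan_sip.c: Call from '' (203.0.113.7:5060) to extension '9011882123456789' rejected because extension not found in context 'default'.
[Jan  4 14:10:03] NOTICE[2210] chan_sip.c: Registration from '"104" <sip:104@192.0.2.10>' failed for '203.0.113.7:5060' - No matching peer found
[Jan  4 14:12:30] NOTICE[2210] chan_sip.c: Registration from '"205" <sip:205@192.0.2.10>' failed for '198.51.100.3:41234' - Wrong password
[Jan  4 14:12:41] NOTICE[2210] chan_sip.c: Peer '205' is now Reachable. (31ms / 2000ms)
"""

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
STAMP = r"^\[(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\]"
FAILURE_PATTERNS = [
    # REGISTER with a bad secret, or for an extension that does not exist
    re.compile(STAMP + r".*Registration from '.*' failed for '" + IPV4 + r"' - (?P<reason>.+)$"),
    # INVITE from an unauthenticated source to an extension that does not exist
    re.compile(STAMP + r".*Call from '.*' \(" + IPV4 + r"\) to extension '.*' rejected because (?P<reason>.+)$"),
]


def parse_failures(log_text):
    """Yield (timestamp, source_ip, reason) for every failure line in log_text."""
    for line in log_text.splitlines():
        for rx in FAILURE_PATTERNS:
            m = rx.match(line)
            if m:
                # the syslog-style stamp carries no year; fine for a relative window
                ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
                yield ts, m.group("ip"), m.group("reason")
                break


def offenders(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban's rule: ban a source once it has maxretry failures inside findtime.
    Returns {ip: failure count at the moment the ban triggered}."""
    recent = defaultdict(list)
    banned = {}
    for ts, ip, _reason in sorted(parse_failures(log_text)):
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if ip not in banned and len(recent[ip]) >= maxretry:
            banned[ip] = len(recent[ip])
    return banned


def ban_commands(banned, chain="INPUT"):
    """Assumed action for the demo, not fail2ban's own: one iptables DROP rule per banned source."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    for cmd in ban_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

The scanner trips the rule on its fifth failure within the window and is banned; the phone with one wrong password stays off the list, which is the point of pairing a threshold with a time window rather than reacting to every failure. The "No matching peer found" lines are the guesses at non-existent extensions that alwaysauthreject keeps the attacker from distinguishing on the wire; the log still names them, so the ban logic does not depend on that setting.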