This document outlines some of the most common IP PBX hacking situations and proposes some basic safeguard configurations. Source: http://i3forum.org
Why is securing your Softswitch/PBX/Gateway and following best practice rules important?
- If your network is not secure, you assume the risk of criminals seizing and sending traffic via your voice switches without your knowledge
- IP fraud is most common on weekends, special holidays and evenings when staff are off-duty
- Open source platforms/networks/switches are a core target as well as known bugs for some vendors. Keep your software updated with the latest patches.
- Fraudsters are sophisticated, organized and should not be underestimated. Given the high-profit potential, they tend to be well funded and have access to the latest software tools and best programmers
Recommended actions to fulfill
- Limit PSTN dialing to essential destinations you really need to call and only ask to open those countries/breakouts
- Avoid routing plans which facilitate loop access to the PSTN via the PBX. In the case where it is necessary for contingency/backup access, check out credentials prior to access.
- Check invoicing and routing when the backup mode is triggered.
- Disable remote dial-in, when possible, and dial-through capabilities.
- Secure remote maintenance ports and use call back modems or alphanumeric passwords. Make sure system administration and port numbers are randomly selected
- Enable call admission control for the simultaneous call, max sessions, registration policies, authentication for registers, and authentication calls (INVITES).
- Use IPSec, TLS, & SRTP for encryption when connecting through the Internet
- If downloading templates for a Centrex device is needed make sure the downloading profile is secured with https, SCP, or other secured protocol as all the users and passwords are contained in that file
- For web portals, access over the Internet, encrypt communications with a challenge/response authentication and a strong cipher algorithm
- Resolve DNS FQDNs with the least amount of information about your network as possible.
- Disable ports, not in use. Allow only trusted VoIP IPs to send traffic to you.
- Apply patches and upgrades on a regular basis. Check regularly with your supplier for any security advisory requiring patching.
- Use some mechanism to check long term call duration and audit them based on logs
- Be aware of signs of PBX fraud such as:
– Repeated calls of short duration
– High numbers of incoming hung up calls
– Unexpected increases of incoming calls where the caller hangs up when answered
– The sudden increase of Toll-Free usage or high-cost destinations
– Changing in after-hours calling patterns - Enable dynamic dialing rules if possible, so time of day routing and routing destination policies and barring at certain times (weekends, nights, in general, out of your traffic regular patterns)
- Secure the edge with an SBC to protect your infrastructure
- Limit access and call processing to known and trusted IP addresses
- Change the default password for all your servers- especially for accounts with admin privileges
- Don’t allow to use default shortcodes or FACs configured in the server to change call forwards, call transfers, etc.
- Use strong password policy with a combination or capital and lowercase letters, numbers, and symbols
- Do not use predictable PIN numbers, such as your extension number or public number or last digits, predictable passwords with sequential or incremental numbers, like 1234 or 1111
- Set up a password expiration policy
- Establish account lockup policies to combat brute-force and dictionary-based attack
All these rules should be applied to all the webserver management
account, as well as voice access/PBX and voice mail server
Establish proper and secure notification policies for lockup accounts - Block all lower TCP ports (lower than 1024) to public IPs
- If ports must be accessible by Internet change the default port number using a customized one
- Block ICMP responses for critical devices
- Understand the device you are running, as some of them may allow endpoint registration only with extension and no authentication challenge, like username/ password. MAC-based challenge is not recommended as it´s a weak challenge.
- Block administration access from public IP for VoIP devices
- If public access is required, implement strong passwords and only allow trusted IP access.
- Ensure these policies are also applied to voice mail portal
- Require carrier authentication for every conference call and PINS of at least a 6 digits long code, change on a regular basis
- Scan and audit your network from an IP public address, on a regular basis, to check open ports or possible security breaches
- Test your security measurements and log information by trying to access your
own network from an IP public address. - Send voice call to your own network to test its vulnerability
- Ignore and block completely messages from unknown IPs. Make a silent drop so as not to provide information about your network or servers
- Never divulge system information, unless you know to whom you are giving it
- Analyze call detail activity daily (usage of CDRs).
Use antivirus and use firewalls. - Customers may need to take additional measurements depending on the type of platform/server/PBX in use.
Photo by John Salvino on Unsplash