Polycom Force Disconnect Call Address Password Use The

Polycom OBiTALK enables you to easily activate devices and add any. IP5000 Dual Button w/ Keypad. Select Device Type (Yealink, Polycom). Paste the MAC address from notepad into the MAC address field (remove the : colons if any). Set the Label. Select DID from the line number selection list. Select VLAN if the phone is using a Metro Voice VLAN configured router. Select "SAVE" or "Add another." to add the phone and. to continue or end the recorded call.

Factory resetting a phone is when you restore a device to its original factory. On the Loading Application screen press Cancel. As soon as the Welcome message appears, press and hold down 1, 3, 5. Release them only when seeing the Enter Password message appear. For password use the phone's MAC address (using CAPS for.

Copy the default 000000000000.cfg file to a file named .cfg where is the 12 character MAC address of the phone (which is also the phone's serial number). This MAC address is printed on a sticker attached to the underside of the phone. Open the .cfg file with a text editor, and then locate the line starting with the text. For Polycom phones these will be contained in the -directory.xml file or the 000000000000-directory.xml file (only used if -directory.xml contains no entries).

A few years ago I had an email conversation with Chris Lyman, the former CEO of Fonality, the makers of trixbox IP-PBX systems. Below is the email conversation slightly edited for security and clarification reasons, followed by some further thoughts on SIP security:

Read my article including the comments from Ward Mundy:

Interesting article. FYI, trixbox Pro and PBXtra already (for a long time now) have brute force protection with IP-address lockout for the Web Admin and Web User Panels. However, you can cause some financial or privacy damage if you get a vm password. (see link/story below) On the privacy side, you could listen to someone's voicemail. On the financial side, if the extension has the ability to make outbound calls from the voicemail system, then you could make free calls that way. DISA is not enabled on trixbox Pro or PBXtra, so no worries there.

So, here is what we will do in the 2.1 release of trixbox Pro (coming to you in a couple of months):

1. Force strong vm passwords (no "1111", etc.)
2. Auto-expire all existing weak vm passwords (next login to the User Panel will force you to change it)
3. Disable "CallOut" on all existing and new extensions. This should eliminate the financial risk.

In addition, trixbox Pro 2.1 carries a few other new security features coming:

4. Randomize vm passwords for all new systems provisioned.
5. Auto-expiry of admin password every 180 days on admin panel.

Security is going to be a huge competitive advantage after we see some high profile VoIP intrusions. Should I reach out to you when we launch 2.1, I bet the telephony world would like to see some of the measures we have already and are *soon* to be taking in the area of security.

Good stuff! Sounds like I may have given you some ideas for password security. You covered 2 out of the 3 passwords in your email. For instance, aastra phones have this in the.

Don't forget, each IP phone provider like any network device is assigned a unique 6 string MAC address (1st 6 digits/letters). So for Aastra, it's 00085D. You can see that with this nifty mac address lookup tool: That only leaves 3D23E0 remaining in the password or 6 additional characters. I believe the number of combinations is 6 letters (A-F) + 10 digits = 16^6 = 16,777,216 combinations to try and register with the SIP server by "hacking" all the Aastra combinations (assuming auth name is the same as the password). A hacker that finds a trixbox server listening on port 5060 could in theory guess the MAC address and password. Once you get a successful registration, voila, free calling! Still, probably pretty hard to do.

More importantly, how about automatically changing extension passwords every month and then flash all of the phones with the new passwords at 3am? This can be done easily with Aastra phones. Could do this once per 3 months or something. Would require trixbox pro to modify each MAC address file, pick a random password, and then "push" out the new password to the phones & reboot them at say 3am. Phone's cfg file periodically.

Why aren't we auto-expiring user panel password?

>Tom: Good stuff! Sounds like I may have given you some ideas for password security.

Yes, actually you did! Some of this was stuff already on the table, but the random expiry was a really nice call. Though I don't think anyone is doing this yet.

Huge pain! People's FONcall will break. Their click-to-call will break. Their HUD won't log-in - very disruptive!

>Tom: You didn't mention IP phone passwords.

Ah, yes... figured you were going to ask about this. We considered auto-expiring them, but given that our customers use every type of phone from Aastra, to Cisco, to Polycom, to Counterpath, to Snom, to Grandstream... you can imagine the headache of auto-expiry. :) In fact, it actually becomes dangerous to do so because you can't guarantee a phone will get its new configuration file in case it's remote or is specifically configured not to get its configuration file or pointing to a different TFTP/FTP server. Trixbox Pro 2.1 will have randomly generated SIP passwords.

Not that I like publicly providing a blueprint for how to hack the baby I have spent 5 years building, but... There are 16^6 combos (16,777,216). With this number, at 10 attempts a second, assuming you knew a trixbox Pro's public IP address, it had port forwarding enabled for remote phones, and you knew a model of phone it was using (such as Polycom or Aastra), your half life toward a brute force attack would be 9.709 days of sustained 24 hour attacking and you would reach a 100% intrusion rate at 19.42 days. I agree it would be tough to crack. That is what I call the "stackable if" problem and probability starts decreasing in step functions at each layer.

Essentially, trixbox Pro was relying on "security by obscurity" and hoping a brute force SIP cracker couldn't guess a MAC address number to use for both the username and password. Assuming you knew a trixbox Pro's public IP address, it had port forwarding enabled for remote phones, and you knew a model of phone it was using (such as Polycom or Aastra), you would be able to brute force a username and password in a few days to a few weeks. You could hijack the phone. Fortunately, as Chris promised, trixbox 2.1 (& later) no longer chooses a password that matches the SIP username. It chooses a random 12 alphanumeric password consisting of letters upper & lowercase and numbers. However, even with more complex passwords, the hackers have several VoIP hacking tools in their arsenal, including Cain & Abel, SIPVicious, and others that can scan for VoIP systems & extension numbers and then brute-force attack them.

Trixbox Pro isn't alone in the Asterisk-based IP-PBX world in choosing insecure passwords. In fact, early on most Asterisk PBXs had the extensions configured with the password secret being the same as the extension number (i.e. Username=101 password=101). If you followed this password scheme and you configured your Asterisk-based system to be open to the outside (i.e.

The article doesn't specifically state it was an Asterisk system and it's true that other IP-PBX vendors aren't immune from easy to crack passwords, so my intention isn't to point fingers specifically at Asterisk. In fact, the beauty of Asterisk is how quick it is to fix bugs or in this case solve a security issue through the Asterisk community. I read one solution was to use an AGI script that is executed on every call to keep track of the number of calls per minute, and also the average length of calls per hour, in a MySQL db. Then the script has certain triggers (i.e.

Alas, he didn't share the AGI script or I'd include a link to it. If anyone volunteers to write an AGI script that does something similar, send me a link and I'll update this post.

Still another popular solution is fail2ban. Although this rudimentary intrusion protection system wasn't initially designed by Asterisk developers with Asterisk in mind, it was developed by someone in the Linux community to ban abusive IP addresses that attempted to brute force attack SSH, FTP, and Web systems. It works by automatically adding a brute force attacker's IP address to iptables (Linux firewall) after 3 (by default) failed logon attempts. Later, it was easily extended to support brute force SIP password attacks simply by monitoring an Asterisk log file. As such, fail2ban has become one of the most useful tools you can have loaded on your IP-PBX (or any other Linux-based server), since it can monitor SIP, IAX, SSH, FTP, and Web for brute force attacks.
Author: Heather