- Vladimir Toncar (Kerio)
We have recently been informed about a new kind of VoIP attack, so I would like to remind all Kerio Operator administrators to pay attention to security.
The scenario that has become the inspiration for this post included a basic security mistake - the Operator server was accessible from the Internet and one of the extensions had an empty password. That's the equivalent of leaving the door open with the sign "Please help yourself" next to it, you would say.
However, it was just a single extension out of many in the system, and it was none of the usual numbers the hackers try first (100, 101, etc.). The scanning botnet actually needed several days to discover the single unprotected extension number. The scanning machines were blocked several times by Operator's anti-guessing feature but they returned after one day, when the default block on the given IP address expired. Luckily for the user, his outgoing calls constraints kicked in quite early, thus reducing the loss (significantly reducing, one can guess).
The conclusion? The black-hat guys are getting smarter. Please consider the following steps if your Operator is accessible from the Internet (and maybe even if it is not):
* Check that all your extensions have a password. Make sure your passwords are strong.
* Consider decreasing the number of unsuccessful SIP logins and increasing the blocking time in Operator's Security screen.
* Review your Outgoing calls constraints. Will your setup really mitigate your loss if a password is stolen (by a virus/trojan)? Are there international prefixes your users will never call?
* Visit Operator's administration GUI more often to see what's going on, check the list of blocked IP addresses etc. Alternatively, set up e-mail notifications about blocked machines.
Thank you for paying attention,
[Updated on: Thu, 30 January 2014 10:07]
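The pattern described in the post (a source that is blocked, waits out the block, then resumes guessing on other extension numbers) can be picked out of authentication-failure records. The following is an added example, not Kerio's code and not part of the original post; the log format, field names, function name and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up format (NOT Kerio Operator's real log format).
# 203.0.113.7 walks extension numbers and returns each day; 198.51.100.20 is one user.
SAMPLE_LOG = """\
2014-01-20T03:12:05 SIP_AUTH_FAIL src=203.0.113.7 ext=100
2014-01-20T03:12:06 SIP_AUTH_FAIL src=203.0.113.7 ext=101
2014-01-20T03:12:07 SIP_AUTH_FAIL src=203.0.113.7 ext=102
2014-01-21T03:12:30 SIP_AUTH_FAIL src=203.0.113.7 ext=103
2014-01-21T03:12:31 SIP_AUTH_FAIL src=203.0.113.7 ext=104
2014-01-21T03:12:32 SIP_AUTH_FAIL src=203.0.113.7 ext=105
2014-01-22T03:13:00 SIP_AUTH_FAIL src=203.0.113.7 ext=106
2014-01-22T03:13:01 SIP_AUTH_FAIL src=203.0.113.7 ext=107
2014-01-20T09:00:10 SIP_AUTH_FAIL src=198.51.100.20 ext=115
2014-01-20T09:00:25 SIP_AUTH_FAIL src=198.51.100.20 ext=115
2014-01-22T09:01:00 SIP_AUTH_FAIL src=198.51.100.20 ext=115
"""

LINE_RE = re.compile(r"^(\S+) SIP_AUTH_FAIL src=(\S+) ext=(\d+)$")

def find_returning_scanners(log_text, block_time=timedelta(days=1), min_extensions=3):
    """Report sources that resume failing logins after a pause of at least
    block_time (the configured blocking time) and that try several extensions."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seen[m.group(2)].append((datetime.fromisoformat(m.group(1)), m.group(3)))
    report = {}
    for ip, events in seen.items():
        events.sort()
        gaps = (cur[0] - prev[0] for prev, cur in zip(events, events[1:]))
        bursts = 1 + sum(1 for gap in gaps if gap >= block_time)
        exts = sorted({ext for _, ext in events}, key=int)
        # One extension retried on different days looks like a forgotten password,
        # so both conditions are required before a source is reported.
        if bursts >= 2 and len(exts) >= min_extensions:
            report[ip] = {"bursts": bursts, "extensions": exts}
    return report

if __name__ == "__main__":
    for ip, info in find_returning_scanners(SAMPLE_LOG).items():
        print(ip, "returned", info["bursts"] - 1, "times; tried", info["extensions"])
```

A source reported here is a candidate for a longer block than the default.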