Alright, let’s get into this. This idea that obfuscating your stuff with non-standard ports is the #1 method to stop getting pwned is just word salad BS. Does it help? Sure it helps. Is it 100% successful? No, not at all. Why? Because other ports are still scanned; maybe not at the same level as the default ports, but they are still scanned. So many people will still go “Oh I changed my SIP ports to something non-standard so why did this happen?!”
Another thing to point out: every major carrier and provider uses port 5060 and no domain setups, purely IP-based connections. So are they getting hacked and pwned every which way till Sunday? No? Why? Oh yeah, security measures.
I’ll be honest, I got hit in July by fraud. Not by them compromising my systems but by someone compromising the Cisco SPA112 the user had. Just a little side note: for the first time in almost 3 years, the Cisco SPA112 has had two firmware releases this year alone to fix two security holes that can give sensitive information to the hacker.
So now they had the proper user/password, oh and they had the DOMAIN because I use FQDNs for everything. Luckily, I had other levels of checks and only some of it got through. That right there highlights how your network can be compromised without them ever touching your network. They got everything they needed.
And as much as we are going on about the PBX/server side, how many times do you get calls from your customers about strange calls (sometimes from themselves, because the caller ID is their own extension) that have no one on the other side and just keep calling them? Oh yeah, that’s the location being SIP scanned through freaking NAT. So now you have to deal with the fact that your end users could have really crappy routers/firewalls, they may have horrible NAT rules, and of course their devices are most likely listening on 5060 for the main line.
So you can sit there and lock down your network all you want, but if you don’t account for your end users’ security (or lack of it) then you’re still leaving yourself open. Because it’s never the large customers I see a problem from or weird attempts from. It’s always those little one-line Resi/SOHO accounts that have ATAs or a single IP phone with no actual network, just plugged into the ISP’s modem/router combo.
Just to recap:
— Changing standard ports. Workable solution. Must be used with others to be fully effective.
— Using FQDNs vs straight IPs. Workable solution. Should be used with others.
— Using TLS. Workable. A huge resource hog for a red herring, since the PSTN doesn’t have TLS and it would require all the calls to be decrypted/encrypted constantly. Again, not a lone solution.
Those three things are great when used together and with other things. Using them alone still leaves you open, because none of those take into account what I pointed out earlier: your end users being pwned on their side. So while those steps are great for blocking those that have no real clue how requests should be formatted for your network, once they get your end user’s details they have exactly how the request should be formed.
You still need extra layers to account for when valid users are compromised and their information is being used. I still have flooding detection and tracking for how many INVITEs, REGISTERs, etc. are being sent in X amount of time. I still have rules about which source IPs can actually connect to the network.
I also have various multi-factor auth methods. For example, they can lock down requests to only be accepted from the end user’s IP plus auth creds. Since 99% of the compromises are straight-up calls (they don’t register because that gives them away), they must have a valid registration in order to make calls. Or they have to have a valid registration, it must come from their allowed source IP, AND it must still auth.
Much like an onion your security should have many layers.
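To make the layering in the post concrete, here is an added example of the three checks described above (per-user source-IP lock, per-source rate limiting of INVITE/REGISTER in a time window, and requiring a live registration from the same IP before an INVITE is accepted) applied to a constructed stream of SIP requests. This is illustrative code written for this page, not the poster’s actual PBX configuration or any specific product’s rule syntax; the class and function names, the limit of 3 requests per 10 seconds, the 3600-second registration TTL, and the sample events are all assumptions. It assumes every event has already passed digest authentication, since the whole point of the post is that attackers may hold valid credentials.

```python
"""Layered SIP admission checks (added example, not the poster's config):
source-IP allow-list, flood limiting, and registration binding."""
from collections import defaultdict, deque

REGISTRATION_TTL = 3600   # seconds a REGISTER binding stays valid (assumed)
RATE_LIMIT = 3            # max requests of one method per source IP ...
RATE_WINDOW = 10          # ... within this many seconds (assumed values)

# Per-user source-IP lock: user -> IPs allowed to send requests for that user.
# Users absent from the dict have not opted into the lock (assumed policy).
ALLOWED_IPS = {"1001": {"203.0.113.10"}}

# Constructed sample stream of requests that already passed digest auth,
# as (t_seconds, source_ip, method, authenticated_user).
SAMPLE_EVENTS = [
    (0, "203.0.113.10", "REGISTER", "1001"),
    (5, "203.0.113.10", "INVITE", "1001"),     # legit call from registered IP
    (7, "198.51.100.7", "INVITE", "1001"),     # stolen creds, never registered, wrong IP
    (8, "203.0.113.55", "REGISTER", "2002"),
    (9, "203.0.113.55", "INVITE", "2002"),
    (9, "203.0.113.55", "INVITE", "2002"),
    (9, "203.0.113.55", "INVITE", "2002"),
    (10, "203.0.113.55", "INVITE", "2002"),    # 4th INVITE in 10 s -> flood
    (4000, "203.0.113.10", "INVITE", "1001"),  # registration expired -> reject
]


class SipGate:
    def __init__(self, allowed_ips=ALLOWED_IPS, ttl=REGISTRATION_TTL,
                 limit=RATE_LIMIT, window=RATE_WINDOW):
        self.allowed_ips = allowed_ips
        self.ttl = ttl
        self.limit = limit
        self.window = window
        self.registrations = {}             # user -> (ip, t_registered)
        self.recent = defaultdict(deque)    # (ip, method) -> recent timestamps

    def _rate_exceeded(self, t, ip, method):
        q = self.recent[(ip, method)]
        while q and t - q[0] > self.window:  # drop timestamps outside the window
            q.popleft()
        q.append(t)
        return len(q) > self.limit

    def check(self, t, ip, method, user):
        # Layer 1: per-user source-IP lock (only for users that opted in).
        locked = self.allowed_ips.get(user)
        if locked is not None and ip not in locked:
            return ("REJECT", "source IP not allowed for user")
        # Layer 2: flood control per source IP and SIP method.
        if self._rate_exceeded(t, ip, method):
            return ("REJECT", "rate limit exceeded")
        if method == "REGISTER":
            self.registrations[user] = (ip, t)
            return ("ACCEPT", "registration recorded")
        # Layer 3: an INVITE must come from the IP holding a live registration.
        # Attackers placing calls with stolen creds typically skip REGISTER.
        reg = self.registrations.get(user)
        if reg is None or reg[0] != ip or t - reg[1] > self.ttl:
            return ("REJECT", "no valid registration from this IP")
        return ("ACCEPT", "ok")


def evaluate(events=SAMPLE_EVENTS):
    """Run the gate over an event stream; returns (t, ip, method, user, verdict, reason)."""
    gate = SipGate()
    return [(t, ip, method, user, *gate.check(t, ip, method, user))
            for t, ip, method, user in events]


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The order of the checks matters: the IP lock and flood limit run before the registration lookup, so a scanner hammering INVITEs with harvested credentials is throttled and never gets to consume the registration state, and a request that fails the IP lock is rejected without even counting toward the rate window.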