Hacked phones!


(Jared Busch) #21

That is impossible to scale. There are perfectly secure ways to use provisioning files over the internet.


#22

It’s not a good idea to have a PBX system running on an, almost, open network of 2000 devices that may, potentially, try to break into your phone system.
I suggest to setup a VLAN, allowing only known MAC address to obtain DHCP. Add a new device: just register the MAC.
Also, I wrote a custom TFTP that compares the requestor IP with the last phone registration: no match no delivery and block the IP.
Another suggestion is not to keep xml provisioning files on /tftpboot root use, for example a random directory name. A hacker can easily find the phones on the network (nmap), then find the TFTP server with the same method, and request the provisioning file: will include the phone passwords. Also, set your phone provisioning time, for example 2AM, stop and restart the TFTP server just for that window.
Also, on my case, passwords are not stored on the xml file: it’s added upon delivery, getting it directly from the Asterisk’s ‘asterisk’ database. If you change the password on the GUI will be replicated to the phone on the next update, however you may have registration issues if the phone is not updated at the same time.
Also there is NO reason to allow more that one password registration error: ONE strike and your are block, honest error? request admin to unblock.


(system) closed #23

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.