Howto:Protection against Brute Force Attacks

From innovaphone wiki

Applies To

This information applies to

  • innovaphone PBX having direct access to the internet


More Information

Protection against Brute Force Attacks

Security: does your PBX have sufficient protection? There are dangers lurking on the internet. You know this, which is why you protect your systems with appropriate security mechanisms: a firewall protects your network from unauthorised access, and virus protection keeps viruses, worms, trojans etc. at bay and enables carefree surfing and emailing. Telephone systems also need to be equipped with security mechanisms to prevent them from being damaged or attacked. This is especially true for systems directly connected to the internet, which do not have a protected home in a company intranet and are therefore comparatively accessible from the outside world.

Over the past months there have been more and more attacks on telephone systems using the “Brute Force Attack” method. A hacker programme tests user-password combinations or registrations, making many parallel enquiries within a fraction of a second. Once access to the system is gained, abusing it (also called Call Fraud) is easy: the hacker can, for example, make free phone calls at the cost of the telephone system owner. In especially grave cases, hackers have first set up expensive hotlines and then called them via the cracked telephone system, earning the call fees themselves. Some attacks only aim to bring a telephone system to a standstill, causing damage without any further abuse (Denial-of-Service attacks, so-called DoS).

There are many other mechanisms which provide good protection for the innovaphone PBX. However, just following these steps can increase security many times over:

Only create used objects

Sometimes objects are created in the PBX which are then not used actively (e.g. when employees leave the company); these may not even be password protected. Somebody could register externally with the system, try out several extension numbers, find an unused one and cause damage. It is advisable to protect all created objects with a password and to set No. of Regs w/o Pwd to 0.

Conscientious user name and password protection

The well-loved “admin” is often selected for a registration by default. Just a little creativity can make life harder for a hacker when this user is given a special name (e.g. “Fridolin” or “FrauHolle”). As a general rule, having a password does not mean you are protected. The passwords “abc” or “pbx” are not a great obstacle for hackers: it would take a hacker just a couple of minutes to crack these three-character, lower-case passwords. A three-character password combining a lower-case letter, an upper-case letter and a digit would stand up to the same attack for just half an hour. An eight-character password is a different kettle of fish. Even if only lower-case letters are used, a programme needs a grand total of about 37,968 days to try all the combinations; a mixture of lower-case, upper-case and digits would amount to 97,400 years. It should be noted that these figures do not hold against the “dictionary approach”: if you select one of the 5,000 words included in the German and English basic vocabulary, your password would stand for less than one hour. The same applies to personal data such as your own date of birth in any format (e.g. 01.01.1960 or 01.01.60). In order to provide real protection, therefore, the password should be quite long, should not be a dictionary word, should include upper-case and lower-case letters, and should contain special characters and/or digits. This increases the number of possible combinations, thus reducing the probability that the password will be cracked.
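As an added illustration (not part of the original article and not innovaphone's own software), the following Python reproduces the keyspace arithmetic behind the figures above and encodes the stated password rules as a check. The guess rate of 65 per second is an assumption, chosen so that the eight-character lower-case case lands near the article's 37,968 days; the small word list is a constructed stand-in for the 5,000-word basic vocabulary, and all test passwords are made up.

```python
import re
import string

# Assumed attacker speed for the worst-case estimates. The article's figure of
# about 37,968 days for all 26^8 lower-case combinations corresponds to roughly
# 60-70 guesses per second, so 65 guesses/s is used here as a labelled assumption.
ASSUMED_GUESSES_PER_SECOND = 65

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

# Constructed stand-in for the 5,000-word basic vocabulary the article refers to.
TOY_DICTIONARY = {"password", "pbx", "admin", "telefon", "sommer", "hello", "innovaphone"}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords an exhaustive search must try."""
    return charset_size ** length


def worst_case_days(charset_size: int, length: int,
                    rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Days needed to exhaust the whole keyspace at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate / 86400


def character_classes(password: str) -> set:
    """Names of the character classes actually present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def looks_like_date(password: str) -> bool:
    """Day/month/year in the common forms (01.01.1960, 01.01.60, 01011960, 1/1/60)."""
    return re.fullmatch(r"\d{1,2}[./-]?\d{1,2}[./-]?(\d{2}|\d{4})", password) is not None


def check_password(password: str, min_length: int = 8, min_classes: int = 3) -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = character_classes(password)
    if len(classes) < min_classes:
        problems.append(f"uses only {len(classes)} character class(es): {sorted(classes)}")
    if password.lower() in TOY_DICTIONARY:
        problems.append("is a dictionary word")
    if looks_like_date(password):
        problems.append("looks like a date")
    return problems


if __name__ == "__main__":
    # Reproduce the article's four cases: 3 and 8 characters, lower-case only vs. mixed.
    for charset, length, label in [(26, 3, "3 lowercase"), (62, 3, "3 mixed"),
                                   (26, 8, "8 lowercase"), (62, 8, "8 mixed")]:
        print(f"{label:12s} keyspace={keyspace(charset, length):>18,d} "
              f"worst case={worst_case_days(charset, length):,.1f} days")
    for pw in ["abc", "pbx", "01.01.1960", "password", "Tr4ub3n-S4ft!"]:
        print(pw, "->", check_password(pw) or "OK")
```

The exhaustive-search estimate is deliberately the worst case for the attacker; a dictionary or date pattern is caught by the separate rules, which is why `check_password` rejects a ten-character date even though its keyspace figure alone would look reassuring.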

Deactivate “unknown registrations”

There are various functions which support an administrator when commissioning a telephone system and thus simplify the rollout. These are called “Zero Configuration Deployment”. They include “unknown registrations”, which let the administrator register devices with the system without having to enter the appropriate user name and password. This is a real relief, especially for larger installations. The function can be activated or deactivated, so it is important that “unknown registrations” are deactivated once the rollout has been completed; otherwise anyone from outside could register without needing a user name and password.

Only selected error sources and appropriate security mechanisms have been described here. Applying these mechanisms can significantly improve your telephone system’s security. A lesson in the innovaphone Advanced training course is dedicated to the topic of Security. We recommend working through this lesson again; more detailed information can be found in the training course documents.

Configure IP Filter

It is recommended to define global IP address filters to protect the innovaphone PBX from unauthorised access. Only the configured IP subnets are then allowed to register at the PBX. Starting from V8 HF8 there are two different filters: one for registrations without password, and the other for registrations with password.
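The two-filter scheme just described, together with the parallel-enquiry pattern from the introduction, as an added Python model (not innovaphone's code and not its actual log format): registration attempts are read from constructed log lines, each is checked against a separate allow-list for registrations with and without password, and a source that accumulates repeated rejections or authentication failures within a short window is flagged for the administrator. The subnets, the log syntax, the threshold of five failures per minute and every address are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Two global allow-lists modelling the two filters: registrations without a
# password only from the internal phone subnet, registrations with a password
# additionally from a home-office range. Constructed example networks.
FILTER_NO_PASSWORD = [ipaddress.ip_network("192.0.2.0/24")]
FILTER_WITH_PASSWORD = [ipaddress.ip_network("192.0.2.0/24"),
                        ipaddress.ip_network("198.51.100.0/24")]

# Constructed log lines in a made-up format (hypothetical, not innovaphone's syntax):
# "<seconds> REG src=<ip> user=<name> pwd=<yes|no> result=<ok|fail>"
SAMPLE_LOG = """\
0 REG src=192.0.2.10 user=phone-101 pwd=no result=ok
1 REG src=198.51.100.5 user=homeoffice-7 pwd=yes result=ok
2 REG src=198.51.100.5 user=homeoffice-7 pwd=no result=ok
3 REG src=198.51.100.9 user=homeoffice-7 pwd=yes result=fail
10 REG src=203.0.113.7 user=admin pwd=yes result=fail
11 REG src=203.0.113.7 user=admin pwd=yes result=fail
12 REG src=203.0.113.7 user=admin1 pwd=yes result=fail
13 REG src=203.0.113.7 user=100 pwd=yes result=fail
14 REG src=203.0.113.7 user=101 pwd=yes result=fail
15 REG src=203.0.113.7 user=102 pwd=yes result=fail
"""

LINE_RE = re.compile(r"(?P<t>\d+) REG src=(?P<src>\S+) user=(?P<user>\S+) "
                     r"pwd=(?P<pwd>yes|no) result=(?P<result>ok|fail)")


def allowed(src: str, with_password: bool) -> bool:
    """Apply the filter matching the registration type to the source address."""
    ip = ipaddress.ip_address(src)
    nets = FILTER_WITH_PASSWORD if with_password else FILTER_NO_PASSWORD
    return any(ip in net for net in nets)


def parse_line(line: str):
    """Turn one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.fullmatch(line.strip())
    if m is None:
        return None
    return {"t": int(m["t"]), "src": m["src"], "user": m["user"],
            "pwd": m["pwd"] == "yes", "ok": m["result"] == "ok"}


def classify(attempt: dict) -> str:
    """Filter first; only attempts from an allowed subnet reach authentication."""
    if not allowed(attempt["src"], attempt["pwd"]):
        return "filtered"
    return "accepted" if attempt["ok"] else "auth_failed"


def evaluate(log_text: str, threshold: int = 5, window: int = 60):
    """Count outcomes and flag sources with >= threshold failures inside `window` seconds."""
    counts = {"accepted": 0, "filtered": 0, "auth_failed": 0}
    recent = defaultdict(deque)   # per source: timestamps of recent failures
    suspicious = {}               # source -> highest failure count seen in one window
    for line in log_text.splitlines():
        attempt = parse_line(line)
        if attempt is None:
            continue
        outcome = classify(attempt)
        counts[outcome] += 1
        if outcome == "accepted":
            continue
        q = recent[attempt["src"]]
        q.append(attempt["t"])
        while q and attempt["t"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            suspicious[attempt["src"]] = max(suspicious.get(attempt["src"], 0), len(q))
    return counts, suspicious


if __name__ == "__main__":
    counts, suspicious = evaluate(SAMPLE_LOG)
    print("outcomes:", counts)
    print("sources to review:", suspicious)
```

Two things to observe in the sample: the home-office address is accepted when it registers with a password but filtered when it tries without one, which is exactly the distinction the two filters give you; and the outside address never reaches authentication at all, yet its burst of rejections is still counted, so the filter and the failure counter complement rather than replace each other.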

Use H323/TLS with TLS Only

From V11r1, it is recommended to use H.323/TLS instead of plain H.323. In addition to encrypting the call signalling, this allows phones to be registered without any password (certificate based). By setting the TLS Only check-mark in the Devices entry used for registration, password-based registration is disabled. This way, no malicious registration is possible with a leaked or cracked user password.

See

Related Articles

  • Localized articles

Howto-localized:Schutz vor Brute Force Attacken (D)

Howto-localized:Bescherming tegen brute force attacks (NL)

Howto-localized:Protection contre les Attaques par Force Brute (FR)

Howto-localized:Protezione_da_Brute_Force_Attacks (I)

Howto:Protección contra los ataques de fuerza bruta (SP)