HOWTO: Thwarting SIP Scanners during Set-up


Mango:
Quote from: Shale on March 11, 2013, 08:57:16 am

2. Change the (Voice Services)SPx Service->X_UserAgentPort ports for each SPx  to a number not in the 506x range. This seems effective based on people's experience, but how long until the scanners broaden their scans?

I think it is unlikely the scanners will broaden their scans, though of course not impossible.

What they're trying to find is PBX systems set up with default or test settings, for example a User ID of "1001" and password of "password". Once they find such credentials, they can route calls to high-cost destinations through the compromised PBX. We OBi users aren't the target of their activities; we're just a side effect. Since someone who knows enough to change their PBX's port probably also knows not to use easy passwords, I think the scanners will find themselves most successful in the 50xx range.

So, I expect your suggestion is a good one and that using a port in the range of 20000-65535 should be quite safe.

Mango:
Shale,

Perhaps you could add Oleg's solution to this excellent post:

Change the (Voice Services)SPx Service->X_InboundCallRoute: {>('Insert your AuthUserName here'):ph}

Also, perhaps this thread could be made sticky  ;D

m.

Shale:
Thanks. I have made fixes and additions per your suggestions.

QBZappy:
Quote from: Shale on March 11, 2013, 08:57:16 am

If anybody knows an easier way to find the strings actually being used, let us know.


The PhonerLite and Jitsi softphones both have built-in "Wireshark-like" abilities to debug calls. It should be possible to use this as a tool to read the SIP information provided by the call.
http://phonerlite.de/index_en.htm
https://jitsi.org/

Felix:
The more I think about it, Oleg's solution (#4) is bulletproof and doesn't have negative side effects. In other words, it's ideal.

Or what would be the situation when this wouldn't work? I assume that your adapter is not in a DMZ; so if it is not registered with a provider, the port is closed to the internet. And if it is registered, then you have some kind of ID that you can match against X_InboundCallRoute.

Am I missing something? I don't know Oleg (I wish I knew), but it looks like a solution that is genius in its simplicity  :D
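
Added example, not part of the thread and not OBi's own code: a Python sketch of the check Oleg's X_InboundCallRoute rule is described as performing, which also tallies the callee strings seen in a SIP debug log. It assumes the rule compares the user part of the INVITE Request-URI with the AuthUserName; the INVITEs, AUTH_USER and all function names are constructed for illustration.

```python
import re
from collections import Counter

AUTH_USER = "15551230000"  # hypothetical AuthUserName, constructed for this example

# Constructed INVITEs (not captured traffic); IPs are documentation addresses.
SAMPLES = [
    "INVITE sip:1001@203.0.113.7:5060 SIP/2.0\r\n"
    "From: <sip:1001@198.51.100.9>;tag=a1\r\n"
    "User-Agent: friendly-scanner\r\n\r\n",
    "INVITE sip:15551230000@203.0.113.7:5060 SIP/2.0\r\n"
    "From: <sip:16045550100@sip.provider.example>;tag=b2\r\n"
    "User-Agent: provider-proxy\r\n\r\n",
    "INVITE sip:203.0.113.7 SIP/2.0\r\n"
    "From: <sip:unknown@198.51.100.9>;tag=c3\r\n\r\n",
]

REQUEST_LINE = re.compile(r"^INVITE\s+sips?:(?:([^@\s]+)@)?\S+\s+SIP/2\.0$", re.I)

def parse_invite(raw):
    """Return callee (Request-URI user part) and headers, or None if not an INVITE."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header section
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"callee": m.group(1) or "", "headers": headers}

def route(raw, auth_user=AUTH_USER):
    """Mimic the rule: ring only when the callee equals the AuthUserName."""
    inv = parse_invite(raw)
    if inv is None:
        return "ignore"
    return "ring" if inv["callee"] == auth_user else "drop"

def callee_strings(messages):
    """Tally the callee strings seen, to find what a provider actually sends."""
    parsed = (parse_invite(m) for m in messages)
    return Counter(p["callee"] for p in parsed if p is not None)

if __name__ == "__main__":
    for msg in SAMPLES:
        print(route(msg), repr(parse_invite(msg)["callee"]))
```

Feeding `callee_strings` the INVITEs copied from a softphone's SIP debug view shows which string a given provider puts in the Request-URI, which is the value to place in the route rule.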
