During my recent years of deploying VoIP systems I have learned a few things others have probably learned the hard way too.
I thought I had everything set up, with a strong firewall in place including an intrusion-lockout system, until one day I learned that my VoIP account had been compromised.
In fact, it wasn’t that someone hacked into my server or recorded or stole my logon details. No, I found that the hacker had it much easier. He only had to register to my server from outside, guessing my phone extension and matching password. Up to then it hadn’t occurred to me that it is that simple for crims to reroute their offered cheap VoIP termination and earn big bucks with it.
At the latest when such a “hijack” occurs, one learns the lesson: “I should have followed that advice about securing VoIP.”
This type of VoIP unit theft is basically what is often referred to as a “man-in-the-middle attack” and goes like this:
The hacker might employ some software to track VoIP traffic to a VoIP provider. He then obtains the local extension in use from the VoIP data and tries to register the same extension on his server instead, trying simple passwords. When he succeeds, including a test call, he routes his clients’ calls via his new trunk, which is basically your VoIP server.
That’s why you never make your extension password “1234” or the same as your extension. But that’s not all: you also make sure that no one can register extensions on your server from outside. If you have to allow it, limit registrations to a specific IP address, require a strong password and, if possible, run them over a VPN line.
To recap, this is what I was told to do and how else you can secure your VoIP lines:
* Disable non-secure access to your server
* Change all default passwords
* Make all your passwords strong (including upper-case, lower-case and numeric characters)
* Use a secure firewall with no holes
* Use an intrusion-lockout system (for example: fail2ban)
* Use VPN tunnels for outside registrations
* Disallow direct outside registrations of extensions
* Set up a session border controller (SBC)
The above steps are actually easy to implement and should cost you little, if any, money.
There may be additional steps to secure your VoIP deployment, but with those things in place you should be able to sleep without worry.
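A small audit for two of the checks above (weak extension passwords and registrations open to any source address), as an added example that is not part of the original post. The INI layout, the `secret` and `permit` keys, the weak-password list and the 12-character minimum are assumptions made for illustration, not any PBX's real format.

```python
import configparser
import ipaddress

# Constructed sample in a hypothetical INI layout (not any PBX's real format):
# section = extension, "secret" = password, "permit" = allowed source network.
SAMPLE = """
[101]
secret = 1234
[102]
secret = 102
permit = 203.0.113.10/32
[103]
secret = Hq4zRb8nWc3T
permit = 203.0.113.10/32
[104]
secret = Xk5vNd2sYj7G
permit = 0.0.0.0/0
"""
COMMON = {"1234", "0000", "123456", "password", "admin"}  # assumed weak list
MIN_LEN = 12  # assumed minimum; the post gives no number

def password_problems(ext, secret):
    problems = []
    if secret == ext:
        problems.append("password equals extension")
    if secret.lower() in COMMON:
        problems.append("common password")
    if len(secret) < MIN_LEN:
        problems.append("too short")
    classes = (str.isupper, str.islower, str.isdigit)
    if not all(any(f(c) for c in secret) for f in classes):
        problems.append("needs upper, lower and numeric chars")
    return problems

def source_problems(permit):
    if not permit:
        return ["registration allowed from any address"]
    wide = ipaddress.ip_network(permit, strict=False).prefixlen == 0
    return ["permit covers every address"] if wide else []

def audit(text):
    # interpolation=None so a "%" inside a password is read literally
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    found = {e: password_problems(e, cfg[e].get("secret", ""))
             + source_problems(cfg[e].get("permit")) for e in cfg.sections()}
    return {e: p for e, p in found.items() if p}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Extension 103 is the only one that passes both checks; 104 has a strong password but a `permit` that still admits every address.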
And remember – doing it now might save you a lot of trouble.