Don’t Shoot the Messenger!!

It’s the New World of Security Concerns on Phone Systems (SIP & PBXs)


By Scott Mugford, Telrad Security Specialist

Let me tell you the story about a major law firm client of ours and their security breach on their PBX platform.  Our client, a major Vancouver-based law firm, came in one morning and noticed a huge spike in their bandwidth. This client’s IT person really knows their stuff and had their phone system and their regular data traffic on completely different networks in their environment. And thank God he did!!

Their onsite IT person immediately contacted us to find out what was causing the issue.

So we pack up our caffeine and laptops and head downtown to figure out what the heck is going on!!

We arrive onsite and are let into the dungeon room with all the wires and dust and spiders and a whole bunch of blinking lights. This is the type of place where most of us uber nerds feel right at home. Yes, it’s sad, I know.

“I will be in my office … let me know when you figure it out”

Ahhh the magic words. Challenge Accepted!!

So I fire up the old command line on the system and get to work trying to figure out what’s going on.

As always, I start with my best friend and yours, the security log files… so exciting, I know.

Hmmmm, what do we have here??!!

Someone or something is absolutely hammering the SSH port to the tune of a login attempt basically every second!! Holy Denial of Service Attack Batman!! No wonder their bandwidth went through the roof.

Ok, problem found and confirmed. So what the heck do we do about it?

Fortunately, with this client there was no reason to have the SSH port open on the firewall, so we closed the SSH port on the firewall (and a few other unrequired ports, just in case) and boom, problem solved! Bandwidth back to normal and phone system back to normal.

What this little troubleshooting adventure proved to me was that it’s not just new SIP platforms that are at risk. With the move to everything going online, from your fridge to your phone, there are going to be security concerns that we didn’t even think of a few years ago.

ANYTHING with an IP address is at risk, including old PBXs.   So don’t think you are safe because you are on an older technology platform. If it has an IP address you need to take appropriate security measures. Period.

In the Internet-everywhere world that we live in, it is not a matter of IF you are going to be probed for a potential attack, it’s WHEN and HOW OFTEN you are being probed.

That’s an old system, what about newer systems that use SIP and SIP Trunks?

Well there is good news and bad news.

Let’s start with the Bad News.

Hackers are going to hack, and if there is ANYTHING that they can exploit they will absolutely try to exploit it, even if it’s just to get their jollies, and it’s a giant pain in the BLEEEP!!

If you are interested in learning more about SIP and SIP trunks, here is the Wikipedia link (

The layman’s-terms explanation is that instead of your calls going over analog lines they go over the internet, which increases what you can do with your lines and decreases the line costs.

If you’ve been paying attention, and I am sure you have been, this is where your phone system gets a public static IP address, and boom, it is sitting on the internet ready for the hackers to start scanning it for open ports.

The good news is that they aren’t targeting you specifically; they are scanning whole address ranges looking for ANY known vulnerability that they can exploit.

One of the main symptoms of a hack attempt is something called “Ghost Calls”: your phones ring, the caller ID shows something like 100 or 101, and there is nobody on the line.

A lot of these 100@ and 101@ calls come from a SIP scanning program. It is NOT a malicious program as-is. It was written to probe SIP servers to see what could be learned about them, such as which extensions exist and which ones will accept a registration. But in the wrong hands and combined with other tools it can be quite damaging.

In some system setups the 100 series of extensions isn’t even configured. Imagine your surprise when you start getting calls on your system to extensions that don’t even exist!!
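To make the ghost call concrete, here is what one of those scanner INVITEs looks like on the wire and how a PBX could tell it apart from a real call. This is an added example, not code from the original post or from any PBX product; the two SIP messages are constructed, and the set of configured extensions, the IP addresses and the function names are assumptions for illustration.

```python
import re

# Assumption: the extensions this hypothetical PBX actually has configured.
# Nothing in the 100 series exists, which is exactly what the scanner dials.
CONFIGURED_EXTENSIONS = {"200", "201", "202", "210"}

# Constructed sample: the kind of INVITE a SIP scanner sends while walking
# extensions. Caller ID "100", dialling 101, from an address that is not ours.
GHOST_INVITE = (
    "INVITE sip:101@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.77:5060;branch=z9hG4bK-1\r\n"
    'From: "100" <sip:100@203.0.113.10>;tag=abc\r\n'
    "To: <sip:101@203.0.113.10>\r\n"
    "Call-ID: 1@198.51.100.77\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed sample: reception (200) calling extension 201 from the PBX's own LAN side.
LEGIT_INVITE = (
    "INVITE sip:201@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK-2\r\n"
    'From: "Reception" <sip:200@203.0.113.10>;tag=def\r\n'
    "To: <sip:201@203.0.113.10>\r\n"
    "Call-ID: 2@203.0.113.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Request line: METHOD sip:user@host ... ; we want the method and the dialled user.
REQUEST_LINE = re.compile(r"^([A-Z]+)\s+sip:([^@\s]+)@")
# Top Via header: the host the request claims to come from (IPv4 or hostname;
# bracketed IPv6 is not handled here).
VIA_HOST = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^:;\s]+)", re.IGNORECASE | re.MULTILINE)
# User part of the From header, which is what shows up as caller ID.
FROM_USER = re.compile(r"^From:.*?<sip:([^@>]+)@", re.IGNORECASE | re.MULTILINE)


def parse_sip_request(raw):
    """Pull method, dialled extension, source host and caller ID out of a SIP request."""
    m = REQUEST_LINE.match(raw)
    if not m:
        raise ValueError("not a SIP request")
    via = VIA_HOST.search(raw)
    frm = FROM_USER.search(raw)
    return {
        "method": m.group(1),
        "target": m.group(2),
        "source_ip": via.group(1) if via else None,
        "caller": frm.group(1) if frm else None,
    }


def classify_invite(raw, configured=CONFIGURED_EXTENSIONS):
    """Return (verdict, source_ip, dialled_extension).

    'probe'  : INVITE to an extension that does not exist on this PBX (ghost call)
    'ok'     : INVITE to a configured extension
    'ignore' : some other SIP method
    """
    req = parse_sip_request(raw)
    if req["method"] != "INVITE":
        return ("ignore", req["source_ip"], req["target"])
    if req["target"] not in configured:
        return ("probe", req["source_ip"], req["target"])
    return ("ok", req["source_ip"], req["target"])


def probe_sources(messages, configured=CONFIGURED_EXTENSIONS):
    """Distinct source addresses that sent INVITEs to non-existent extensions."""
    return sorted({src for verdict, src, _ in
                   (classify_invite(m, configured) for m in messages)
                   if verdict == "probe"})


if __name__ == "__main__":
    for msg in (GHOST_INVITE, LEGIT_INVITE):
        print(classify_invite(msg))
    print("scanner sources:", probe_sources([GHOST_INVITE, LEGIT_INVITE]))
```

The decision rule is deliberately simple: an INVITE for an extension you never created has no legitimate reason to exist, so its source address is a scanner. Note that answering such a probe with a SIP 404 still tells the scanner there is a live PBX here; dropping the source at the firewall, as the list below suggests, is the quieter option.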

What do we do about it?

The steps to make sure you are secure are very similar to the things that you do when you buy a new computer.

  • Make sure the system is well protected with a good quality firewall (a modern one if at all possible) and that it is placed in a DMZ if you need to have it on a public IP.
  • If your system is Linux based, update your iptables rules to block traffic from IPs that are port scanning or brute-forcing your system, and only open the ports the phone system actually needs.
  • Or purchase an IP blocking solution from a third party like SIPProt that automatically blocks an IP address after three failed authentication attempts.
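The “block after three failed attempts” rule from the list, and the SSH hammering from the law firm story, both come down to the same job: read the logs, count failures per source address, and drop the sources that cross a threshold. Here is that job as an added example, not code from the original post, from SIPProt or from any other product. The log lines are constructed (sshd lines in the usual auth.log shape, and Asterisk chan_sip registration-failure notices), the threshold, the allow list and the function names are assumptions, and the iptables commands are returned as strings rather than executed so it runs without root.

```python
import ipaddress
import re
from collections import Counter

# sshd failure as written to auth.log (covers "invalid user" attempts too)
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)
# Asterisk chan_sip registration failure: the address after "failed for" is the
# real source, not the identity the scanner claims in the From header
ASTERISK_FAIL = re.compile(
    r"chan_sip\.c: Registration from '.*?' failed for '([\d.]+):\d+' - "
    r"(?:Wrong password|No matching peer found)"
)

# Constructed sample log: one outside host brute-forcing SSH and then SIP,
# one office admin fat-fingering their password, one host with only two SIP failures.
SAMPLE_LOG = [
    "Mar  3 09:14:01 pbx sshd[2231]: Failed password for root from 198.51.100.77 port 51234 ssh2",
    "Mar  3 09:14:02 pbx sshd[2231]: Failed password for root from 198.51.100.77 port 51235 ssh2",
    "Mar  3 09:14:03 pbx sshd[2233]: Failed password for invalid user admin from 198.51.100.77 port 51236 ssh2",
    "Mar  3 09:14:04 pbx sshd[2235]: Failed password for invalid user admin from 198.51.100.77 port 51237 ssh2",
    "Mar  3 09:14:05 pbx sshd[2237]: Accepted publickey for itadmin from 192.168.1.20 port 40022 ssh2",
    "Mar  3 09:14:06 pbx sshd[2239]: Failed password for itadmin from 192.168.1.20 port 40023 ssh2",
    "Mar  3 09:14:07 pbx sshd[2239]: Failed password for itadmin from 192.168.1.20 port 40023 ssh2",
    "Mar  3 09:14:08 pbx sshd[2239]: Failed password for itadmin from 192.168.1.20 port 40023 ssh2",
    "[2015-03-03 09:14:09] NOTICE[1802] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.10>' failed for '198.51.100.77:5060' - Wrong password",
    "[2015-03-03 09:14:10] NOTICE[1802] chan_sip.c: Registration from '\"101\" <sip:101@203.0.113.10>' failed for '198.51.100.77:5060' - No matching peer found",
    "[2015-03-03 09:14:11] NOTICE[1802] chan_sip.c: Registration from '\"201\" <sip:201@203.0.113.10>' failed for '203.0.113.200:5060' - Wrong password",
    "[2015-03-03 09:14:12] NOTICE[1802] chan_sip.c: Registration from '\"201\" <sip:201@203.0.113.10>' failed for '203.0.113.200:5060' - Wrong password",
]


def failed_auth_sources(lines):
    """Count failed SSH and SIP authentications per source IP across both log formats."""
    counts = Counter()
    for line in lines:
        for pattern in (SSHD_FAIL, ASTERISK_FAIL):
            m = pattern.search(line)
            if m:
                counts[m.group(1)] += 1
                break
    return counts


def block_rules(lines, threshold=3, allow=("192.168.0.0/16",)):
    """iptables commands for every source at or over the threshold, skipping allowed networks.

    The allow list exists so a typo from the office LAN never locks out the
    IT person or the phones themselves; 'allow' is an assumed default.
    """
    allowed = [ipaddress.ip_network(n) for n in allow]
    rules = []
    for ip, failures in sorted(failed_auth_sources(lines).items()):
        if failures < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allowed):
            continue
        rules.append(f"iptables -I INPUT -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    for ip, n in failed_auth_sources(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} failed attempts")
    for rule in block_rules(SAMPLE_LOG):
        print(rule)
```

Run against the sample, the outside host shows six failures and earns a DROP rule, the office admin's three failures are ignored because of the allow list, and the host with two SIP failures stays under the threshold. In production you would feed this a tail of the live logs on a timer and pair it with a rule that expires the blocks, which is roughly what the third-party blockers mentioned above do for you.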

Is it fair that you get a brand new system and then the first thing you have to think about is how to protect it?

If you went and spent a bunch of money on a brand new bike, would you walk out of the store without a lock? Would you buy a new computer and not install antivirus software on it?

Just like a new computer that has been properly protected with the proper security measures, your phone system can provide you with excellent, reliable service for many years to come.