Security Considerations

From Integrics Wiki
Revision as of 04:47, 8 January 2020 by Dcunningham (talk | contribs)

Technical:

  • Disallow routes to countries that customers don't need, especially high-fraud countries.
  • Set a daily spending limit and maximum concurrent calls limit for all customers.
  • Set the "Telephone line failed registrations lock" and "Person failed logins lock" system configurations to be non-zero.
  • Require long password lengths for phones and people.
  • Change the SSH port from 22 to something non-standard.
  • Use iptables to lock out countries where you do not have customers.
  • Set Asterisk servers to use non-default ports for SIP, like 5065 instead of 5060.
  • Make sure all handsets have a username and password which are not the device's defaults.
  • Monitor servers with a tool like Zabbix, Nagios, or Cacti to alert if there are more calls than expected.

SIPSentry can be used to automatically block brute-force attacks: http://sipsentry.com/
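As an added example that is not part of this wiki page or of Enswitch itself: a shell script that turns a maintained list of country CIDR ranges into iptables rules dropping SIP and SSH traffic from those ranges, with both services on the non-standard ports recommended above. The CIDR file format, the chain name ENSWITCH_GEOBLOCK, and the ports 5065 (SIP) and 2222 (SSH) are assumptions; nothing is applied until you pipe the reviewed output to sh as root.

```shell
#!/bin/sh
# Added example, not from the Integrics wiki. Generates iptables commands
# that drop SIP and SSH traffic from country ranges you do not serve.
# Assumptions: a file with one IPv4 CIDR per line (for example exported
# from a GeoIP database), SIP on UDP 5065, SSH on TCP 2222.

SIP_PORT=5065
SSH_PORT=2222
CHAIN=ENSWITCH_GEOBLOCK

# Print the iptables commands for one CIDR file. Nothing is executed here;
# review the output, then run it as root with: build_geoblock_rules f | sh
build_geoblock_rules() {
    cidr_file="$1"
    # Create the chain, or flush it if it already exists, so reruns are idempotent.
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    # Skip blank lines and comments; refuse anything that does not look like a CIDR,
    # so a typo in the list cannot silently turn into an iptables error mid-apply.
    grep -Ev '^[[:space:]]*(#|$)' "$cidr_file" | while read -r cidr; do
        case "$cidr" in
            [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*)
                echo "iptables -A $CHAIN -s $cidr -j DROP" ;;
            *)
                echo "# skipped malformed entry: $cidr" ;;
        esac
    done
    # Sources not in the block list fall back to the normal INPUT rules.
    echo "iptables -A $CHAIN -j RETURN"
    # Only the SIP and SSH ports are routed through the geoblock chain.
    echo "iptables -I INPUT -p udp --dport $SIP_PORT -j $CHAIN"
    echo "iptables -I INPUT -p tcp --dport $SSH_PORT -j $CHAIN"
}

# Stand-alone use: ./geoblock.sh blocked-countries.txt
if [ "$#" -ge 1 ]; then
    build_geoblock_rules "$1"
fi
```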

Secure provisioning using one or more of the following:

  • Use a provisioning password in Enswitch 4.1 and above
  • Use the source IP setting in Enswitch telephones.
  • Restrict access by user-agent.
  • Restrict access to a private domain.
  • Use HTTP basic authentication.
  • Use TFTP username and password authentication.

Non-technical:

  • Educate customers on choosing good passwords.
  • Have contracts to make sure the right person pays if they are hacked and run up a huge bill.