ScopServ Hardening Guide – Enhance System Security

This guide is designed to provide you with essential information about how to harden the ScopServ Telephony PBX server. You should use this guide as part of your overall security strategy for ScopTEL.

 

Password Policy

If you are not already using strong passwords, choose passwords that contain:

  • A minimum of 8 characters
  • A mix of upper and lower case letters
  • A mix of letters and numbers
  • Non-alphanumeric characters (e.g. special characters such as ! " £ $ % ^ etc.)

Strong passwords benefit every aspect of system security.

How to change the ‘admin’ password

The default user name to log into the ScopTEL PBX is admin and the default password is admin. To improve the security of your server, you should change the administrative password immediately after installing the server.

Log into the GUI, click on Tools -> Password and enter a new password.

Tools -> Password


Enable SSL access on the GUI

HTTPS is a secure communications channel that is used to exchange information between a client computer and a server. It uses Secure Sockets Layer (SSL). To enable SSL in ScopTEL and encrypt/decrypt the information that is transferred over the network, first log into the GUI, then:

  • Go to Configuration -> Server -> Configuration
  • Go to the Security (SSL) tab and click on ‘Edit’ button
  • Click on ‘Enable SSL’ then check the ‘Use Self-Sign SSL key’ option.
  • Click on ‘Save’
Server -> Configuration -> SSL


How to protect the SSH server

We recommend changing the default root password and creating a dedicated user for logging into the server.

Change the ‘root’ password:

  • Log into the server using SSH; we recommend ‘PuTTY’ as the client.
  • Enter the IP of the SSH server and click on Connect/Open
  • At the login prompt, enter: root
  • The default password is: scopserv

Add a new username:

  • From the SSH session, run ‘adduser admin’
  • Disable SSH root login from the Server

Protect against SSH brute-force

If you are using SSH to connect to your server console, then sooner or later you will notice someone trying to hack into your box using dictionary attacks.

  • Go to Configuration -> Server -> SSH Server
  • Open the Security tab and click on ‘Edit’ button
  • Enable the option ‘Automatically blocks SSH attacks’
  • Click on Save

Once DenyHosts is enabled, you must enable the service on boot:

  • Go to Configuration -> Server -> General and click on Edit Services
  • Enable the ‘DenyHosts’ service and click ‘Save’
SSH Bruteforce Protection
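
How this kind of blocking works in principle, as an added example (not ScopTEL or DenyHosts code): it counts failed SSH logins per source address over constructed log lines and lists the hosts that reach a threshold. The log lines follow the usual OpenSSH "Failed password" format; the thresholds, host name and addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sshd log lines (documentation-range addresses, made-up host "pbx").
SAMPLE_LOG = """\
Mar  3 10:15:01 pbx sshd[2211]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 10:15:04 pbx sshd[2214]: Failed password for invalid user test from 198.51.100.23 port 41000 ssh2
Mar  3 10:15:06 pbx sshd[2215]: Failed password for invalid user guest from 198.51.100.23 port 41002 ssh2
Mar  3 10:15:09 pbx sshd[2216]: Failed password for invalid user oracle from 198.51.100.23 port 41004 ssh2
Mar  3 10:16:30 pbx sshd[2301]: Failed password for admin from 192.0.2.10 port 40000 ssh2
Mar  3 10:16:41 pbx sshd[2301]: Accepted password for admin from 192.0.2.10 port 40000 ssh2
Mar  3 10:17:02 pbx sshd[2320]: Failed password for invalid user x from 192.0.2.10 port 1 ssh2 from 198.51.100.99 port 4000 ssh2
"""

# The user name is attacker-controlled and can itself contain "from <ip>", so
# the greedy user group plus the "$" anchor take the address from the line's end.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>.*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh2)?$"
)

# Assumed thresholds: failed logins from one address before it is blocked.
THRESHOLDS = {"root": 1, "invalid": 3, "valid": 5}


def count_failures(log_text):
    """Count failed logins per (source IP, account kind)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line.rstrip())
        if m:
            kind = "invalid" if m["invalid"] else "root" if m["user"] == "root" else "valid"
            counts[(m["ip"], kind)] += 1
    return counts


def hosts_to_block(log_text, thresholds=THRESHOLDS, allowlist=()):
    """Return the sorted source IPs that reached a threshold and are not allowlisted."""
    return sorted({
        ip for (ip, kind), n in count_failures(log_text).items()
        if n >= thresholds[kind] and ip not in allowlist
    })


if __name__ == "__main__":
    print(hosts_to_block(SAMPLE_LOG))
```

The last sample line carries a second address inside the user name; it is counted against the address at the end of the line, so an administrator's address cannot be pushed over a threshold through the user name field.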


Firewall

Firewall policies consist of one or more rules that work together to allow or block users from accessing the network. The ScopTEL integrated firewall protects your server from undesirable traffic.

  • Go to Configuration -> Network -> Firewall
  • Click on Configuration Wizard and follow instructions.

If you need remote access to the server, you need to allow traffic to ports 22/tcp (SSH) and 5555/tcp (GUI). For VoIP protocols, you can allow traffic to 5060/udp (SIP), 4569/tcp (IAX2) and the range 10000-20000/udp (RTP).

Network -> Firewall


Protect against SIP/IAX2 brute-force

In a brute-force attack, an attacker runs an automated application/script that tries to determine an account’s password from a given list of passwords (dictionary file). If you are using ScopTEL PBX, you can take advantage of the ‘Flood Protection’ system under Telephony configuration.

  • Go to Configuration -> Telephony -> Configuration
  • Open the Security tab and click on the ‘Edit’ button
  • On the ‘Flood Protection’ section, enable the ‘Automatically blocks SIP/IAX2 attacks’ option and click on ‘Save’

Password Policy

A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization’s official regulations and may be taught as part of security awareness training. The password policy may either be advisory or mandated by technical means.

Voicemail Password:

  • Go to Configuration -> Telephony -> Configuration
  • Open the Security tab and click on the ‘Edit’ button
  • Enable the Trivial Password Check
  • Set the Minimum Length (ex. 6 digits)

SIP / IAX2 Password Policy:

  • Go to Configuration -> Telephony -> Configuration
  • Open the Security tab and click on the ‘Edit’ button
  • Enable the Password Policy option and click ‘Save’
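
A checker for the four password criteria listed at the top of this guide and for the voicemail minimum length and trivial password check, as an added example (not ScopTEL code). What counts as a "trivial" PIN here (repeated digits, straight runs, a PIN built from the mailbox number, a repeated half) is an assumption; the product's own rules may differ.

```python
def password_problems(password, min_length=8):
    """Return which of the guide's four criteria a password fails."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs both upper and lower case letters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs both letters and numbers")
    if all(c.isalnum() for c in password):
        problems.append("needs a non-alphanumeric character")
    return problems


def is_trivial_pin(pin, extension="", min_length=6):
    """Assumed notion of a trivial voicemail PIN (see the note above the code)."""
    if not (pin.isascii() and pin.isdigit()) or len(pin) < min_length:
        return True
    digits = [int(d) for d in pin]
    # Differences between neighbouring digits: {0} = 000000, {1} = 123456, {-1} = 654321.
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps <= {0} or steps == {1} or steps == {-1}:
        return True
    # PIN that contains the mailbox number, or is that number reversed.
    if extension and (extension in pin or pin == extension[::-1]):
        return True
    # Same block typed twice, e.g. 482482.
    half = len(pin) // 2
    return len(pin) % 2 == 0 and pin[:half] == pin[half:]


if __name__ == "__main__":
    for candidate in ("admin", "scopserv", "Tr1cky!pbx"):   # first two are the defaults named above
        print(candidate, password_problems(candidate))
    for pin in ("123456", "200120", "739154"):              # constructed PINs, mailbox 2001
        print(pin, is_trivial_pin(pin, extension="2001"))
```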

Define Access Control List for Extensions (SIP/IAX2)

An Access Control List refers to rules that are applied to SIP/IAX2 protocols, each with a list of hosts and/or networks permitted to use the service. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.

  • Go to Configuration -> Telephony -> Extensions
  • Go to the Security (ACL) tab and click on ‘Add a new ACL’
  • Set the name of the group (ex. Local) and add list of allowed IP/networks
  • Click on ‘Add’ to save the new group
  • Go to Configuration -> Telephony -> Extensions
  • Go to the Phones tab, select an extension and click on ‘Edit’ button
  • Go to the ‘Authentication’ tab and select the group (ex. Local) on the ‘Security (ACL) Mode’ option

 

Access Control List (ACL)
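
A model of the allow-list check described above, as an added example (not ScopTEL code): it parses a group's allowed entries, decides whether a source address may use an extension, and flags entries that reach beyond private address space. The group contents and addresses are constructed, and plain allow-list semantics (listed hosts and networks permitted, everything else refused) are assumed.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical allowed list for a group named "Local" (constructed values).
LOCAL_ACL = ["192.168.10.0/24", "10.20.0.0/255.255.0.0", "192.168.50.7"]


def parse_acl(entries):
    """Parse entries given as a single IP, CIDR or ip/netmask; raise ValueError on junk."""
    # strict=False tolerates host bits (192.168.10.5/24) instead of rejecting the entry.
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_permitted(source_ip, networks):
    """True when the source address falls inside any allowed network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)


def audit_acl(networks):
    """Return allowed entries that reach beyond private (RFC 1918) address space."""
    findings = []
    for net in networks:
        private = net.version == 4 and any(net.subnet_of(r) for r in RFC1918)
        if net.prefixlen == 0:
            findings.append(f"{net}: matches every address, the ACL restricts nothing")
        elif not private:
            findings.append(f"{net}: not inside RFC 1918 private space")
    return findings


if __name__ == "__main__":
    nets = parse_acl(LOCAL_ACL)
    for src in ("192.168.10.44", "10.21.0.1", "198.51.100.23"):   # constructed sources
        print(src, "permitted" if is_permitted(src, nets) else "refused")
    print(audit_acl(parse_acl(["0.0.0.0/0", "203.0.113.0/24"])))
```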


VoIP Distributed Blacklist

VoIPBL is a distributed VoIP blacklist that aims to protect against VoIP fraud and minimize abuse for networks that have publicly accessible PBXs, and it is fully integrated into the ScopTEL PBX. This application can also blacklist and/or whitelist specific countries or Regional Internet Registries (e.g. ARIN), and it interacts directly with the Network Firewall.

  • Go to Configuration -> Telephony -> Configuration
  • Open the Security tab and click on the ‘Edit’ button
  • Check the option Enable VoIP Blacklist support and click Save.

 
