INTRODUCTION:
Thank you for using our SIP Security Scanner! Here is some further information about the results produced by our scan:
Our test first scans the port and IP that your device is registered on. Then we try to contact the device that is registered to your trunk and perform some basic penetration tests. Both of these sets of communication come from an IP which is not associated with our SIP communications in any way. Accordingly, your server should not be responding to traffic from that IP.
If you get a message that you have failed our security test, it means that your device responded to at least one of our tests. You can fail for one or all of the following reasons:
1. Our server is able to get a response from your SIP server indicating that the port you are using for SIP signalling is visible to our server
2. Our server is able to get a response from your SIP server indicating the type of SIP software you are running
3. Our server is able to get a response from your SIP server indicating it is willing to accept SIP traffic from our server
ARE YOUR PORTS OPEN?
If your server is able to respond to traffic from our test server, that represents a security vulnerability. This could be intentional or unintentional. If you intend to allow anyone in the world to connect to your SIP server, or if you must have the ability for an outside user to connect to your SIP server from any IP in the world, no further reading is required. Simply ensure you have incredibly strong passwords on the system and may the deity of your choice have mercy upon your soul.
If you do not intend to allow SIP traffic to reach you from anywhere in the world, and you have failed our test, you need to begin determining why you failed. The first step is to find a port scanning service and direct it at the IP and port listed in your registration with SIP.US. A good place to start may be CanYouSeeMe.org, but you will need to be at the same site and accessing the internet from the same IP as your SIP server. If you are not accessing the internet from the same IP as your SIP server, you will need to find another site which allows you to specify the IP and port you wish to check. If you run a port scanning service and it says that the port you are testing is closed, that is a very good thing. However, in that case our server disagrees with your result, and you need to open a support ticket using the link in the upper-right corner of this page (be sure to note what service you used) to find out exactly what we are seeing.
RESTRICTING PORT ACCESS
If the port scanning service you have used says your port is open (or able to be seen) you need to figure out a way to limit access to that port. Typically this is done on your router or firewall. If your equipment allows it, please only enable access on the SIP port for the IP address of gw1.sip.us (65.254.44.194) and gw2.sip.us (74.81.71.18). Note that all inbound and outbound SIP traffic with SIP.US will only involve those two IP addresses and we do not intend to change them. However, some network equipment does not allow you to restrict access by IP address and/or port.
If you find yourself unable to restrict access to the SIP port on your firewall or router, you will need to see if the PBX has this capability. ANY PBX running on a Linux server will have the ability to use firewalld or iptables; the only requirement is that you have root access or sudo permissions on that device to install and configure them. These are host-based firewalls which can be configured to limit access to your SIP port based on the source IP address. However, you may not have to use these software packages.
Many PBXs have a host-based firewall built into the Graphical User Interface (GUI). Among these are 3CX, FreePBX 13+, and many more. You should contact your PBX manufacturer/developer/community for more information on how to configure their internal firewall. Some are more advanced than others, so your mileage may vary. You can run our test as many times as necessary to see if you have achieved the results you are looking for.
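As an added example (not SIP.US's own tooling, and not a substitute for your PBX's built-in firewall), the following POSIX shell script generates the iptables rules that implement the restriction described above: accept SIP signalling only from gw1.sip.us (65.254.44.194) and gw2.sip.us (74.81.71.18), log a rate-limited sample of anything else that reaches the SIP port, and drop it. The port number 5060 is an assumption (the standard SIP signalling port); substitute the port shown in your SIP.US registration. The script only prints the rules so you can review them before applying them with root or sudo.

```shell
#!/bin/sh
# Added example: build a host-firewall allow-list for the SIP signalling port.
# Constructed values: SIP_PORT defaults to 5060 (assumption); the two trusted
# addresses are the SIP.US gateways named on this page.
SIP_PORT="${SIP_PORT:-5060}"
TRUSTED_IPS="65.254.44.194 74.81.71.18"

# sip_rules PORT IP [IP...]
# Print one iptables command per line: an ACCEPT for each trusted IP (UDP and
# TCP), then a rate-limited LOG and a DROP for everything else on that port.
# Refuses to run with an empty allow-list, since that would lock out the trunk.
sip_rules() {
    port="$1"
    shift
    if [ "$#" -eq 0 ]; then
        echo "sip_rules: refusing to generate a DROP-only ruleset (no trusted IPs given)" >&2
        return 1
    fi
    for ip in "$@"; do
        printf 'iptables -A INPUT -p udp -s %s --dport %s -j ACCEPT\n' "$ip" "$port"
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$ip" "$port"
    done
    # Log a sample of rejected traffic so brute-force attempts remain visible
    # without flooding syslog, then drop the packet.
    printf 'iptables -A INPUT -p udp --dport %s -m limit --limit 5/min -j LOG --log-prefix "SIP-DROP "\n' "$port"
    printf 'iptables -A INPUT -p udp --dport %s -j DROP\n' "$port"
    printf 'iptables -A INPUT -p tcp --dport %s -m limit --limit 5/min -j LOG --log-prefix "SIP-DROP "\n' "$port"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# sip_rule_count PORT IP [IP...]
# Number of rules the allow-list produces: 2 per trusted IP plus 4 fallback rules.
sip_rule_count() {
    sip_rules "$@" | wc -l | tr -d ' '
}

# Print the ruleset for review. To apply it, run the output as root, e.g.
#   sh sip_rules.sh | sudo sh
# and confirm with:  iptables -L INPUT -n --line-numbers
sip_rules "$SIP_PORT" $TRUSTED_IPS
```

The rules are appended to the INPUT chain, so they must come before any broader ACCEPT rule that already matches the SIP port; check the chain order with `iptables -L INPUT -n --line-numbers` after applying. If your PBX also listens on a separate media (RTP) port range, this script does not cover it.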
HARDENING YOUR SIP SERVER
In the rare case where you must leave the port open/exposed due to technical or knowledge-based limitations, your SIP server should not be responding to SIP requests from just anywhere. Be sure to work with your PBX manufacturer/developer/community to prevent your PBX from responding to unauthorized requests. This is typically achieved through a combination of dialplan rules, requiring registration, restricting authorized SIP servers by IP and port, and rate limiting the number of requests allowed per minute. If that is your aim, and you have successfully restricted SIP signalling to reject anonymous requests at the SIP software level, our security test should display a message like:
“Your ports are visible to hackers but your PBX is configured to minimize intrusions. We still recommend reducing port visibility if possible.”
That message essentially tells you that the door is locked, but the lights are still on. You will likely experience brute force attacks against your system on a daily basis. Your only real defense is strong passwords. Be sure to use extremely strong passwords EVERYWHERE (extensions, peers, users, etc.) on this system. If you intend to leave your system in this state, it would be a good candidate for some security by obscurity (using alternative SIP ports, using odd or long extension numbers, making usernames hard to guess).
PARTING WORDS
Lastly, if your firewall and your PBX are conspiring against you to prevent security (perhaps with management's explicit approval) consider the possibility of using a different software and different networking equipment. If that's not in the budget or management rebuffs such a request for any reason, we suggest searching for new employment. In the meantime, please be sure to note your objections in writing.