ScopServ – Enhance System Security

ScopServ Hardening Guide – Enhance System Security

This guide is designed to provide you with essential information about how to harden the ScopServ Telephony PBX server. You should use this guide as part of your overall security strategy for ScopTEL.


Password Policy

Hopefully you already use strong passwords, but if you do not, choose passwords that contain:

  • Minimum of 8 characters
  • Mix of upper and lower case letters
  • Mix of letters and numbers
  • Non-alphanumeric characters (e.g. special characters such as ! " £ $ % ^ etc.)

Strong passwords benefit every aspect of system security.

How to change the ‘admin’ password

The default user name to log into the ScopTEL PBX is admin and the default password is admin. To improve the security of your server, you should change the administrative password immediately after installing the server.

Log into the GUI, click on Tools -> Password and enter a new password.

Enable SSL access on the GUI

HTTPS is a secure communications channel used to exchange information between a client computer and a server. It uses Secure Sockets Layer (SSL), or its successor TLS, to encrypt the connection. To enable SSL in ScopTEL refer to https://service.scopserv.com/portal/en/kb/articles/scoptel-certificate-manager


How to protect the SSH server

We recommend changing the default root password.

Change the ‘root’ password:

  • Log into the server using SSH; we recommend PuTTY as the client.
  • The default root password is: scopserv
  • Change the default password with the command 'passwd'.
  • You will be prompted to enter a new password and to confirm it.

Protect against SSH brute-force

If you use SSH to connect to your server console, you will sooner or later notice someone trying to break into your box using dictionary attacks. These attempts are captured in the asterisk -vr console.

  • Go to Configuration -> Server -> SSH Server
  • The default SSH port number is 22; changing it to a custom value reduces brute-force attacks from scanners that only look for port 22.
  • Open the Security tab, click on the ‘Edit’ button and make any changes.
  • On the Security tab, Allowed Hosts (Restriction) can be edited to permanently whitelist specific IP addresses and/or subnets.

With DenyHosts enabled, you must also enable the service on boot:

  • Go to Configuration -> Server -> General and click on Edit Services
  • Enable the ‘DenyHosts’ service and click ‘Apply Change’
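What DenyHosts does in the background can be illustrated with a short detection script. This is an added example, not ScopTEL or DenyHosts code: it reads sshd log lines in syslog format (as found in /var/log/secure or auth.log), counts failed passwords per source IP inside a sliding time window, and produces the hosts.deny entries DenyHosts would write. The log lines, the threshold and the window are constructed/assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format (not from a real ScopTEL server).
SAMPLE_LOG = """\
Mar  3 10:00:01 pbx sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 pbx sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:04 pbx sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51241 ssh2
Mar  3 10:00:09 pbx sshd[2110]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:00:11 pbx sshd[2112]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar  3 10:01:20 pbx sshd[2120]: Failed password for root from 198.51.100.9 port 40000 ssh2
Mar  3 10:05:00 pbx sshd[2130]: Accepted publickey for admin from 192.0.2.10 port 52000 ssh2
Mar  3 11:30:00 pbx sshd[2140]: Failed password for root from 198.51.100.9 port 40001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip, user) for each failed-password line; syslog omits the year."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def offenders(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: time_of_trigger} for sources that reach `threshold` failures
    inside any sliding `window` (assumed values; tune them to your environment)."""
    attempts = defaultdict(list)
    for ts, ip, _user in parse_failures(log_text):
        attempts[ip].append(ts)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = t
                break
    return flagged

def hosts_deny_lines(flagged):
    """DenyHosts blocks by default by writing 'sshd: <ip>' entries into /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in sorted(flagged)]
```

Whitelisting your own management subnet, as the Allowed Hosts setting above does, is the safeguard against locking yourself out with such a rule.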



Firewall

Firewall policies consist of one or more rules that work together to allow or block users from accessing the network. The ScopTEL integrated firewall protects your server from undesirable traffic.

  • Go to Configuration -> Network -> Firewall
  • Click on Configuration Wizard and follow instructions.

If you need remote access to the server, you need to allow traffic to ports 22/tcp (SSH) and 5555/tcp (GUI).

The Firewall Wizard adds rules for MGCP traffic but does not automatically add rules for SIP TCP or SIP TLS traffic.
If ScopCOMM or TLS/SRTP is going to be implemented, the required ports are:

  • 5060/udp
  • 5060-5061/tcp
  • 4569/udp
  • 10000-20000/udp



Protect against SIP/IAX2 brute-force

Brute-force attacks happen when an attacker runs an automated application or script that tries to determine an account’s password from a given list of passwords (a dictionary file). Sometimes a malicious SIP User Agent is used to penetrate the server by scanning for open SIP ports and then probing them for vulnerabilities.

  • Go to Configuration -> Telephony -> Configuration
  • Open the Security tab and click on the ‘Edit’ button
  • Set Enable Password Policy for SIP/IAX2 extensions to Yes
  • Set Automatically fix invalid password to Yes
  • On the ‘Flood Protection’ section, enable the ‘Automatically blocks SIP/IAX2 attacks’ option
  • If Flood Protection is enabled, then by default any IP address the server detects as attacking is also added to the distributed https://voipbl.org/ blacklist.
  • Enable Block SIP attacks based on User Agent
  • Enable VoIP Blacklist support
  • Save when done
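The two detection ideas in this list, counting failed registrations per source and blocking on the User-Agent, can be illustrated with an added example (not ScopTEL's own code). It parses constructed chan_sip-style "Registration from ... failed" log lines and a constructed REGISTER request; the scanner User-Agent denylist and the thresholds are assumptions you would adapt.

```python
import re
from collections import defaultdict

# Constructed Asterisk log lines in the chan_sip "Registration ... failed" style and a
# constructed REGISTER request; none of this is from a real server.
SAMPLE_LOG = """\
[Mar  3 10:10:01] NOTICE[1890] chan_sip.c: Registration from '"100" <sip:100@192.0.2.5>' failed for '203.0.113.50:5062' - Wrong password
[Mar  3 10:10:01] NOTICE[1890] chan_sip.c: Registration from '"101" <sip:101@192.0.2.5>' failed for '203.0.113.50:5062' - No matching peer found
[Mar  3 10:10:02] NOTICE[1890] chan_sip.c: Registration from '"102" <sip:102@192.0.2.5>' failed for '203.0.113.50:5062' - No matching peer found
[Mar  3 10:10:02] NOTICE[1890] chan_sip.c: Registration from '"103" <sip:103@192.0.2.5>' failed for '203.0.113.50:5062' - Wrong password
[Mar  3 10:12:40] NOTICE[1890] chan_sip.c: Registration from '"200" <sip:200@192.0.2.5>' failed for '198.51.100.23:5060' - Wrong password
"""
SAMPLE_REGISTER = (
    "REGISTER sip:192.0.2.5 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.50:5062;branch=z9hG4bK-1\r\n"
    "From: \"100\" <sip:100@192.0.2.5>;tag=1\r\n"
    "To: \"100\" <sip:100@192.0.2.5>\r\n"
    "User-Agent: friendly-scanner\r\n"
    "Content-Length: 0\r\n\r\n"
)

FAILED_RE = re.compile(
    r"Registration from '(?P<frm>[^']*)' failed for '(?P<ip>[^':]+)(?::\d+)?' - (?P<reason>.*)$"
)
# Illustrative substrings of User-Agent values used by well-known SIP scanners; maintain it yourself.
SCANNER_UA = ("friendly-scanner", "sipvicious", "sipcli", "sip-scan")

def failed_registrations(log_text):
    """Per source IP: [number of failures, set of account names tried]."""
    stats = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        acct = re.search(r"sip:([^@>]+)@", m["frm"])
        stats[m["ip"]][0] += 1
        stats[m["ip"]][1].add(acct.group(1) if acct else "?")
    return stats

def brute_force_sources(log_text, max_failures=3, max_accounts=3):
    """IPs to block: too many failures, or too many different accounts tried (enumeration)."""
    return sorted(ip for ip, (n, accts) in failed_registrations(log_text).items()
                  if n >= max_failures or len(accts) >= max_accounts)

def scanner_user_agent(request_text):
    """Return the offending User-Agent value if the request matches the denylist, else None."""
    m = re.search(r"^User-Agent:\s*(.+?)\s*$", request_text, re.I | re.M)
    if m and any(s in m.group(1).lower() for s in SCANNER_UA):
        return m.group(1)
    return None
```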






Password Policies

A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization’s official regulations and may be taught as part of security awareness training. The password policy may either be advisory or mandated by technical means.

Voicemail Password Policy:

  • Go to Configuration -> Telephony -> Voicemail
  • Edit Force a new user to record their Name and change to Yes
  • Edit Force a new user to record their Greeting and change to Yes
  • When you create a new Extension and enable Voicemail, set the password to match the Extension number. Whenever the voicemail password equals the extension number, the user is automatically forced to initialize their voicemail box and change their password.



SIP / IAX2 Password Policy:

  • Go to Configuration -> Telephony -> Configuration
  • Open the Security tab and click on the ‘Edit’ button
  • Enable Password Policy for SIP/IAX2 extensions option and click ‘Save’
  • Enable Automatically fix invalid password. This rewrites the Authentication password of any Extension whose current password does not comply with the Password Policy.
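The rules listed under Password Policy at the top of this guide and the SIP/IAX2 policy above can also be checked outside the GUI. The following is an added example, not ScopTEL code: it audits peer definitions in Asterisk sip.conf/iax.conf-style text (assumed here as the input format) against those rules, and additionally flags SIP/IAX2 secrets that merely repeat the extension number (unlike the voicemail PIN above, a SIP secret should never be the extension number).

```python
import re

# The rules from the Password Policy section of this guide, each as (label, check).
RULES = [
    ("at least 8 characters", lambda p: len(p) >= 8),
    ("upper and lower case letters", lambda p: re.search(r"[a-z]", p) and re.search(r"[A-Z]", p)),
    ("letters and digits", lambda p: re.search(r"[A-Za-z]", p) and re.search(r"\d", p)),
    ("a non-alphanumeric character", lambda p: re.search(r"[^A-Za-z0-9]", p)),
]

def policy_violations(password):
    """Labels of every rule the password fails (empty list means compliant)."""
    return [label for label, check in RULES if not check(password)]

def parse_peers(conf_text):
    """sip.conf/iax.conf-style text -> {section: {key: value}}; ';' comments stripped, no templates."""
    peers, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        section = re.match(r"^\[([^\]]+)\]", line)
        if section:
            current = section.group(1)
            peers[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            peers[current][key.strip()] = value.strip()
    return peers

def audit_secrets(conf_text):
    """{peer: [problems]} where the secret breaks the policy or repeats the extension number."""
    findings = {}
    for name, opts in parse_peers(conf_text).items():
        if "secret" not in opts:        # e.g. [general] or a peer without a secret
            continue
        problems = policy_violations(opts["secret"])
        if opts["secret"] == name:
            problems.append("secret equals the extension number")
        if problems:
            findings[name] = problems
    return findings

# Constructed peer definitions, not real accounts.
SAMPLE_CONF = """\
[general]
bindport=5060
[100]
secret=100
[101]
secret=Welcome1
[102]
secret=Tq7#vL9pXz   ; compliant
"""
```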


Define Access Control List for Extensions (SIP/IAX2)

An Access Control List refers to rules that are applied to SIP/IAX2 protocols, each with a list of hosts and/or networks permitted to use the service. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.

CAVEAT: if the User Agents are on a remote subnet (i.e. external User Agents), they must have static IP addresses. Do not use ACLs if the remote peers have dynamic IP addresses.

  • Go to Configuration -> Telephony -> Extensions
  • Go to the Security (ACL) tab and click on ‘Add a new ACL’
  • Set the name of the group (ex. Local) and add the list of allowed IPs/networks
  • Click on ‘Add’ to save the new group
  • Go to Configuration -> Telephony -> Extensions
  • Go to the Phones tab, select an extension and click on ‘Edit’ button
  • Go to the ‘Authentication’ tab and select the group (ex. Local) on the ‘Security (ACL) Mode’ option

Class Of Service

A poorly configured Class of Service assignment creates serious security risks and liabilities.
Refer to this knowledgebase article to configure Class of Service objects.
Refer also to this article for additional caveats concerning Class of Service objects.