ScopTEL - Securing Configuration Files with http Authentication
Hackers are routinely scanning IP addresses for open ports and
if they find an IP address vulnerable to brute force scanning they will execute
a remote Provisioning scan using the first 6 digits of popular vendor ID’s like
Polycom, Yealink and then brute force the last 6 digits of a 12 digit MAC
By example a ScopTEL server using the default HTTP listen port
of 5555 can be attacked using this method. Other vendors are also vulnerable on
whatever HTTP listen port they use to remotely provision IP phones.
TFTP is especially vulnerable on UDP port 69 because no specific
path is required to the MAC.cfg file. Only the <MAC>.cfg variable is
required to harvest the MAC.cfg file. TFTP should be denied on the Firewall
If you have enabled
Telephony>Configuration>Security>Flood Protection and the ScopTEL
Firewall and Telephony Flood Protection (Fail2ban) Service then the remote
attacker’s IP address will be blacklisted by the Firewall when a brute force
attack is detected.
But if the remote attacker knows of a valid MAC address on the
network then this MAC.cfg file can easily be harvested unless HTTP
Authentication is configured. The exact methodology won’t be published here as
this should not be public knowledge.
This document will explain how to lock down a server using HTTP
Locking down the Provisioning Server Using the ScopTEL Firewall and HTTP Authentication
Ensure that at least one Network Interface is configured as a
Enable the Firewall in the server using the Configuration Wizard
The minimal recommendation is to enable ScopServ Web GUI,
SSH/SFTP, VoIP (SOP/IAX/MGCP) rules and proceed to the Next step in the Wizard.
In Step 3 it is not mandatory to Deny any Outbound Services. In Step 4 you must
only Apply the changes.After you Commit your network changes you must ensure that the
Firewall service is enabled and you must Restart the Firewall Service. It is
not necessary to restart the entire server after modifying the Firewall
NOTE: Some installations will have a more strict security policy
based on customer requirements. But this document assumes that these ports will
be allowed on the public Internet interface for remote management and remote
automatic provisioning of SIP phones supported by ScopTEL.
You must Edit the General Telephony Service page and ensure Floor Protection (Fail2ban) is enabled and running
It is highly recommended to Enable Password Policy for SIP/IAX2
extensions so that trivial passwords will be automatically be audited
It is also recommended to Enable Block SIP attacks based on User
Agent ? [x]
You must enable Automatically blocks attacks using Fail2Ban to
add brute force attackers to the IP blacklist automatically
If your server has already been configured with the Automatic Provisioning System there are a few caveatsYou must use the APS ‘Device” based HTTP Authentication because
‘Global’ mode is only available when the HTTP Provisioning Configuration
‘Enable HTTP Authentication’ mode has already been enabled. If the Global mode
is configured prior to Provisioning any devices then the devices must manually
be configured with the HTTP username and password.
You must configure all of your Automatic Provisioning Objects
with Device based HTTP Authentication and all changes must be committed. When
this step is done the HTTP username and password will be included in the
phone’s MAC.cfg file. Therefore it is also imperative that all phones are
rebooted as soon as possible and the ‘scopserv’ service is restarted before a
hacker can scan the server for a MAC.cfg file including the HTTP username and
All supported devices must be rebooted to
download their new configuration files because the HTTP username and password
will be required by any device attempting to download a configuration file from
the ScopTEL server once HTTP Authentication is Enabled and the ‘scopserv’
service is restarted. If this step is not taken then it will be mandatory to
manually configure each device with the HTTP username and password. For some
devices the phone will prompt the user for the username and password but this
is not a feature provided by all vendors.
By example: Yealink and
Polycom HTTP Authentication can be managed by keypad but Aastra phones require
the username and password in the MAC.cfg file and cannot manually be entered.
Managing ‘Device’ based HTTP Authentication ModeEdit an existing APS object
Click on Provisioning tab
HTTP Authentication change the mode to Device
In the Username and Password fields use a global username and
password which will be common to all devices to this server!
Save your changes
Commit all your changes after ALL objects have been edited
Reboot your phones and ensure that each device has downloaded
the new files
NOTE: One way to reboot your
phones is to use the Tools>Telephony>Mass Phone Reboot tool but it is
possible that not ALL phones will appear in the list to reboot.
Once you are certain that all devices have been rebooted and have download their new HTTP Authentication configuration you must enable HTTP Authentication on the serverNavigate to Server|Configuration|Enable HTTP Authentication?
(Default No) and Edit this tab
Enable HTTP Authentication modeThis section assumes you have already configured your server for
HTTP Provisioning. If you have not done this already then refer to our
knowledgebase article at https://service.scopserv.com/portal/en/kb/articles/module-10-scoptel-automatic-provisioning-system
In the Master Username field use the same Username you
configured in the APS Device configuration
In the Master Password field use the same Password you
configured in the APS Device configuration
NOTE: Once you click Save the Web service will automatically restart and HTTP Authentication will be enforced and this means that any new device added to the network must be configured with the correct HTTP username and password.
ScopTEL IP PBX Software - Vegastream Analog Gateway Configuration
FXO interfaces Also known as POTS line (Plain Old Telephone Service). Also known as 1fl (1 family line). Each FXO line can support one conversation between two parties (Tx and Rx Transmit and Receive). Most business use ‘equivalent lines’ placed into ...
ScopTEL - DHCP APS Configuration
DHCP Configuration DHCP detection of new devices when the ScopTEL DHCP server is the only DHCP server on the LAN. During DHCP acquisition a newly installed and supported SIP device can be added to the APS list automatically. DHCP discovery can ...
ScopServ – The Company ScopServ is a Canadian firm founded in 2004, specializing in information technology. It designs high-end corporate applications and holds the intellectual property rights for its products and solutions. A strong actor in ...
Module 21 - ScopTEL IP PBX Software - Asterisk T.38 Fax Gateway Configuration
ScopTEL Asterisk T.38 Fax Gateway Full T.38 Capabilities Initial support for handling of T.38 sessions was merged into the Asterisk 1.4 codebase. Inside of Asterisk 1.4, it is possible to perform what is referred to as T.38 passthrough. T.38 ...
Configure High Availability Telephony server
Background The ScopTEL IP PBX supports different methods for High Availability and replication of MySQL databases; this article will explain the easiest way to configure two (2) servers in a Main / Main Server (Circular) scenario using RSYNC to ...