ScopTEL - Securing Configuration Files with http Authentication

Background

Hackers are routinely scanning IP addresses for open ports and if they find an IP address vulnerable to brute force scanning they will execute a remote Provisioning scan using the first 6 digits of popular vendor ID’s like Polycom, Yealink and then brute force the last 6 digits of a 12 digit MAC address.

By example a ScopTEL server using the default HTTP listen port of 5555 can be attacked using this method. Other vendors are also vulnerable on whatever HTTP listen port they use to remotely provision IP phones.

TFTP is especially vulnerable on UDP port 69 because no specific path is required to the MAC.cfg file. Only the <MAC>.cfg variable is required to harvest the MAC.cfg file. TFTP should be denied on the Firewall whenever possible.

If you have enabled Telephony>Configuration>Security>Flood Protection and the ScopTEL Firewall and Telephony Flood Protection (Fail2ban) Service then the remote attacker’s IP address will be blacklisted by the Firewall when a brute force attack is detected.

But if the remote attacker knows of a valid MAC address on the network then this MAC.cfg file can easily be harvested unless HTTP Authentication is configured. The exact methodology won’t be published here as this should not be public knowledge.

This document will explain how to lock down a server using HTTP Authentication

Locking down the Provisioning Server Using the ScopTEL Firewall and HTTP Authentication

Ensure that at least one Network Interface is configured as a WAN port

Enable the Firewall in the server using the Configuration Wizard

The minimal recommendation is to enable ScopServ Web GUI, SSH/SFTP, VoIP (SOP/IAX/MGCP) rules and proceed to the Next step in the Wizard. In Step 3 it is not mandatory to Deny any Outbound Services. In Step 4 you must only Apply the changes.

After you Commit your network changes you must ensure that the Firewall service is enabled and you must Restart the Firewall Service. It is not necessary to restart the entire server after modifying the Firewall

NOTE: Some installations will have a more strict security policy based on customer requirements. But this document assumes that these ports will be allowed on the public Internet interface for remote management and remote automatic provisioning of SIP phones supported by ScopTEL.

You must Edit the General Telephony Service page and ensure Floor Protection (Fail2ban) is enabled and running

Telephony|Configuration|Security

It is highly recommended to Enable Password Policy for SIP/IAX2 extensions so that trivial passwords will be automatically be audited

It is also recommended to Enable Block SIP attacks based on User Agent ? [x]

You must enable Automatically blocks attacks using Fail2Ban to add brute force attackers to the IP blacklist automatically

If your server has already been configured with the Automatic Provisioning System there are a few caveats

You must use the APS ‘Device” based HTTP Authentication because ‘Global’ mode is only available when the HTTP Provisioning Configuration ‘Enable HTTP Authentication’ mode has already been enabled. If the Global mode is configured prior to Provisioning any devices then the devices must manually be configured with the HTTP username and password.

You must configure all of your Automatic Provisioning Objects with Device based HTTP Authentication and all changes must be committed. When this step is done the HTTP username and password will be included in the phone’s MAC.cfg file. Therefore it is also imperative that all phones are rebooted as soon as possible and the ‘scopserv’ service is restarted before a hacker can scan the server for a MAC.cfg file including the HTTP username and password.

All supported devices must be rebooted to download their new configuration files because the HTTP username and password will be required by any device attempting to download a configuration file from the ScopTEL server once HTTP Authentication is Enabled and the ‘scopserv’ service is restarted. If this step is not taken then it will be mandatory to manually configure each device with the HTTP username and password. For some devices the phone will prompt the user for the username and password but this is not a feature provided by all vendors.

By example: Yealink and Polycom HTTP Authentication can be managed by keypad but Aastra phones require the username and password in the MAC.cfg file and cannot manually be entered.

​

Managing ‘Device’ based HTTP Authentication Mode

Edit an existing APS object

Click on Provisioning tab

HTTP Authentication change the mode to Device

In the Username and Password fields use a global username and password which will be common to all devices to this server!

Save your changes

Commit all your changes after ALL objects have been edited

Reboot your phones and ensure that each device has downloaded the new files

NOTE: One way to reboot your phones is to use the Tools>Telephony>Mass Phone Reboot tool but it is possible that not ALL phones will appear in the list to reboot.

Once you are certain that all devices have been rebooted and have download their new HTTP Authentication configuration you must enable HTTP Authentication on the server

Navigate to Server|Configuration|Enable HTTP Authentication? (Default No) and Edit this tab

Enable HTTP Authentication mode

This section assumes you have already configured your server for HTTP Provisioning. If you have not done this already then refer to our knowledgebase article at https://service.scopserv.com/portal/en/kb/articles/module-10-scoptel-automatic-provisioning-system

In the Master Username field use the same Username you configured in the APS Device configuration

In the Master Password field use the same Password you configured in the APS Device configuration

NOTE: Once you click Save the Web service will automatically restart and HTTP Authentication will be enforced and this means that any new device added to the network must be configured with the correct HTTP username and password.

• Related Articles

• ScopTEL IP PBX Software - Vegastream Analog Gateway Configuration

  FXO interfaces Also known as POTS line (Plain Old Telephone Service). Also known as 1fl (1 family line). Each FXO line can support one conversation between two parties (Tx and Rx Transmit and Receive). Most business use ‘equivalent lines’ placed into ...

• ScopTEL - DHCP APS Configuration

  DHCP Configuration DHCP detection of new devices when the ScopTEL DHCP server is the only DHCP server on the LAN. During DHCP acquisition a newly installed and supported SIP device can be added to the APS list automatically. DHCP discovery can ...

• General-Presentation-ScopTEL-ENGLISH

  ScopServ – The Company  ScopServ is a Canadian firm founded in 2004, specializing in information technology.  It designs high-end corporate applications and holds the intellectual property rights for its products and solutions.  A strong actor in ...

• Module 21 - ScopTEL IP PBX Software - Asterisk T.38 Fax Gateway Configuration

  ScopTEL Asterisk T.38 Fax Gateway Full T.38 Capabilities Initial support for handling of T.38 sessions was merged into the Asterisk 1.4 codebase. Inside of Asterisk 1.4, it is possible to perform what is referred to as T.38 passthrough. T.38 ...

• Module 7 - ScopTEL IP PBX Software - Class of Service Configuration

  Class of Service (CoS) | Background The Class of Service Manager is used to create objects with permissions or restrictions to Outgoing Lines, Incoming Lines, Extensions, Feature Codes, or Applications. These CoS objects can then be applied to ...