VoIP Security
Latest revision as of 09:02, 14 June 2023
This page describes features on the AAISP side that can help secure your VoIP service, as well as what you can do on your own network to secure it.
Security Settings on the AAISP Control Pages
These settings are set on the Control Pages: http://aa.net.uk/login.html
The control page will also show you the number of SIP registrations and the User Agent and IP address of each registered phone.
SIP Password
- Each number has a SIP password; this can be changed from the Control Pages, and the 'Make Password' button will generate a password for you.
Call Rate Limits
- National outgoing calls can have a price limit (default = 20p/min)
- International outgoing calls can have a price limit (default = 2p/min)
- International calls can be disabled (by setting the price limit to 'Free')
- National calls can be disabled (by setting the price limit to 'Free')
See: VoIP Call Rate Limits
Contact AAISP if you need these limits raised; customers can lower the limits themselves.
IP Access List (restrict access by IP)
IP Access List - a VoIP number can be given an IP address from which it is only allowed to register (i.e. you can add the IP of your phone, and only that phone will be able to register).
You can specify the IP as a subnet in CIDR format, e.g. 192.0.2.0/29, and multiple IPs can be comma separated.
Valid examples:
- 128.66.0.1 (a single IPv4 address)
- 128.66.0.1, 128.66.0.2, 128.66.0.9 (three single IPv4 addresses)
- 128.66.0.0/27 (an IPv4 network range)
- 128.66.1.1, 128.66.2.0/24 (a single IPv4 address and an IPv4 network range)
- 2001:DB8::1 (a single IPv6 address)
- 2001:DB8::/48 (an IPv6 network block)
- 2001:DB8::/48, 128.66.0.0/27 (an IPv6 and an IPv4 network block)
Bill Warning Emails
The system can send advisory messages when a billing amount is reached. This is set per number on the Control Pages. The email set for the Number and for the Login is used. During the month, each time the amount is reached an email will be sent. At the end of the month the amount is reset. This feature was added in October 2011, the default warning level is £10, and for numbers which used over £10 in September the rate was set to 1.2 times September's bill amount.
IP and User Agent Warning Emails
A new feature, added 2014-06-11 (announced at http://status.aa.net.uk/1948).
A User Agent is the text string that a VoIP device sends when it registers; typically it is the name of the software and may include a version number, for example "FireBrick/1.30.004" or "snom300/8.7.3.25".
By default:
- If a new IP address registers with a new User Agent then you will be sent an email.
- If you have IP Lockdown set you will get an email when a blocked IP has used your correct username/password to try to register. This could mean your credentials have been compromised.
Each of these warning emails should be looked into, as they are a strong indication that someone else is using your VoIP credentials and may make calls which cost you money. Please do speak to Support if you need further help.
These options are configurable, the default is to send an email whenever a new IP or new User Agent registers.
- New IP/Agent - will log and email whenever a new IP or a new User Agent registers. (Default Setting)
- New Agent - will log and email only when a new User Agent registers. i.e., the IP is able to change, but whenever we see a new User Agent then it will be logged and emailed.
- None - will not log or email, NOT RECOMMENDED!
- We email the email address as set on the individual phone number. If the email address is not set then an email won't be sent.
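The IP Access List check and the New IP/Agent warning modes described above, as an added example (not AAISP's own code) replayed over constructed SIP REGISTER events; the mode names, the event format and the assumption that the lockdown alert is sent regardless of the mode setting are all mine, not the page's.

```python
# Added example (not AAISP's own code): models the IP Access List check and the
# New IP/Agent warning emails, replayed over constructed REGISTER events.
# Mode names, event format and the mode-independent lockdown alert are assumptions.
import ipaddress

def parse_access_list(text):
    """Parse the comma-separated Control Pages format, e.g. '128.66.0.1, 2001:DB8::/48'.
    A bare address becomes a /32 or /128; an entry with host bits set raises ValueError."""
    return [ipaddress.ip_network(item.strip()) for item in text.split(",") if item.strip()]

def ip_allowed(ip, nets):
    """True if the registering IP is inside any listed address or block.
    An empty list means no restriction is configured."""
    addr = ipaddress.ip_address(ip)
    return not nets or any(addr in net for net in nets)

def monitor(events, access_list="", mode="new_ip_agent"):
    """Replay (source_ip, user_agent, auth_ok) REGISTER events and return the
    warnings that would be emailed.  mode mirrors the control page setting:
    'new_ip_agent' (default), 'new_agent' or 'none'."""
    nets = parse_access_list(access_list)
    seen_ips, seen_agents, warnings = set(), set(), []
    for ip, agent, auth_ok in events:
        if nets and not ip_allowed(ip, nets):
            # IP lockdown refuses the registration; correct credentials from a
            # blocked IP are the compromise signal the page warns about.
            if auth_ok:
                warnings.append(f"lockdown: blocked IP {ip} authenticated with agent {agent}")
            continue
        if mode == "none" or not auth_ok:   # failed logins never count as a registration
            continue
        new_agent, new_ip = agent not in seen_agents, ip not in seen_ips
        if new_agent or (mode == "new_ip_agent" and new_ip):
            warnings.append(f"new-{'agent' if new_agent else 'ip'}: {ip} {agent}")
        seen_ips.add(ip)
        seen_agents.add(agent)
    return warnings

# Constructed events using the page's example ranges: a Snom phone, a second IP
# with the same agent, then an address outside the list presenting valid credentials.
ACCESS_LIST = "128.66.0.0/27, 2001:DB8::/48"
EVENTS = [
    ("128.66.0.5", "snom300/8.7.3.25", True),
    ("128.66.0.5", "snom300/8.7.3.25", True),
    ("128.66.0.6", "snom300/8.7.3.25", True),
    ("198.51.100.9", "FireBrick/1.30.004", True),
]

if __name__ == "__main__":
    for warning in monitor(EVENTS, ACCESS_LIST):
        print(warning)
```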
Secure Your Equipment
Your Firewall
Protect your phones and VoIP servers from the outside world!
- See VoIP Firewall for firewall requirements.
Passwords, etc.
Many phone systems and VoIP phones have their own security features; do make use of them and use strong passwords. See your equipment documentation for further information.
- Set strong http and admin passwords on your VoIP phones
- If you run your own PBX, ensure passwords are secure, and access lists are up to date
- Periodically check for software/firmware updates for your hardware
Keep the Software/Firmware updated
Regularly checking for software updates is strongly recommended, e.g. check the phone manufacturer's website for updates.
- See: SNOM Firmware Updates
Set web interfaces to only use HTTPS
This encrypts the data to and from your phone's web interface - this prevents eavesdroppers seeing your settings and passwords.
Physical Security
If you think your equipment may be in a semi-hostile environment, then look into enabling PIN codes on the actual phone, i.e. a key lock feature.
Snom Phones
Snom has a page about securing their devices on their wiki: https://service.snom.com/display/wiki/How+do+I+secure+my+Snom+phone
Odd incoming calls that are not on the CDRs?
If your phone receives odd calls that are not logged on the AAISP CDR pages, then it may be that calls are being sent direct to your phone from the Internet. This would be because your phone or phone system is not firewalling SIP, and so auto-diallers are trying to make spammy calls to you. The caller ID may be anything, but we have seen calls from 100, 150, 1000, 2000 etc. Also check your SIP logs for the SIP INVITE packet and see what its source IP is; e.g. a Snom phone has a SIP log in its web interface.
Solution: Firewall SIP as explained above.
Also some equipment may support the disabling of calls being sent direct from the Internet. For example, Grandstream firmware often has a feature Allow Incoming SIP Messages from SIP Proxy Only, which is worth using (unless you need to accept such calls).
Your equipment may also support a feature whereby incoming INVITE messages are only accepted if they use the User ID which you used when registering with the SIP server, perhaps named Check SIP User ID for incoming INVITE. The SIP server will know this User ID; random SIP spammers will not. This User ID is not the Authentication Username (e.g. +442083xxxxxx), but what is often termed Username in equipment configuration (where you can set a Username and a Real Name, e.g. fred and Fred Bloggs), which is used in SIP calls.
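The two equipment options described above, modelled as an added example (not AAISP's or any phone vendor's code): a raw INVITE is accepted only if it arrived from the configured SIP proxy and its Request-URI user matches the registered User ID. The proxy address, User ID and INVITE messages are constructed, and matching the User ID against the Request-URI user part is my assumption about how such a check behaves.

```python
# Added example (not AAISP's or a vendor's code): models 'Allow Incoming SIP
# Messages from SIP Proxy Only' and 'Check SIP User ID for incoming INVITE'.
# Proxy address, User ID and messages are constructed; matching the User ID
# against the Request-URI user part is an assumption.
import re

PROXY_IPS = {"203.0.113.10"}   # constructed: the SIP proxy/registrar the phone registers with
SIP_USER_ID = "fred"           # the 'Username' used in calls, not the Authentication Username

def invite_user(raw):
    """Return the user part of an INVITE's Request-URI, or None if this is not an INVITE."""
    request_line = raw.split("\r\n", 1)[0]
    m = re.match(r"INVITE sips?:([^@;>\s]+)@", request_line)
    return m.group(1) if m else None

def invite_decision(raw, src_ip, proxy_only=True, check_user_id=True):
    """Decide whether the phone should ring for this INVITE.
    src_ip is the packet's source address, as shown in the phone's SIP log."""
    user = invite_user(raw)
    if user is None:
        return ("reject", "not an INVITE")
    if proxy_only and src_ip not in PROXY_IPS:
        return ("reject", f"INVITE from {src_ip}, which is not the SIP proxy")
    if check_user_id and user != SIP_USER_ID:
        return ("reject", f"Request-URI user {user!r} is not the registered User ID")
    return ("accept", "from the proxy and User ID matches")

# Constructed messages: a scanner-style INVITE sent straight to the phone (caller
# ID 100, as the page describes) and a legitimate call arriving via the proxy.
SPAM_INVITE = ("INVITE sip:1000@192.0.2.50 SIP/2.0\r\n"
               "From: <sip:100@198.51.100.77>;tag=1\r\n"
               "To: <sip:1000@192.0.2.50>\r\n\r\n")
GOOD_INVITE = ("INVITE sip:fred@192.0.2.50 SIP/2.0\r\n"
               "From: \"Alice\" <sip:+441234567890@203.0.113.10>;tag=2\r\n"
               "To: <sip:fred@192.0.2.50>\r\n\r\n")

if __name__ == "__main__":
    print(invite_decision(SPAM_INVITE, "198.51.100.77"))
    print(invite_decision(GOOD_INVITE, "203.0.113.10"))
```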