MyPBX Security Configuration Guide

Similar documents
MyPBX Security Configuration Guide

MyPBX Security Configuration Guide

Release Note for MyPBX Enterprise X

Contents. Introduction Upgrade your firmware to v Always use strong passwords Secure Web Admin user password...

Release Notes for TA1610. Version X. Yeastar Information Technology Co. Ltd

Grandstream Networks, Inc. UCM6100 Security Manual

Sales Tel: Support Tel: Web:

Intercommunication between Two MyPBX (Peer to Peer Mode)

K2 VoIP PBX. Administrator Guide

Grandstream Networks, Inc. UCM series IP PBX Security Manual

Tiptel 31XX IP Phone Configuration Guide. Yeastar Technology Co., Ltd.

Grandstream IP Phone Configuration Guides

Cisco IP Phone Configuration Guide

Yeastar Technology Co., Ltd.

Fanvil IP Phone Configuration Guides. Yeastar Technology Co., Ltd.

Htek IP Phone Configuration Guides

How to Connect Yeastar TA FXS Gateway to AskoziaPBX

Yeastar Technology Co., Ltd.

How to Connect MyPBX to NeoGate TA FXS Gateway

Yeastar Technology Co., Ltd.

NeoGate TG Series User Manual. TG Series. User Manual. Version 5X Yeastar Technology Co., Ltd.

TA1600/2400/3200 FXS Gateway. User Manual

Version: V1.1. Yeastar Technology Co., Ltd. Date: 9 th, Aug, 2013

TA410/810 User Manual

NeoGate TA1600/2400/3200 User Manual

Configuring Local Firewalls

NeoGate TG Series User Manual

Yealink IP Phone Configuration Guides. Yeastar Technology Co., Ltd.

Panasonic Configuration Guides

TG200 User Manual. Version Yeastar Technology Co., Ltd

SoLink-Lite IP-PBX. Administrator Guide. (Version 1.0)

Polycom IP Phone Configuration Guides. Yeastar Technology Co., Ltd.

Sales Tel: Support Tel: Web:

XT-800FXO Gateway User Manual

Maxincom MWG1000 Series Release Notes. of Version

Yeastar Technology Co., Ltd.

TB200/400 User Manual

How to Connect Elastix to NeoGate TA FXS Gateway

IS-381 / IS-382 IP Audio gateway. User Manual

Release Note for MyPBX Standard/Pro X

Release Note for TG200/400

DMP 128 Plus C V DMP 128 Plus C V AT. Avaya Aura Configuration Guide REVISION: 1.1 DATE: SEPTEMBER 1 ST 2017

Release Note for TG800

Yeastar Technology Co., Ltd.

Sales Tel: Support Tel: Web:

char utile h+ Integration App User Guide

CONNECTION ELECTRONICS LTD.

Version:V1.1. Yeastar Technology Co., Ltd. Date: 9 th, Aug, 2013

How to Connect Trixbox to NeoGate TA FXS Gateway

Version: V1.0. Yeastar Technology Co., Ltd. Date: 25 th, July, 2012

4G Business Continuity Solution. 4G WiFi M2M Router NTC-140W

DMP 128 Plus C V DMP 128 Plus C V AT. Avaya IP Office Configuration Guide REVISION: 1.2 DATE: JANUARY 9 TH 2018

CHAPTER 7 ADVANCED ADMINISTRATION PC

JT4100P LTE Outdoor CPE Administrator User Manual V1.0

Maxincom MUC1004 Release Notes of. Version

Release Notes for MyPBX U500&U510&U520. Version: X. Yeastar Information Technology Co. Ltd.

How to open ports in the DSL router firmware version 2.xx and above

Quick Installation Guide

Lab Configure Basic AP security through GUI

Release Notes for MyPBX SOHO V4&V5&V6. Version X. Yeastar Information Technology Co. Ltd.

FREUND SIP SW - V SIP-server setup

VG422R. User s Manual. Rev , 5

Volume SKYSWITCH. Configuring an Edgemarc Nov Configuring An Edgemarc

FREUND SIP SW - V Intercom Setup

Escene IP Phone Configuration Guide. Yeastar Technology Co., Ltd.

Step 3 - How to Configure Basic System Settings

SPA400 Internet Telephony Gateway with 4 FXO Ports


DMP 128 Plus C V DMP 128 Plus C V AT. Avaya Aura Configuration Guide REVISION: DATE: MARCH 7 TH 2018


TA Series Analog VoIP Gateway Installation Guide

XonTel XT-60/XT-120 PBX s Administrator Guide

Release Notes for DrayTek VigorBX 2000 series (UK/Ireland)

Yeastar Technology Co., Ltd.

UCM6100 Series IP PBX Firmware Release Note

Cisco TelePresence Conductor with Cisco Unified Communications Manager

Allworx System Administrator s Guide (Release x)

Section 3 - Configuration. Enable Auto Channel Scan:

A5500 Configuration Guide

XIPLED Software User s Manual. For Firmware release V3.5.0.*

OSPREY BOSS USER GUIDE

1. NVR Connection Diagram Wizard Setup Access System Using Mobile Device Access System Using PC Client Software 5

Welltech WellGate User Manual

Cisco TelePresence Conductor with Cisco VCS (Policy Service)

Connecting IP-PBX to BroadSoft's BroadCloud SIP Trunk using AudioCodes Mediant SBC

THINKTEL COMMUNICATIONS FONALITY TRIXBOX-PRO

Release Notes for MyPBX Standard V6/V7. Version X. Yeastar Information Technology Co. Ltd.

BiPAC 6404VP/VGP. VoIP/(802.11g) Broadband Firewall Router. Quick Start Guide

6.2. Management & Administration Guide

TECHNICAL NOTE HOW TO CONFIGURE ALLOYVOICE SIP TRUNKS ON GRANDSTREAM UCM 6XXX SERIES. 1. Introduction. Author: Adam Wells Date: June 6th, 2018

How to Use Billing Addon

DFL-700 FAQ ? 6) The service I need to use is not listed in the group of pre-defined services. How do I create a custom

BCM50 Rls 6.0. Router - IP Firewall. Task Based Guide

Please follow the steps that are listed here to get started with your Berkshire 10K ippbx telephone system.

TG Series GSM/3G VoIP Gateway User Guide

Application Note 3Com VCX Connect with SIP Trunking - Configuration Guide

Xchange Telecom SIP Trunk Setup

Application Notes for Configuring Tidal Communications tnet Business VoIP with Avaya IP Office using SIP Registration - Issue 1.0

Managing Standalone EAP

SIP Trunking. Overview. 1) Network Setup (here)

Transcription:

MyPBX Security Configuration Guide Version: V1.3 Date: January 11 th, 2013 Yeastar Technology Co., Ltd. http://www.yeastar.com 1/17

Contents 1. Security Configuration for Web GUI..3 1.1 Change the default access port for HTTP on Options page... 3 1.2 Change the default password for the web GUI... 4 2. Disable SSH on LAN Settings Page 4 2.1 Disable SSH... 4 2.2 Change the default password for SSH... 4 3. Security Configuration for Extensions 6 3.1 Change the default SIP Port... 6 3.2* Disable guest calls... 6 3.3* Security Configuration for remote extensions... 6 3.4 Set an enhanced password and enable IP restriction for extensions... 7 4. Set up Proper Firewall Rules 7 5*. Alert Settings 14 5.1 IPATTACK... 14 5.2 WEBLOGIN... 15 6. Note 17 http://www.yeastar.com 2/17

VoIP attacks, although it is not an everyday occurrence, it does exist. While using VoIP, system security is undoubtedly one of the issues we care about most. But with the appropriate configuration, and some basic safety habits, we can improve the security of the telephone system. Moreover, the powerful built-in firewall function in MyPBX is adequate to enable the system to run safely and stably. This guide will introduce the highest defense level in MyPBX, and we strongly recommend that you configure firewall and other security options according to this guide, to prevent the attack fraud and the system failure or calls loss. Note: In this guide, the configuration options marked with * only exist in 2.17.XX.XX and above versions, namely, 3.2 guest calls option, 3.3 remote registered option, and 5 alarm settings. 1. Security Configuration for Web GUI 1.1 Change the default access port for HTTP on Options page Select Internal Settings Options General Preferences HTTP Bind Port Figure 1-1 http://www.yeastar.com 3/17

1.2 Change the default password for the web GUI Select System Settings Change Password Figure1-2 2. Disable SSH on LAN Settings Page 2.1 Disable SSH Select LAN Settings Enable SSH. If external debugging isn t required, please select No. Figure 2-1 2.2 Change the default password for SSH We can use the Linux command passwd to change root password of MyPBX. 1. Login via putty.exe http://www.yeastar.com 4/17

Figure 2-2 2. The default username is root and the default password is ys123456. Figure 2-3 3. Step 2 use command passwd to change the root s password Figure 2-4 http://www.yeastar.com 5/17

3. Security Configuration for Extensions 3.1 Change the default SIP Port Select SIP settings General UDP Port Figure 3-1 3.2* Disable guest calls Select SIP settings Advanced Settings Allow Guest Figure 3-2 3.3* Security Configuration for remote extensions If remote registration isn t required, please disable it. Figure 3-3 http://www.yeastar.com 6/17

3.4 Set an enhanced password and enable IP restriction for extensions 1) Set a new extension password at the higher security level, e.g. AjK5Up1G. Figure 3-4 2) Enable IP restriction and enter the permitted IP address/subnet mask, e.g. 192.168.5.136. Figure 3-5 4. Set up Proper Firewall Rules Note: Please backup the configurations on backup and restore page before you go ahead. In the case that you lock the device, you can reset to factory default and restore the previous configurations. Below example rules works with MyPBX firmware version 2.15.xx.xx or higher versions. http://www.yeastar.com 7/17

Step 1. Enable firewall on firewall page of MyPBX. Step 2. Add a common rule to accept local network access. Create a common rule to allow the all the IP addresses of the local phones to access MyPBX server. For example, if the IP addresses of the local network are 192.168.5.1-254, the configurations could be as below: Name: LocalNetwork Protocol: BOTH Port: 1:65535 IP: 192.168.5.0/255.255.255.0 Action: Accept Figure 4-1 Step 3. Create common rules to accept remote extensions or remote administrators, if you use SIP trunk, please accept the provider s host as well. Note: If there are no remote extensions, the rule is not required. 1) Set up the firewall rule to allow the public IP address of remote extensions to access MyPBX server. e.g.110.111.132.6, the configurations could be as below: Name: Remote Extension Protocol: BOTH Port: 1:65535 IP: 110.111.132.6/255.255.255.255 Action: Accept http://www.yeastar.com 8/17

Step 4. Configure auto blacklist rules Figure 4-2 Auto blacklist rules: the Server would add the IP address to the blacklist automatically if the number of the packets it sends exceed the rule you configured. 1) Add two auto blacklist rules for port: 5060. Rule No.1: Port: 5060 Protocol: UDP IP Packets: 120 Time Interval: 60 seconds Rule No.2: Port: 5060 Protocol: UDP IP Packets: 40 Time Interval: 2 seconds Figure 4-3 http://www.yeastar.com 9/17

2) Add an auto blacklist rule for Port:8022 Rule No.3 Port: 8022 Protocol: TCP IP Packets: 5 Time Interval: 60 seconds Figure 4-4 Figure 4-5 Step 5. Add a Firewall Rule for VoIP trunk registration Note: If there is no VoIP trunk, this rule is not required. And if the RTP IP address of VoIP trunk and Registration IP address of the VoIP trunk are different, we need create a rule to accept the RTP IP address too. Add a rule to accept the IP address of the VoIP trunk to access MyPBX server. For example: If the IP address of the VoIP trunk is 110.5.14.6, Protocol is UDP and Port is 5060, the configuration could be as below: Name: VoIPTrunk Protocol: UDP Port: 5060: 5060 IP: 110.5.14.6/255.255.255.255 Action: Accept http://www.yeastar.com 10/17

Figure 4-6 Step 6. Add a firewall rule to accept the remote access of HTTP port. For example, if the remote access IP is 110.5.14.6, and the port is 80, the configuration could be as below. Name: RemoteHTTP Protocol: TCP Port: 80:80 IP: 110.5.14.6/255.255.255.255 Action: Accept Figure 4-7 http://www.yeastar.com 11/17

Step 7. Add a firewall rule to accept remote access of SSH port. For example: if the remote access IP is 110.5.14.6 and the port is 8022. Note: If the remote access of SSH port is not needed, this rule is not required. Name: RemoteSSH Protocol: TCP Port: 8022:8022 IP: 110.5.14.6/255.255.255.255 Action: Accept Figure 4-8 Step 8. Add other firewall rules by yourself. For example, if you are using features about email, you should add the firewall rules for the SMTP server and POP3 server. Step 9. Enable Drop all (If this feature is enabled, all the packets and connection that do not match the rules would be dropped.) Note: Before enable this feature, please add a rule to accept the local network access, or the server might not be accessed. Figure 4-9 http://www.yeastar.com 12/17

Step 10. The Configuration of firewall settings is completed. See as below figure. Figure 4-10 Step 11. Define the authorized data transmitting rate and drop all other unauthorized hosts. Note: If we setup IP blacklist rules here, those unauthorized hosts will still be able to send SIP packets into MyPBX if the packets transmitting rate is under the rate defined. But as soon as the transmitting beyond the define rate, the IP will be added into blacklist automatically. This is useful for remote extension who is using dynamic IP address. Remove all the IP blacklist if you don t allowed any other unauthorized hosts access MyPBX. See as below figure. http://www.yeastar.com 13/17

Figure 4-11 5*. Alert Settings After enabling alert settings, if the device is attacked, the system will notify users the alert via call or e-mail. The attack modes include IP attack and Web Login. 5.1 IPATTACK When the system is attacked by some IP addresses, the firewall will add the IP to auto IP Blacklist and notify the user if it match the protection rule. Example: Configure to notify extension 500, outbound number 5503301 and E-mail alert@yeastar.com. configuration could be as below. Phone Notification Settings: Phone Notification: Yes Number: 500;5503301 Attempts: 1 Interval: 60s Prompt: default Note: If there s outbound number to notify, the number should be fit with the dial http://www.yeastar.com 14/17

pattern of outbound route. E-mail Notification Settings: E-mail Notification: Yes To: alert@yeastar.com Subject: IPAttack Figure 5-1 5.2 WEBLOGIN Enter the password incorrectly five times when logging in MyPBX Web interface will be deemed as attack, the system will limit the IP login within 10 minutes and notify the user. Example: Configure to notify extension 500, outbound number 5503301 and E-mail alert@yeastar.com. configuration could be as below. Phone Notification Settings: Phone Notification: Yes http://www.yeastar.com 15/17

Number: 500;5503301 Attempts: 1 Interval: 60s Prompt: default Note: If there s outbound number to notify, the number should be fit with the dial pattern of outbound route. E-mail Notification Settings: E-mail Notification: Yes To: alert@yeastar.com Subject: WebLogin Figure 5-2 http://www.yeastar.com 16/17

6. Note If the phenomena of toll fraud have been happened in your MyPBX system. We are really sorry about that, then please enhance the protection level of your firewall refer to the above steps. In addition, please change the all password: Web GUI password, SSH password, and all extensions password. <The end> http://www.yeastar.com 17/17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback