
PLEASE NOTE: Allworxforums.com is not owned, nor run by Allworx Corp. The views and opinions found on this forum are not necessarily the views of Allworx or the forum moderators. Neither Allworx nor the forum will be held liable for any information found on the forum. The Allworx logo and name is a registered trademark of Allworx Corp.

Our phone server is under attack....

MASTERBrian
Posts: 8
Joined: Thu Nov 07, 2013 10:42 am

Our phone server is under attack....

Post by MASTERBrian »

To start, over the last week or so our system would bog down and I'd reboot and all was well for a few days. As of yesterday I had to reboot for the 3rd time in about 1-2 weeks, and it didn't help, so we called our ISP and they did something on their end that brought us back up, but it got me wondering, so I went to look at the log files.

Yesterday, and for a few days (at least) prior to yesterday, there was an IP that kept trying to gain access. The message was tWebThread** "admin" FAILED Login attempt from IP address 151.***.*.***. I researched it and it was from a known trouble IP. I called a guy that used to support us, my cousin, and he confirmed what I thought. I called the ISP to tell them and to get a new static IP; with that taken care of, I changed our IP and all was somewhat good until today.

Today, I'm getting tSip: INVITE from various IPs that are being discarded (not trusted). I've changed all our passwords and made them much more complex. At this stage I don't think anyone has gotten in and our ISP didn't see any strange activity on their end either.

So now my questions: (I'm also waiting for my cousin to call back, but he works elsewhere so he's busy fixing their stuff today)

1) How worried should I be about this? These are different attacks than yesterday and they are so far being discarded.
2) Should I change the static IP once more? Part of our system is acting as our firewall but part of it is obviously open, because we use Allworx Reach Handsets as well. I'm guessing that's the part of the system they are trying to gain access to.
3) I've noticed that NAT/Firewall with DMZ is our current network mode, but I see that NAT/Firewall with Stealth DMZ is an option and looks to be the preferred option when connected directly to the Internet, which, if my understanding is correct, we are.
4) I also went in to set it up to email me log reports so I can see more easily what's going on, but it seemed to want to open up a bunch more ports, such as DNS server, DNS client, POP3, SMTP and I believe Communications center (it actually disabled that one).

I can fairly easily change the IP to stop this, but obviously that isn't conducive to do every day. Any suggestions here? Can I use the Reach handsets without being directly connected to the internet? We also have a VPN for several handsets. I'm guessing that part should be fine as it'd be just going through our VPN router... correct?
sp90378
Posts: 67
Joined: Mon Nov 06, 2017 6:51 am

Re: Our phone server is under attack....

Post by sp90378 »

1) Do not be worried. Extremely common on VOIP systems that have public IPs on them.
2) I would not change the IP. Changing IPs is never a good solution because they will eventually find you on a new IP anyways.
3) Stealth is OK, it just prevents the Allworx from responding to ICMP/Pings, but that's it. For SIP attacks, etc. it does not matter if it's ON or OFF.
4) You only have to open up ports for inbound. We normally keep the ones for remote phones open along with PPTP (VPN) and DNS Client (so that it can check for updates, resolve DNS, etc.). Everything for outbound, such as SMTP, etc. will work without opening them. So you do not need SMTP enabled under network config to use features such as voice mail to email, texts, emailing logs/syslog, etc.


Reach will continue to work on local WiFi as long as routing is in place and the devices can access the Allworx LAN/Private IP. Just be sure that you have strong passwords on any generic SIP devices (as of later versions it auto-generates them, so that should not be a problem anymore; in older versions you could specify the password and people would use super weak passwords). The phones through your VPN should continue to work even if the Allworx WAN goes down, as those phones are communicating with the Allworx LAN IP and not its WAN IP.
tech.time
Posts: 12
Joined: Wed Jul 29, 2015 11:40 am

Re: Our phone server is under attack....

Post by tech.time »

We have the same problem. We get HAMMERED sometimes (hundreds of attempts an hour); other times it will be days without anything (they probably get shut down temporarily). Traffic volume comes and goes during the month.

I have asked more than one reseller to explain how the hackers could possibly know the Allworx server is there if it is not responding and in stealth mode. Never got any satisfying answer.

We also have our international long distance and funky toll calls blocked on the Allworx and with our SIP vendor so if they hack in, they won't be able to make international long distance calls which is what many of them are trying to do.

I was thinking of putting a small router between the SIP and the Allworx server to block IPs since the Allworx firewall doesn't support any such thing (not sure why). Has anyone tried doing this? I have been concerned about affecting call quality by doing this.
sp90378
Posts: 67
Joined: Mon Nov 06, 2017 6:51 am

Re: Our phone server is under attack....

Post by sp90378 »

Simple answer as to how they know it's there when in stealth mode is that they are not targeting Allworx specifically and they are not pinging it. Stealth mode only blocks ICMP. They send SIP messages to the Allworx, which it will respond to unless you disable SIP under network config, which, if you use SIP on its WAN/internet interface, you cannot disable without breaking voice. It would also break things such as Reach. The traffic should be minimal and if you are with a good provider with QoS then it should not affect voice quality anyways. This is a common thing with any VOIP system on the internet and the Allworx just shows the attempts in its logs, but that does not mean it's going to cause any kind of issue.
tech.time
Posts: 12
Joined: Wed Jul 29, 2015 11:40 am

Re: Our phone server is under attack....

Post by tech.time »

Thanks for the explanation sp90378, that makes sense!
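
Added example, not part of the original thread and not Allworx's own tooling: a Python script that buckets the two rejected-attempt messages quoted in the first post by source IP and hour, and lists any other log line that mentions an already-rejected source so it can be checked by hand. The timestamp prefix, the sample lines (including the `REGISTER` line), the addresses and the name `triage` are assumptions; only the `FAILED Login attempt from IP address` and `tSip: INVITE from ... discarded` fragments come from the thread.

```python
import re
from collections import Counter

IPV4 = r'(?:\d{1,3}\.){3}\d{1,3}'
# The two message fragments quoted in the thread; the text around them is assumed.
REJECTS = {
    "web-login": re.compile(rf'FAILED Login attempt from IP address (?P<ip>{IPV4})'),
    "sip-invite": re.compile(rf'tSip: INVITE from (?P<ip>{IPV4}).*discarded'),
}
# Assumed timestamp prefix "YYYY-MM-DD HH:MM:SS"; adjust to the real log export.
STAMP = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2} ')

# Constructed sample lines with documentation-range addresses, not real output.
# The last line is a hypothetical non-reject message from a rejected source.
SAMPLE_LOG = """\
2018-01-09 14:01:10 tWebThread "admin" FAILED Login attempt from IP address 203.0.113.5
2018-01-09 14:01:12 tWebThread "admin" FAILED Login attempt from IP address 203.0.113.5
2018-01-09 14:40:03 tWebThread "admin" FAILED Login attempt from IP address 203.0.113.5
2018-01-10 09:15:00 tSip: INVITE from 198.51.100.23 discarded (not trusted)
2018-01-10 09:15:01 tSip: INVITE from 198.51.100.23 discarded (not trusted)
2018-01-10 10:02:44 tSip: INVITE from 192.0.2.77 discarded (not trusted)
2018-01-10 10:05:00 tSip: REGISTER from 198.51.100.23 handled
"""

def triage(log_text, threshold=2):
    """Bucket rejects by (kind, source IP, hour); return the counts, the buckets
    at or over the threshold, and other lines naming a rejected source."""
    buckets, leftovers = Counter(), []
    for line in log_text.splitlines():
        stamp = STAMP.match(line)
        if not stamp:
            continue  # line is not in the assumed format
        for kind, pattern in REJECTS.items():
            hit = pattern.search(line)
            if hit:
                buckets[(kind, hit["ip"], stamp.group(1))] += 1
                break
        else:
            leftovers.append(line)  # neither reject message matched
    sources = {ip for _, ip, _ in buckets}
    flagged = sorted(key for key, n in buckets.items() if n >= threshold)
    # A rejected source appearing in any other message deserves a manual look.
    review = [l for l in leftovers if sources & set(re.findall(IPV4, l))]
    return buckets, flagged, review

if __name__ == "__main__":
    counts, flagged, review = triage(SAMPLE_LOG)
    for key in flagged:
        print(key, counts[key])
    print("review:", review)
```

Rejected attempts are the expected background described in the replies; the `review` list is the part worth reading, since it shows a source that was refused in one message and appears in a different one.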