
Security Recommendation

Posted by dbenders on Fri, 11/21/2008

Hi, I noted that if you use the PBX manager as default and use the autoprovisioning feature (which, BTW, is great) you will open a security problem.

As each device (phone) will get the config file from the autoprovisioning directory that is located on the server and open to the internet over HTTP, anyone can search for and get your provisioning files. That is VERY VERY RISKY because the config files have the users and passwords of the devices (phones). You can imagine what that means, right?

Well, my recommendation (for now) is an improvement, but not the final solution. The idea is to restrict access to this HTTP service not per IP (because if you have travelling users, or, like me, an MTE version, the source IP is not static and can be anything), but by client browser. I mean restrict it to the browser that your phones use. That will give you a small protection, because ONLY a programmer or expert will be able to get there anyway, but at least it is something that will help filter out a lot of the engines that search for users and passwords.

The final solution is to use encryption, something that I'm working on. If there is someone who has already implemented encryption for this, please let us know so all of us can improve our security.

Well, here is the code that we put in our server to apply the restriction I told you:


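#-------------------------------------------------------
# Tag requests whose User-Agent starts with one of the phone vendors' names

SetEnvIfNoCase User-Agent "^Sipura" pbxserver
SetEnvIfNoCase User-Agent "^Linksys" pbxserver
SetEnvIfNoCase User-Agent "^Polycom" pbxserver

#------------------------------------------------------------
# Placeholder path: put your own autoprovisioning directory here

<Directory "/path/to/autoprovisioning">
Options Indexes FollowSymLinks
AllowOverride None
#
Order deny,allow
Deny from all
# Only requests tagged above are let through
Allow from env=pbxserver
</Directory>

#------------------------------------------------------------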

Also, we restricted that directory to NOT list the files on it.

Hope this helps!

Daniel Bendersky
dbenders at netline.cl


Submitted by eeman on Fri, 11/21/2008 Permalink

That's why I don't do HTTP provisioning =)

BTW, in Unix if you remove the x bit from the directory attributes (644 instead of 755) you can't get a listing of files, but you can read a file if you know its name. Which puts it in the same realm as TFTP.

If you're using Polycoms, FTP is your best provisioning method (just make sure to nologin the shell for the FTP user).

TFTP is another option. There is no authentication... but you'd have to know the filename which would mean having to know the mac address.

Submitted by justdave on Fri, 11/21/2008 Permalink

Our solution to this problem has been to provision the phones in the office first before sending them out to remote people. Direct provisioning is only available inside the office. The Polycoms, at least, will retain their configuration across reboots if they can't get to the provisioning server. Since our configuration doesn't change that often, this hasn't been a big issue. In the few cases where it has been, it's usually not that hard to walk someone through making a change through the Polycom's web interface, or in a couple of cases (firmware upgrades) where we had technical users, we walked them through setting up a TFTP server on their laptop, gave them a tarball to download with the contents of the /tftpboot directory (customized for just their phone), and had them connect the phone to their laptop with an Ethernet cable.

Our user portal also requires using the VPN for remote folks, since that, too, is only available inside the office.

Submitted by dbenders on Mon, 11/24/2008 Permalink

Well, I agree that authenticated provisioning is safer, and I will look forward to implementing that. But using HTTP, you have very good logs, and you can use HTTPS to encrypt the data. With FTP it is not encrypted.

I know that using VPN or restricting the autoprovisioning is a good idea, but if you want to provide multitenant services and you have more than 500 extensions located around the city, it will be much easier to have autoprovisioning for all your users. Not all are familiar with VPN and all want to have the configuration working fine, so if you need to change something, it is better to do it remotely than to go there.

Thanks for the recommendations.
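The point above about HTTP giving good logs can be put to work. The following is an added example, not part of the original thread: it reads Apache combined-format access log lines for the provisioning directory and reports clients that were denied, that sent a User-Agent outside the three allowed prefixes, or that asked for more MAC-named files than one phone needs. The file naming (name ending in a 12-hex-digit MAC), the `/prov/` path and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip - user [time] "METHOD path PROTO" status size "referer" "agent"
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
                  r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# The same prefixes the SetEnvIfNoCase rules in the first post let through.
PHONE_UA = re.compile(r'^(Sipura|Linksys|Polycom)', re.I)
# Assumption: each phone's file name ends in its 12-hex-digit MAC (plus suffix/extension).
MAC_FILE = re.compile(r'([0-9a-f]{12})(?:[-.][^/]*)?$', re.I)

def review(lines, max_macs=1):
    """Return {client_ip: [reasons]} for clients that do not look like a single phone.
    Raise max_macs for sites where several phones share one NAT address."""
    denied, odd_ua, macs = defaultdict(int), defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # not a combined-format line
        ip = m["ip"]
        if m["status"] == "403":          # refused by the access rules
            denied[ip] += 1
        if not PHONE_UA.match(m["ua"]):
            odd_ua[ip].add(m["ua"])
        hit = MAC_FILE.search(m["path"])
        if hit:
            macs[ip].add(hit.group(1).lower())
    findings = defaultdict(list)
    for ip, n in denied.items():
        findings[ip].append(f"{n} request(s) answered 403 (denied)")
    for ip, agents in odd_ua.items():
        findings[ip].append(f"non-phone User-Agent: {sorted(agents)}")
    for ip, seen in macs.items():
        if len(seen) > max_macs:          # a phone only needs its own file
            findings[ip].append(f"requested config files for {len(seen)} MACs")
    return dict(findings)

# Constructed sample log lines (documentation addresses, made-up MACs and agents).
T = '[21/Nov/2008:10:00:00 -0300]'
SAMPLE = [
    f'198.51.100.7 - - {T} "GET /prov/spa0000aa000001.cfg HTTP/1.1" 200 4211 "-" "Linksys/SPA942"',
    f'203.0.113.9 - - {T} "GET /prov/ HTTP/1.1" 403 210 "-" "Mozilla/5.0"',
    f'203.0.113.9 - - {T} "GET /prov/spa0000aa000001.cfg HTTP/1.1" 200 4211 "-" "Linksys/SPA942"',
    f'203.0.113.9 - - {T} "GET /prov/spa0000aa000002.cfg HTTP/1.1" 200 4198 "-" "Linksys/SPA942"',
]

if __name__ == "__main__":
    for ip, reasons in review(SAMPLE).items():
        print(ip, reasons)
```

The third check matters because the User-Agent rule only looks at a header the client chooses, so a 200 response with a phone-like agent is not proof that a phone made the request.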

Submitted by eeman on Tue, 11/25/2008 Permalink

Agreed, I don't see VPN as practical in an MTE situation, as the goal on MTE is one of keeping the load as minimalistic as possible. Encryption seems counter-intuitive to that goal. With regard to security, there is something else of concern. There are now SIP discovery and brute force tools used to guess passwords of extensions. This site has tools that discover all the extensions on your SIP channel driver and then use a dictionary attack to guess the passwords.

Some customers thought it was a good idea to make the SIP secret the same value as the extension number. They got compromised quickly and were used to mass market credit card scams to residents all over the US. Make sure your passwords are completely random. No one has to remember them, the phones just download the value and connect. PBX manager does a good job in its randomizing mode of password generation.
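A check for the weak-secret case described above, as an added example that is not part of the original thread and is not PBX manager's own code. It assumes a chan_sip style `sip.conf` with one `[extension]` section per phone and a `secret=` line; the 12-character minimum and the sample file are assumptions constructed for illustration.

```python
import re
import secrets
import string

SECTION = re.compile(r'^\[([^\]]+)\]')
SECRET = re.compile(r'^secret\s*=\s*([^;]*)')    # ';' starts a comment in sip.conf

def audit(conf_text, min_len=12):
    """Return [(extension, reason)] for secrets a dictionary attack finds quickly."""
    findings, ext = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            ext = m.group(1)              # remember which extension we are in
            continue
        m = SECRET.match(line)
        if not m or ext in (None, "general"):
            continue
        secret = m.group(1).strip()
        if secret == ext:
            findings.append((ext, "secret equals the extension number"))
        elif secret.isdigit():
            findings.append((ext, "secret is digits only"))
        elif len(secret) < min_len:
            findings.append((ext, f"secret shorter than {min_len} characters"))
    return findings

def new_secret(length=20):
    """Random secret from the OS CSPRNG; nobody types it, the phone downloads it."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Constructed sample, not taken from any real system.
SAMPLE = """\
[general]
context=default
[1001]
type=friend
secret=1001
[1002]
type=friend
secret=482913        ; digits only
[1003]
type=friend
secret=hunter2
[1004]
type=friend
secret=k3Vq9ZtPwX7bLm2RsYc4
"""

if __name__ == "__main__":
    for ext, reason in audit(SAMPLE):
        print(ext, reason)
```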

Submitted by raven on Thu, 12/11/2008 Permalink

When I think of HTTP config, I think of Grandstream. When I think of Grandstream, I think of a phone rebooting when anyone calls it after a firmware upgrade, and me being somewhere else not being able to give it a factory reset to wipe its corrupted config file.

Submitted by olekaas on Mon, 12/15/2008 Permalink

We use FTP for our Polycom phones. Each tenant has a unique login/password, which also allows advanced customers to hack their provisioning files themselves (or they pay us to do it :). I would like to use FTPS, but the Polycom bootloader doesn't support TLS.

We use HTTP for PAP2T. The provisioning file is encrypted and the files are served by Apache. So no security issue here.

/Ole

Submitted by dbenders on Wed, 02/18/2009 Permalink

Hi, can you help us with how to set up the Polycoms with FTP and the Linksys with the encryption?

Any help or doc will be very appreciated.

Submitted by eeman on Wed, 02/18/2009 Permalink

Polycom runs FTP right out of the box. You just need to create your FTP account for the provisioning directory. Nothing special is needed on the Polycom to tell it to use FTP as its protocol.