When installing an Allworx system, it is imperative to use proper security settings. Most hostile and unauthorized access to an Allworx system results in unauthorized calls and toll fraud. Compromises usually start with port scans to determine whether a host is a candidate for unauthorized access. Disabling unused ports often discourages fraudulent attacks, and the attacker moves on to another IP address.
What you should do
Allworx Server
- Update every server to the most recent patch level of either the 7.3 or 7.4 software release, for example releases 7.3.14.8 and higher or 7.4.10.2 and higher. These patches change each Allworx SIP registration password when the phone reboots.
- Install the server behind a firewall or connect it to the public internet using the WAN port. DO NOT connect the Allworx LAN port directly onto the public internet.
- Disable Allworx WAN services (ports) that are not in use.
- Change voicemail ports (SMTP and IMAP) to non-standard port numbers.
- Change all server administration, phone administration, and user passwords from their default values.
- Use STRONG passwords for the server and phone administration pages. DO NOT use simple passwords such as "1234" or "Allworx".
- Verify that the administration page (port 8080) is not exposed to the public network. To disable WAN Administration, navigate to "Network > Configuration", click Modify, and set "WAN Admin" to Disable. DO NOT port forward from the router directly to the LAN port of an Allworx server. For remote maintenance, use the Allworx VPN: navigate to Home --> Network --> VPN --> Modify to configure the VPN settings.
- When configuring the WAN interface to connect to the public network, run the server in NAT Firewall Mode, preferably with stealth DMZ. In stealth mode, the WAN port does not respond to "pings" from other devices.
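As an added verification aid (not part of the Allworx documentation), the following script checks whether the services the list above says should be unreachable still answer on the server's WAN address; run it from a host outside the site's network against your own WAN IP after applying the settings. The port-to-service mapping is an assumption: 8080 is the administration port the text names, and 25/143 are the standard SMTP/IMAP ports that the voicemail guidance says to move.

```python
import socket
import sys
from typing import Callable, Dict, List, Tuple

# Services this guidance expects to be closed on the public side. The port
# numbers are assumptions for illustration: adjust to the site's own settings.
EXPECTED_CLOSED: Dict[int, str] = {
    8080: "web administration (WAN Admin should be Disabled)",
    25: "voicemail SMTP on the default port (move to a non-standard port)",
    143: "voicemail IMAP on the default port (move to a non-standard port)",
}

Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True when a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) or unreachable all count as "not exposed".
        return False


def audit_wan_exposure(host: str,
                       expected_closed: Dict[int, str] = EXPECTED_CLOSED,
                       probe: Probe = tcp_probe) -> List[Tuple[int, str]]:
    """Return (port, reason) for every expected-closed service that answers.

    The probe is injectable so the logic can be exercised without a network.
    """
    findings = []
    for port in sorted(expected_closed):
        if probe(host, port):
            findings.append((port, expected_closed[port]))
    return findings


if __name__ == "__main__":
    wan_ip = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # placeholder
    exposed = audit_wan_exposure(wan_ip)
    if not exposed:
        print(f"{wan_ip}: no expected-closed services answered")
    for port, reason in exposed:
        print(f"{wan_ip}:{port} is reachable from the outside: {reason}")
```

Any line reported means the corresponding checklist item above has not taken effect at the edge (WAN Admin still enabled, or a router rule still forwarding the port).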
Remote Handsets
- Use STRONG passwords for the phone administration and phone web administration pages. DO NOT use simple passwords such as "1234" or "Allworx" (Home --> Servers --> VOIP --> Modify --> Phone Administration Password).
- Use a STRONG value for the Plug 'n' Play Secret Key. DO NOT use simple values such as "1234" or "Allworx" (Home --> Servers --> VOIP --> Modify --> Plug 'n' Play Secret Key).
- Use proper firewall protection when connecting remote handsets to the public Internet.
- Disable Phone Creates via LAN and WAN Plug 'n' Play except during phone installation.
Px Expander
- Change the Px administration password from the default value.
- Use a STRONG Px administration password. DO NOT use simple passwords such as "1234" or "Allworx".
- Use proper firewall protection when connecting remote Px Expanders to the public Internet.
- Disable Phone Creates via LAN and WAN Plug 'n' Play except during phone installation.
Other Considerations
Evidence from recent security incidents does not show attackers penetrating firewalls to access customer LANs or the servers/phones on customer LANs. Nonetheless, because aggressive malware/botnet/spyware attacks are known to compromise many desktop PCs, we encourage customers to deploy LAN security measures, including:
- Maintaining up-to-date anti-virus/anti-malware protection on LAN systems.
- Deploying phones on VLANs to reduce opportunities to sniff phone network traffic. This also has the added benefit of improved Quality of Service for phone traffic across the LAN.
- Reporting any suspicious activity to an Allworx Technician or Technical Support immediately so we can investigate and stay ahead of these malicious attempts.