MattRaz (Participant)
The first paragraph is a VPBX suggestion, the second is just information. Considering all the great work already put into VPBX, this seems a simple task for the guys to implement.
- June 29, 2020 at 5:44 pm
Yes, I know they have, but avoiding brute-force attacks is not enough. Anyone malicious with access to the site can obtain a MAC address from the back of the phone, and it's not difficult to find out what server that phone is connected to without even gaining access to the phone's config page. Even a simple arp -a will give you the MAC address, let alone a MITM attack. It wouldn't take long to add this info together and get ALL details to connect to that SIP user and make malicious calls.
As a hosted multi-tenant provider, and not a single on-site system end user/customer, this is a bit scary, as we have limited ways to stop people from accessing the customer's building/LAN/WiFi, let alone anyone external who manages to access the network via the WAN (some sites have very basic LAN/WAN CPE).
SIP credentials are far too risky to leave out in the wild and hope no one will find the MAC.
We do have daily call spend limits at network level with notifications to mitigate the issue a bit, but this is a pain to manage and isn't bulletproof.
Would love to hear any suggestions to get around this (ideally keeping things simple so that it fits all customers).
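The weakness the post describes is a provisioning server that releases a handset's SIP account to whoever presents the right MAC. The following is an added example, not code from the thread, from VPBX, or from the poster, showing that weak lookup next to a hardened one that also demands a per-device provisioning secret before releasing anything. Everything in it is an assumption for illustration: the `Device` record, the registry, the sample MAC, user and secret values are constructed, and the product's real provisioning flow may look nothing like this.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed record of what a provisioning server might hold per handset.
# Assumption (not from the post): each phone also has a per-device secret
# that the installer enters once, separate from the MAC printed on the sticker.
@dataclass
class Device:
    mac: str            # canonical lowercase hex, no separators
    sip_user: str
    sip_password: str
    device_secret: str
    failures: int = 0   # consecutive bad secrets presented for this MAC

MAX_FAILURES = 5        # lock the record after this many bad secrets


def normalize_mac(raw: str) -> str:
    """Canonicalise '00-11-22-33-44-55', '00:11:22:33:44:55' or '0011.2233.4455'
    to lowercase hex so the output of arp -a matches however the MAC was stored."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def build_config_mac_only(registry: dict, raw_mac: str):
    """The weak scheme the post worries about: the MAC alone selects and releases
    the SIP account, so anyone who reads the sticker or the ARP table gets it."""
    dev = registry.get(normalize_mac(raw_mac))
    if dev is None:
        return None
    return {"sip_user": dev.sip_user, "sip_password": dev.sip_password}


def build_config(registry: dict, raw_mac: str, presented_secret: str):
    """Hardened variant: the MAC still selects the record, but the config is only
    released when the caller proves possession of the per-device secret.
    Compared in constant time over fixed-length digests, with a failure counter
    so the secret cannot be guessed online through the provisioning endpoint."""
    dev = registry.get(normalize_mac(raw_mac))
    if dev is None:
        return None                     # same answer as a bad secret: reveal nothing
    if dev.failures >= MAX_FAILURES:
        return None                     # locked until an operator resets it
    expected = hashlib.sha256(dev.device_secret.encode()).digest()
    given = hashlib.sha256(presented_secret.encode()).digest()
    if not hmac.compare_digest(expected, given):
        dev.failures += 1
        return None
    dev.failures = 0
    return {"sip_user": dev.sip_user, "sip_password": dev.sip_password}


def sample_registry() -> dict:
    """Constructed test data; none of these are real credentials."""
    dev = Device(
        mac="001122334455",
        sip_user="2001",
        sip_password="constructed-sip-pw",
        device_secret="constructed-device-secret",
    )
    return {dev.mac: dev}


if __name__ == "__main__":
    reg = sample_registry()
    mac_from_arp = "00-11-22-33-44-55"      # as an attacker would read it from arp -a
    print("MAC only  :", build_config_mac_only(reg, mac_from_arp))
    print("bad secret:", build_config(reg, mac_from_arp, "guess"))
    print("good secret:", build_config(reg, mac_from_arp, "constructed-device-secret"))
```

The per-device secret does not remove the need for the spend limits the post mentions, but it turns "know the MAC" into "know the MAC and something that was never on the sticker", which is the gap the post is pointing at.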