Allworx Phone System Security Updates

Allworx, a Windstream company, has announced new security practices in response to recent hacking issues.

Suggested Security Best Practices

Overview

One of the primary advantages of the Allworx family of products is its flexibility in configuration and settings in a way that is easy to understand. Security is an important consideration, and we are constantly striving to improve our systems to protect our customers.

We are investigating reported instances and have seen fraudulent SIP registration attacks that search public IP addresses and gain access to either an Allworx server or, most recently, to remote Allworx handsets not installed behind a firewall. We have also received reports of recent toll fraud incidents in which fraudulent attacks take over the SIP registration of an Allworx handset attached to a public network. This document summarizes the security best practices to prevent security compromises.

What You Should Do

It is imperative to use the proper security settings so that hostile, unauthorized attempts to access the system do not result in situations where either remote access or the spoofing of handsets can occur. Most often, the result is unauthorized calling and toll fraud. Compromises usually start with port scans to determine if a host is a candidate for unauthorized access. Disabling the use of ports often discourages a fraudulent attack, and the attacker will move on to another IP.
  • Update the Allworx server to the most recent patch level of 7.6. These patches change each Allworx phone's SIP registration password during the phone reboot.
  • Install the server behind a firewall or connect it to the public internet using the WAN port. DO NOT connect the Allworx LAN port directly onto the public internet.
  • Disable Allworx WAN services (ports) not in use.
  • Change voicemail ports (SMTP and IMAP) to non-standard port numbers.
  • Change all server admin, phone admin, and user passwords from the default values.
  • Use strong passwords for server and phone administration pages. DO NOT use simple passwords such as “1234” or “Allworx”.
  • Verify that there is no exposure of the Admin Page (Port 8080) to the Public network. DO NOT port forward directly to the LAN port of an Allworx server from the customer’s router. For remote maintenance, use the Allworx VPN. Navigate to Home > Network > VPN > modify to configure the VPN settings.
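
One way to carry out the exposure check in the last item, as an added example that is not Allworx code: run it from a machine on the public side against your own server's public address. Port 8080 is the admin port named above; 25 and 143 are the standard SMTP and IMAP ports that the list says to move away from. The function names and the script name are hypothetical, and only TCP is tested.

```python
import socket
import sys

# 8080 is the admin page port named in the checklist; 25 and 143 are the
# standard SMTP and IMAP ports, which should no longer answer after the
# voicemail ports have been changed to non-standard numbers.
CHECKLIST_PORTS = {
    8080: "admin page",
    25: "SMTP on its standard port",
    143: "IMAP on its standard port",
}


def tcp_port_open(host, port, timeout=2.0):
    """Return True if host:port accepts a TCP connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out (filtered) or unreachable: not exposed over TCP.
        return False


def audit_exposure(host, ports=CHECKLIST_PORTS, timeout=2.0):
    """Return a sorted list of (port, label) pairs that accept connections."""
    return sorted(
        (port, label)
        for port, label in ports.items()
        if tcp_port_open(host, port, timeout)
    )


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_exposure.py <public address of your own server>")
    findings = audit_exposure(sys.argv[1])
    for port, label in findings:
        print(f"EXPOSED: tcp/{port} ({label}) accepts connections")
    # Non-zero exit status lets a scheduled job alert on any finding.
    sys.exit(1 if findings else 0)
```

A finding on 8080 means the admin page is reachable from the public network and the router's port forwarding or the server's WAN service settings need to be corrected.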
For more information about Allworx please contact Telcom & Data at 800-335-0229