Allworx, a Windstream company, has announced new security practices in response to recent Hacking Issues.
Suggested Security Best Practices
One of the primary advantages of the Allworx family of products is its flexibility in configuration and settings in a way that is easy to understand. Security is an important consideration, and we are constantly striving to improve our systems to protect our customers.
We are investigating reported instances and have seen fraudulent SIP registration attacks that search public IP addresses and gain access to either an Allworx server or, most recently, to remote Allworx handsets not installed behind a firewall. We have also received reports of recent toll fraud incidents in which fraudulent attacks take over the SIP registration of an Allworx handset attached to a public network. This document summarizes the security best practices to prevent security compromises.
What You Should Do
- Update Allworx server to the most recent patch level of 7.6 . These patches change each Allworx phone SIP registration passwords during the phone reboot.
- Install the server behind a firewall or connect it to the public internet using the WAN port. DO NOT connect the Allworx LAN port directly onto the public internet.
- Disable Allworx WAN services (ports) not in use.
- Change voicemail ports (SMTP and IMAP) to non-standard port numbers.
- Change all server admin, phone admin, and user passwords from the default values.
- Use strong passwords for server and phone administration pages. DO NOT use simple passwords such as “1234″ or “Allworx”.
- Verify that there is no exposure of the Admin Page (Port 8080) to the Public network. DO NOT port forward directly to the LAN port of an Allworx server from the customer’s router. For remote maintenance, use the Allworx VPN. Navigate to Home > Network > VPN > modify to configure the VPN settings.