GS Wave Security


#1

Does anyone have a good SECURE method of using GS Wave as a remote extension, using port forwarding or a VPN? We have a client that, as soon as the port forwarding rule on 5060 is open, gets flooded with attacks so hard that fail2ban cannot keep up with it and crashes the system. We are going to test with an IAX softphone to see if it still gets attacked. Any other recommendations would be great.
It would be a nice feature to somehow use MAC authentication on remote phones.


#2

Change your SIP port to something non-standard. I use something random above 50,000.

Also, if you’re correctly using a VPN, you shouldn’t need to have any port open on the firewall for the application. At least, that’s been my experience.


#3

Changing the SIP port does not help much: it gets scanned in 20 seconds and you have only lost time.
The only real tip is the VPN, or put the rules on the firewall in an ACL.
As an alternative, create an internal IAX extension for testing and test it remotely (for example with Zoiper); I have excellent sound, and IAX technology is less "targeted" than SIP.

Damiano


#4

I do not agree at all @damiano70. While scanning one port takes only seconds, scanning them all takes too long.

Using a random port, that is not commonly used by other popular applications, backed up with fail2ban has worked excellently for me across many systems for years.


#5

Hello @costwisewpg, I used to think like you too.
Then they showed me that the SIP ports are still found, and in a short time, and I had to change my mind.
However, computer security is not done by "hiding" the ports but by protecting the ones in use with an ACL.
For the past 2 years I have been using SIP port 5060 to the outside (protected with an ACL) and I have never received attacks.
Before that I used port 4000 and received attacks continuously;
therefore it is useless to change the port. It only serves to delay the attack.
Then everyone can think as they wish.
Damiano


#6

please explain ACL


#7

access control list


#8

How does that work using GS Wave when the smartphone carrier constantly changes the IP of your phone? I don't understand.


#9

In fact it is strongly discouraged (I wrote it above) in the presence of dynamic IPs, as in this case. For that a VPN connection is recommended.
One thing that could be done, even if it is not a recommended approach, is to enable the carrier's range, if you can determine it.
At that point you do not open the SIP port to the whole world but only to a range (better than nothing).


#10

@tbooth207 Did you do the IAX test I told you?


#11

@damiano70 again, I disagree. I mentioned using a port over 50,000. Port 4000 is still in a range of commonly used ports.

While I would like to see GS implement more rigid security (ex. MAC filtering), I have never, not once, been scanned on any device (*see caveat) with an open port over 50,000.

*Not all devices I use can alert me to a port scan or log it in a usable / searchable fashion. However, I have fail2ban configured to block and alert me after even one failed connection. I have never had a login attempt I did not recognize. I recognize this is not the same as knowing if I've been port scanned, but the problem listed above is not just about a port scan but about so many login attempts that the system crashes.

If @tbooth207 changes the SIP port to some random port over 50,000, this will resolve the issue.

@tbooth207, if you want to try, let me know and I can walk you through it.
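The two mechanisms argued over in this thread, an ACL in front of the SIP port (#5, #9) and a fail2ban-style retry threshold behind it (#11), as an added example that is not part of the thread or of any Grandstream or fail2ban code: a small Python script that replays constructed Asterisk `chan_sip.c` "Registration ... failed" notices, drops anything outside the allowed carrier/office ranges before it is counted (the ACL), and bans what remains after `maxretry` failures inside a `findtime` window (the fail2ban policy). The log lines, the carrier range 198.51.100.0/24 and the office range 192.0.2.0/24 are constructed for the example (RFC 5737 documentation addresses); the notice format is the one Asterisk prints for failed REGISTER authentication, but nothing else about any real PBX is assumed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): one scanner outside the ACL
# hammering 5060, one handset inside the ACL with a wrong password, and one
# handset inside the ACL with two isolated typos 20 minutes apart.
SAMPLE_LOG = """\
[2024-03-01 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.50>' failed for '203.0.113.5:5060' - Wrong password
[2024-03-01 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.50>' failed for '203.0.113.5:5060' - No matching peer found
[2024-03-01 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@203.0.113.50>' failed for '203.0.113.5:5060' - No matching peer found
[2024-03-01 10:05:00] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@203.0.113.50>' failed for '198.51.100.20:41234' - Wrong password
[2024-03-01 10:05:20] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@203.0.113.50>' failed for '198.51.100.20:41234' - Wrong password
[2024-03-01 10:05:40] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@203.0.113.50>' failed for '198.51.100.20:41234' - Wrong password
[2024-03-01 10:10:00] NOTICE[1234] chan_sip.c: Registration from '"201" <sip:201@203.0.113.50>' failed for '198.51.100.21:5060' - Wrong password
[2024-03-01 10:30:00] NOTICE[1234] chan_sip.c: Registration from '"201" <sip:201@203.0.113.50>' failed for '198.51.100.21:5060' - Wrong password
"""

# Assumed allow-list: the mobile carrier's range and the office range.
ALLOWED_CIDRS = ["198.51.100.0/24", "192.0.2.0/24"]

LOG_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - (?P<reason>.*)$"
)


def parse_failures(log_text):
    """Extract (timestamp, source address, reason) from failed-REGISTER notices."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           ipaddress.ip_address(m["ip"]), m["reason"]))
    return events


def acl_allows(ip, allowed_networks):
    """The ACL: a source may reach the SIP port only from an allowed network."""
    return any(ip in net for net in allowed_networks)


def evaluate(log_text, allowed_cidrs, maxretry=3, findtime=600):
    """Replay the log: ACL first, then a fail2ban-style sliding-window ban.

    Returns the sources the ACL dropped (the PBX never sees them, so there is
    nothing for fail2ban to count) and the sources banned after `maxretry`
    failures within `findtime` seconds.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)       # ip -> timestamps of failures still in the window
    dropped, banned = set(), set()
    for ts, ip, _reason in parse_failures(log_text):
        if not acl_allows(ip, allowed):
            dropped.add(str(ip))
            continue
        if str(ip) in banned:
            continue
        recent[ip] = [t for t in recent[ip] + [ts] if ts - t <= window]
        if len(recent[ip]) >= maxretry:
            banned.add(str(ip))
    return {"dropped_by_acl": dropped, "banned": banned}


if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG, ALLOWED_CIDRS))
    # Post #11's setting: ban after a single failure.
    print(evaluate(SAMPLE_LOG, ALLOWED_CIDRS, maxretry=1))
```

With the allow-list in place the scanner at 203.0.113.5 never reaches the PBX, which is the point made in #5: the flood that overwhelmed fail2ban is discarded at the firewall before any log line is written. The handset at 198.51.100.20 is still banned after three wrong passwords, and with `maxretry=1` (as in #11) so is the one at 198.51.100.21. The caveat raised in #8 and #9 is visible in the same logic: a phone that the carrier moves to an address outside the listed range is dropped by the ACL before it can register at all, which is why a VPN is the recommended answer for dynamic IPs.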


#12

To further clarify. I don’t disagree about using VPN. For sure, use VPN if / when you can.


#13

We have tried the VPN; it works fine but slows their phones to a crawl. That's why we are looking for other options. Testing the IAX over the weekend.


#14

@costwisewpg, you can disagree as much as you want, but it's reality.
And my port 4000 was just an example; I think that's obvious.
If everyone thought like you, it would be enough to put the server and any other active/passive tool on 55,000 (again, I stress this is an example).
Instead, all the big companies take care to protect themselves adequately against attacks (even if they change the standard ports), for example with ACLs.
If you do not believe it, leave whichever SIP port you want open to the world; within a month (maybe less) you will be able to use your server only to count the damage.

Then I repeat, everyone has his own ideas, I have mine after 30 years of experience.
Good weekend,
Damiano :wink:


#15

@tbooth207 I was thrilled by the simplicity of IAX (1 port handles both registration and voice) and the quality of the result.
Remember that it is only a test, do not take literally what I say. :grinning: