So what do you do when the PABX is attacked from within the LAN


#1

Hi

First-time experience with this scenario on an active site.
25 users, a mix of desktops and laptops.
UCM 6102 totally locked down from the WAN.
SonicWall managed by an IT company controlling all rules.
No VLANs; voice and data on one network and one set of cabling, the PC plugs into the back of the phone.

Can't create a rule on the LAN to restrict traffic to the PABX because the phones need to reach the PABX.
Sure, we could do a reserved range for the phones and then allow only that range local to the PABX.

The only time these login attempts stopped is when they closed and went home for the day. Suspect a user PC is infected and creating a path back in.

Think this is interesting as lots of companies want one simple network. Just thought I would share it since it's the first time this has happened, and we have hundreds of posts on remote extensions and locking down the WAN connections, securing the PABX on the WAN…

I used to insist on managed switches and VLANs until I followed the advice in a Spiceworks discussion: why create complexity on a small network, VLANs do nothing. Today it seems I may be paying the price of following that discussion.

Hopefully we fix it in the morning; as each user logs on, we will monitor traffic and see what happens.

I'd like to hear how forum members have dealt with this, as it's only a matter of time before you encounter it if you already have not.


#2

Between the Fail2Ban security settings and the HTTP server whitelist, I am not sure what else you need to keep people out and banned from the UCM. If a user has a virus, that needs to be fixed. You should be able to capture the login attempts and track them back to the user; Wireshark is your best friend.
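The triage the reply above describes, as an added example that is not from the thread or from Grandstream: it parses a constructed log excerpt (the line format is assumed, not the UCM's real alert format), counts failures per source and per distinct username, and applies a Fail2Ban-style sliding-window rule with a whitelist. The assumed admin workstation address 192.168.0.10 is a placeholder. It also shows why a whitelist that covers the whole office LAN would exempt exactly the kind of internal attacker this thread is about.

```python
"""Fail2Ban-style triage of PABX login failures from a log excerpt."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample log. The line format is assumed for this example and is
# NOT the UCM's own log format; adapt LINE_RE to the real export.
SAMPLE_LOG = """\
2016-03-14 09:01:03 sip REGISTER_FAIL user=1001 src=192.168.1.81
2016-03-14 09:01:04 sip REGISTER_FAIL user=1002 src=192.168.1.81
2016-03-14 09:01:05 sip REGISTER_FAIL user=1003 src=192.168.1.81
2016-03-14 09:01:06 sip REGISTER_FAIL user=1004 src=192.168.1.81
2016-03-14 09:01:07 sip REGISTER_FAIL user=1005 src=192.168.1.81
2016-03-14 09:01:08 sip REGISTER_FAIL user=1006 src=192.168.1.81
2016-03-14 09:02:10 web LOGIN_FAIL user=admin src=192.168.0.20
2016-03-14 09:02:15 web LOGIN_FAIL user=admin src=192.168.0.20
2016-03-14 09:02:40 web LOGIN_OK user=admin src=192.168.0.20
2016-03-14 09:05:30 sip REGISTER_OK user=1010 src=192.168.0.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<svc>\w+) (?P<result>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, service, result, user, source_ip) for each line that
    matches the assumed format; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["svc"], m["result"], m["user"], m["src"])


def failure_summary(text):
    """Per source: (number of failed attempts, number of distinct usernames).
    Many failures against many different users from one source is the
    signature of extension/credential enumeration rather than a typo."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for _ts, _svc, result, user, src in parse_log(text):
        if result.endswith("_FAIL"):
            counts[src] += 1
            users[src].add(user)
    return {src: (counts[src], len(users[src])) for src in counts}


def find_bans(text, max_retry=5, retry_window=timedelta(minutes=10),
              whitelist=("192.168.0.10",)):
    """Sliding-window rule in the style of Fail2Ban: a source with max_retry
    failures inside retry_window gets banned unless it is whitelisted.
    The default whitelist is an assumed admin workstation address.
    Returns {source_ip: timestamp of the failure that triggered the ban}."""
    exempt = [ipaddress.ip_network(n) for n in whitelist]
    recent = defaultdict(deque)          # source -> timestamps of recent failures
    bans = {}
    for ts, _svc, result, _user, src in parse_log(text):
        if not result.endswith("_FAIL") or src in bans:
            continue
        if any(ipaddress.ip_address(src) in net for net in exempt):
            continue                     # whitelisted sources are never counted
        window = recent[src]
        window.append(ts)
        while ts - window[0] > retry_window:
            window.popleft()             # drop failures older than the window
        if len(window) >= max_retry:
            bans[src] = ts
    return bans


if __name__ == "__main__":
    for src, (fails, users) in failure_summary(SAMPLE_LOG).items():
        print(f"{src}: {fails} failures against {users} distinct user(s)")
    print("banned:", find_bans(SAMPLE_LOG))
    # A whitelist covering the whole private range exempts an attacker that
    # sits inside it, which is exactly the scenario in this thread.
    print("banned with LAN-wide whitelist:",
          find_bans(SAMPLE_LOG, whitelist=("192.168.0.0/16",)))
```

Two failures from the admin host with the same username followed by a success is a typo; six failures in six seconds against six different extensions from one source is enumeration, and that source is what to hunt for in the capture. Whitelist individual admin hosts, never the LAN.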


#3

Thanks.
Wireshark is showing session ID owner address 192.168.1.81.
Only one subnet on the LAN, which is 192.168.0.0/24.

Someone's PC is definitely infected, but it's proving hard to find it.


#4

It should also show the MAC, which will help ID the model of the device. Filter all of its traffic in Wireshark, ip.addr == 192.168.1.81, and paw through the packets to ID the culprit. Can you access the switch's ARP table to ID what port the MAC address is on? If you can't access the switch's ARP table, I would open up a steady ping to the IP and start unplugging things until I can't ping it. If nothing's labeled, then just wait until someone complains about it.
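The hunt the reply above describes, as an added example (not the poster's code and not tied to any particular switch): given a tab-separated IP/MAC export from the capture and the switch's MAC address (CAM) table, it resolves the suspect address to the MAC that sent it, the vendor OUI, and the learned port. Both inputs are constructed for the example and their layouts are assumed. Only the 00:0b:82 Grandstream OUI is real; the other vendor names are placeholders. It also performs the check the thread's own numbers invite: 192.168.1.81 is outside 192.168.0.0/24, so if that is the only subnet, the MAC behind it may belong to a router hop rather than the infected host.

```python
"""Trace a suspect IP seen in a capture to a MAC, vendor and switch port."""
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.0.0/24")   # the only subnet per the thread

# Constructed frame list in a "tshark -T fields -e ip.src -e eth.src" style
# tab-separated export. Not a real capture.
FRAMES = """\
192.168.0.50\t00:0b:82:11:22:33
192.168.1.81\t3c:97:0e:aa:bb:cc
192.168.0.20\t00:1a:2b:3c:4d:5e
192.168.1.81\t3c:97:0e:aa:bb:cc
"""

# Constructed MAC address (CAM) table in the layout many managed switches print.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000b.8211.2233    DYNAMIC     Gi0/7
   1    3c97.0eaa.bbcc    DYNAMIC     Gi0/12
   1    001a.2b3c.4d5e    DYNAMIC     Gi0/3
"""

# Minimal OUI (first three bytes) lookup. 00:0b:82 is Grandstream's block; the
# other two entries are assumed placeholders. Use the IEEE OUI list in practice.
OUI = {"000b82": "Grandstream",
       "3c970e": "laptop NIC vendor (assumed)",
       "001a2b": "desktop NIC vendor (assumed)"}


def normalize_mac(mac):
    """'3c:97:0e:aa:bb:cc', '3c97.0eaa.bbcc', '3C-97-0E-AA-BB-CC' -> '3c970eaabbcc'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def macs_for_ip(frames, ip):
    """Source MACs that carried frames from ip. More than one MAC behind one
    IP means a router hop or a spoofer, not a single end host."""
    found = set()
    for line in frames.splitlines():
        src_ip, _, src_mac = line.partition("\t")
        if src_ip == ip and src_mac:
            found.add(normalize_mac(src_mac))
    return found


def port_for_mac(table, mac):
    """Look a normalized MAC up in the switch MAC table; None if not learned."""
    for line in table.splitlines():
        fields = line.split()
        if len(fields) >= 4 and re.fullmatch(r"[0-9a-f.:-]{12,17}", fields[1], re.I):
            if normalize_mac(fields[1]) == mac:
                return fields[3]
    return None


def locate(ip, frames=FRAMES, table=MAC_TABLE, lan=LAN):
    """The checks a practitioner runs in order: is the address on the declared
    LAN at all, which MAC(s) sent it, whose OUI is that, which port learned it."""
    macs = sorted(macs_for_ip(frames, ip))
    result = {
        "ip": ip,
        "in_lan": ipaddress.ip_address(ip) in lan,
        "macs": macs,
        "vendors": [OUI.get(m[:6], "unknown OUI") for m in macs],
        "ports": [port_for_mac(table, m) for m in macs],
    }
    if not result["in_lan"]:
        # Off-subnet source on a single flat LAN: either the host carries a
        # second address, or the frames arrived via a router and the MAC is
        # the router's, not the infected machine's. Confirm before unplugging.
        result["note"] = "source is outside the LAN subnet; verify the MAC is an end host"
    return result


if __name__ == "__main__":
    print(locate("192.168.1.81"))
    print(locate("192.168.0.50"))
```

Once the port is known, the steady-ping-and-unplug step in the reply becomes a single cable pull. If the MAC resolves to the SonicWall or another router, the 192.168.1.81 address is being routed in and the search moves to whatever is behind that hop.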


#5

1. Use a VLAN for phones.
2. Use a separate network (IP) for telco, plus admin unit access to this network.

In short, separate it and block traffic on the switch/router.
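A way to check the separation this reply recommends, and the reserved phone range the original post floats in #1, before handing rules to whoever manages the SonicWall. This is an added example, not from the thread and not SonicWall or switch syntax: it models the flat network as one allow-all rule, models a segmented policy as a first-match rule list, and evaluates constructed flows against both. All addresses and ports are assumptions: PABX at 192.168.0.5, admin host 192.168.0.10, phones in a reserved range 192.168.0.192/26 (a phone VLAN would just change that source network), a user PC at 192.168.0.81, SIP 5060/udp, RTP 10000-20000/udp, and 8089/tcp for the web UI.

```python
"""Model a PABX segmentation policy and test flows against it."""
import ipaddress

PABX = "192.168.0.5/32"           # assumed UCM address
PHONES = "192.168.0.192/26"       # assumed reserved range for handsets
ADMIN = "192.168.0.10/32"         # assumed admin workstation
LAN = "192.168.0.0/24"


def rule(action, src, dst, proto="any", ports=(0, 65535)):
    """One ACL entry: action, source/destination networks, protocol, port range."""
    return {"action": action, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "proto": proto, "ports": ports}


# Flat network as in the thread: every LAN host may reach everything.
FLAT = [rule("allow", LAN, LAN)]

# Segmented policy: only the phone range and the admin host reach the PABX,
# and only on the ports they need. First match wins.
SEGMENTED = [
    rule("allow", PHONES, PABX, "udp", (5060, 5060)),     # SIP signalling
    rule("allow", PHONES, PABX, "udp", (10000, 20000)),   # RTP media (assumed range)
    rule("allow", ADMIN, PABX, "tcp", (8089, 8089)),      # web UI, admin host only
    rule("deny", "0.0.0.0/0", PABX),                      # nothing else reaches the PABX
    rule("allow", LAN, LAN),                              # ordinary LAN traffic untouched
]


def evaluate(policy, src, dst, proto, port):
    """First-match evaluation. Returns (action, index of the matching rule);
    a flow that matches nothing is denied with index None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(policy):
        if (s in r["src"] and d in r["dst"]
                and r["proto"] in ("any", proto)
                and r["ports"][0] <= port <= r["ports"][1]):
            return r["action"], i
    return "deny", None


# Constructed flows to regression-test the policy with.
FLOWS = {
    "phone registers":    ("192.168.0.200", "192.168.0.5", "udp", 5060),
    "phone media":        ("192.168.0.200", "192.168.0.5", "udp", 14000),
    "admin web UI":       ("192.168.0.10",  "192.168.0.5", "tcp", 8089),
    "user PC probes SIP": ("192.168.0.81",  "192.168.0.5", "udp", 5060),
    "user PC web login":  ("192.168.0.81",  "192.168.0.5", "tcp", 8089),
    "PC to file server":  ("192.168.0.81",  "192.168.0.7", "tcp", 445),
}


def compare(flows=FLOWS):
    """{flow name: (action under FLAT, action under SEGMENTED)}. Shows which
    flows segmentation cuts off and confirms legitimate ones still work."""
    return {name: (evaluate(FLAT, *f)[0], evaluate(SEGMENTED, *f)[0])
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (flat, seg) in compare().items():
        print(f"{name:20s} flat={flat:5s} segmented={seg}")
```

The point of keeping the rule list in a file like this is that an infected PC trying the UCM's SIP or web port is a flow you can add to FLOWS and assert is denied every time the policy changes, rather than discovering it from the alert log on a Monday morning.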


#6

Just an update.

Unplugged the UCM from the network so it's UCM <=======Flylead=======> into my Linux machine (which is 100% clean).

Alert logs still showing login attempts from external IPs. How is that even possible??? The time was current with just the fly lead to my machine and I could see it as if it was live, but when I refreshed I noticed it was the same set of 5 external foreign IPs that kept on repeating. Had to be something stuck in memory.

Anyway, the IT company resolved the issue with the LAN network, I factory reset the UCM and all seems well now.