UCM 6204 Hacked Analog Ports Outbound International Calls


#21

Thanks, but this string was/is not correct for the US market (NANPA - North America Numbering Plan) -
“NxxNxxNxxx”

it would have worked for most calls, but -

A NANPA number is comprised of:

  1. “1” used to indicate long distance calling and is not always required depending on provider/call type
  2. NXX - area code where the leading digit is 2-9
  3. NXX - exchange where the leading digit is 2-9
  4. XXXX - number where any number is allowed in any position. (you have NXXX)

Special dial strings comprised of 3 digits are also allowed with such examples being 211, 411, 811, 911, etc.

However, using the X in all locations is a safe bet, as if not correct, the provider will let you know.
I limit the dial plan occasionally, but not always. I have not noticed the issue nor have any clients complained and all are updated, but I guess I will have to try and see what happens. 99.9% of my clients are on SIP.


#22

Thank you for clarifying that. Essentially, I must change the dial strings to _NXXXXXX, _NXXNXXXXXX, and _1NXXNXXXXXX. In our area code, we must provide the 1 for certain numbers, but not for others depending on the location. It’s weird, really.
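
Added example, not part of the thread: a small Python matcher for the Asterisk-style patterns quoted in post #22, showing that a dialed string with the international 011 prefix matches none of them, while a catch-all rule lets it through. The `_X.` comparison rule, the helper names and the sample numbers are assumptions constructed for illustration.

```python
import re

# Asterisk pattern classes: X = 0-9, Z = 1-9, N = 2-9
CLASSES = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]"}

def pattern_to_regex(pattern):
    """Translate an Asterisk-style dial pattern (leading '_') to a regex."""
    if not pattern.startswith("_"):
        return re.compile(re.escape(pattern))  # plain literal extension
    parts = []
    for ch in pattern[1:]:
        if ch.upper() in CLASSES:
            parts.append(CLASSES[ch.upper()])
        elif ch == ".":
            parts.append(".+")  # one or more of anything
        elif ch == "!":
            parts.append(".*")  # zero or more of anything
        else:
            parts.append(re.escape(ch))  # literal digit, * or #
    return re.compile("".join(parts))

# Restricted NANP patterns quoted in post #22.
RESTRICTED = ["_NXXXXXX", "_NXXNXXXXXX", "_1NXXNXXXXXX"]
# Assumption for comparison only: a catch-all outbound rule.
CATCH_ALL = ["_X."]

def first_match(dialed, patterns):
    """Return the first pattern matching the whole dialed string, else None."""
    for pattern in patterns:
        if pattern_to_regex(pattern).fullmatch(dialed):
            return pattern
    return None

# Constructed sample numbers, not taken from the thread.
SAMPLES = ["5550123", "4345550123", "14345550123", "911", "011442079460000"]

def report(samples=SAMPLES):
    """Map each dialed string to (restricted match, catch-all match)."""
    return {n: (first_match(n, RESTRICTED), first_match(n, CATCH_ALL))
            for n in samples}

if __name__ == "__main__":
    for number, (strict, loose) in report().items():
        print(f"{number:>16}  restricted={strict}  catch-all={loose}")
```

With only the three restricted patterns, 3-digit strings such as 911 also match nothing, so they need their own rule.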


#23

Weird, not really. The call pattern is a standard that has evolved over time.

Do a google search for NANPA.


#24

I think you misunderstand. The call pattern is a standard I am used to. The 434 area code is what I find unusual. To make a call in that area code, sometimes it has to be dialed as a local 7 digit number, sometimes as a 10 digit number, and sometimes as an 11 digit number when you are calling from within the 434 area code area.


#25

Sorry, you’re right, I did misunderstand. There are several areas in the country that do this. If you went SIP, it would not be an issue as all dial strings other than like 911 are typically either 10 or 11 digits regardless.


#26

Right. We’ll likely keep the 2 analog lines as a fallback in case we lose internet connectivity, the business can still be contacted. When we add any additional lines, they will definitely be SIP in addition to the already existing SIP channel. Internet providers here are notorious for not being able to restore connectivity for several days sometimes so we’re hanging on to the 2 analog lines for that reason.


#27

Hello Mr. Ken,
I hope your problem has been resolved properly. Actually there are 3 things that I forgot when my client tried this port forward system.

First, I forgot to set “static defense” on the ucm firewall but I set it on my client UCM a few days ago
Secondly, I forgot to set the “ip address access control strategy” in the extension number on the client as mentioned by Mr. Oliver in his second post.
Third, I forgot to set an “outbound blacklist”. From what I have observed, these hackers try to contact foreign numbers in countries that we have never been in contact with.

I know that my client’s ucm is an “eol” product, but my client is very happy with this product because my client is free from very expensive telephone charges before using this product and this product is still running smoothly.

I have reached a conclusion about the port forward system. This port forward system is very easy to implement but has security vulnerabilities. Therefore the VPN system is very suitable for Grandstream. I hope Grandstream’s technical support team can add this feature to UCM like they have added this VPN feature to GVC3200. If you want to use a secure port forward system, then there must be very strict security that must be made from both the ucm side and the router side used.

On the ucm side, what has been mentioned by @tiennk above is absolutely right, update the firmware and set the firewall on ucm. There are 3 firewall systems, but the main thing is static defense. This is what should have been made first, then set F2B and finally dynamic defense. For dynamic defense, this is adjusted to the network mode interface used (route mode). And set the “ip address access control strategy” in the extension number, then set an “outbound blacklist”.

Then for the router side, a secure port forward system must be made that can only be accessed by certain people (by using MAC Address). I have seen this system on a mikrotik router. I am not a seller of this mikrotik router and my office does not use it but my client uses it. Unfortunately, I can’t access my client’s mikrotik router because it’s private and confidential. But I did not give up, I tried to find a demo of mikrotik software like that owned by UCM and I got it, and with the additional assistance of information from google about this mikrotik, then I have found a way for the system I mentioned above. But unfortunately I have not met with their IT staff who handles the mikrotik to discuss whether my system can be successful or not on the mikrotik because they are so busy. I hope you have this system on your router.

Best Regards,
Ray


#28

Similar posts appear every day;
you mainly have to do two things:

  • put NAT rules on the firewall in ACL (otherwise you will have UCM exposed to attacks from all over the world)
  • update fw of phones and UCM
  • also manage the exit rules with security levels

Until you do this, you don’t resolve…