UCM 6204 security issue


#1

Hi, I have a question. I have been finding in the operation log logins under the name admin from unknown IPs. It’s not showing in any other log like the system event log, login log, etc.

example of log:
|09-30-2018 11:24:11 AM|admin|192.168.xxx.xxx|Operation successful|Login: Login|User Name: admin.|Click to modify notes.
|09-30-2018 10:37:16 AM|admin|173.78.131.194|Operation successful|Login: Login|User Name: admin.|Click to modify notes.|
|09-30-2018 10:00:28 AM|admin|173.78.131.194|Operation successful|Login: Login|User Name: admin.|Click to modify notes.|
|09-30-2018 09:47:25 AM|admin|45.55.8.60|Operation successful|Login: Login|User Name: admin.|Click to modify notes.|
|09-30-2018 09:42:19 AM|admin|173.78.131.194|Operation successful|Login: Login|User Name: admin.|Click to modify notes.|
|09-30-2018 09:31:15 AM|admin|173.78.131.194|Operation successful|Login: Login|User Name: admin.|Click to modify notes.|
|09-30-2018 09:08:15 AM|admin|173.78.131.194|Operation successful|Login: Login|User Name: admin.|Click to modify notes.|
|09-30-2018 08:17:26 AM|admin|173.78.131.194|Operation successful|Login: Login|User Name: admin.|Click to modify notes.|
|09-30-2018 08:06:57 AM|admin|45.55.8.60|Operation successful|Login: Login|User Name: admin.|Click to modify notes.|
|09-30-2018 07:40:51 AM|admin|173.78.131.194|Operation successful|Login: Login|User Name: admin.|Click to modify notes.|
Could you please tell me what this could be? The IP 192.168.xxx.xxx is my local IP. Password changed every week. Firmware 1.0.18.12, latest as of 9/29/2018.


#2

If you really need to have the admin page open to the Internet without filters, then I recommend changing its public port. If you don’t want to mess with the UCM settings, then do a port forward on your router with different port numbers. That will help a lot.


#3

Turn on Fail2ban and it should start banning these IPs that are trying to log in.


#4

Do you have any recommendation for port numbers?


#5

LOL, thank you, that was funny!)))


#6

Any port (higher than 1024 recommended) will do. There is no technical reason to choose one number over another. Remember that it’s just for the web interface.

And like lstutesman said, enabling the Fail2ban will help. It works wonders.


#7

Thank you.

Of course all settings were turned on: Fail2ban, dynamic, etc. I guess it was quite clear, and my question was about the security of these protocols, not how to set up the PBX. The problem is with the security protocols: Fail2ban is not working this way, not for this guy. Changing the password stopped him/her for 6 seconds or 3 tries (but the setting is max. 2, and the password is 16 random letters, digits, symbols). Port changes were also useless; for 10 random ports he/she was delayed for 3 seconds for each port.

Just one guess: the factory has a back door, and someone is using it.

And with no access to root, I can’t do anything.
Are there programmers from Grandstream here? Please, I need your help!


#8

Is SSH enabled? Also, what firmware version is running, and have you also looked at these:



#9

No, SSH is disabled.
All settings are harder than recommended.
Firmware: 1.0.18.12


#10

Could you please check if there are any unusual login credentials created in User Management?

Earlier our UCM was also hacked, and someone named j2ck was created who had access to administrator.

regards,
romush


#11

I got a collection in the Login Banned User List of stuff like this:
ja2ck
ja3ck
ja4ck
omegax
from IPs:
5.79.66.122
37.49.231.104
45.55.8.60
173.78.131.194
166.171.248.158
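The two lists in this thread, the operation-log rows quoted in post #1 and the banned-source addresses in post #11, can be triaged together. The script below is an added example, not Grandstream code and not from any poster: it parses the pipe-delimited rows exactly as pasted, classifies each source address with Python's ipaddress module, keeps the successful logins that did not come from a private address, and marks which of those sources also appear in the banned list. The sample rows and the banned set are constructed from the posts; the column layout is assumed to be exactly as pasted, and the masked 192.168.xxx.xxx address is reported as unparsed rather than silently dropped.

```python
"""Triage of UCM-style operation-log login rows (added example, not Grandstream code)."""
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample input: the rows quoted in post #1, pasted verbatim.
OPERATION_LOG = """\
|09-30-2018 11:24:11 AM|admin|192.168.xxx.xxx|Operation successful|Login: Login|User Name: admin.|Click to modify notes.
|09-30-2018 10:37:16 AM|admin|173.78.131.194|Operation successful|Login: Login|User Name: admin.|Click to modify notes.|
|09-30-2018 10:00:28 AM|admin|173.78.131.194|Operation successful|Login: Login|User Name: admin.|Click to modify notes.|
|09-30-2018 09:47:25 AM|admin|45.55.8.60|Operation successful|Login: Login|User Name: admin.|Click to modify notes.|
|09-30-2018 09:42:19 AM|admin|173.78.131.194|Operation successful|Login: Login|User Name: admin.|Click to modify notes.|
|09-30-2018 09:31:15 AM|admin|173.78.131.194|Operation successful|Login: Login|User Name: admin.|Click to modify notes.|
|09-30-2018 09:08:15 AM|admin|173.78.131.194|Operation successful|Login: Login|User Name: admin.|Click to modify notes.|
|09-30-2018 08:17:26 AM|admin|173.78.131.194|Operation successful|Login: Login|User Name: admin.|Click to modify notes.|
|09-30-2018 08:06:57 AM|admin|45.55.8.60|Operation successful|Login: Login|User Name: admin.|Click to modify notes.|
|09-30-2018 07:40:51 AM|admin|173.78.131.194|Operation successful|Login: Login|User Name: admin.|Click to modify notes.|
"""

# Constructed from post #11: addresses listed there as sources of banned login attempts.
BANNED_SOURCES = {
    "5.79.66.122", "37.49.231.104", "45.55.8.60", "173.78.131.194", "166.171.248.158",
}


def parse_row(line):
    """Split one pipe-delimited row into named fields; None for blank or short rows."""
    fields = [f.strip() for f in line.strip().strip("|").split("|")]
    if len(fields) < 5:
        return None
    return {
        "time": datetime.strptime(fields[0], "%m-%d-%Y %I:%M:%S %p"),
        "user": fields[1],
        "source": fields[2],
        "result": fields[3],
        "action": fields[4],
    }


def source_class(addr):
    """'private' for RFC 1918 / loopback / link-local, 'public' otherwise,
    'unparsed' for masked or invalid text such as '192.168.xxx.xxx'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparsed"
    return "private" if ip.is_private else "public"


def triage_logins(log_text, banned=BANNED_SOURCES):
    """Return successful login rows whose source is not a private address,
    each annotated with its address class and whether the same address
    also appears in the banned-source list."""
    findings = []
    for line in log_text.splitlines():
        row = parse_row(line)
        if row is None or row["result"] != "Operation successful":
            continue
        if not row["action"].startswith("Login"):
            continue
        cls = source_class(row["source"])
        if cls == "private":
            continue  # expected: the owner's own LAN
        row["source_class"] = cls
        row["also_banned"] = row["source"] in banned
        findings.append(row)
    return findings


def per_source_counts(findings):
    """How many flagged logins each source address accounts for."""
    return Counter(f["source"] for f in findings)


if __name__ == "__main__":
    found = triage_logins(OPERATION_LOG)
    for f in found:
        print(f["time"], f["user"], f["source"], f["source_class"],
              "also in banned list" if f["also_banned"] else "")
    print(per_source_counts(f for f in found if f["source_class"] == "public"))
```

Run as a script it prints one line per flagged login and a per-source tally. On this sample, 173.78.131.194 accounts for seven and 45.55.8.60 for two of the nine successful admin logins from public addresses, and both also sit in the banned list from post #11; that overlap between "banned for failed attempts" and "logged in successfully" is what a responder would check before concluding that Fail2ban alone is doing the job.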


#12

So prior to firmware 1.0.14.24 there was a security hole that allowed a hacker to create their own admin user and then log in as it. As long as you are on firmware 1.0.18.12 as you indicated, all you will see are attempts. Do make sure these usernames do not exist on your system along with any others that are not familiar to you.


#13

No accounts were created.
Just a login with the name admin, but that login I see only in the operation log.


#14

Hi everyone, after I changed the phone numbers in the PBX to 7-digit numbers, I don’t know how or why, this is unexplainable, but the firewall decided to move the IP to the black list, finally, and the login was blocked. I can’t say that this is the solution, but for some reason, somehow, it worked.

P.S. I’m willing to try to make the numbers shorter. I don’t like such long numbers, and everyone blames me, but…