John, posted June 29, 2015:

Hello, as you know we operate the hosted edition. Two accounts in the default domain pbx.company.com (localhost) got hacked. We have never used these accounts; we didn't even know the SIP passwords until after the incident. Are the SIP passwords for the extensions in the default domain the same after each installation or are they generated randomly? Because it is unlikely the intruders acquired them through a brute force attack, since we have set an IP to be blocked for a week after three unsuccessful registration attempts.

Thanks
John

Vodia PBX, posted June 29, 2015:

Yes, by default the PBX generates a pretty random password. If the account got hacked, it would be highly unlikely that this was because the passwords were too weak. Maybe they were a leftover from an old installation where passwords were like 40/40 and so on, which is pretty easy to hack. We strongly suggest setting the medium password policy; then you will be able to see what accounts have weak passwords and ask them to change it.

John, posted June 29, 2015:

This isn't the case for us; the base installation was 5.1.3, which already included password policy (and I think medium is the default value). Is there any other way we can find more info about the incident apart from the log in /var/log/snomONE?

Vodia PBX, posted June 29, 2015:

If you log to the file system (including the $ placeholder for the date), you would have a 3-day log history where you could try to dig out details. And if you receive emails on important events, you might see that someone was blacklisted because of too many unauthorized attempts, containing more information. I would suggest that you at least set up the email reporting, because this is cheap, focused reporting on important events, and if you set up a rule in your email program then you can move it into the right folder for potential later follow-up.