VOIP SECURITY ADVISORY
Modified on October 11, 2021
As a result of a recent increase in attempted network attacks and fraudulent activity, Kiwi VoIP recommends that customers conduct a thorough review and update of their security policies. Best practices are:
1. Keep your PBX/device behind a firewall or router doing NAT, and do not ‘port forward’ ports to the PBX or place the IP PBX in a DMZ, where it is exposed to the Internet and open to being hacked. The vast majority of customers will be fine, as they usually place their devices behind a router and rely on NAT to get packets in and out of their network to Kiwi VoIP, but a few people still insist on putting their PBX in a DMZ or setting up port forwarding rules. Port forwarding should not be required for SIP or IAX2 registered devices.
2. If you are using ‘SIP peering’ to connect to Kiwi VoIP and your PBX is not behind NAT, or SIP ports are forwarded, then it is best to set up a firewall rule so that *only* Kiwi VoIP’s network is forwarded/open on the required ports, e.g. only 126.96.36.199/24 can talk to the customer’s device. If you want to be even more specific you can lock this down to just the peering IP address, e.g. 188.8.131.52. This means the rest of the Internet cannot connect to SIP port 5060, for example, and start a hacking attempt.
3. Ensure that your phone system or device does not allow ‘Anonymous’ calling from unauthorized clients. PBX software such as Asterisk is often set up to allow anonymous calls through the option ‘allowguest=yes’. Ensure that this is set to allowguest=no in the SIP General settings on an Asterisk-based system. Other devices will have their own ways of controlling anonymous access to the system.
4. All passwords should be *strong* (8 characters, letters and numbers, etc., and hard to guess), and it is advisable to make them different from the extension numbers. This applies not just to your Kiwi VoIP passwords but also to the passwords of any extensions connecting to your PBX.
5. If you are selling or discarding computer equipment and VoIP hardware, make sure all sensitive data has been erased including settings, usernames and passwords.
6. Block outbound dialing from your voicemail system to prevent Dial Through Fraud (DTF). At a minimum you should have strong passwords on voicemail.
7. Limit auto top-up amounts on your account (Kiwi VoIP settings screen).
8. Block international calling on your account with a PIN code (Kiwi VoIP settings screen).
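One way to check items 3 and 4 above on an Asterisk system, as an added example that is not Kiwi VoIP's own tooling: a small Python audit that reads a sip.conf-style file and reports allowguest not set to no in [general] (Asterisk's chan_sip default is yes) and extension secrets that are missing, equal to the extension number, or that fail the advisory's 8-character letters-and-numbers rule. The sample configuration is constructed for illustration.

```python
import configparser
import re

# Constructed sample sip.conf (not a real customer configuration).
SAMPLE_SIP_CONF = """
[general]
allowguest=yes          ; Asterisk's default: anonymous SIP calls accepted

[201]
type=friend
secret=201              ; secret equals the extension number

[202]
type=friend
secret=Xk9pQ2vLm7       ; acceptable: 10 chars, letters and digits

[203]
type=friend             ; no secret at all
"""


def secret_is_strong(secret):
    """Advisory rule: 8+ characters containing both letters and digits."""
    return (len(secret) >= 8
            and re.search(r"[A-Za-z]", secret) is not None
            and re.search(r"\d", secret) is not None)


def audit_sip_conf(text):
    """Return human-readable findings for an Asterisk sip.conf-style text."""
    # ';' starts a comment in sip.conf; strict=False tolerates repeated keys.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=(";",))
    cp.read_string(text)
    findings = []
    general = cp["general"] if cp.has_section("general") else {}
    # chan_sip defaults allowguest to yes, so a missing key is also a finding.
    if general.get("allowguest", "yes").strip().lower() != "no":
        findings.append("[general] allowguest is not 'no': anonymous SIP calls are accepted")
    for section in cp.sections():
        if section == "general":
            continue
        secret = cp[section].get("secret", "").strip()
        if not secret:
            findings.append(f"[{section}] has no secret")
        elif secret == section:
            findings.append(f"[{section}] secret equals the extension number")
        elif not secret_is_strong(secret):
            findings.append(f"[{section}] secret is weak (under 8 chars or not mixed letters/digits)")
    return findings
```

Run it against the real file with `audit_sip_conf(open("/etc/asterisk/sip.conf").read())`; an empty list means none of the advisory's checks fired.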
Failing to properly secure your systems or PBX can result in any of the following:
1. Toll fraud – utilising your systems or account details to make calls at your expense.
2. Unauthorized access to your system resources, information, privileges and/or listening to your calls and voicemail (through fuzzing, sniffing, or brute force attacks).
3. Denial of service – disabling your voice communication using packet floods