This article collects the recommended settings for securing a Grandstream UCM6200 IP PBX and reducing the risk of the system being compromised.
- Upgrade the firmware.
This is the most important thing you can do with any IP, network or internet-connected device. Vendors release firmware updates regularly with new features and improvements, and these often also include security patches for known vulnerabilities.
Before upgrading your UCM firmware, read the upgrade procedure and back up the configuration first! If you are several versions behind, you may need to perform a stepped upgrade through intermediate versions. Firmware and upgrade information can be found at http://firmware.grandstream.com/.
Download the firmware file, extract it, and upload it to your UCM (Maintenance > Upgrade > Firmware File Path > Choose File to Upload). After a few minutes (this can take much longer when uploading remotely or on a very complex system, so please be patient) your UCM should prompt you to reboot.
UCM62xx Release Notes:
- Change the default username and password.
Changing both the default username and the default password reduces the effectiveness of brute-force attacks. If the username is left at the default, an attacker already has half of your authentication information; changing it is a simple, yet often overlooked, step. Passwords should be difficult to guess: non-dictionary, the longer the better, and including special characters, numbers and capital letters where possible. The Super Administrator username and password can be changed under Maintenance > Login Settings > Change Password / Email:
- Setup Login Security and Ban periods.
User Login Timeout is the idle time (in minutes) after which a logged-in user is automatically logged out of the UCM. Maximum Number of Login Attempts limits how many times a user can retry a login; once the limit is exceeded, the IP address the failed attempts came from is banned for the User Ban Period (in minutes). The Login Whitelist lists IP addresses that are excluded from banning (a whitelisted address is never put on the banned list, even if it exceeds the maximum login attempts), so keep it limited to trusted administrative addresses.
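The following is an added illustration written for this article, not UCM code: a small model of the login-ban logic just described (a maximum number of attempts, a ban period, and a whitelist that is never banned), replayed over a few constructed log lines. The same windowed-threshold model is what the Fail2Ban settings later in this article (Max Retry Duration and Attempts) apply to SIP traffic. The log line format, addresses and thresholds are assumptions made for the example.

```python
"""Model of the UCM login-ban settings: max attempts within a window,
a ban period, and a whitelist. Added example, not Grandstream code; the
log format, addresses and thresholds below are constructed assumptions."""
import ipaddress
import re
from collections import defaultdict, deque

# Constructed log format (assumption): "<epoch seconds> <ip> LOGIN_FAIL|LOGIN_OK"
LINE_RE = re.compile(r"^(\d+) (\S+) (LOGIN_FAIL|LOGIN_OK)$")


class BanTracker:
    def __init__(self, max_attempts, window_seconds, ban_seconds, whitelist=()):
        self.max_attempts = max_attempts      # Maximum Number of Login Attempts
        self.window = window_seconds          # Fail2Ban "Max Retry Duration"
        self.ban_seconds = ban_seconds        # User Ban Period
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self.banned_until = {}                # ip -> epoch when the ban expires

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]         # ban period has elapsed
            return False
        return True

    def record(self, ts, ip, result):
        """Feed one login event and return its outcome."""
        if self.is_whitelisted(ip):
            return "whitelisted"              # never counted, never banned
        if self.is_banned(ip, ts):
            return "already-banned"
        if result == "LOGIN_OK":
            self.failures.pop(ip, None)       # a successful login clears the counter
            return "ok"
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self.banned_until[ip] = ts + self.ban_seconds
            q.clear()
            return "banned"
        return "fail"


def process_log(lines, tracker):
    """Replay log lines through the tracker; return (ip, outcome) per line."""
    outcomes = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, result = int(m.group(1)), m.group(2), m.group(3)
        outcomes.append((ip, tracker.record(ts, ip, result)))
    return outcomes


# Constructed sample log: a remote scanner, an admin on a whitelisted subnet,
# and a user who mistypes once and then logs in.
SAMPLE_LOG = [
    "1000 203.0.113.9 LOGIN_FAIL",
    "1005 203.0.113.9 LOGIN_FAIL",
    "1010 203.0.113.9 LOGIN_FAIL",      # third failure inside the window: banned
    "1012 203.0.113.9 LOGIN_FAIL",      # ignored while the ban is active
    "1020 192.168.10.5 LOGIN_FAIL",
    "1025 192.168.10.5 LOGIN_FAIL",
    "1030 192.168.10.5 LOGIN_FAIL",     # whitelisted subnet, never banned
    "1100 198.51.100.7 LOGIN_FAIL",
    "1150 198.51.100.7 LOGIN_OK",       # success clears the failure count
    "1700 203.0.113.9 LOGIN_FAIL",      # the 600 s ban has expired by now
]


def run_sample():
    tracker = BanTracker(max_attempts=3, window_seconds=300, ban_seconds=600,
                         whitelist=["192.168.10.0/24"])
    return process_log(SAMPLE_LOG, tracker), tracker


if __name__ == "__main__":
    for ip, outcome in run_sample()[0]:
        print(ip, outcome)
```

Two points the replay makes visible: a whitelisted source is never counted at all, which is why the whitelist should be as narrow as possible, and failures older than the window are forgotten, so a slow attacker who stays under the rate is not banned by this control alone.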
- Securing SIP Extensions and Consumer Logins.
The Permission Level set on an extension controls which outbound routes that extension may use: an extension can use any outbound route whose permission level is at or below its own, so an extension at International (the highest level) can use every route. If you have outbound routes configured at both National and International level and a user does not need the international route, lower the extension's permission level. Note that the International permission level is only the top of this ordering; it does not by itself grant permission to make international calls unless you have configured your routes that way.
Always use a strong SIP Password, just as you would with any other password. The User Password is the password with which the user logs in to the UCM web interface to manage voicemail, DND and a few other functions. These automatically created user (consumer) accounts can also be managed under Maintenance > User Management.
Restrict Concurrent Registrations to 1 unless you need multiple SIP devices registered to a single SIP extension.
Restrict SIP registrations to the local network or to specified networks only using the ACL Policy; any device attempting to register from outside the specified subnets will then be rejected.
Disable WebRTC Support if you are not using it. It is commonly used by applications such as GS Wave and remote login apps; if all your extensions are local and you do not allow remote login or use GS Wave, it can be disabled.
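To make the interaction between these settings concrete, here is an added example written for this article (not Grandstream code) that models the decisions the UCM makes: the extension permission level against the route permission level, the ACL Policy and Concurrent Registrations checks on a registration, and, anticipating the Outbound Blacklist section below, a country-code blacklist applied before any route is chosen. The permission-level ordering follows the UCM; the routes, extensions, addresses, dial prefixes and number formats are constructed assumptions.

```python
"""Model of extension permission levels, the outbound country blacklist and
the registration ACL. Added example for this article, not UCM code; routes,
extensions, addresses and dial prefixes are constructed assumptions."""
import ipaddress
from dataclasses import dataclass, field

# UCM permission levels, lowest to highest. An extension may use any outbound
# route whose level is at or below its own; "International" is only the top
# of this ordering, not a statement about where the route actually dials.
LEVELS = ["Internal", "Local", "National", "International"]

INTERNATIONAL_PREFIX = "00"   # assumed dial prefix for international numbers


@dataclass
class OutboundRoute:
    name: str
    prefix: str    # dialled number must start with these digits
    level: str     # permission level required to use the route


@dataclass
class Extension:
    number: str
    permission: str
    acl_networks: list = field(default_factory=list)  # CIDR strings; empty denies all
    max_registrations: int = 1                        # Concurrent Registrations


# Constructed routes. The premium-rate route is deliberately gated at
# "International" although it is not an international destination.
ROUTES = [
    OutboundRoute("National", "0", "National"),
    OutboundRoute("International", INTERNATIONAL_PREFIX, "International"),
    OutboundRoute("Premium rate", "09", "International"),
]


def level_rank(name):
    return LEVELS.index(name)


def match_route(number, routes):
    """Longest-prefix match so the most specific route wins."""
    candidates = [r for r in routes if number.startswith(r.prefix)]
    return max(candidates, key=lambda r: len(r.prefix), default=None)


def outbound_decision(ext, number, routes, blacklisted_codes):
    """Return (allowed, reason) for an extension dialling a number."""
    # Outbound Blacklist: country codes that must never be dialled at all.
    if number.startswith(INTERNATIONAL_PREFIX):
        rest = number[len(INTERNATIONAL_PREFIX):]
        for code in blacklisted_codes:
            if rest.startswith(code):
                return False, f"country code {code} is blacklisted"
    route = match_route(number, routes)
    if route is None:
        return False, "no outbound route matches"
    if level_rank(ext.permission) < level_rank(route.level):
        return False, f"extension level {ext.permission} below route level {route.level}"
    return True, route.name


def registration_allowed(ext, source_ip, active_registrations):
    """ACL Policy plus Concurrent Registrations check for a SIP REGISTER."""
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in ipaddress.ip_network(n) for n in ext.acl_networks):
        return False, f"{source_ip} is outside the extension's ACL"
    if active_registrations >= ext.max_registrations:
        return False, "concurrent registration limit reached"
    return True, "ok"


if __name__ == "__main__":
    national = Extension("1001", "National", ["192.168.10.0/24"])
    # 506 is the Costa Rica country code used as the article's blacklist example.
    print(outbound_decision(national, "0033123456789", ROUTES, ["506"]))
    print(outbound_decision(national, "0900123456", ROUTES, ["506"]))
    print(registration_allowed(national, "203.0.113.5", 0))
```

The premium-rate route shows why the permission level is not a call-type setting: an extension at National level cannot reach it simply because the route was assigned the International level, regardless of the destination. The blacklist is evaluated before route selection, so even an International-level extension is refused a blacklisted country.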
- Enable Outbound Blacklist (Extension / Trunk > Outbound Routes > Outbound Blacklist).
Here you can restrict the countries that can be dialled. If you never call Costa Rica, for example, blacklist its country code entirely so that the UCM cannot dial any number in that country.
- Secure Inbound Routes that allow for outbound calls.
Some UCM features (such as the IVR) can be configured to let an inbound caller place an outbound call. If you do not need this functionality, ensure it is not enabled; the features concerned are Dial Trunk and Dial Other Extensions. If you do require it, use it together with the IVR Blacklist/Whitelist feature so that only intended destinations can be reached.
- Restrict Web Access.
Enable the IP Address Whitelist, force the Protocol Type to HTTPS and change the default access port. These settings apply to the UCM web interface: restricting it to HTTPS, moving it off the default port and allowing only specific IP addresses and subnets to reach it reduces exposure to anyone probing default ports from anywhere.
- Enable Fail2Ban.
Fail2Ban blacklists any IP address that exceeds the configured number of attempts within the Max Retry Duration. Add the subnets and IP addresses of any devices that register extensions on the UCM to its whitelist, and add your SIP trunk provider's IP addresses as well, so that a misconfigured phone or a provider retry does not get legitimate traffic banned.
- Setup UCM behind a Firewall and minimise or eliminate port forwarding where possible.
If your UCM has no users logging in or registering remotely (i.e. no remote extensions), there is no need to have any port forwarding open to the UCM. VPNs or remote access software such as TeamViewer and ConnectWise Control can be used to reach the UCM web interface instead. If you use SIP Registration for your SIP trunks (as opposed to SIP Peering), the UCM initiates an outbound registration to your provider and there is no requirement to forward port 5060 to your UCM. Forwarding is only required when using SIP Peering, and in that case it should be locked down to your SIP provider's IP ranges.
If remote extensions are a requirement, ensure all the previous steps are in place before configuring port forwarding to your UCM.
Additionally, it is recommended that you change the SIP port away from the default 5060 to reduce the attention of internet bots scanning for common device/port combinations. This may affect device registrations to extensions, so configure it with care, and treat it as a complement to the controls above rather than a substitute for them.