We have recently had one of our UC520s accessed from overseas and they have managed to create over $4000 of fraudulent calls on our VoIP account.
The UC does a PPPoE connection to the internet. The WAN port of the UC has a public IP address and the access list we have is below.
access-list 104 permit TCP host 220.127.116.11 host 203.206.XXX.XXX eq 5060
access-list 104 permit UDP host 18.104.22.168 host 203.206.XXX.XXX eq 5060
access-list 104 deny TCP any any eq 5060
access-list 104 deny UDP any any eq 5060
(XXX just hides our IP address)
We have also configured COR lists on the UC to stop this happening again.
Our ISP says that we do not need to have port 5060 open for SIP to work; can anyone advise on this?
Any other advice / ideas on how to guarantee that the system is now locked down would be much appreciated.
And as a last note, I am still confused as to how they have accessed the system in the first place if the above access lists were in place.