This message also posted in security/network management:
Cisco router 2651XM running a SIP trunk (Call Manager Express)
After having my SIP account hacked, I need to make my SIP trunk secure. I'm fairly certain my SIP details were hacked using packet sniffing, but I'm not 100% sure. My SIP provider has changed my password, but I'm reluctant to re-register with my SIP provider because my new details will just get sniffed again. In the meantime I have changed all the router passwords to strong ones and set up a logging trap, as well as delays to discourage brute force attacks.
How can I harden the encryption in my router or make my SIP trunk resilient to packet sniffing? My sip-ua currently looks like this:
Thanks for your feedback, but are you sure about 'impossible via packet sniffing'? The phone company claims it is possible, so I'm in a quandary and don't know what to do next. I also have to consider mail interception and router hacks, but I'm working on that. I'd appreciate any further ideas...
Someone has hacked my SIP credentials and used up all the credit in two different SIP accounts I've had, both with different companies, so this isn't hypothetical. I'm trying to find out how they did it (three times), so I have to look at all avenues, no matter how unlikely.
It's equally possible that the credentials were obtained another way, i.e. from your email (it is rare to see that encrypted in flight), or maybe from your router config (that type 7 encoded password is a simple thing to decode if you have the config). How many people have access?
No point worrying how good the locks are if the front door is open :-)
Surely the service provider should be able to limit access to your account to a particular set of IP addresses provided by you? One would think that if they're happy to state to their customers that their credentials are unsafe and might be sniffed any time they use the service, they would want to take measures to prevent it...
Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!
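To make the "type 7 is simple to decode" point concrete, here is an added example (not code from the original thread or from Cisco) that decodes and re-encodes IOS type 7 strings and scans a config for `password 7` lines. The decode uses the well-known fixed 53-byte key IOS applies for type 7 obfuscation; the `SAMPLE_CONFIG` text, its hostname, username, SIP account number and the placeholder values in it are constructed for this example and are not real credentials or a real router config.

```python
"""Decode Cisco IOS 'type 7' passwords found in a running-config.

Added example, not part of the original thread. It shows why a
'password 7' line in a router config should be treated as plaintext:
anyone who can read the config (backup files, TFTP, a show run pasted
into an email, a config attached to a forum post) can recover the SIP
trunk credentials without any packet sniffing.
"""
from __future__ import annotations

import re

# Fixed key IOS uses for type 7 obfuscation (53 bytes). The first two
# characters of a type 7 string are a decimal start index into this key;
# the remainder is hex, one byte per plaintext character, each XORed with
# the key byte at (index + position) mod 53.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Return the plaintext for a type 7 string such as '060506324F41'."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 string must be an even number of >= 4 chars")
    seed = int(encoded[:2])             # decimal start offset into _XLAT
    data = bytes.fromhex(encoded[2:])   # obfuscated plaintext bytes
    out = bytearray(b ^ _XLAT[(seed + i) % len(_XLAT)]
                    for i, b in enumerate(data))
    return out.decode("ascii")


def encode_type7(plain: str, seed: int = 6) -> str:
    """Inverse of decode_type7; lets you rebuild or compare a config line."""
    if not 0 <= seed < len(_XLAT):
        raise ValueError("seed must be in 0..52")
    body = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)]
                 for i, c in enumerate(plain.encode("ascii")))
    return f"{seed:02d}{body.hex().upper()}"


# Matches any config line that carries a type 7 secret, e.g.
#   username admin password 7 ...
#   authentication username 1234 password 7 ...   (inside sip-ua)
_PW7 = re.compile(r"^\s*(?P<prefix>.*?\bpassword 7 )(?P<enc>[0-9A-Fa-f]+)\s*$",
                  re.M)


def find_type7_secrets(config: str) -> list[tuple[str, str]]:
    """Return (config line without the secret, decoded secret) per match."""
    return [(m.group("prefix").strip(), decode_type7(m.group("enc")))
            for m in _PW7.finditer(config)]


# Constructed sample config (placeholder names and values, not a real box).
SAMPLE_CONFIG = """\
! constructed sample for this example, not a real router config
hostname cme-router
enable secret 5 $1$abcd$placeholderhashnotreal/
username admin password 7 060506324F41
!
sip-ua
 authentication username 441234567 password 7 0215015819031B
 registrar dns:sip.example.net expires 3600
 sip-server dns:sip.example.net
"""

if __name__ == "__main__":
    for line, secret in find_type7_secrets(SAMPLE_CONFIG):
        print(f"{line} -> {secret!r}")
```

Running the script on the constructed config prints both recovered secrets, including the SIP registration password from the `sip-ua` section. The caveat worth keeping in mind: the router has to present that SIP password to the registrar, so it can only ever be stored reversibly; `service password-encryption` changes nothing about that. The control is protecting the config itself (who can `show run`, where backups and TFTP copies sit, and never pasting it into email or a forum without redacting the `password 7` values), which is exactly why the "who has access" question above matters.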
Yes, I know there are several ways my credentials could have been obtained, and believe me, I'm trying to address every one of them; my packet sniffing query was just one. I'm not sure what to do if emails are being read. I've changed the password on my email, but if they're sniffed in flight that's a different problem. No one uses my computer but me, no one has access to my router but me, and no one knows the passwords (all changed yesterday) except me. I did an HD scan and found a couple of trojans, but whether they were connected I'm still investigating. I've set up a logging trap-to-syslog to monitor router telnet attempts and it works, and I've also set up a logon delay to prevent brute force attacks.
Thanks for your advice. I've sent an email to my SIP provider about restricting access, but I don't hold out much hope. I don't know if you've had experience with SIP providers, but my experience of them is not a pleasant one; they're unhelpful and frustrating.
It mentions SIPScan, and this appears to be exactly what has happened to me; I've even seen calls to Africa and Cuba in my call log, just like it says in the article. If SIPScan isn't a SIP trunk sniffer, what does it do?