Guessing login data is one of the most common attacks on a Private Branch Exchange (PBX). In Kerio Operator, attackers try to guess extension numbers and SIP passwords. This type of attack is recognized by many unsuccessful attempts to enter an extension number and SIP password during login. Kerio Operator security settings let you limit the number of attempts a phone (software or hardware) can make to connect to the PBX.
- On the Kerio Operator administration interface, click on Configuration (Gear Icon) > Security.
- Set the limit of unsuccessful attempts.
- Under the Rule definition section, set your desired limit in the Number of unsuccessful SIP Logins box (usually 3 to 10 attempts).
- Set the time period during which attempts are counted in the Per time period box. The time period protects real users who have forgotten their password or mistyped it during several logins: once it expires, they can try to log in to the PBX again.
- Under the Actions section, set how long Kerio Operator blocks the source IP address in the Block source IP address for box.
- You can also enter an email address that will be used for sending warnings about blocked IP addresses.
- Click Apply on the lower right corner of the interface to save the settings.
- Go to Logs > Security.
- Look for the Authentication failed string. Many messages of this kind mean that somebody is trying a dictionary attack.
- Take note of the extension of the account being attacked; the extension appears after SIP.
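To show how the rule configured above relates to what you see in the security log, here is an added Python example (not part of Kerio Operator or this article) that applies the same "N failed SIP logins per time period" threshold to constructed log lines. The line layout and the regular expression are assumptions; the real Kerio Operator log format may differ.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample security-log lines (real layout may differ); the extension follows "SIP".
SAMPLE_LOG = """\
[10/Mar/2024 08:00:01] Authentication failed for SIP 201 from 203.0.113.5
[10/Mar/2024 08:00:03] Authentication failed for SIP 202 from 203.0.113.5
[10/Mar/2024 08:00:04] Authentication failed for SIP 203 from 203.0.113.5
[10/Mar/2024 08:00:06] Authentication failed for SIP 204 from 203.0.113.5
[10/Mar/2024 08:00:09] Authentication failed for SIP 205 from 203.0.113.5
[10/Mar/2024 08:05:00] Authentication failed for SIP 110 from 198.51.100.7
[10/Mar/2024 08:20:00] Authentication failed for SIP 110 from 198.51.100.7
"""

# Assumed line layout: "[timestamp] Authentication failed for SIP <ext> from <ip>"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Authentication failed for SIP (?P<ext>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Return (timestamp, extension, source_ip), or None for unrelated messages."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S")
    return ts, m.group("ext"), m.group("ip")


def find_attackers(log_text, max_failures=5, period=timedelta(minutes=10)):
    """Flag source IPs reaching max_failures failed SIP logins within `period`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the counting window
    targets = defaultdict(set)    # ip -> extensions it tried
    flagged = {}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, ext, ip = parsed
        window = recent[ip]
        window.append(ts)
        targets[ip].add(ext)
        # Expire attempts older than the period, so a user who mistypes a
        # password a few times over a day never reaches the limit.
        while ts - window[0] > period:
            window.popleft()
        if len(window) >= max_failures and ip not in flagged:
            flagged[ip] = {"blocked_at": ts.isoformat(), "extensions": sorted(targets[ip])}
    return flagged
```

With the defaults (5 failures per 10 minutes) only 203.0.113.5 is flagged; 198.51.100.7 fails twice 15 minutes apart and stays under the limit, which is the behaviour the Per time period setting is meant to give legitimate users.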
In case of an attack, apply the following instructions as soon as possible:
- Go to Configuration (Gear Icon) > Extensions > Status and select the extension which has been potentially abused (based on the information found in security logs).
- Change the SIP password of this account.
- Click OK and Apply.
- Instruct users about handling their login details and secure behavior on the Internet.
- The PBX is blocked at this point, so it needs to be unlocked again.