When installing and configuring SMG, you should pay attention to security settings: organizing access to PBX management and monitoring, as well as call-processing security. You should also pay attention to configuration backup.
Organization of access implies:
- changing standard passwords for WEB and CLI;
- creating limited accounts for certain types of settings and monitoring;
- setting restrictions on IP addresses and/or subnets from which configuration and monitoring can be made;
- setting up a static firewall that restricts access to signaling and management interfaces to trusted nodes only;
- setting up a dynamic firewall, which automatically cuts off unwanted access attempts on public interfaces.
Using SMG on a public network without additional security measures, such as a session border controller (SBC) or a firewall, is not advisable.
Changing passwords on WEB and CLI
Changing passwords for admin/root accounts is mandatory to ensure device security.
Passwords are changed via the ‘Users: Management’ menu.
Changing the WEB password for the admin account is done in ‘Set the administrator password for web-interface’.
Changing the CLI password for the admin account is done in ‘Set the administrator password for telnet/ssh’. More detailed information on this setting can be found in the «Management» section.
Changing the password for the root account is done through the shell. In order to change the password, you need to connect to SMG via ssh/console and run the following commands:
SMG2016>
SMG2016> sh (exit from cli mode to shell mode)
/home/admin #
/home/admin #
/home/admin # passwd root (command to change the root password)
Changing password for root
New password: (enter the new password)
Retype password: (retype the new password)
Password for root changed by root
/home/admin #
/home/admin #
/home/admin # save
tar: removing leading '/' from member names
***Saved successful
New image 0
Restored successful
/home/admin #
Creating restricted accounts
Creation of limited accounts for the web is done through the 'Users:Management' menu.
- In the 'Web-interface users' block, click 'Add';
- Set the user name and password;
- Select access permissions.
Creating restricted accounts is not supported for the CLI. More information on settings can be found in the «Management» section.
Restricting access to signaling and management interfaces
Restrictions are configured in the 'TCP/IP Settings' → 'Network Interfaces' menu.
- Go to the network interface settings.
- In the 'Services' block, disable all management protocols and alarms not used on the interface.
- For the management interface, it is recommended to allow access only to the web interface and ssh.
More detailed configuration information can be found in the Network interfaces section.
Telnet access to the device should be prohibited via the public IP address.
Management should NOT be allowed via public addresses. If management via a public IP address is nevertheless used, a list of allowed IP addresses must be configured: add the addresses from which connections are allowed to the white list. Access from all other addresses should be denied.
CHANGING STANDARD PORTS FOR ACCESS TO THE DEVICE
The setting is made in the 'TCP/IP Settings' → 'Network Settings' menu.
- Change the standard access ports (22 for ssh and 23 for telnet) for accessing the device via the ssh/telnet protocols.
- The standard port for accessing the device via the web (via the http protocol) can be changed via CLI. To do this, connect to SMG via ssh/console and run the following commands:
SMG2016>
SMG2016> config
Entering configuration mode.
SMG2016-[CONFIG]> network
Entering Network mode.
SMG2016-[CONFIG]-NETWORK>
PORT Number in the range 1-65535
SMG2016-[CONFIG]-NETWORK> set settings web (specify the necessary port in the 1–65535 range)
It is recommended to use the HTTPS protocol to access the web interface.
It can be configured in the 'Security' → 'SSL/TLS settings' section. 'HTTPS only' should be selected as the 'Protocol for WEB-interface' in the SSL/TLS settings. It is also possible to use authorization via PAM/RADIUS. More detailed information on setup can be found in the SSL/TLS settings section.
CONFIGURING A LIST OF ALLOWED IP ADDRESSES
The setting is made in the 'Security' → 'White addresses list' menu.
- Add to the white list the addresses from which access to the device is allowed via the web configurator and via the telnet/ssh protocols;
- Enable the option 'Access only from allowed IP-addresses';
- Click the 'Apply' and 'Confirm' buttons.
More detailed configuration information can be found in the White addresses list section.
Configuring a static firewall
A static firewall is used to restrict access to network interfaces according to a list of pre-defined rules.
The settings can be made in the ‘Security’ -> ‘Static Firewall’ menu.
- Go to the firewall settings;
- Create a firewall profile by clicking the ‘Add’ button;
- Set the profile name, click ‘Next’;
- Set filtering rules for incoming and outgoing traffic. Remember that if an incoming or outgoing packet does not match any filtering rule, the ‘Accept’ action is applied to it (the packet is allowed through). Therefore, if access should be allowed only to some nodes and denied to all others, configure the firewall profile so that the last rule has source and destination type ‘Any’ and action ‘Reject’ or ‘Drop’ (discard the packet with an ICMP notification, or discard it silently);
- In the ‘Interface’ block, select the network interfaces for which filtering will be applied;
- Click the ‘Save’ button located under the list of interfaces;
- Click the ‘Apply’ button located at the top of the page;
- Click the ‘Save’ button located above the filter tables.
More detailed configuration information can be found in the Static firewall section.
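The default-Accept behaviour described above is the easy thing to get wrong, so here is an added example (not SMG code; the addresses, subnet and function names are constructed assumptions) that models first-match rule evaluation with an implicit Accept and audits a profile for the closing ‘Any’/‘Any’ Reject or Drop rule:

```python
from ipaddress import ip_address, ip_network

# Constructed model of an SMG static firewall profile: rules are checked in
# order, the first match decides, and a packet matching no rule is ACCEPTED
# (the implicit default described on the page). Names are assumptions.
ACCEPT, REJECT, DROP = "Accept", "Reject", "Drop"

def make_rule(src, dst, action):
    """src/dst are CIDR strings or 'Any'; action is an SMG action name."""
    return {"src": src, "dst": dst, "action": action}

def _matches(spec, addr):
    return spec == "Any" or ip_address(addr) in ip_network(spec, strict=False)

def evaluate(profile, src, dst):
    """Return the action applied to a packet src -> dst under this profile."""
    for rule in profile:
        if _matches(rule["src"], src) and _matches(rule["dst"], dst):
            return rule["action"]
    return ACCEPT   # no rule matched: the implicit default is Accept

def audit(profile):
    """True only if the last rule is an Any -> Any Reject or Drop."""
    if not profile:
        return False
    last = profile[-1]
    return (last["src"] == "Any" and last["dst"] == "Any"
            and last["action"] in (REJECT, DROP))

# Constructed management address and trusted management subnet.
MGMT_IF = "192.0.2.10"
TRUSTED = "198.51.100.0/24"

# Weak profile: allows the trusted subnet but has no closing catch-all,
# so every other source is silently accepted by the default.
weak_profile = [make_rule(TRUSTED, MGMT_IF, ACCEPT)]

# Hardened profile: same allow rule followed by an explicit Any -> Any Drop.
hardened_profile = [
    make_rule(TRUSTED, MGMT_IF, ACCEPT),
    make_rule("Any", "Any", DROP),
]

if __name__ == "__main__":
    for name, prof in (("weak", weak_profile), ("hardened", hardened_profile)):
        print(name, "trusted:", evaluate(prof, "198.51.100.7", MGMT_IF),
              "untrusted:", evaluate(prof, "203.0.113.5", MGMT_IF),
              "closed:", audit(prof))
```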
Configuring a dynamic firewall
A dynamic firewall is used to restrict access to network interfaces based on analysis of requests to various services. If repeated unsuccessful attempts to access a service from the same IP address are detected, the dynamic firewall temporarily blocks that address.
If an address is temporarily blocked several times, it is permanently blocked in the black list of addresses.
The settings can be made in the ‘Security’ → ‘Dynamic Firewall’ menu.
- Go to the firewall settings;
- Add addresses of trusted hosts and subnets to the white list;
- Check the ‘Enable’ checkbox;
- Click the ‘Apply’ button.
More detailed configuration information can be found in the Dynamic firewall section.
It is not recommended to use standard port 5060 for SIP signaling.
It is necessary to periodically check the information in the ‘Security’ → ‘Blocked addresses list’ section. It displays a list of addresses blocked by the dynamic firewall from which an unsuccessful attempt was made to gain access to the device.
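The escalation described above (repeated failures give a temporary block, several temporary blocks give a permanent entry in the black list, white-listed hosts are never blocked), modelled as an added example; this is not SMG code, and the thresholds, window, block time and sample addresses are constructed assumptions rather than the device's real values:

```python
from collections import defaultdict

# Constructed model of the dynamic firewall described above (names and
# thresholds are assumptions, not SMG values): repeated failures from one IP
# inside a window give a temporary block; several temporary blocks give a
# permanent entry in the black list. Whitelisted hosts are never blocked.
MAX_FAILURES, WINDOW = 5, 60          # failures per window before a temp block
BLOCK_TIME, MAX_TEMP_BLOCKS = 600, 3  # temp-block length; blocks before blacklist

class DynamicFirewall:
    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)
        self.failures = defaultdict(list)    # ip -> recent failure timestamps
        self.blocked_until = {}              # ip -> expiry of temporary block
        self.temp_blocks = defaultdict(int)  # ip -> number of temporary blocks
        self.blacklist = set()               # permanently blocked addresses

    def is_blocked(self, ip, now):
        return ip in self.blacklist or self.blocked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Register a failed access attempt at time now; True if ip is blocked."""
        if ip in self.whitelist:
            return False
        recent = [t for t in self.failures[ip] if now - t <= WINDOW] + [now]
        self.failures[ip] = recent
        if len(recent) < MAX_FAILURES:
            return False
        self.failures[ip] = []               # block issued, count afresh next time
        self.temp_blocks[ip] += 1
        if self.temp_blocks[ip] >= MAX_TEMP_BLOCKS:
            self.blacklist.add(ip)           # blocked "several times": permanent
        else:
            self.blocked_until[ip] = now + BLOCK_TIME
        return True

def simulate(attempts, whitelist=()):
    """Replay (time, ip) failed attempts in time order; return the firewall."""
    fw = DynamicFirewall(whitelist)
    for t, ip in sorted(attempts):
        if not fw.is_blocked(ip, t):         # blocked hosts never reach the service
            fw.record_failure(ip, t)
    return fw

# Constructed sample: one host retries in three bursts spaced past the block
# time, while a whitelisted admin host mistypes a password many times.
ATTACKER, ADMIN = "203.0.113.5", "198.51.100.7"
SAMPLE = ([(t, ATTACKER) for t in list(range(5)) + list(range(700, 705))
           + list(range(1400, 1405))] + [(t, ADMIN) for t in range(20)])
```

Running `simulate(SAMPLE, whitelist={ADMIN})` leaves the attacker in `blacklist` after its third burst, which is the state the ‘Blocked addresses list’ page shows, while the admin host is never blocked.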
It is recommended to periodically change the passwords for accessing the device via web/ssh. The password rotation policy should be determined by your security team.
It is recommended to use the latest software version: https://eltex-co.ru/support/downloads/