This is an important notice regarding our security policy. Please read carefully.
It is imperative that these guidelines are followed to prevent any fraudulent calls being made from your system due to weak passwords.
Weak passwords include those shorter than 9 characters, those made up entirely of letters or entirely of numbers (e.g. 1234 or ABCD), and identical passwords used for all phone extensions.
Orbtalk have secure systems set up to detect fraudulent registrations to our gateways, and secure passwords are used on the systems that we supply. However, it is the customer’s responsibility to ensure that they use secure passwords on their own VoIP systems, as many people do get their account compromised at some point. This is a frightening but true fact, and you must do everything you can to prevent this from happening, as we do on our own network.
Orbtalk Ltd will not be held responsible for fraud occurring due to customers maintaining inappropriate password standards. Please make your password secure or you may risk losing money.
Therefore, we strongly advise all customers to modify their passwords in line with the instructions below. We believe that customers who choose not to follow these guidelines are running the risk of serious fraud on their systems.
Most importantly, phone handset or softphone device passwords must be secure. Please do not leave your password as the default, and do not set it to something generic. It is surprising how many systems we check that have '1234' or 'password' set by the IT department. Below we have detailed how customers on Orbtalk PBXes can maintain secure device passwords.
Logins to the administration panel of PBXes must be secure; otherwise hackers can change your device passwords. If Orbtalk system customers require new administration login details, please contact support@orbtalk.com and we will arrange this.
Network access and VPN remote access are obviously the responsibility of your company's IT department or resource, but please ensure that they are secure.
Orbtalk Password Guidelines
Orbtalk has a set of password guidelines (detailed below) that will result in industry standard secure passwords. We strongly advise customers to follow these guidelines, and we will provide assistance where required.
Modifying the passwords for your PBX/Gateway extensions
The passwords should meet the following minimum requirements:
- 10 characters long, minimum 9;
- uppercase letters such as A, B, C;
- lowercase letters such as a, b, c;
- numerals such as 1, 2, 3;
- special characters such as $, ?, &.
With PBX/VoIP Gateway systems, the password changes should be enforced on all extensions (whether they are in use or not).
Once the passwords have been modified following our guidelines below, there will be a significantly reduced risk of your passwords being broken.
How do I change my passwords?
There are plenty of websites out there now that will allow you to easily generate a password from your web browser. It's probably best to use one provided by a security company, such as https://lastpass.com/generatepassword.php. You can NB. In some cases, passwords containing punctuation cannot be used. If you have difficulties in setting these new passwords on your phone, run the utility again, but omit the punctuation check box.
Please use a password strength meter, such as www.passwordmeter.com and ensure that your password strength is greater than 80%.
The next step is to log into your PBX/VoIP Gateway system, browse to each extension and change its password to one generated with the password tool as above.
Once this is changed, the phones associated with the extensions will also need their passwords adjusted.
It is strongly advisable to use different passwords for each extension.
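The guidelines above can be checked across a whole list of extensions before the new passwords are applied. The following is an added example, not Orbtalk's own tooling: it generates a password per extension and audits an extension list for the weaknesses this notice names. The `SPECIALS` set, the function names and the sample extension list are assumptions made for illustration.

```python
import secrets
import string

MIN_LENGTH = 9                 # the page's stated floor ("10 characters long, minimum 9")
SPECIALS = "$?&!%*#@"          # constructed set; the page gives $, ?, & as examples
GENERIC = {"1234", "password"}  # values the page reports finding on real systems


def generate(length=12, punctuation=True):
    """Random password with at least one character from every required class."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits]
    if punctuation:            # pass False for phones that reject punctuation
        classes.append(SPECIALS)
    if length < MIN_LENGTH:
        raise ValueError("length is below the policy minimum")
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def violations(password, punctuation=True):
    """List the policy rules that one password breaks."""
    found = []
    if password.lower() in GENERIC:
        found.append("generic value")
    if len(password) < MIN_LENGTH:
        found.append("too short")
    for name, test in (("uppercase", str.isupper), ("lowercase", str.islower),
                       ("numeral", str.isdigit)):
        if not any(test(ch) for ch in password):
            found.append("no " + name)
    if punctuation and all(ch.isalnum() for ch in password):
        found.append("no special character")
    return found


def audit(extensions, punctuation=True):
    """Map each failing extension to its problems, including shared passwords."""
    report = {ext: violations(pw, punctuation) for ext, pw in extensions.items()}
    owners = {}
    for ext, pw in extensions.items():
        owners.setdefault(pw, []).append(ext)
    for exts in owners.values():
        if len(exts) > 1:
            for ext in exts:
                report[ext].append("shared with another extension")
    return {ext: probs for ext, probs in report.items() if probs}


# Constructed sample: extension number -> configured device password
SAMPLE = {"201": "1234", "202": "Winter2024", "203": "Winter2024", "204": generate()}
```

Running `audit(SAMPLE)` reports extensions 201, 202 and 203 and leaves the generated password on 204 unflagged; extensions that are not in use should be included in the list as well.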
Secure your PBX/VoIP Gateway with a Firewall
It is strongly advised that your PBX/VoIP gateway is secured with a firewall where possible.
Orbtalk VoIP services operate on the following network addresses.
Allow these addresses in your firewall along with your trusted IPs, and block VoIP access for the rest of the world.
All ports to enable for signalling and media for VTM and OS trunks
Orbtalk PBXes
- Signalling (UDP port 5060)
- The PBX Domain Name used for Primary and Failover
- Media IPs (UDP ports 10000 up to 20000)
- The PBX Domain Name used for Primary and Failover
- If your router/firewall does not allow you to specify a domain name in the QoS rules, please create two rules for each port range.
- One should specify your primary PBX IP of 217.xxx.xxx.xxx or 193.xxx.xxx.xxx and the other should not specify an IP.
Trunks
Gateway sip.orbtalk.co.uk
Signalling (UDP port 5060)
- sip.orbtalk.co.uk
- 217.20.39.101 / pop1.orbtalk.co.uk
- 193.104.131.73 / pop2.orbtalk.co.uk
Media IPs (UDP ports 10000 up to 65535)
- 217.20.39.102
- 217.20.39.103
- 193.104.131.76
- 193.104.131.77
- 212.54.143.201
Gateways sipgw1.orbtalk.co.uk & sipgw3.orbtalk.co.uk
Signalling (UDP port 5060)
- Primary Signalling sipgw3.orbtalk.co.uk / 193.104.103.6
- Secondary Signalling sipgw1.orbtalk.co.uk / 208.76.18.119
Media IPs (UDP ports 10000 to 65535)
Primary Media IP
- 193.104.103.2
Secondary Media IPs
- 208.76.16.141
- 208.76.16.142
- 208.76.16.144
- 208.76.16.145
If you have any questions or queries regarding the above, please contact the support team by logging a ticket at https://support.orbtalk.com
Measures that you can take in addition to securing passwords are as follows (please refer to your system specific vendor manuals or, if the system is supplied by Orbtalk, contact support):
- Set Operational Hours for users on your system if possible, or disable the system out of hours.
- Block costly destinations, for example '09' Premium Rate Numbers or expensive International numbers, using dial plans, or allow individual users to dial only the destination countries they require.
- Protect your phone system server or network from so-called 'dictionary' attacks, where hackers attempt to register to your PBX as users or extensions. This can be done with software; for example, 'fail2ban' (available online) allows the blocking of IP addresses that exceed a set number of failed registration attempts.
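The threshold logic behind that last measure, as an added example that is not fail2ban's code or Orbtalk's: it counts failed registrations per source address inside a sliding time window and reports each address that reaches the limit. The log line format, the default limits and the sample addresses are constructed for illustration; a real PBX log will need its own pattern.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (hypothetical, not taken from any specific PBX):
#   2024-05-01 02:13:07 REGISTER failed ext=201 src=198.51.100.23
LINE = re.compile(r"^(\S+ \S+) REGISTER (failed|ok) ext=(\S+) src=(\S+)$")


def offenders(lines, max_failures=5, window=timedelta(minutes=10), trusted=()):
    """Return {ip: time of the failure that reached the threshold}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = {}
    for line in lines:            # lines are assumed to be in time order
        m = LINE.match(line.strip())
        if not m:
            continue              # not a registration event
        stamp, result, _ext, ip = m.groups()
        if result != "failed" or ip in trusted or ip in flagged:
            continue
        now = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(now)
        while now - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= max_failures:
            flagged[ip] = now     # this address would be blocked from here on
    return flagged


# Constructed sample: one address failing against six extensions in six
# seconds, and one user mistyping a password twice, 45 minutes apart.
SAMPLE_LOG = [
    "2024-05-01 02:13:0%d REGISTER failed ext=20%d src=198.51.100.23" % (i, i)
    for i in range(1, 7)
] + [
    "2024-05-01 09:00:00 REGISTER failed ext=201 src=203.0.113.9",
    "2024-05-01 09:00:20 REGISTER ok ext=201 src=203.0.113.9",
    "2024-05-01 09:45:00 REGISTER failed ext=201 src=203.0.113.9",
]
```

With the defaults, only 198.51.100.23 is reported, at its fifth failure; the occasional mistyped password from 203.0.113.9 stays under the limit.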
Thank you for taking the time to read this information.
Kind regards, the Orbtalk Support Team.