Securing Kerio Operator

Issues to address

The following sections describe these settings in detail.

Configuring firewall in local network

Kerio Operator is usually protected by firewall (in your local network or in the Internet). Certain ports need to be opened (or mapped) on firewall.

Service (default port) Outbound connection Inbound connection
SIPSession Initiation Protocol - A communication protocol used for voice and video calls in Internet telephony or private IP telephone systems. (5060) allow allow for SIP servers of your provider
IMAP (143) allow if integration with Kerio Connect is enabled and there is a firewall between Kerio Connect and Kerio Operator. deny
LDAPLightweight Directory Access Protocol enables users to access centrally managed contacts. (389) allow deny
LDAPS (636) allow allow if you use mapping from Active Directory or Open Directory and there is a firewall between the directory service and Kerio Operator.
HTTP (80) allow deny
HTTPS (443) allow allow if you wish users to be able to connect to Kerio Phone from the Internet.
HTTPS (4021) allow allow if you wish users to be able to connect to the administration interface from the Internet.
STUN/TURN (3478) allow allow
STUN/TURN (3479) allow allow

Configuring firewall integrated in Kerio Operator

Prepare groups of IP addresses which you wish to allow for individual services (create them in Definitions > IP Address Groups).

You can configure the integrated firewall in section Network > Firewall.

Service Recommendation
Web server If you want to restrict connections to Kerio Operator administration and softphone, check this option and select an IP group with addresses from which access will be allowed. Bear in mind that all the PBXPrivate Branch Exchange - System that connects telephone extensions and switches calls. users should be allowed to connect to Kerio Phone at least from their own workstation.
SIP We recommend to restrict the SIP protocol solely to your internal network and external IP addresses of your SIP provider.
Phone provisioning For security reasons, we recommend to restrict automatic phone provisioning solely to your internal network because TFTPTrivial File Transfer Protocol - A simple protocol for transferring files. sends configuration data as plain text.
CRMCustomer Relationship Management - Strategies and technologies for managing and analyzing customer relationships. integration For security reasons, we recommend to restrict communication solely to your internal network.
SNMPSimple Network Management Protocol - A protocol for gathering and organizing information about devices in IP networks, and changing devices behavior. monitoring For security reasons, we recommend to restrict communication solely to your internal network and IP adressess where monitoring servers are running.

NOTE

If the options are unchecked, no restrictions are set.

Configuring protection against password guessing

Login data guessing is one of the most common attacks on a PBX. In Kerio Operator, attackers try to guess extension numbers and SIP passwords. This type of attack is defined by many unsuccessful attempts to enter extension number and SIP passwordA password for authenticating provided by a SIP provider. during a login. Kerio Operator security settings enable you to limit the number of attempts of a phone (both software and hardware) to connect to the PBX. Apply settings as described below:

  1. In the administration interface, go to Security.
  2. Set the limit of unsuccessful attempts (usually 3 to 10 attempts) and set the time period during which attempts will be counted. Setting the time period protects real users who have forgotten their password or who have made mistakes during several logins. When the time limit expires, they can try to login to the PBX again.
  3. Set the time during which Kerio Operator will block the source IP address.
  4. You can also enter an email address that will be used for sending warnings about blocked IP addresses.

How to recognize there has been an attack attempt

In log Security look for the Authentication failed string. If there are many messages of this kind, somebody is trying to use a dictionary attack.

What to do in case of an attack

In case of an attack, apply the following instructions as soon as possible:

  1. In section Status > Calls and in logs, look for information on which account has been abused.
  2. Change the SIP password of this account.
  3. Instruct users about handling their login details and secure behavior on the Internet.
  4. The PBX is blocked, so it needs to be unlocked again.