Linux kernel TCP sequence number generation security weakness

[mike@ciconi.co.uk]

We have been Cyber Essentials tested, whilst we passed, the have recommended that we look into:-

"Linux kernel TCP sequence number generation security weakness"

This is on our Mitel 5000 IP address, we have VOIP with the following ports open

3998-4000     TCP
443               TCP
4000             TCP
4444             TCP
20001           UDP
50098-50508 UDP
44000           TCP
69                 UDP
6004-6261    UDP
6800-6802    TCP
22                 TCP

Have we got any not required, could this cause this, or this this just one of those things.

[Tech Electronics]

Mike,

There are a few of those that you don't want to open up to the Internet; which is where the attack is most likely to come from.

22
69
443
4000
4400
3998-4000

The remainder would need to be open to the Internet if you have Teleworker phones. If this is a concern you could always implement an MBG to sit inbetween the Internet and your MiVO-250.

Thanks,

TE

[acejavelin]

Do you have remote phones? Many of those ports are required for NAT'd remote phones, most of them in fact. 443 and 44000 are for remote administration, although we often change 443 to 8443.

The only one that seriously concerns me is port 22, it should only be forwarded if used with a source IP mask restriction for your vendor, and make sure your admin password is of sufficient complexity and length. 69 is not required and is a common port, I would close it and any remote phones will fail over to 20001. I can't for the life of me remember what 4444 is for though.

[mike@ciconi.co.uk]

Thanks, yes we have in the past had remote phones, not currently but may again in the future, so ideally want to keep this available.