
Documentation.SecurityIssues History


February 23, 2012, at 12:50 AM by monica -
Added lines 23-24:

To see the protections added in Freesentral for this issues and how you can protect your network continue reading the below points.

February 23, 2012, at 12:43 AM by monica -
Added lines 52-56:

Denial of service attacks

To cope with DOS attacks a global script: banbrutes.php was added that drops traffic from ip address that send to many requests. In order to use it you need to run yate as root and have iptables installed on the server.
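
Review bot: the Denial of service paragraph tells the reader to run yate as root so that banbrutes.php can be used, but does not say what the script counts as "to many requests" or how long an address stays dropped. Suggest stating the threshold and ban duration (or where they are set), adding a sentence that running yate as root widens the impact of any flaw in yate itself, and correcting "ip address that send to many requests" to "IP addresses that send too many requests".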

February 23, 2012, at 12:31 AM by monica -
Changed lines 44-45 from:

In case an user account was breached, the majority of the theft of service attacks result in a high number of international/expensive calls being made from that account. Freesentral includes protection for this attacks. In case specified limits for international calls are passed international calls are disabled and all international calls are rejected until administrator enables them again. Read more about this here

to:

In case an user account was breached, the majority of the theft of service attacks result in a high number of international/expensive calls being made from that account. Freesentral includes protection for this attacks. In case specified limits for international calls are passed international calls are disabled and all international calls are rejected until administrator enables them again. Read more about this here.

Added lines 50-51:

For better security, support for TLS connections between Freesentral and SIP gateways was added. To use it, set Transport to TLS when defining a gateway.
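
Review bot: the TLS sentence stops at "set Transport to TLS when defining a gateway" and leaves out what the reader needs in order to rely on it: whether the gateway's certificate is checked, and whether a gateway that cannot negotiate TLS is refused or falls back to an unprotected transport. Suggest documenting both, and saying that the setting covers the SIP connection to the gateway, so nobody reads it as encrypting the call audio.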

February 23, 2012, at 12:14 AM by monica -
Added lines 40-44:

International calls protection

In case an user account was breached, the majority of the theft of service attacks result in a high number of international/expensive calls being made from that account. Freesentral includes protection for this attacks. In case specified limits for international calls are passed international calls are disabled and all international calls are rejected until administrator enables them again. Read more about this here

April 22, 2010, at 05:36 PM by cristina -
Changed line 3 from:

(:order_number: 5:)

to:

(:order_number: 8:)

April 05, 2010, at 01:15 PM by 85.204.142.178 -
Changed lines 9-10 from:
to:

IP PBX

April 05, 2010, at 01:14 PM by 85.204.142.178 -
Changed line 7 from:

(:toc anchors=visible:)

to:

(:toc:)

April 05, 2010, at 01:13 PM by 85.204.142.178 -
Changed lines 9-10 from:

IP PBX

to:
April 05, 2010, at 01:05 PM by 85.204.142.178 -
Changed line 7 from:

(:#toc:)

to:

(:toc anchors=visible:)

April 05, 2010, at 01:02 PM by 85.204.142.178 -
Changed line 7 from:

(:toc:)

to:

(:#toc:)

April 05, 2010, at 12:59 PM by 85.204.142.178 -
Changed line 7 from:

(:tocportion TableOfContents:)

to:

(:toc:)

April 05, 2010, at 12:30 PM by 85.204.142.178 -
Changed lines 28-29 from:

To prevent unauthorized login attempts, the admin has access to a login history. He/she can see the user's name and the number of failed login attempts. Below is a screen capture of the “Logs” section in FreeSentral:

to:

You can see the failed attempts in the Logs section.

Changed lines 37-40 from:
  1. Admin's password is very important when wanting to properly secure the system. If the admin's account is broken into, then the hacker can easily create new accounts and/or use Impersonate for existing accounts.
  2. Passwords for SIP calls are encrypted using the MD5 algorithm. This ensures that the users' passwords can not be deciphered by anyone. Of course, this advantage fades if the password is not strong enough and a determined hacker reviles its' value.
to:
  1. Admin's password is very important when wanting to properly secure the system. If the admin's account is broken into, then the hacker can easily create new accounts and/or use Impersonate for existing accounts. The first thing you should do it's to change the admin password.
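
Review bot: the "to" side of lines 37-40 no longer carries item 2, so the page stops saying anything about how SIP passwords are protected. The removed wording was inaccurate (MD5 is a hash, so "encrypted" and "can not be deciphered by anyone" overstate it), but the caveat about weak passwords was worth keeping; suggest restoring the item reworded around hashing and password strength. In the new sentence, "The first thing you should do it's to change" should read "is to change".
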
Changed line 49 from:

Supporting modules such as “Rmanager” and the “Logs” section gives the admin adequate visibility into how FreeSentral works.

to:

Supporting modules such as “RManager” and the “Logs” section gives the admin adequate visibility into how FreeSentral works.

Changed line 82 from:

The security package of the OS distribution can be improperly configured. For instance, msec is Mandriva 2009.1's security package for controlling and managing the system security. If, by mistake, you set the level as “none”, msec will not protect your server and the system will be vulnerable to attacks. Same thing can happen if you improperly define your own custom security level.

to:

The security package of the OS distribution can be improperly configured. For instance, msec is Mandriva 2010's security package for controlling and managing the system security. If, by mistake, you set the level as “none”, msec will not protect your server and the system will be vulnerable to attacks. Same thing can happen if you improperly define your own custom security level.

Deleted lines 97-103:

SSH

Hackers can use SSH for “man-in-the-middle”(MITM) attacks if the unknown public key is not properly verified and is considered valid. A MITM attack can succeed if the hacker is able to impersonate each end point to the satisfaction of the other.

Besides “man-in-the-middle” attacks, hackers can use SSH to engage “brute force” attacks. These actions can be somehow impossible to carry out only if the admins' passwords are strong enough. Also changing the default SSH port is a good battle tactic. Because There are software applications that can scan your system and find what ports are used. You can image the default ports are checked first.
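
Review bot: the SSH section is deleted with nothing in its place, so the page no longer mentions host-key verification or brute-force attempts against the server's SSH login. If the wording was the problem, suggest a short replacement that keeps the two points the section made (check an unknown host key before accepting it; use strong admin passwords) and drops the port-change advice, which the section itself undercut by noting that scanners find the ports in use.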

April 05, 2010, at 12:23 PM by 85.204.142.178 -
Added lines 1-113:

(:title Security Issues regarding FreeSentral:)

(:order_number: 5:)

This article gives you insight to some VoIP problems for an IP PBX such as theft of services, denial of services and eavesdropping and presents specific security problems that may happen in FreeSentral.

(:tocportion TableOfContents:)

IP PBX

Problems such as those mentioned above have a great probability to occur in every IP PBX. These problems are severe security issues and their consequences affect the functionality of the IP PBX.

http://www.freesentral.com/uploads/Documentation/security_issues_FS.jpg A network attack that keep users or devices from accessing the network is a denial of service(DoS). Such attacks are inevitable and are almost impossible to avoid because of their changing nature.

Eavesdropping is a form of hacking for obtaining names, passwords and telephone numbers. This leads to gaining control over the voice mail, call plans and other features. The theft of services is a direct consequence of eavesdropping.

Service theft is another serious security issue that implies hacking the system and using IP PBX services by unauthorized users and/or stealing its' services.

The issues above are just few of the IP PBX security problems. You can avoid some of them by increasing the network security level. The first step is to verify the extension and/or the IP. If those are recognized by the IP PBX as belonging to the network, then the call is authorized. But if you need, for some reason, to allow anonymous calls, FreeSentral will check if the caller ID or IP is recognized by the server (known extension, group or DID). This is a useful technique when wanting to prevent DoS or service theft.

User Access

Web access for users is secured by using https. The number of failed logins is unlimited so they can try to login until they succeed. To prevent unauthorized login attempts, the admin has access to a login history. He/she can see the user's name and the number of failed login attempts. Below is a screen capture of the “Logs” section in FreeSentral:

http://www.freesentral.com/uploads/Documentation/logs.jpg

Passwords

Here are some facts about passwords in FreeSentral:

  1. Admin's password is very important when wanting to properly secure the system. If the admin's account is broken into, then the hacker can easily create new accounts and/or use Impersonate for existing accounts.
  2. Passwords for SIP calls are encrypted using the MD5 algorithm. This ensures that the users' passwords can not be deciphered by anyone. Of course, this advantage fades if the password is not strong enough and a determined hacker reviles its' value.
  3. When exporting extensions the passwords are exported unencrypted. It is very important that the files containing these informations not to fall in the hackers' hands. This could break in a major security problem.

Gateways

Another possible attack uses the IP PBX's gateways. Malicious hackers can take control of the gateways and use them to make free phone calls. This situation can occur if “Trusted” is enabled for the VoIP provider.

Visibility into “what's going on”

Supporting modules such as “Rmanager” and the “Logs” section gives the admin adequate visibility into how FreeSentral works. By using telnet and appropriate debugging commands you can notice what calls are handled, the caller ID and/or phone number and other useful information. You can see a part of a SIP message when using debugging as shown in the next frame:

 
 ------ 
 <sip:INFO> Received 525 bytes SIP message from 10.0.0.1:5060 
 ------ 
 SIP/2.0 401 Unauthorized 
 Via: SIP/2.0/UDP 10.0.0.17:5060;rport=5060;branch=z9hG4bK1128016479;received=10.0.0.17 
 From: <sip:091@elder.null.ro>;tag=816519612 
 To: <sip:091@elder.null.ro> 
 Call-ID: 529868862@elder.null.ro 
 CSeq: 1567 REGISTER 
 WWW-Authenticate: Digest realm="Yate", nonce="578c75c4dac3859a4ce169a9e585aa0e.1266844943", 
                   stale=FALSE, algorithm=MD5 
 Server: YATE/2.1.0 
 Allow: ACK, INVITE, BYE, CANCEL, REGISTER, REFER, OPTIONS, PRACK, INFO, SUBSCRIBE, MESSAGE, 
        NOTIFY, PUBLISH 
 Content-Length: 0 

The “Logs” section lists the users' names, their actions and also the changes made by admins and users. See the screen shot in “User access”.

OS Distribution

A common mistake when analyzing existing security problems is to overlook problems created by the OS distribution. If the operating system is vulnerable then the IP PBX is vulnerable. A weak OS security system will surely be easy to pass when a laborious hacker has just that in plan.

Security Package

The security package of the OS distribution can be improperly configured. For instance, msec is Mandriva 2009.1's security package for controlling and managing the system security. If, by mistake, you set the level as “none”, msec will not protect your server and the system will be vulnerable to attacks. Same thing can happen if you improperly define your own custom security level. Msec has a graphical user interface(msecgui) or one can use the command line “msec -f” to configure security levels:

using msecgui command:

http://www.freesentral.com/uploads/Documentation/msecgui_command.jpg

As you can see, msec detects the security level. Setting the level is directly connecting to enabling/disabling msec.

In the capture below notice the MSEC tool is disabled.

http://www.freesentral.com/uploads/Documentation/msecgui.jpg

using msec -f command:

http://www.freesentral.com/uploads/Documentation/msec_f_command.jpg

SSH

Hackers can use SSH for “man-in-the-middle”(MITM) attacks if the unknown public key is not properly verified and is considered valid. A MITM attack can succeed if the hacker is able to impersonate each end point to the satisfaction of the other.

Besides “man-in-the-middle” attacks, hackers can use SSH to engage “brute force” attacks. These actions can be somehow impossible to carry out only if the admins' passwords are strong enough. Also changing the default SSH port is a good battle tactic. Because There are software applications that can scan your system and find what ports are used. You can image the default ports are checked first.

Keep in mind

The network architecture, the security protocols used, the users interaction and the OS distribution have a huge impact on the way FreeSentral works. You may as well give free access to everybody if just one of these is ignored, inaccurate analyzed or improperly configured.

Documentation
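
Review bot: in User Access, "The number of failed logins is unlimited so they can try to login until they succeed" is followed by "To prevent unauthorized login attempts, the admin has access to a login history", but a history only shows attempts after the fact and prevents nothing. Suggest rewording to say the log is for detection, and stating plainly that the web login has no lockout, so the admin knows to review the Logs section regularly and to require strong passwords.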

March 10, 2010, at 04:39 PM by cristina -
Deleted lines 0-112:

(:title Security Issues regarding FreeSentral:)

(:order_number: 5:)

This article gives you insight to some VoIP problems for an IP PBX such as theft of services, denial of services and eavesdropping and presents specific security problems that may happen in FreeSentral.

(:tocportion TableOfContents:)

IP PBX

Problems such as those mentioned above have a great probability to occur in every IP PBX. These problems are severe security issues and their consequences affect the functionality of the IP PBX.

http://www.freesentral.com/uploads/Documentation/security_issues_FS.jpg A network attack that keep users or devices from accessing the network is a denial of service(DoS). Such attacks are inevitable and are almost impossible to avoid because of their changing nature.

Eavesdropping is a form of hacking for obtaining names, passwords and telephone numbers. This leads to gaining control over the voice mail, call plans and other features. The theft of services is a direct consequence of eavesdropping.

Service theft is another serious security issue that implies hacking the system and using IP PBX services by unauthorized users and/or stealing its' services.

The issues above are just few of the IP PBX security problems. You can avoid some of them by increasing the network security level. The first step is to verify the extension and/or the IP. If those are recognized by the IP PBX as belonging to the network, then the call is authorized. But if you need, for some reason, to allow anonymous calls, FreeSentral will check if the caller ID or IP is recognized by the server (known extension, group or DID). This is a useful technique when wanting to prevent DoS or service theft.

User Access

Web access for users is secured by using https. The number of failed logins is unlimited so they can try to login until they succeed. To prevent unauthorized login attempts, the admin has access to a login history. He/she can see the user's name and the number of failed login attempts. Below is a screen capture of the “Logs” section in FreeSentral:

http://www.freesentral.com/uploads/Documentation/logs.jpg

Passwords

Here are some facts about passwords in FreeSentral:

  1. Admin's password is very important when wanting to properly secure the system. If the admin's account is broken into, then the hacker can easily create new accounts and/or use Impersonate for existing accounts.
  2. Passwords for SIP calls are encrypted using the MD5 algorithm. This ensures that the users' passwords can not be deciphered by anyone. Of course, this advantage fades if the password is not strong enough and a determined hacker reviles its' value.
  3. When exporting extensions the passwords are exported unencrypted. It is very important that the files containing these informations not to fall in the hackers' hands. This could break in a major security problem.

Gateways

Another possible attack uses the IP PBX's gateways. Malicious hackers can take control of the gateways and use them to make free phone calls. This situation can occur if “Trusted” is enabled for the VoIP provider.

Visibility into “what's going on”

Supporting modules such as “Rmanager” and the “Logs” section gives the admin adequate visibility into how FreeSentral works. By using telnet and appropriate debugging commands you can notice what calls are handled, the caller ID and/or phone number and other useful information. You can see a part of a SIP message when using debugging as shown in the next frame:

 
 ------ 
 <sip:INFO> Received 525 bytes SIP message from 10.0.0.1:5060 
 ------ 
 SIP/2.0 401 Unauthorized 
 Via: SIP/2.0/UDP 10.0.0.17:5060;rport=5060;branch=z9hG4bK1128016479;received=10.0.0.17 
 From: <sip:091@elder.null.ro>;tag=816519612 
 To: <sip:091@elder.null.ro> 
 Call-ID: 529868862@elder.null.ro 
 CSeq: 1567 REGISTER 
 WWW-Authenticate: Digest realm="Yate", nonce="578c75c4dac3859a4ce169a9e585aa0e.1266844943", 
                   stale=FALSE, algorithm=MD5 
 Server: YATE/2.1.0 
 Allow: ACK, INVITE, BYE, CANCEL, REGISTER, REFER, OPTIONS, PRACK, INFO, SUBSCRIBE, MESSAGE, 
        NOTIFY, PUBLISH 
 Content-Length: 0 

The “Logs” section lists the users' names, their actions and also the changes made by admins and users. See the screen shot in “User access”.

OS Distribution

A common mistake when analyzing existing security problems is to overlook problems created by the OS distribution. If the operating system is vulnerable then the IP PBX is vulnerable. A weak OS security system will surely be easy to pass when a laborious hacker has just that in plan.

Security Package

The security package of the OS distribution can be improperly configured. For instance, msec is Mandriva 2009.1's security package for controlling and managing the system security. If, by mistake, you set the level as “none”, msec will not protect your server and the system will be vulnerable to attacks. Same thing can happen if you improperly define your own custom security level. Msec has a graphical user interface(msecgui) or one can use the command line “msec -f” to configure security levels:

using msecgui command:

http://www.freesentral.com/uploads/Documentation/msecgui_command.jpg

As you can see, msec detects the security level. Setting the level is directly connecting to enabling/disabling msec.

In the capture below notice the MSEC tool is disabled.

http://www.freesentral.com/uploads/Documentation/msecgui.jpg

using msec -f command:

http://www.freesentral.com/uploads/Documentation/msec_f_command.jpg

SSH

Hackers can use SSH for “man-in-the-middle”(MITM) attacks if the unknown public key is not properly verified and is considered valid. A MITM attack can succeed if the hacker is able to impersonate each end point to the satisfaction of the other.

Besides “man-in-the-middle” attacks, hackers can use SSH to engage “brute force” attacks. These actions can be somehow impossible to carry out only if the admins' passwords are strong enough. Also changing the default SSH port is a good battle tactic. Because There are software applications that can scan your system and find what ports are used. You can image the default ports are checked first.

Keep in mind

The network architecture, the security protocols used, the users interaction and the OS distribution have a huge impact on the way FreeSentral works. You may as well give free access to everybody if just one of these is ignored, inaccurate analyzed or improperly configured.

Documentation

March 10, 2010, at 04:22 PM by cristina -
Changed line 84 from:

The security package of the OS distribution can be improperly configured. For instance, msec is Mandriva 2009.1's security package for controlling and managing the security's system. If, by mistake, you set the level as “none”, msec will not protect your server and the system will be vulnerable to attacks. Same thing can happen if you improperly define your own custom security level.

to:

The security package of the OS distribution can be improperly configured. For instance, msec is Mandriva 2009.1's security package for controlling and managing the system security. If, by mistake, you set the level as “none”, msec will not protect your server and the system will be vulnerable to attacks. Same thing can happen if you improperly define your own custom security level.

March 10, 2010, at 04:17 PM by cristina -
Changed line 12 from:

Problems such as those mentioned above have a great probability to occur in every IP PBX. These problems are severe security issues and their consequences affect the proper functioning of the IP PBX.

to:

Problems such as those mentioned above have a great probability to occur in every IP PBX. These problems are severe security issues and their consequences affect the functionality of the IP PBX.

March 10, 2010, at 04:16 PM by cristina -
Changed line 99 from:

http://www.freesentral.com/uploads/Documentation/msec-f_command.jpg

to:

http://www.freesentral.com/uploads/Documentation/msec_f_command.jpg

March 10, 2010, at 04:10 PM by cristina -
Added lines 89-90:

http://www.freesentral.com/uploads/Documentation/msecgui_command.jpg

Changed lines 95-115 from:
to:

http://www.freesentral.com/uploads/Documentation/msecgui.jpg

Changed lines 99-113 from:
to:

http://www.freesentral.com/uploads/Documentation/msec-f_command.jpg

March 10, 2010, at 04:02 PM by cristina -
Changed lines 37-41 from:

Admin's password is very important when wanting to properly secure the system. If the admin's account is broken into, then the hacker can easily create new accounts and/or use Impersonate for existing accounts.

Passwords for SIP calls are encrypted using the MD5 algorithm. This ensures that the users' passwords can not be deciphered by anyone. Of course, this advantage fades if the password is not strong enough and a determined hacker reviles its' value.

When exporting extensions the passwords are exported unencrypted. It is very important that the files containing these informations not to fall in the hackers' hands. This could break in a major security problem.

to:
  1. Admin's password is very important when wanting to properly secure the system. If the admin's account is broken into, then the hacker can easily create new accounts and/or use Impersonate for existing accounts.
  2. Passwords for SIP calls are encrypted using the MD5 algorithm. This ensures that the users' passwords can not be deciphered by anyone. Of course, this advantage fades if the password is not strong enough and a determined hacker reviles its' value.
  3. When exporting extensions the passwords are exported unencrypted. It is very important that the files containing these informations not to fall in the hackers' hands. This could break in a major security problem.
March 10, 2010, at 04:01 PM by cristina -
Changed lines 68-69 from:
 Allow: ACK, INVITE, BYE, CANCEL, REGISTER, REFER, OPTIONS, PRACK, INFO, SUBSCRIBE, MESSAGE, NOTIFY, PUBLISH 
to:
 Allow: ACK, INVITE, BYE, CANCEL, REGISTER, REFER, OPTIONS, PRACK, INFO, SUBSCRIBE, MESSAGE, 
        NOTIFY, PUBLISH 
March 10, 2010, at 04:01 PM by cristina -
Changed lines 65-66 from:
 WWW-Authenticate: Digest realm="Yate", nonce="578c75c4dac3859a4ce169a9e585aa0e.1266844943", stale=FALSE, algorithm=MD5 
to:
 WWW-Authenticate: Digest realm="Yate", nonce="578c75c4dac3859a4ce169a9e585aa0e.1266844943", 
                   stale=FALSE, algorithm=MD5 
March 10, 2010, at 04:00 PM by cristina -
Changed lines 55-69 from:
to:
 
 ------ 
 <sip:INFO> Received 525 bytes SIP message from 10.0.0.1:5060 
 ------ 
 SIP/2.0 401 Unauthorized 
 Via: SIP/2.0/UDP 10.0.0.17:5060;rport=5060;branch=z9hG4bK1128016479;received=10.0.0.17 
 From: <sip:091@elder.null.ro>;tag=816519612 
 To: <sip:091@elder.null.ro> 
 Call-ID: 529868862@elder.null.ro 
 CSeq: 1567 REGISTER 
 WWW-Authenticate: Digest realm="Yate", nonce="578c75c4dac3859a4ce169a9e585aa0e.1266844943", stale=FALSE, algorithm=MD5 
 Server: YATE/2.1.0 
 Allow: ACK, INVITE, BYE, CANCEL, REGISTER, REFER, OPTIONS, PRACK, INFO, SUBSCRIBE, MESSAGE, NOTIFY, PUBLISH 
 Content-Length: 0 

March 10, 2010, at 03:56 PM by cristina -
Deleted line 14:
Added lines 29-30:

http://www.freesentral.com/uploads/Documentation/logs.jpg

March 10, 2010, at 03:33 PM by cristina -
Changed line 14 from:
to:

http://www.freesentral.com/uploads/Documentation/security_issues_FS.jpg

March 10, 2010, at 03:10 PM by cristina -
Added lines 2-3:

(:order_number: 5:)

March 10, 2010, at 03:09 PM by cristina -
Added lines 1-139:

(:title Security Issues regarding FreeSentral:)

This article gives you insight to some VoIP problems for an IP PBX such as theft of services, denial of services and eavesdropping and presents specific security problems that may happen in FreeSentral.

(:tocportion TableOfContents:)

IP PBX

Problems such as those mentioned above have a great probability to occur in every IP PBX. These problems are severe security issues and their consequences affect the proper functioning of the IP PBX.

A network attack that keep users or devices from accessing the network is a denial of service(DoS). Such attacks are inevitable and are almost impossible to avoid because of their changing nature.

Eavesdropping is a form of hacking for obtaining names, passwords and telephone numbers. This leads to gaining control over the voice mail, call plans and other features. The theft of services is a direct consequence of eavesdropping.

Service theft is another serious security issue that implies hacking the system and using IP PBX services by unauthorized users and/or stealing its' services.

The issues above are just few of the IP PBX security problems. You can avoid some of them by increasing the network security level. The first step is to verify the extension and/or the IP. If those are recognized by the IP PBX as belonging to the network, then the call is authorized. But if you need, for some reason, to allow anonymous calls, FreeSentral will check if the caller ID or IP is recognized by the server (known extension, group or DID). This is a useful technique when wanting to prevent DoS or service theft.

User Access

Web access for users is secured by using https. The number of failed logins is unlimited so they can try to login until they succeed. To prevent unauthorized login attempts, the admin has access to a login history. He/she can see the user's name and the number of failed login attempts. Below is a screen capture of the “Logs” section in FreeSentral:

Passwords

Here are some facts about passwords in FreeSentral:

Admin's password is very important when wanting to properly secure the system. If the admin's account is broken into, then the hacker can easily create new accounts and/or use Impersonate for existing accounts.

Passwords for SIP calls are encrypted using the MD5 algorithm. This ensures that the users' passwords can not be deciphered by anyone. Of course, this advantage fades if the password is not strong enough and a determined hacker reviles its' value.

When exporting extensions the passwords are exported unencrypted. It is very important that the files containing these informations not to fall in the hackers' hands. This could break in a major security problem.

Gateways

Another possible attack uses the IP PBX's gateways. Malicious hackers can take control of the gateways and use them to make free phone calls. This situation can occur if “Trusted” is enabled for the VoIP provider.

Visibility into “what's going on”

Supporting modules such as “Rmanager” and the “Logs” section gives the admin adequate visibility into how FreeSentral works. By using telnet and appropriate debugging commands you can notice what calls are handled, the caller ID and/or phone number and other useful information. You can see a part of a SIP message when using debugging as shown in the next frame:

The “Logs” section lists the users' names, their actions and also the changes made by admins and users. See the screen shot in “User access”.

OS Distribution

A common mistake when analyzing existing security problems is to overlook problems created by the OS distribution. If the operating system is vulnerable then the IP PBX is vulnerable. A weak OS security system will surely be easy to pass when a laborious hacker has just that in plan.

Security Package

The security package of the OS distribution can be improperly configured. For instance, msec is Mandriva 2009.1's security package for controlling and managing the security's system. If, by mistake, you set the level as “none”, msec will not protect your server and the system will be vulnerable to attacks. Same thing can happen if you improperly define your own custom security level. Msec has a graphical user interface(msecgui) or one can use the command line “msec -f” to configure security levels:

using msecgui command:

As you can see, msec detects the security level. Setting the level is directly connecting to enabling/disabling msec.

In the capture below notice the MSEC tool is disabled.

using msec -f command:

SSH

Hackers can use SSH for “man-in-the-middle”(MITM) attacks if the unknown public key is not properly verified and is considered valid. A MITM attack can succeed if the hacker is able to impersonate each end point to the satisfaction of the other.

Besides “man-in-the-middle” attacks, hackers can use SSH to engage “brute force” attacks. These actions can be somehow impossible to carry out only if the admins' passwords are strong enough. Also changing the default SSH port is a good battle tactic. Because There are software applications that can scan your system and find what ports are used. You can image the default ports are checked first.

Keep in mind

The network architecture, the security protocols used, the users interaction and the OS distribution have a huge impact on the way FreeSentral works. You may as well give free access to everybody if just one of these is ignored, inaccurate analyzed or improperly configured.

Documentation
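
Review bot: the Gateways paragraph says the attack "can occur if “Trusted” is enabled for the VoIP provider" without explaining what Trusted changes or when enabling it is appropriate. Suggest adding one sentence that defines the setting and one that tells the reader what to check before turning it on for a provider.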