This solution applies to all Barracuda Phone Systems running firmware version 2.1 and later.
The Barracuda Phone System employs a few methods to protect users from the most common techniques used to gain access illicitly.
Method 1 - Preventing known bad passwords
By default, the user will not be able to select the following passwords, which are known to be very commonly guessed:
- Any password matching the extension to which it is assigned (user 2001 cannot choose 2001 as their password).
- Any selection of four identical digits (0000, 1111, 2222).
- Any selection of four consecutive digits (1234, 2345, 3456).
- The admin user also cannot select the default password of admin.
Important Note - If a user had set their password to a restricted format prior to the upgrade to firmware 2.5 or later, the login will fail with the alert "You are not logged in. Please reset password from phone." In this scenario, the user will still be allowed to log into their voice mail using *98 from their phone in order to reset their password to a supported format from the voice mail menu.
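The following is an added example, not Barracuda's own code, showing how a password policy with the four rules listed above can be enforced. It assumes passwords and extensions are handled as strings, that the "identical digits" and "consecutive digits" rules apply to the whole password (and, as an extension beyond the four-digit cases the page lists, to any numeric password of four or more digits), and that "consecutive" means ascending runs like the examples given.

```python
# Added example: voice mail password policy check modelled on the four rules above.
# Not the Barracuda Phone System's own implementation.

DEFAULT_ADMIN_PASSWORD = "admin"   # the default value the admin user may not keep


def is_repeated_digit(password: str) -> bool:
    """True for passwords such as 0000 or 1111 (one digit repeated)."""
    return password.isdigit() and len(password) >= 4 and len(set(password)) == 1


def is_consecutive_digits(password: str) -> bool:
    """True for ascending runs such as 1234, 2345, 3456 (assumption: ascending only)."""
    if not password.isdigit() or len(password) < 4:
        return False
    digits = [int(c) for c in password]
    return all(b - a == 1 for a, b in zip(digits, digits[1:]))


def validate_voicemail_password(password: str, extension: str, is_admin: bool = False):
    """Return (accepted, reason). 'extension' is the extension the mailbox belongs to."""
    if password == extension:
        return False, "password must not match the extension"
    if is_admin and password.lower() == DEFAULT_ADMIN_PASSWORD:
        return False, "admin must not use the default password"
    if is_repeated_digit(password):
        return False, "password must not be a single repeated digit"
    if is_consecutive_digits(password):
        return False, "password must not be consecutive digits"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs for a mailbox on extension 2001.
    for candidate, admin in [("2001", False), ("0000", False), ("1234", False),
                             ("admin", True), ("2580", False)]:
        ok, reason = validate_voicemail_password(candidate, "2001", is_admin=admin)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} ({reason})")
```

Rejecting the pattern at the time the user sets the password is what makes the rule effective; the post-upgrade note above is the consequence of passwords that were set before the check existed.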
Method 2 - Preventing brute force login attempts and Login-based DOS/DDOS
The Barracuda Phone System employs a timed lockout policy for failed login attempts. Each failed login attempt increments a failed login counter by one. Once the failed login count reaches 5, login attempts are ignored for 15 minutes after each failed attempt, and attempts made during that 15 minute waiting period do not increment the counter.
The User panel will also
Once the failed login count reaches 10, the account is locked out and no further login attempts are checked. The failed login count is reset on successful login, or when an admin clicks "Reactivate Account" on the user panel after at least 5 failed login attempts.
Note - The admin account will not lock out, but will continue to apply the 15 minute login delay after each invalid login attempt until a successful login.
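The lockout policy described above, written out as an added example (not the Barracuda Phone System's own code) so the three thresholds and the admin exception can be seen working together. It assumes login attempts are checked against a per-account state record and that time is supplied by the caller as seconds, so the behaviour can be exercised without waiting 15 minutes.

```python
# Added example: timed lockout policy modelled on the description above.
# Not the Barracuda Phone System's own implementation.
from dataclasses import dataclass

DELAY_THRESHOLD = 5          # failed attempts before the 15 minute delay starts
LOCK_THRESHOLD = 10          # failed attempts before a user account is locked
DELAY_SECONDS = 15 * 60      # the 15 minute waiting period


@dataclass
class LoginState:
    failed_count: int = 0
    ignore_until: float = 0.0   # attempts before this timestamp are ignored
    locked: bool = False


class LoginGuard:
    """Tracks failed logins for one account; admin accounts delay but never lock."""

    def __init__(self, is_admin: bool = False):
        self.is_admin = is_admin
        self.state = LoginState()

    def attempt(self, now: float, credentials_ok: bool) -> str:
        s = self.state
        if s.locked:
            return "locked"            # nothing is checked once locked out
        if now < s.ignore_until:
            return "ignored"           # inside the waiting period: not checked, not counted
        if credentials_ok:
            s.failed_count = 0         # successful login resets the counter
            s.ignore_until = 0.0
            return "success"
        s.failed_count += 1
        if s.failed_count >= DELAY_THRESHOLD:
            s.ignore_until = now + DELAY_SECONDS   # delay after each further failure
        if not self.is_admin and s.failed_count >= LOCK_THRESHOLD:
            s.locked = True
            return "locked"
        return "failed"

    def reactivate(self) -> bool:
        """Admin's 'Reactivate Account': only meaningful after 5 or more failures."""
        if self.state.failed_count < DELAY_THRESHOLD and not self.state.locked:
            return False
        self.state = LoginState()
        return True


if __name__ == "__main__":
    # Constructed scenario: a user account hit by one bad guess per second.
    guard = LoginGuard()
    for t in range(7):
        print(t, guard.attempt(float(t), credentials_ok=False))
    # A correct password inside the waiting period is still ignored.
    print("correct password at t=10:", guard.attempt(10.0, credentials_ok=True))
```

The key properties are that the waiting period applies to correct credentials as well as wrong ones, that attempts inside it never move the counter, and that the admin account keeps delaying instead of locking, which is what keeps a login-based denial of service from locking the administrator out.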
Method 3 - Session Expiration
The Barracuda Phone System will expire unused sessions to prevent accidental exposure when users do not log out. A session timer on the client and on the server determines the session length.