[Freeswitch-users] Question about SIP security

Mike van Lammeren mike at van.lammeren.net
Fri Jul 30 08:56:06 PDT 2010


We haven't published any SRV records. I assume that they found us by a port
scan. Our servers are open to the internet.

It turns out that the attackers did not gain entry to our system at all. At
first, I was a little freaked because there was nothing in the FreeSWITCH
logs to indicate what all the traffic was for. When I cranked up the log
level in the FreeSWITCH console, I could see that it was an endless series
of attempts to make a SIP connection, to which FreeSWITCH was responding
with a 401. We've since blocked that IP at our layer 3 switch.

The only reason we noticed was because these boxes should have had zero
traffic. Once these go into production, it would be much more difficult to
spot the attack.

This is probably not the forum for it, but anyone reading this might want to
check their traffic for this IP: 61.164.41.144

Mike van Lammeren


On Thu, Jul 29, 2010 at 5:38 PM, Tony Graziano <tgraziano at myitdepartment.net> wrote:

> Does it have published SRV records? If so, did you look to see if it was
> SIPVicious? What is the UA?
>
> On Thu, Jul 29, 2010 at 5:21 PM, Mike van Lammeren <mike at van.lammeren.net> wrote:
>
>> I'm running FreeSWITCH version 1.0.6 on a box that is live on the
>> internet, but is not yet in use by us. Over the last 48 hours, someone from
>> an IP in China has been connected to our server. We observed about 36 Kbps
>> of UDP traffic. According to the cdr-csv logs, it looks like they were
>> sequentially dialing extension numbers. They were not able to get any calls
>> through to termination, due to the nature of our system.
>>
>> I'm reasonably certain that I removed all the default accounts.
>>
>> What should I be looking for?
>>
>> Mike van Lammeren
>>
>>
>> _______________________________________________
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
>
>
> --
> ======================
> Tony Graziano, Manager
> Telephone: 434.984.8430
> sip: tgraziano at voice.myitdepartment.net
> Fax: 434.984.8431
>
> Email: tgraziano at myitdepartment.net
>
> LAN/Telephony/Security and Control Systems Helpdesk:
> Telephone: 434.984.8426
> sip: helpdesk at voice.myitdepartment.net
> Fax: 434.984.8427
>
> Helpdesk Contract Customers:
> http://www.myitdepartment.net/gethelp/
>
> Why do mathematicians always confuse Halloween and Christmas?
> Because 31 Oct = 25 Dec.
>
>
>
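
The pattern discussed in this thread (one source walking extension numbers and being answered with 401, plus the question about its User-Agent) can be flagged from captured SIP messages even once a box carries real traffic. The following is an added example, not code from the posters or from FreeSWITCH; the function names, the threshold, the addresses and the User-Agent strings are assumptions, and the sample traffic is constructed.

```python
import re
from collections import defaultdict

TO_USER = re.compile(r"^(?:To|t)\s*:.*?sips?:([^@;>\s]+)@", re.I | re.M)
USER_AGENT = re.compile(r"^User-Agent\s*:\s*(.+?)\s*$", re.I | re.M)

def longest_run(numbers):
    """Length of the longest run of consecutive integers in a set."""
    best = 0
    for n in numbers:
        if n - 1 not in numbers:  # n starts a run
            end = n
            while end + 1 in numbers:
                end += 1
            best = max(best, end - n + 1)
    return best

def find_scanners(packets, min_extensions=5):
    """packets: (src_ip, dst_ip, raw_sip_text); returns {ip: summary} of probers."""
    stats = defaultdict(lambda: {"exts": set(), "agents": set(), "rejected": 0})
    for src, dst, raw in packets:
        start_line = raw.split("\r\n", 1)[0]
        if start_line.startswith("SIP/2.0 "):  # response sent by our server
            if start_line.split()[1] == "401":
                stats[dst]["rejected"] += 1
            continue
        if start_line.split(" ", 1)[0] not in ("REGISTER", "INVITE"):
            continue
        to_user = TO_USER.search(raw)
        if to_user and to_user.group(1).isdecimal():
            stats[src]["exts"].add(int(to_user.group(1)))
        stats[src]["agents"].update(USER_AGENT.findall(raw))
    return {ip: {"extensions": len(s["exts"]), "longest_run": longest_run(s["exts"]),
                 "rejected_401": s["rejected"], "user_agents": sorted(s["agents"])}
            for ip, s in stats.items() if len(s["exts"]) >= min_extensions}

def constructed_sample():
    """Constructed traffic: one source walks 1000-1007, one phone registers once."""
    server, scanner, phone = "192.0.2.10", "203.0.113.7", "198.51.100.20"
    packets = []
    for ext in range(1000, 1008):
        to = f"To: <sip:{ext}@{server}>\r\n"
        packets.append((scanner, server, f"REGISTER sip:{server} SIP/2.0\r\n{to}"
                        "User-Agent: example-scanner\r\n\r\n"))
        packets.append((server, scanner, f"SIP/2.0 401 Unauthorized\r\n{to}\r\n"))
    packets.append((phone, server, f"REGISTER sip:{server} SIP/2.0\r\n"
                    f"To: <sip:1001@{server}>\r\nUser-Agent: example-phone\r\n\r\n"))
    return packets
```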