[Freeswitch-users] Question about SIP security
Rupa Schomaker
rupa at rupa.com
Fri Jul 30 09:52:49 PDT 2010
You may wish to review and implement:
http://wiki.freeswitch.org/wiki/Fail2ban
On Fri, Jul 30, 2010 at 10:56 AM, Mike van Lammeren
<mike at van.lammeren.net>wrote:
> We haven't published any SRV records. I assume that they found us by a port
> scan. Our servers are open to the internet.
>
> It turns out that the attackers did not gain entry to our system at all. At
> first, I was a little freaked because there was nothing in the FreeSWITCH
> logs to indicate what all the traffic was for. When I cranked up the log
> level in the FreeSWITCH console, I could see that it was an endless series
> of attempts to make a SIP connection, to which FreeSWITCH was responding
> with a 401. We've since blocked that IP at our layer 3 switch.
>
> The only reason we noticed was because these boxes should have had zero
> traffic. Once these go into production, it would be much more difficult to
> spot the attack.
>
> This is probably not the forum for it, but anyone reading this might want
> to check their traffic for this IP: 61.164.41.144
>
> Mike van Lammeren
>
>
> On Thu, Jul 29, 2010 at 5:38 PM, Tony Graziano <
> tgraziano at myitdepartment.net> wrote:
>
>> Does it have published SRV records? If so did you look to see if it was
>> sipvicous? What is the UA?
>>
>> On Thu, Jul 29, 2010 at 5:21 PM, Mike van Lammeren <mike at van.lammeren.net
>> > wrote:
>>
>>> I'm running FreeSWITCH version 1.0.6 on a box that is live on the
>>> internet, but is not yet in use by us. Over the last 48 hours, someone from
>>> an IP in China has been connected to our server. We observed about 36 Kbps
>>> of UDP traffic. According to the cdr-csv logs, it looks like they were
>>> sequentially dialing extension numbers. They were not able to get any calls
>>> through to termination, due to the nature of our system.
>>>
>>> I'm reasonably certain that I removed all the default accounts.
>>>
>>> What should I be looking for?
>>>
>>> Mike van Lammeren
>>>
>>>
>>> _______________________________________________
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>>
>>
>>
>> --
>> ======================
>> Tony Graziano, Manager
>> Telephone: 434.984.8430
>> sip: tgraziano at voice.myitdepartment.net
>> Fax: 434.984.8431
>>
>> Email: tgraziano at myitdepartment.net
>>
>> LAN/Telephony/Security and Control Systems Helpdesk:
>> Telephone: 434.984.8426
>> sip: helpdesk at voice.myitdepartment.net
>> Fax: 434.984.8427
>>
>> Helpdesk Contract Customers:
>> http://www.myitdepartment.net/gethelp/
>>
>> Why do mathematicians always confuse Halloween and Christmas?
>> Because 31 Oct = 25 Dec.
>>
>>
>> _______________________________________________
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
>
> _______________________________________________
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
--
-Rupa
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20100730/b1137925/attachment.html
More information about the FreeSWITCH-users
mailing list