[Freeswitch-users] Hacker Attack?

Tue Feb 1 14:22:08 MSK 2011

If you are not sure how to secure a box like this down - I sure hope for
your sake that your telephony provider has some good anti-fraud measures in
place or you have deep pockets and don't mind sending great wads of cash off
to your provider(s).

You might want to spend a good amount of time coming up to speed with best
practice security for boxes which do SIP and are connected to the public
Internet.

Brent

On Mon, Jan 31, 2011 at 1:54 AM, Joao Leme <joaocarlosleme at gmail.com> wrote:

> I figured. Same for Fail2Ban I guess. Any suggestions for Windows?
>
> Also I was wondering why it never happened on my 1.0.4 (14460) version
> (precompiled version)? I had it running for a month 24hrs and had never seen
> this before. And after starting the Git Head (below) from Yesterday it
> happened in seconds all 3 times I restarted (restarted the computer to be
> sure). Maybe something wrong with the current version? To be safe I went
> back to my stable 1.0.4 version and haven't had any problems.
>
> 49a5effcdf2cea9e0ddcf146cf3fe85d1872e654
> mod_callcenter: Add error response for queue load and queue reload
> (FS-2988)
> Marc Olivier Chouinard
>  2011-01-29 00:09:06
>
>
> On Sun, Jan 30, 2011 at 2:10 AM, Peter Olsson <
> peter.olsson at visionutveckling.se> wrote:
>
>> iptables is a Linux command.
>>
>> /Peter
>>
>>
>> ----- Reply message -----
>> Från: "Joao Leme" <joaocarlosleme at gmail.com>
>> Datum: sön, jan 30, 2011 13:56
>> Rubrik: [SPAM] - Re: [Freeswitch-users] Hacker Attack?
>> Till: "FreeSWITCH Users Help" <freeswitch-users at lists.freeswitch.org>
>>
>> I tried "iptables -I INPUT -s [212.224.71.236] -j DROP" and got " Unknown
>> command: iptables...". Do I must install fail2ban to issue iptables command?
>> I'm on windows 7.
>> Thanks
>>
>> On Sat, Jan 29, 2011 at 4:26 PM, curriegrad2004 <curriegrad2004 at gmail.com
>> <mailto:curriegrad2004 at gmail.com>> wrote:
>> iptables -I INPUT -s [hackerip] -j DROP
>>
>> A better solution is searching the wiki for fail2ban with FreeSwitch.
>>
>> On Sat, Jan 29, 2011 at 4:20 PM, Joao Leme <joaocarlosleme at gmail.com
>> <mailto:joaocarlosleme at gmail.com>> wrote:
>> > How do I do that?
>> > Thanks!
>> > On Sat, Jan 29, 2011 at 4:12 PM, curriegrad2004 <
>> curriegrad2004 at gmail.com<mailto:curriegrad2004 at gmail.com>>
>> > wrote:
>> >>
>> >> Try using iptables and block all incoming traffic from this specific
>> host?
>> >>
>> >> On Sat, Jan 29, 2011 at 3:39 PM, Joao Leme <joaocarlosleme at gmail.com
>> <mailto:joaocarlosleme at gmail.com>>
>> >> wrote:
>> >> > I just downloaded and compiled the latest Git and a little after
>> >> > starting
>> >> > freeswitch I'm getting non stop the following:
>> >> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia
>> >> > profile
>> >> > ‘internal’ for [140 at 76.XXX.XX.XXX] from ip 212.224.71.236
>> >> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia
>> >> > profile
>> >> > ‘internal’ for [140 at 76.XXX.XX.XXX] from ip 212.224.71.236
>> >> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia
>> >> > profile
>> >> > ‘internal’ for [thomas at 76.XXX.XX.XXX] from ip 212.224.71.236
>> >> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia
>> >> > profile
>> >> > ‘internal’ for [thomas at 76.XXX.XX.XXX] from ip 212.224.71.236
>> >> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia
>> >> > profile
>> >> > ‘internal’ for [140 at 76.XXX.XX.XXX] from ip 212.224.71.236
>> >> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia
>> >> > profile
>> >> > ‘internal’ for [140 at 76.XXX.XX.XXX] from ip 212.224.71.236
>> >> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia
>> >> > profile
>> >> > ‘internal’ for [thomas at 76.XXX.XX.XXX] from ip 212.224.71.236
>> >> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia
>> >> > profile
>> >> > ‘internal’ for [thomas at 76.XXX.XX.XXX] from ip 212.224.71.236
>> >> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia
>> >> > profile
>> >> > ‘internal’ for [140 at 76.XXX.XX.XXX] from ip 212.224.71.236
>> >> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia
>> >> > profile
>> >> > ‘internal’ for [140 at 76.XXX.XX.XXX] from ip 212.224.71.236
>> >> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia
>> >> > profile
>> >> > ‘internal’ for [thomas at 76.XXX.XX.XXX] from ip 212.224.71.236
>> >> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia
>> >> > profile
>> >> > ‘internal’ for [thomas at 76.XXX.XX.XXX] from ip 212.224.71.236
>> >> > it's non-stop and doesn't let me do nothing else. After the first
>> time I
>> >> > went on to vars and changed the 1234 password....restarted and same
>> >> > thing
>> >> > happened, I also try denying the ip on acl.conf (not sure if has
>> >> > something
>> >> > to do with it but gave it a try):
>> >> >
>> >> > <configuration name="acl.conf" description="Network Lists">
>> >> >         <network-lists>
>> >> >           <list name="test2" default="allow">
>> >> >             <node type="deny" host="212.224.71.236"
>> >> > mask="255.255.255.0"/>
>> >> >           </list>
>> >> >         </network-lists>
>> >> >       </configuration>
>> >> >
>> >> > Restarted the computer but nothing, he (thomas I guess) was back on
>> my
>> >> > console.
>> >> >
>> >> > Any ideas??? p.s. My computer is on DMZ (I know DMZ is not ideal but
>> is
>> >> > the
>> >> > only way I got to be able to connect to the internal profile from out
>> of
>> >> > the
>> >> > office etc).
>> >> > _______________________________________________
>> >> > FreeSWITCH-users mailing list
>> >> > FreeSWITCH-users at lists.freeswitch.org<mailto:
>> FreeSWITCH-users at lists.freeswitch.org>
>> >> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> >> > UNSUBSCRIBE:
>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>> >> > http://www.freeswitch.org
>> >> >
>> >> >
>> >>
>> >> _______________________________________________
>> >> FreeSWITCH-users mailing list
>> >> FreeSWITCH-users at lists.freeswitch.org<mailto:
>> FreeSWITCH-users at lists.freeswitch.org>
>> >> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> >> UNSUBSCRIBE:
>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>> >> http://www.freeswitch.org
>> >
>> >
>> > _______________________________________________
>> > FreeSWITCH-users mailing list
>> > FreeSWITCH-users at lists.freeswitch.org<mailto:
>> FreeSWITCH-users at lists.freeswitch.org>
>> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> > UNSUBSCRIBE:
>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>> > http://www.freeswitch.org
>> >
>> >
>>
>> _______________________________________________
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org<mailto:
>> FreeSWITCH-users at lists.freeswitch.org>
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>> !DSPAM:4d450b3232767678720833!
>>
>> _______________________________________________
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>
>
> _______________________________________________
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>

-- 
--
Brent Paddon

Director | Over the Wire Pty Ltd brent.paddon at overthewire.com.au |
www.overthewire.com.au
Phone: 07 3847 9292 | Fax: 07 3847 9696 | Mobile: 0400 2400 54
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20110201/1a4448a6/attachment.html 