[Freeswitch-users] Hacker Attack?

Frank Park frank at telonium.com
Sun Jan 30 04:48:35 MSK 2011


It's pretty normal to see a crawler every so often that tries to brute-force
the username/password combo on SIP servers. Most of them are kiddie scripts
online and shouldn't last long. If you want to make sure they don't even
talk to the FS, iptables is a good way, but you can only do so much by
banning one IP address. fail2ban is a much better solution for future
Denial of Service (DoS) attacks.

Regardless of any preventative measure you go with, make sure you don't have any SIP
accounts with easy-to-guess passwords. Depending on their script, it
wouldn't take too long to brute-force a dictionary-based password.

Frank



On Sat, Jan 29, 2011 at 7:45 PM, Madovsky <infos at madovsky.org> wrote:

> fail2ban on wiki
>
> ----- Original Message -----
> From: Joao Leme <joaocarlosleme at gmail.com>
> To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> Sent: Saturday, January 29, 2011 7:20 PM
> Subject: Re: [Freeswitch-users] Hacker Attack?
>
> How do I do that?
> Thanks!
>
> On Sat, Jan 29, 2011 at 4:12 PM, curriegrad2004 <curriegrad2004 at gmail.com> wrote:
>
>> Try using iptables and block all incoming traffic from this specific host?
>>
>> On Sat, Jan 29, 2011 at 3:39 PM, Joao Leme <joaocarlosleme at gmail.com>
>> wrote:
>> > I just downloaded and compiled the latest Git and a little after starting
>> > freeswitch I'm getting non-stop the following:
>> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [140 at 76.XXX.XX.XXX] from ip 212.224.71.236
>> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [140 at 76.XXX.XX.XXX] from ip 212.224.71.236
>> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [thomas at 76.XXX.XX.XXX] from ip 212.224.71.236
>> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [thomas at 76.XXX.XX.XXX] from ip 212.224.71.236
>> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [140 at 76.XXX.XX.XXX] from ip 212.224.71.236
>> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [140 at 76.XXX.XX.XXX] from ip 212.224.71.236
>> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [thomas at 76.XXX.XX.XXX] from ip 212.224.71.236
>> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [thomas at 76.XXX.XX.XXX] from ip 212.224.71.236
>> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [140 at 76.XXX.XX.XXX] from ip 212.224.71.236
>> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [140 at 76.XXX.XX.XXX] from ip 212.224.71.236
>> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [thomas at 76.XXX.XX.XXX] from ip 212.224.71.236
>> > [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [thomas at 76.XXX.XX.XXX] from ip 212.224.71.236
>> > It's non-stop and doesn't let me do anything else. After the first time I
>> > went into vars and changed the 1234 password... restarted and the same thing
>> > happened. I also tried denying the IP in acl.conf (not sure if it has something
>> > to do with it, but gave it a try):
>> >
>> > <configuration name="acl.conf" description="Network Lists">
>> >   <network-lists>
>> >     <list name="test2" default="allow">
>> >       <node type="deny" host="212.224.71.236" mask="255.255.255.0"/>
>> >     </list>
>> >   </network-lists>
>> > </configuration>
>> >
>> > Restarted the computer, but nothing; he (thomas, I guess) was back on my
>> > console.
>> >
>> > Any ideas??? P.S. My computer is in the DMZ (I know DMZ is not ideal, but it's the
>> > only way I've got to be able to connect to the internal profile from outside the
>> > office etc.).
>> > _______________________________________________
>> > FreeSWITCH-users mailing list
>> > FreeSWITCH-users at lists.freeswitch.org
>> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> > UNSUBSCRIBE:
>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>> > http://www.freeswitch.org


-- 

----=======================----
Frank Park
Telonium Communications, LLC
frank at telonium.com
http://www.telonium.com
Follow Us on Twitter: @GetTelonium
404-566-8888 x1001 Office
404-939-4242 Cell
----=======================----
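A fail2ban-style threshold check over these warnings, as an added example that is not code from the thread or from FreeSWITCH: it parses the warning format quoted above (the list archive renders the `@` in the account as " at "; the leading timestamp prefix and the sample log with RFC 5737 addresses are assumptions), counts REGISTER challenges per source IP inside a time window, and records which account names each source tried. A legitimate phone also draws one challenge per registration, so a single challenge per registration interval is not flagged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# FreeSWITCH logs this warning for every REGISTER it challenges (the line quoted in the
# thread). The timestamp prefix is assumed to be FreeSWITCH's default console log prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \[WARNING\] sofia_reg\.c:\d+ "
    r"SIP auth challenge \((?P<method>\w+)\) on sofia profile '(?P<profile>[^']+)' "
    r"for \[(?P<user>[^@\]]+)@[^\]]+\] from ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log modelled on the thread: one source hammering two accounts within a
# second, and one ordinary phone re-registering every two minutes (RFC 5737 addresses).
SAMPLE_LOG = """\
2011-01-29 15:39:01.100 [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [140@192.0.2.10] from ip 203.0.113.7
2011-01-29 15:39:01.300 [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [thomas@192.0.2.10] from ip 203.0.113.7
2011-01-29 15:39:01.500 [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [140@192.0.2.10] from ip 203.0.113.7
2011-01-29 15:39:01.700 [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [thomas@192.0.2.10] from ip 203.0.113.7
2011-01-29 15:39:01.900 [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [140@192.0.2.10] from ip 203.0.113.7
2011-01-29 15:39:30.000 [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1001@192.0.2.10] from ip 198.51.100.20
2011-01-29 15:41:30.000 [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1001@192.0.2.10] from ip 198.51.100.20
"""


def find_offenders(lines, maxretry=5, findtime=timedelta(seconds=60)):
    """Return {ip: {"attempts": n, "users": [...]}} for sources that drew at least
    `maxretry` REGISTER challenges within any `findtime` window (fail2ban's
    maxretry/findtime semantics). Lines are assumed to be in chronological order."""
    windows = defaultdict(deque)   # ip -> timestamps of challenges still inside the window
    users = defaultdict(set)       # ip -> account names that source has tried
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "REGISTER":
            continue
        ip, ts = m["ip"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        users[ip].add(m["user"])
        q = windows[ip]
        q.append(ts)
        while ts - q[0] > findtime:   # drop challenges that have aged out of the window
            q.popleft()
        if len(q) >= maxretry:
            peak = max(len(q), offenders.get(ip, {}).get("attempts", 0))
            offenders[ip] = {"attempts": peak, "users": sorted(users[ip])}
    return offenders


if __name__ == "__main__":
    for ip, info in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['attempts']} challenges, accounts tried: {info['users']}")
```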