[Freeswitch-users] Hello hackers!

Brian Foster bdfoster at endigotech.com
Sun Dec 9 04:29:05 MSK 2012


The 'bad apple' in which I was referring to was using the same IP as a client of ours. He was trying to DOS the honeypot from an IP I posted on the mailing list when doing some testing for someone. I have no idea if he read the post on the mailing list or not. It's not really of my concern.

If you got on the wiki and searched for fail2ban, you would be setting up your server to jail the same IP's we are under the same circumstances. The only difference is we log who gets caught by fail2ban and distribute the list internally.

We do not release this information per company policy. We also do not gather this information from other sources. We only use the information we gather through the processes we put in to place.

My comment on the 180K IP's was mostly sarcastic, however. It probably wasn't appropriate and I do apologize for that. 

I'm not exactly up to date on the legalities of releasing that type of information so we rather not release it. It's nothing against the freeswitch community or the open source community. We just don't like getting in trouble.

If we did spend the resources into making sure everything was legal on the information regarding the 180K IP's, we would certainly release these free of charge. It's not something I would be interested in making money from.

As far as telling this story on a public mailing list, it won't stop anyone from trying to hack into anyone's server. It does frustrate me that I have to do any of this stuff at all, but there's always going to be someone out there trying to screw it up for the rest of us. These servers are also set up for testing, which is why I use them when trying to help people on the mailing list. There is really nothing you can do to these machines to 'screw them up'. They are VPS's. There are no accounts tied to them. We can change those IP's in a heartbeat. There's really no risk. Besides, hackers can't read ;)

The biggest thing you should take away from this post is that I'm pissed off that I have to go through all of this. Even though it makes our lives easier in the long run, it's still an expense we could live without. 

Believe it or not the whole reason why I started doing honeypots is that about 8 months ago I DID release IP's that I shouldn't have, by accident. Since then I have added more resources to help curve the attacks on other servers we have contracts on.



-BDF
Sent from my iPhone

On Dec 8, 2012, at 7:28 PM, "Cal Leeming [Simplicity Media Ltd]" <cal.leeming at simplicitymedialtd.co.uk> wrote:

> Hi Brian,
> 
> I had contemplated replying off-list, but was interested to hear other peoples thoughts on this too.
> 
> First - could you elaborate further on the 'bad apple' that you found, exactly what justifies an attempt to 'hack into our phone systems', and why this person in your story has been fired because of it?
> 
> Second, in reference to the 180k IPs.. There are other companies out there that share abusive IP information from a variety of sources. Why do they share? Because it's nice to share. If the FreeSWITCH developers took the same attitude as your post here, then you wouldn't have FreeSWITCH.
> 
> Third, why are you telling us this on a public mailing list? If the honeypots are designed to catch people unwittingly, then this post does the exact opposite. This leads me to think that a more probable story is that you actually don't have any honey pots (or the story is slightly exaggerated), and when you realised you gave out potentially damaging information, you panic'd and tried to discourage by asserting this email. If this is the case, then you are taking the lay approach of security through obscurity.
> 
> Fourth, if someone is wanting to break into your phone system, they probably don't care about losing their job.. and if they do, then this post will just give them more reason to be careful about hiding themselves.
> 
> I apologise in advance if this reply is inappropriate in anyway.
> 
> Cal
> 
> On Sat, Dec 8, 2012 at 11:05 PM, Brian Foster <bdfoster at endigotech.com> wrote:
>> Regarding a recent mailing list posting that included some of my IP addresses, most of you don't know that I do set up honeypots in hopes of catching some of the bad apples that try and hack into our phone systems. We have a centralized list of Bad IP's that end up getting sent to all of our other servers. Today, one of those servers was an IT guy that works for one of my clients. He has since been fired. If anyone is interested in the 180,000 IP's I've collected...sorry you can't have 'em.
>> 
>> -BDF
>> 
>> Sent from my iPhone
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>> 
>> 
>> 
>> 
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>> 
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
> 
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
> 
> 
> 
> 
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
> 
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20121208/c84c964a/attachment-0001.html 


Join us at ClueCon 2011 Aug 9-11, 2011
More information about the FreeSWITCH-users mailing list