[Freeswitch-users] Hacking FS issue

Avi Marcus avi at avimarcus.net
Wed Sep 26 22:37:05 MSD 2012


It looks like 50.47.85.167 auth'ed as user 1000. Seemingly, the internal
profile is exposed to the internet.

1) If you are purely running internal calls, then explicitly set the local
IP in the sofia profile so that it doesn't listen externally.
2) Did they auth as user 1000? Do you have that user set up?
3) Firewalls are best set up the opposite way: blocking ALL inbound traffic, then
explicitly punching holes to allow some. Are you allowing anything to do
with ports 5060, 5061, etc., or however you set up your sofia internal profile?

We need more info to tell you anything more...

-Avi


On Wed, Sep 26, 2012 at 8:28 PM, Todd Bailey <toddb at toddbailey.net> wrote:

>
> Hey All,
>
>
> I just got an email from Frontier that there were several attempts to
> make international calls.
>
>
> I checked the log file and verified that somehow someone was able to get
> access to FS from the internet.
>
>
> Here is a sample of the log:
>
> 2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000@50.47.85.167 [af778857-0188-4ed2-a82a-94ae749a02cb]
> 2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168521352 in context default
> 2012-09-23 16:30:29.936831 [NOTICE] switch_channel.c:941 New Channel sofia/internal/01137168521352@192.168.1.5:5061 [d1243a78-c464-45fa-9215-e7b85e1221fc]
> 2012-09-23 16:30:29.956842 [NOTICE] sofia.c:6132 Ring-Ready sofia/internal/01137168521352@192.168.1.5:5061!
> 2012-09-23 16:30:29.956842 [NOTICE] mod_sofia.c:2572 Ring-Ready sofia/internal/1000@50.47.85.167!
> 2012-09-23 16:30:29.956842 [NOTICE] switch_ivr_originate.c:519 Ring Ready sofia/internal/1000@50.47.85.167!
> 2012-09-23 16:30:32.936826 [NOTICE] sofia.c:6777 Channel [sofia/internal/01137168521352@192.168.1.5:5061] has been answered
> 2012-09-23 16:30:32.956825 [NOTICE] sofia_glue.c:4176 Pre-Answer sofia/internal/1000@50.47.85.167!
> 2012-09-23 16:30:32.956825 [NOTICE] switch_ivr_originate.c:3303 Channel [sofia/internal/1000@50.47.85.167] has been answered
> 2012-09-23 16:30:52.356865 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000@50.47.85.167 [4576bc76-144a-4f6f-8915-871b511c374d]
> 2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168905352 in context default
>
>
> At this point I'm at a loss how this is happening as I have multiple
> firewalls in place that limit port access.
>
> Can someone provide a few pointers on how to better secure FS running on
> Linux systems?
>
>
> Thanks
>
>
> --
> Best Regards,
> Todd Bailey
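A detection sketch for the pattern pointed out in the reply above (a calling leg on the internal profile that arrives from a non-local address), added here as an example and not part of the original thread. The trusted network 192.168.1.0/24, the 011 international prefix and the sample log lines are assumptions, and channel legs are matched to dialplan runs by caller number.

```python
import ipaddress
import re

TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumption: the LAN
INTL_PREFIX = "011"  # assumption: NANP international dialing prefix
# Constructed sample in FreeSWITCH console-log format; not taken from the thread.
SAMPLE_LOG = (
    "\x1b[36m2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New Channel "
    "sofia/internal/1000@203.0.113.7 [00000000-0000-0000-0000-000000000001]\n"
    "\x1b[32m2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485 Processing "
    "1000 <1000>->01155512345678 in context default\n"
    "2012-09-23 16:31:02.100000 [NOTICE] switch_channel.c:941 New Channel "
    "sofia/internal/1001@192.168.1.20 [00000000-0000-0000-0000-000000000002]\n"
    "2012-09-23 16:31:02.100000 [INFO] mod_dialplan_xml.c:485 Processing "
    "1001 <1001>->1002 in context default\n"
)
ANSI = re.compile(r"\x1b\[[0-9;]*m")  # console colour codes
# "@" shows up as " at " when a log has been pasted through a list archive.
NEW_CHANNEL = re.compile(
    r"New Channel sofia/(?P<profile>[^/]+)/(?P<user>[^@\s]+)(?:@| at )"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
PROCESSING = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \[INFO\] mod_dialplan_xml\.c:\d+ "
    r"Processing .*?<(?P<caller>[^>]*)>->(?P<dest>\S+) in context")


def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable source is treated as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def find_untrusted_calls(log_text):
    """Return dialplan runs whose calling leg arrived from outside TRUSTED_NETS."""
    last_leg = {}  # user part of channel name -> (profile, source IP)
    findings = []
    for raw in log_text.splitlines():
        line = ANSI.sub("", raw)
        leg = NEW_CHANNEL.search(line)
        if leg:
            last_leg[leg["user"]] = (leg["profile"], leg["ip"])
        run = PROCESSING.search(line)
        # Assumption: the caller-ID number equals the user part of the channel name.
        if run and run["caller"] in last_leg:
            profile, ip = last_leg[run["caller"]]
            if not is_trusted(ip):
                findings.append(dict(time=run["ts"], profile=profile, source=ip,
                    dest=run["dest"], international=run["dest"].startswith(INTL_PREFIX)))
    return findings
```

Any finding on the `internal` profile means the listener is reachable from outside the trusted range, whether or not the dialed number is international.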