[Freeswitch-users] Hacking FS issue
Ken Rice
krice at freeswitch.org
Wed Sep 26 22:53:21 MSD 2012
NormT at VoiceNetwork has some good stuff for this on the VoiceNetwork.ca
wiki (check him out for Orig and Term also!)
Fail2Ban can stop brute force attempts
http://wiki.voicenetwork.ca/wiki/Main_Page#Fail2Ban
IPTables Rules to help mitigate some brute force and DDoS attacks
http://wiki.voicenetwork.ca/wiki/Iptables
On 9/26/12 1:28 PM, "Todd Bailey" <toddb at toddbailey.net> wrote:
>
> Hey All,
>
>
> I just got an email from Frontier that there were several attempts to
> make international calls.
>
>
> I checked the log file and verified that somehow someone was able to get
> access to FS from the internet.
>
>
> here is a sample of the log
>
> 2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New
> Channel sofia/internal/1000 at 50.47.85.167
> [af778857-0188-4ed2-a82a-94ae749a02cb]
> 2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485
> Processing 1000 <1000>->01137168521352 in context default
> 2012-09-23 16:30:29.936831 [NOTICE] switch_channel.c:941 New
> Channel sofia/internal/01137168521352 at 192.168.1.5:5061
> [d1243a78-c464-45fa-9215-e7b85e1221fc]
> 2012-09-23 16:30:29.956842 [NOTICE] sofia.c:6132 Ring-Ready
> sofia/internal/01137168521352 at 192.168.1.5:5061!
> 2012-09-23 16:30:29.956842 [NOTICE] mod_sofia.c:2572 Ring-Ready
> sofia/internal/1000 at 50.47.85.167!
> 2012-09-23 16:30:29.956842 [NOTICE] switch_ivr_originate.c:519
> Ring Ready sofia/internal/1000 at 50.47.85.167!
> 2012-09-23 16:30:32.936826 [NOTICE] sofia.c:6777 Channel
> [sofia/internal/01137168521352 at 192.168.1.5:5061] has been answered
> 2012-09-23 16:30:32.956825 [NOTICE] sofia_glue.c:4176 Pre-Answer
> sofia/internal/1000 at 50.47.85.167!
> 2012-09-23 16:30:32.956825 [NOTICE] switch_ivr_originate.c:3303
> Channel [sofia/internal/1000 at 50.47.85.167] has been answered
> 2012-09-23 16:30:52.356865 [NOTICE] switch_channel.c:941 New
> Channel sofia/internal/1000 at 50.47.85.167
> [4576bc76-144a-4f6f-8915-871b511c374d]
> 2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485
> Processing 1000 <1000>->01137168905352 in context default
>
>
> At this point I'm at a loss how this is happening as I have multiple
> firewalls in place that limit port access.
>
> Can someone provide a few pointers on how to better secure FS running on
> Linux systems?
>
>
> thanks
>
--
Ken
http://www.FreeSWITCH.org
http://www.ClueCon.com
http://www.OSTAG.org
irc.freenode.net #freeswitch
Join us at ClueCon 2011 Aug 9-11, 2011
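
One way to triage a log like the one quoted above for the pattern it shows, a caller on a public address sending international numbers through the default context. This is an added example, not code from the thread or from the FreeSWITCH project; the prefix list and the extension 1001 sample lines are assumptions.

```python
import ipaddress
import re

# A-leg line: "New Channel sofia/<profile>/<user>@<ip> [<uuid>]".
# The list archive rewrites "@" as " at ", so accept both spellings.
NEW_CHANNEL = re.compile(
    r"New Channel sofia/\w+/(?P<user>[^@\s]+)(?:@| at )"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*\[[0-9a-f-]{36}\]")
PROCESSING = re.compile(
    r"Processing (?P<user>\S+) <[^>]*>->(?P<dest>\S+) in context (?P<context>\S+)")

def is_external(ip):
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:          # e.g. 999.1.1.1 matched by the loose regex
        return False

def find_suspect_calls(lines, intl_prefixes=("011", "00")):
    """Return (source_ip, user, destination, context) for each dialplan hit
    where a caller on a public IP dials an international prefix.
    intl_prefixes is an assumption (NANP 011, ITU 00); tune it per site."""
    last_source = {}            # user -> IP of that user's latest inbound leg
    hits = []
    for line in lines:
        m = NEW_CHANNEL.search(line)
        if m:
            last_source[m["user"]] = m["ip"]
            continue
        m = PROCESSING.search(line)
        if m:
            ip = last_source.get(m["user"])
            if ip and is_external(ip) and m["dest"].startswith(intl_prefixes):
                hits.append((ip, m["user"], m["dest"], m["context"]))
    return hits

# The extension 1000 lines come from the log quoted above (unwrapped);
# the 1001 lines are constructed to show a LAN caller that is not flagged.
SAMPLE = """\
2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [af778857-0188-4ed2-a82a-94ae749a02cb]
2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168521352 in context default
2012-09-23 16:30:29.936831 [NOTICE] switch_channel.c:941 New Channel sofia/internal/01137168521352 at 192.168.1.5:5061 [d1243a78-c464-45fa-9215-e7b85e1221fc]
2012-09-23 16:31:10.000000 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1001@192.168.1.20 [00000000-0000-4000-8000-000000000001]
2012-09-23 16:31:10.000000 [INFO] mod_dialplan_xml.c:485 Processing 1001 <1001>->01144000000000 in context default
2012-09-23 16:30:52.356865 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [4576bc76-144a-4f6f-8915-871b511c374d]
2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168905352 in context default
"""

if __name__ == "__main__":
    for hit in find_suspect_calls(SAMPLE.splitlines()):
        print("external caller %s as %s -> %s (context %s)" % hit)
```

The dialplan line carries no source address, so the script pairs it with the most recent New Channel line for the same user; on a busy switch, correlating on the channel UUID from the CDRs is more reliable.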