[Freeswitch-users] Hacking FS issue

Nelson Luiz Ferraz de Camargo Penteado bigx333 at gmail.com
Wed Sep 26 22:54:46 MSD 2012


I really think that people give way too much importance to firewalls,
especially stateless ones. Blocking ports isn't going to do much for you
unless you are trying to hide vulnerable services behind it.

They used extension 1000 to make the calls, so I would say: activate
log-auth-failures on your profile, set up fail2ban and get stronger
passwords.

If you want to go further, you can use a stateful firewall limiting
connections and set up an IDS (I recommend Snort).

On Sep 26, 2012 8:29 PM, "Todd Bailey" <toddb at toddbailey.net> wrote:

>
> Hey All,
>
>
> I just got an email from Frontier that there were several attempts to
> make international calls.
>
>
> I checked the log file and verified that somehow someone was able to get
> access to FS from the internet.
>
>
> Here is a sample of the log:
>
> 2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [af778857-0188-4ed2-a82a-94ae749a02cb]
> 2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168521352 in context default
> 2012-09-23 16:30:29.936831 [NOTICE] switch_channel.c:941 New Channel sofia/internal/01137168521352 at 192.168.1.5:5061 [d1243a78-c464-45fa-9215-e7b85e1221fc]
> 2012-09-23 16:30:29.956842 [NOTICE] sofia.c:6132 Ring-Ready sofia/internal/01137168521352 at 192.168.1.5:5061!
> 2012-09-23 16:30:29.956842 [NOTICE] mod_sofia.c:2572 Ring-Ready sofia/internal/1000 at 50.47.85.167!
> 2012-09-23 16:30:29.956842 [NOTICE] switch_ivr_originate.c:519 Ring Ready sofia/internal/1000 at 50.47.85.167!
> 2012-09-23 16:30:32.936826 [NOTICE] sofia.c:6777 Channel [sofia/internal/01137168521352 at 192.168.1.5:5061] has been answered
> 2012-09-23 16:30:32.956825 [NOTICE] sofia_glue.c:4176 Pre-Answer sofia/internal/1000 at 50.47.85.167!
> 2012-09-23 16:30:32.956825 [NOTICE] switch_ivr_originate.c:3303 Channel [sofia/internal/1000 at 50.47.85.167] has been answered
> 2012-09-23 16:30:52.356865 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [4576bc76-144a-4f6f-8915-871b511c374d]
> 2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168905352 in context default
>
>
> At this point I'm at a loss how this is happening as I have multiple
> firewalls in place that limit port access.
>
> Can someone provide a few pointers on how to better secure FS running on
> Linux systems?
>
>
> thanks
>
>
> --
> -
> -
> -    Best Regards,
> -
> -            Todd Bailey
> -
> -
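
The pattern in the quoted log (a New Channel line for a registered extension arriving from an outside address, followed by a dialplan Processing line to an 011 destination) can be checked for mechanically. The following is an added example, not part of the original thread; the trusted network, the prefix list and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

ANSI = re.compile(r"\x1b\[[0-9;]*m")  # console colour codes
# The list archive renders "@" as " at ", so accept both forms.
NEW_CHANNEL = re.compile(r"New Channel sofia/[^/\s]+/(?P<user>[^@\s]+)(?:@| at )"
                         r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
PROCESSING = re.compile(r"Processing .*?<(?P<user>[^>]+)>->(?P<dest>\S+)"
                        r" in context (?P<ctx>\S+)")
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumption: trusted LAN
INTL_PREFIXES = ("011", "00", "+")  # assumption: international dial prefixes

def find_offnet_international(lines, trusted=TRUSTED_NETS, prefixes=INTL_PREFIXES):
    """Return (user, source_ip, dest, context) for international dial attempts
    whose calling leg did not come from a trusted network."""
    last_ip, findings = {}, []
    for raw in lines:
        line = ANSI.sub("", raw)
        chan = NEW_CHANNEL.search(line)
        if chan:
            last_ip[chan["user"]] = ipaddress.ip_address(chan["ip"])
            continue
        dial = PROCESSING.search(line)
        if not dial or not dial["dest"].startswith(prefixes):
            continue
        src = last_ip.get(dial["user"])
        if src is not None and any(src in net for net in trusted):
            continue  # on-net caller, left to normal call accounting
        findings.append((dial["user"], "unknown" if src is None else str(src),
                         dial["dest"], dial["ctx"]))
    return findings

def summarize(findings):
    return Counter((user, ip) for user, ip, _dest, _ctx in findings)

# Constructed sample in the format of the quoted log (documentation addresses).
SAMPLE_LOG = """\
\x1b[36m2024-01-01 10:00:00.000001 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000@203.0.113.45 [uuid-1]
2024-01-01 10:00:00.000002 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->0119990000001 in context default
2024-01-01 10:00:00.000003 [NOTICE] switch_channel.c:941 New Channel sofia/internal/0119990000001@192.168.1.5:5061 [uuid-2]
2024-01-01 10:05:00.000001 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1001@192.168.1.20 [uuid-3]
2024-01-01 10:05:00.000002 [INFO] mod_dialplan_xml.c:485 Processing 1001 <1001>->0119990000002 in context default
2024-01-01 10:06:00.000001 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->1002 in context default
2024-01-01 10:07:00.000001 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->0119990000003 in context default
"""

if __name__ == "__main__":
    print(summarize(find_offnet_international(SAMPLE_LOG.splitlines())))
```

Run against the real freeswitch.log, the per-extension counts show which account's password to rotate and which source addresses to hand to fail2ban or the firewall.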