[Freeswitch-users] Hacking FS issue

Michael Collins msc at freeswitch.org
Thu Sep 27 20:57:58 MSD 2012


FYI, don't forget this:
$src/scripts/perl/randomize_passwords.pl

It's useful if you're stuck using static XML files and you want a quick and
easy way to mix things up. Also, if you are using static XML you may find
this handy:
$src/scripts/perl/add_user

Simple way to add users with longer vm passwords and scrambled SIP auth
passwords.

-MC

On Thu, Sep 27, 2012 at 7:55 AM, BookBag <asaad2 at gmail.com> wrote:

> I had the same issue. There are hackers continuously scanning public IPs
> for known ports then trying to register devices using the default
> extensions and passwords "1234". After noticing this in my logs I just
> changed the default external sip port from 5080 to something else.
>
> Security through obscurity if you will.
> P.S. I was also using fail2ban
> On Sep 26, 2012 7:11 PM, "Lawrence Conroy" <lconroy at insensate.co.uk>
> wrote:
>
>> Hi There,
>>  welcome to our world; hope it didn't cost too much.
>> Frontier were pro-active, which is very good. Don't forget to thank them.
>> I'd guess that this particular bunch are coming from IP addresses
>> provided in the West bank and/or Gaza; that's from where my "visitors"
>> appeared to originate.
>>
>> 1st rule of fight club: Firewalls are no use for a server that is going
>> to listen for requests from the Internet and allow authenticated calls to
>> be placed from any IP address.
>>
>> You MUST have reasonable passwords, plus fail2ban is easy to set up and
>> works just fine [unless you're using Windoz, in which case God hates you**].
>>
>> For more refined control (if you know where your external contacts are
>> coming from) ...
>>
>> Consider setting up ACLs (nailing down the IP address ranges from which
>> you'll accept incalls) in autoload/acl.conf.xml -- the "domains" definition
>> there is one place to add in your external correspondents.
>>
>> Also, consider using cidr= parameters in your directory folder for each
>> of your users (if they will only attempt to register or place calls from
>> given address ranges).
>> Then enable ACLs for incalls in your sip profile(s).
>>
>> This is all covered on wiki.freeswitch.org -- search for ACLs and take
>> it from there.
>>
>> BTW, you WILL be confused by setting explicit ACLs on registration --
>> leave that one commented out until you know what it actually does, as it's
>> probably not what you expect. Several strong cups of coffee and protracted
>> meditation may help.
>>
>> Main message:
>> -- Immediately - fix the passwords so they're not easy to guess [as the
>> bad guys *will* try again and again until they get it right].
>> -- set up fail2ban (which has its own page on the wiki) exactly as
>> proposed. <======= MOST IMPORTANT
>> -- lose the belief that firewalls are going to help protect an
>> Internet-listening server as, logically, they can't
>> Finally, be amazed at the occasional "block" reports in the fail2ban
>> logfile, and wonder how you got away with it for so long.
>>
>> all the best,
>>   Lawrence
>> ** There was apparently a talk on how Windows users could get something
>> close to a fail2ban-style setup (IIRC, it was on the weekly conf call a
>> while back)
>>
>> On 26 Sep 2012, at 19:54, Nelson Luiz Ferraz de Camargo Penteado wrote:
>> > I really think that people give way too much importance to firewalls,
>> > especially stateless ones; blocking ports isn't going to do much for you
>> > unless you are trying to hide vulnerable services behind it.
>> >
>> > They used the extension 1000 to make the calls so I would say: activate
>> > log-auth-failures on your profile, set up fail2ban and get stronger
>> > passwords.
>> >
>> > If you want to go further you can use a stateful firewall limiting
>> > connections and set up an IDS (recommend Snort)
>> > On Sep 26, 2012 8:29 PM, "Todd Bailey" <toddb at toddbailey.net> wrote:
>> >
>> >>
>> >> Hey All,
>> >>
>> >>
>> >> I just got an email from Frontier that there were several attempts to
>> >> make international calls.
>> >>
>> >>
>> >> I checked the log file and verified that somehow someone was able to
>> >> get access to FS from the internet.
>> >>
>> >>
>> >> here is a sample of the log
>> >>
>> >> 2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [af778857-0188-4ed2-a82a-94ae749a02cb]
>> >> 2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168521352 in context default
>> >> 2012-09-23 16:30:29.936831 [NOTICE] switch_channel.c:941 New Channel sofia/internal/01137168521352 at 192.168.1.5:5061 [d1243a78-c464-45fa-9215-e7b85e1221fc]
>> >> 2012-09-23 16:30:29.956842 [NOTICE] sofia.c:6132 Ring-Ready sofia/internal/01137168521352 at 192.168.1.5:5061!
>> >> 2012-09-23 16:30:29.956842 [NOTICE] mod_sofia.c:2572 Ring-Ready sofia/internal/1000 at 50.47.85.167!
>> >> 2012-09-23 16:30:29.956842 [NOTICE] switch_ivr_originate.c:519 Ring Ready sofia/internal/1000 at 50.47.85.167!
>> >> 2012-09-23 16:30:32.936826 [NOTICE] sofia.c:6777 Channel [sofia/internal/01137168521352 at 192.168.1.5:5061] has been answered
>> >> 2012-09-23 16:30:32.956825 [NOTICE] sofia_glue.c:4176 Pre-Answer sofia/internal/1000 at 50.47.85.167!
>> >> 2012-09-23 16:30:32.956825 [NOTICE] switch_ivr_originate.c:3303 Channel [sofia/internal/1000 at 50.47.85.167] has been answered
>> >> 2012-09-23 16:30:52.356865 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [4576bc76-144a-4f6f-8915-871b511c374d]
>> >> 2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168905352 in context default
>> >>
>> >>
>> >> At this point I'm at a loss how this is happening as I have multiple
>> >> firewalls in place that limit port access.
>> >>
>> >> Can someone provide a few pointers on how to better secure FS running
>> >> on Linux systems?
>> >>
>> >>
>> >> thanks
>> >>
>> >>
>> >> --
>> >> -
>> >> -
>> >> -    Best Regards,
>> >> -
>> >> -            Todd Bailey
>> >> -
>> >> -
>> >>
>> >>
>> >>
>> _________________________________________________________________________
>> >> Professional FreeSWITCH Consulting Services:
>> >> consulting at freeswitch.org
>> >> http://www.freeswitchsolutions.com
>> >>
>> >> 
>> >> 
>> >>
>> >> Official FreeSWITCH Sites
>> >> http://www.freeswitch.org
>> >> http://wiki.freeswitch.org
>> >> http://www.cluecon.com
>> >>
>> >> FreeSWITCH-users mailing list
>> >> FreeSWITCH-users at lists.freeswitch.org
>> >> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> >> UNSUBSCRIBE:
>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>> >> http://www.freeswitch.org
>> >>


-- 
Michael S Collins
Twitter: @mercutioviz
http://www.FreeSWITCH.org
http://www.ClueCon.com
http://www.OSTAG.org
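
Added example (not part of the original thread and not FreeSWITCH project code): a Python triage script for the kind of log quoted above. It pairs each dialplan "Processing" line with the most recent "New Channel" line for the same user and reports international-prefix calls whose originating leg came from a public IP. The function name, the prefix list and the unwrapped sample lines are assumptions made for this example.

```python
import ipaddress
import re

# Sample input: entries from the log quoted in the thread, unwrapped to one per
# line. The list archive renders "@" as " at "; the patterns accept both forms.
SAMPLE_LOG = """\
2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [af778857-0188-4ed2-a82a-94ae749a02cb]
2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168521352 in context default
2012-09-23 16:30:29.936831 [NOTICE] switch_channel.c:941 New Channel sofia/internal/01137168521352 at 192.168.1.5:5061 [d1243a78-c464-45fa-9215-e7b85e1221fc]
2012-09-23 16:30:52.356865 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [4576bc76-144a-4f6f-8915-871b511c374d]
2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168905352 in context default
"""

ANSI = re.compile(r"\x1b\[[0-9;]*m")  # colour codes written by the console logger
TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+")
NEW_CHANNEL = re.compile(r"New Channel sofia/(?P<profile>[^/\s]+)/(?P<user>[^@\s]+)"
                         r"(?:@| at )(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
PROCESSING = re.compile(r"Processing (?P<user>\S+) <[^>]*>->(?P<dest>\S+)"
                        r" in context (?P<context>\S+)")
INTL_PREFIXES = ("011", "00", "+")  # assumption: adjust to your own dial plan


def find_external_intl_calls(log_text, prefixes=INTL_PREFIXES):
    """International-prefix calls whose originating leg came from a public IP."""
    last_leg, findings = {}, []  # last_leg: user -> (profile, source IP)
    for raw in log_text.splitlines():
        line = ANSI.sub("", raw)
        chan = NEW_CHANNEL.search(line)
        if chan:
            last_leg[chan["user"]] = (chan["profile"], chan["ip"])
            continue
        proc = PROCESSING.search(line)
        if not proc or proc["user"] not in last_leg:
            continue
        profile, ip = last_leg[proc["user"]]
        try:
            public = not ipaddress.ip_address(ip).is_private
        except ValueError:
            continue  # damaged line: not a valid IPv4 address
        if public and proc["dest"].startswith(tuple(prefixes)):
            ts = TS.search(line)
            findings.append({"time": ts.group(0) if ts else None, "source_ip": ip,
                             "user": proc["user"], "dest": proc["dest"],
                             "profile": profile, "context": proc["context"]})
    return findings

if __name__ == "__main__":
    for finding in find_external_intl_calls(SAMPLE_LOG):
        print(finding)
```

Each finding records the profile and dialplan context the call arrived in, which shows whether the caller was treated as an authenticated local extension.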