[Freeswitch-users] Hacking FS issue

Ben Langfeld ben at langfeld.co.uk
Thu Sep 27 23:39:03 MSD 2012


nmap is not a wardialer. If I want to know if you're running SIP, I'll just
try and talk SIP to you on every port that's open, and see if I get
something that's not garbage back. It's brute force, nothing more, and can
be done very performantly.

Regards,
Ben Langfeld


On 27 September 2012 16:27, BookBag <asaad2 at gmail.com> wrote:

> When nmap finds a port open, it looks in its database of what protocol is
> likely to be running on that port. It doesn't actually test if the standard
> protocol is running on that port.
>
> On Thu, Sep 27, 2012 at 12:11 PM, Nelson Camargo <bigx333 at gmail.com>wrote:
>
>> Ever heard about nmap? lol
>> On 27 Sep 2012, at 5:52 PM, BookBag wrote:
>>
>> How will they know what protocol I'm running on that port?
>> On Sep 27, 2012 11:42 AM, "Ben Langfeld" <ben at langfeld.co.uk> wrote:
>>
>>> This is classic wardialing and is very common. Don't worry, your port
>>> change won't slow down people who really want to get in ;)
>>>
>>>
>>> On 27 September 2012 11:55, BookBag <asaad2 at gmail.com> wrote:
>>>
>>>> I had the same issue. There are hackers continuously scanning public
>>>> IPs for known ports then trying to register devices using the default
>>>> extensions and passwords "1234". After noticing this in my logs I just
>>>> changed the default external sip port from 5080 to something else.
>>>>
>>>> Security through obscurity if you will.
>>>> P.S. I was also using fail2ban
>>>> On Sep 26, 2012 7:11 PM, "Lawrence Conroy" <lconroy at insensate.co.uk> wrote:
>>>>
>>>>> Hi There,
>>>>>  welcome to our world; hope it didn't cost too much.
>>>>> Frontier were pro-active, which is very good. Don't forget to thank
>>>>> them.
>>>>> I'd guess that this particular bunch are coming from IP addresses
>>>>> provided in the West bank and/or Gaza; that's from where my "visitors"
>>>>> appeared to originate.
>>>>>
>>>>> 1st rule of fight club: Firewalls are no use for a server that is
>>>>> going to listen for requests from the Internet and allow authenticated
>>>>> calls to be placed from any IP address.
>>>>>
>>>>> You MUST have reasonable passwords, plus fail2ban is easy to set up
>>>>> and works just fine [unless you're using Windoz, in which case God hates
>>>>> you**].
>>>>>
>>>>> For more refined control (if you know where your external contacts are
>>>>> coming from) ...
>>>>>
>>>>> Consider setting up ACLs (nailing down the IP address ranges from
>>>>> which you'll accept incalls) in autoload/acl.conf.xml -- the "domains"
>>>>> definition there is one place to add in your external correspondents.
>>>>>
>>>>> Also, consider using cidr= parameters in your directory folder for
>>>>> each of your users (if they will only attempt to register or place calls
>>>>> from given address ranges).
>>>>> Then enable ACLs for incalls in your sip profile(s).
>>>>>
>>>>> This is all covered on wiki.freeswitch.org -- search for ACLs and
>>>>> take it from there.
>>>>>
>>>>> BTW, you WILL be confused by setting explicit ACLs on registration --
>>>>> leave that one commented out until you know what it actually does, as it's
>>>>> probably not what you expect. Several strong cups of coffee and protracted
>>>>> meditation may help.
>>>>>
>>>>> Main message:
>>>>> -- Immediately - fix the passwords so they're not easy to guess [as
>>>>> the bad guys *will* try again and again until they get it right].
>>>>> -- set up fail2ban (which has its own page on the wiki) exactly as
>>>>> proposed. <======= MOST IMPORTANT
>>>>> -- lose the belief that firewalls are going to help protect an
>>>>> Internet-listening server as, logically, they can't
>>>>> Finally, be amazed at the occasional "block" reports in the fail2ban
>>>>> logfile, and wonder how you got away with it for so long.
>>>>>
>>>>> all the best,
>>>>>   Lawrence
>>>>> ** There was apparently a talk on how Windows users could get
>>>>> something close to a fail2ban-style setup (IIRC, it was on the weekly conf
>>>>> call a while back)
>>>>>
>>>>> On 26 Sep 2012, at 19:54, Nelson Luiz Ferraz de Camargo Penteado wrote:
>>>>> > I really think that people give way too much importance to firewalls,
>>>>> > especially stateless ones; blocking ports isn't going to do much for you
>>>>> > unless you are trying to hide vulnerable services behind it.
>>>>> >
>>>>> > They used the extension 1000 to make the calls so I would say: activate
>>>>> > log-auth-failures on your profile, set up fail2ban and get stronger
>>>>> > passwords.
>>>>> >
>>>>> > If you want to go further you can use a stateful firewall limiting
>>>>> > connections and set up an IDS (recommend snort)
>>>>> > On Sep 26, 2012 8:29 PM, "Todd Bailey" <toddb at toddbailey.net> wrote:
>>>>> >
>>>>> >>
>>>>> >> Hey All,
>>>>> >>
>>>>> >> I just got an email from Frontier that there were several attempts to
>>>>> >> make international calls.
>>>>> >>
>>>>> >> I checked the log file and verified that somehow someone was able to get
>>>>> >> access to FS from the internet.
>>>>> >>
>>>>> >> Here is a sample of the log:
>>>>> >>
>>>>> >> 2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [af778857-0188-4ed2-a82a-94ae749a02cb]
>>>>> >> 2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168521352 in context default
>>>>> >> 2012-09-23 16:30:29.936831 [NOTICE] switch_channel.c:941 New Channel sofia/internal/01137168521352 at 192.168.1.5:5061 [d1243a78-c464-45fa-9215-e7b85e1221fc]
>>>>> >> 2012-09-23 16:30:29.956842 [NOTICE] sofia.c:6132 Ring-Ready sofia/internal/01137168521352 at 192.168.1.5:5061!
>>>>> >> 2012-09-23 16:30:29.956842 [NOTICE] mod_sofia.c:2572 Ring-Ready sofia/internal/1000 at 50.47.85.167!
>>>>> >> 2012-09-23 16:30:29.956842 [NOTICE] switch_ivr_originate.c:519 Ring Ready sofia/internal/1000 at 50.47.85.167!
>>>>> >> 2012-09-23 16:30:32.936826 [NOTICE] sofia.c:6777 Channel [sofia/internal/01137168521352 at 192.168.1.5:5061] has been answered
>>>>> >> 2012-09-23 16:30:32.956825 [NOTICE] sofia_glue.c:4176 Pre-Answer sofia/internal/1000 at 50.47.85.167!
>>>>> >> 2012-09-23 16:30:32.956825 [NOTICE] switch_ivr_originate.c:3303 Channel [sofia/internal/1000 at 50.47.85.167] has been answered
>>>>> >> 2012-09-23 16:30:52.356865 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [4576bc76-144a-4f6f-8915-871b511c374d]
>>>>> >> 2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168905352 in context default
>>>>> >>
>>>>> >>
>>>>> >> At this point I'm at a loss how this is happening as I have multiple
>>>>> >> firewalls in place that limit port access.
>>>>> >>
>>>>> >> Can someone provide a few pointers on how to better secure FS running on
>>>>> >> Linux systems?
>>>>> >>
>>>>> >>
>>>>> >> thanks
>>>>> >>
>>>>> >>
>>>>> >> --
>>>>> >> -
>>>>> >> -
>>>>> >> -    Best Regards,
>>>>> >> -
>>>>> >> -            Todd Bailey
>>>>> >> -
>>>>> >> -
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> _________________________________________________________________________
>>>>> >> Professional FreeSWITCH Consulting Services:
>>>>> >> consulting at freeswitch.org
>>>>> >> http://www.freeswitchsolutions.com
>>>>> >>
>>>>> >> 
>>>>> >> 
>>>>> >>
>>>>> >> Official FreeSWITCH Sites
>>>>> >> http://www.freeswitch.org
>>>>> >> http://wiki.freeswitch.org
>>>>> >> http://www.cluecon.com
>>>>> >>
>>>>> >> FreeSWITCH-users mailing list
>>>>> >> FreeSWITCH-users at lists.freeswitch.org
>>>>> >> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> >> UNSUBSCRIBE:
>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> >> http://www.freeswitch.org
>>>>> >>
>>>>> >
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>>
>>
>
>
>
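An added example, not code from anyone in this thread: a small Python audit that applies Lawrence's ACL / cidr= advice to the kind of log Todd posted, flagging internal-profile legs that arrive from outside a trusted address range and calls to international (011-prefixed) destinations. It assumes a constructed trusted LAN of 192.168.1.0/24, and its sample lines are constructed after the thread's log.

```python
import ipaddress
import re

# Assumption: extensions on the "internal" profile only ever come from the
# office LAN, 192.168.1.0/24 (a constructed value for this example). This
# models what cidr= on a directory user or an inbound ACL would enforce.
TRUSTED_CIDRS = ("192.168.1.0/24",)

ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")   # console colour codes FreeSWITCH emits
CHANNEL_RE = re.compile(r"New Channel sofia/(?P<profile>[^/]+)/(?P<user>[^@\s]+)@"
                        r"(?P<ip>[0-9.]+)(?::\d+)?\s*\[(?P<uuid>[0-9a-f-]+)\]")
DIALPLAN_RE = re.compile(r"Processing (?P<caller>\S+) <[^>]*>->(?P<dest>\S+) in context")

# Constructed sample modelled on the thread's log; line 1 keeps a colour code to show it is stripped.
SAMPLE_LOG = """\
\x1b[36m2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000@50.47.85.167 [af778857-0188-4ed2-a82a-94ae749a02cb]
2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168521352 in context default
2012-09-23 16:30:29.936831 [NOTICE] switch_channel.c:941 New Channel sofia/internal/01137168521352@192.168.1.5:5061 [d1243a78-c464-45fa-9215-e7b85e1221fc]
2012-09-23 16:30:52.356865 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000@50.47.85.167 [4576bc76-144a-4f6f-8915-871b511c374d]
2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168905352 in context default
2012-09-23 17:02:10.100000 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1001@192.168.1.20 [00000000-0000-0000-0000-000000000001]
2012-09-23 17:02:10.120000 [INFO] mod_dialplan_xml.c:485 Processing 1001 <1001>->1002 in context default
"""


def audit(log_text, trusted=TRUSTED_CIDRS):
    """Return (timestamp, reason, detail) findings for the given FreeSWITCH log text."""
    nets = [ipaddress.ip_network(c) for c in trusted]
    findings = []
    for raw in log_text.splitlines():
        line = ANSI_RE.sub("", raw)
        ts = line[:26]
        m = CHANNEL_RE.search(line)
        if m and m.group("profile") == "internal":
            ip = ipaddress.ip_address(m.group("ip"))
            # A leg on the internal profile from outside the trusted ranges is
            # what a cidr= restriction or inbound ACL would have refused.
            if not any(ip in n for n in nets):
                findings.append((ts, "untrusted-source", f"{m.group('user')} from {ip}"))
            continue
        m = DIALPLAN_RE.search(line)
        # 011 is the NANP international dialling prefix, as in the thread's log.
        if m and m.group("dest").startswith("011"):
            findings.append((ts, "international-call", f"{m.group('caller')} -> {m.group('dest')}"))
    return findings


def untrusted_sources(findings):
    """Distinct source addresses behind untrusted-source findings (ACL review candidates)."""
    return sorted({d.split(" from ")[1] for _, r, d in findings if r == "untrusted-source"})
```

Run audit(SAMPLE_LOG) to see the four findings the thread's log would raise; the trunk leg to 192.168.1.5 and the 1001 extension on the LAN are left alone.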