[Freeswitch-users] ERROR 404 BAD HEADER

Steven Ayre steveayre at gmail.com
Fri Apr 26 19:20:08 MSD 2013


>
> Within 24 hours of pasting to your pastebin, I get 3 to 10  hackers trying
> to login to my switch with common usernames and passwords as well as
> generated ones.  Granted that is not a true "port scan", but it conveys the
> seriousness of the problem.   I now have Class A 3 ip domains in the middle
> east completely blocked in my iptables because I have no customers there.


It's entirely possible (and likely) this is entirely unrelated to any
pastebins you might have posted.

I see such attempts every single day (which all get rejected)... it's
pretty standard given the number of botnets out there scanning for insecure
VoIP servers to exploit and abuse. Unless they're specifically targeting
someone they're just going to be trying random IPs, not checking out a list.

IPv4 address space is small enough that it's trivially easy for a botnet to
just pick a random IP to start from and then walk through every possible IP
from that point. CPU/bandwidth isn't an issue since it's not the attacker's
own, and the botnet means it's parallel enough that it doesn't take
prohibitively long either. While grabbing pastebins might get them a few
IPs which serve SIP they're not automatically going to be insecure, so
walking the address space is likely to be far more fruitful.

Sure you can sanitise your pastebins if you want to, but if your server is
insecure it's insecure and they're going to happen upon you anyway. I'd
spend the time you saved replacing IPs with 'x.x.x.x' by securing your
setup (never use default passwords, set up firewalls appropriately, etc) and
configuring fail2ban instead (I know you said you already have, Sean - that
was more generic advice for anyone).

-Steve



On 26 April 2013 15:27, Sean Devoy <sdevoy at bizfocused.com> wrote:

> What kind of proof do you want?  I am sure I have some freeswitch logs
> showing authentication errors.  FAILTOBAN was well worth learning about and
> installing.  I even had an earlier post to discuss this.  Several people
> commented about the need to "sanitize" your posts and the name of the
> program frequently used to attempt the hack ins.
>
> Within 24 hours of pasting to your pastebin, I get 3 to 10  hackers trying
> to login to my switch with common usernames and passwords as well as
> generated ones.  Granted that is not a true "port scan", but it conveys the
> seriousness of the problem.   I now have Class A 3 ip domains in the middle
> east completely blocked in my iptables because I have no customers there.
>
> I am not saying your pastebin is at fault, only that SCUM can read too and
> this is a good source of targets to attack.
>
> -----Original Message-----
> From: freeswitch-users-bounces at lists.freeswitch.org
> [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Brian
> West
> Sent: Thursday, April 25, 2013 10:15 PM
> To: FreeSWITCH Users Help
> Subject: Re: [Freeswitch-users] ERROR 404 BAD HEADER
>
> Is this our pastebin you're speaking of? If so can you provide me some
> proof
> of this?
>
> On Apr 25, 2013, at 8:30 PM, Sean Devoy <sdevoy at bizfocused.com> wrote:
>
> > I will see if I can contribute.  First, if you have not yet, change the
> > default passwords.  I get port scans every time I post addresses in
> > pastebin.
>
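The fail2ban advice in the message above comes down to counting authentication failures per source IP inside a time window, which separates a scanner guessing accounts from a single phone with a stale password. The following is an added example, not part of the original thread and not fail2ban's or FreeSWITCH's own code; the log line shape, the `offenders` function, the thresholds and the sample lines are assumptions to check against your own logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed shape of a FreeSWITCH failed-auth log line; confirm against your own logs.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \[WARNING\] sofia_reg\.c:\d+ "
    r"SIP auth failure \((?:REGISTER|INVITE)\) on sofia profile '[^']+' "
    r"for \[(?P<user>[^\]]*)\] from ip (?P<ip>[0-9A-Fa-f.:]+)$"
)

def offenders(lines, maxretry=3, findtime_s=600):
    """Map each IP with >= maxretry failures inside findtime_s seconds to the users it tried.

    Lines are expected in chronological order, as they appear in a log file.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    tried = defaultdict(set)     # ip -> every username seen from that ip
    flagged = {}
    for line in lines:
        m = AUTH_FAIL.match(line.strip())
        if not m:
            continue  # not an auth failure, or a format this regex does not know
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip, window = m["ip"], recent[m["ip"]]
        window.append(ts)
        tried[ip].add(m["user"].split("@")[0])
        while (ts - window[0]).total_seconds() > findtime_s:
            window.popleft()  # drop failures that fell out of the window
        if len(window) >= maxretry:
            flagged[ip] = sorted(tried[ip])
    return flagged

# Constructed sample (documentation address ranges): 192.0.2.44 guesses three
# accounts in two seconds; 203.0.113.7 is a phone retrying every 30 minutes.
_F = ("{} [WARNING] sofia_reg.c:1246 SIP auth failure (REGISTER) on sofia "
      "profile 'internal' for [{}@198.51.100.10] from ip {}")
SAMPLE_LOG = [
    _F.format("2013-04-26 02:00:00.000000", "2001", "203.0.113.7"),
    _F.format("2013-04-26 02:30:00.000000", "2001", "203.0.113.7"),
    _F.format("2013-04-26 03:00:00.000000", "2001", "203.0.113.7"),
    "2013-04-26 03:10:00.500000 [NOTICE] constructed non-auth line",
    _F.format("2013-04-26 03:10:01.000000", "100", "192.0.2.44"),
    _F.format("2013-04-26 03:10:02.000000", "1000", "192.0.2.44"),
    _F.format("2013-04-26 03:10:03.000000", "admin", "192.0.2.44"),
]

if __name__ == "__main__":
    for ip, users in offenders(SAMPLE_LOG).items():
        print(ip, "tried", users)
```

With the default ten-minute window only the scanner is reported; widening `findtime_s` to two hours also catches the slow retries, which is the trade-off to weigh when picking ban thresholds.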