[Freeswitch-users] freeswitch hack

Mario Karakanovski mario at ims.bg
Wed Feb 20 12:53:38 MSK 2013


Thanks Ken,

It is helpful, but I still think there is some security issue. I've double
checked the configuration. I've tried to reproduce the issue by making a direct
call (TCP and UDP) or authenticating with an invalid user, but everything works
as expected: calls/authentication were rejected. I've decided to log the
traffic; maybe I will be able to see where the problem is.

Regards,

            Mario

From: freeswitch-users-bounces at lists.freeswitch.org
[mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Ken Rice
Sent: Wednesday, February 20, 2013 10:46 AM
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] freeswitch hack

 

They are probably hitting the public/external interface which by default
accepts calls for any number but will reject them as the public dialplan
doesn't know what to do with them. I see this on a regular basis on my
PBX... The real question is, are you set up to allow anyone to call you, and
if you are, are you sure to block calls not destined for your box?

As a previous response pointed out this is a very common attack, I see it
several times a day from many different IPs as it's just a bot.... There are
also sipvicious attacks which I don't see much of as I block them at the
firewall level (they almost always include the string 'friendly-scanner' and
a quick google will give you an iptables command to drop them).

These bots exist to exploit not just freeswitch, but any SIP server, and to
exploit sip users with bad/common passwords... 

Good System Admin practices and double checking your FreeSWITCH configs will
generally stop them in their tracks.

If you need assistance stop by the FreeSWITCH IRC channel on Freenode
#freeswitch and ask around... If you need professional help email
consulting at freeswitch.org and they will help you out.

K


On 2/20/13 2:35 AM, "Avi Marcus" <avi at avimarcus.net> wrote:

Personally, I've seen the last option -- CDRs for calls that have been
rejected.

They come in on the public profile, attempt to call a single number with
several prefix types... but they are indeed unauthenticated so FS just hangs
up on them.

-Avi

On Wed, Feb 20, 2013 at 10:14 AM, Steven Ayre <steveayre at gmail.com> wrote:

Not unusual at all, and not even clever... there are lots of bots that
just randomly search the net for IP addresses that're open to allowing
calls.

First, are you sure the profile is actually requiring authentication
(a simple packet trace will reveal that - the first INVITE should get
a 401 reply).

Second, do you have blind auth enabled, in which case it'd be
accepting any username/password?

Third, are they getting authenticated via an ACL or user CIDR?

Finally, is it possible that you're loading CDRs for calls which have
been rejected?

-Steve




On 20 February 2013 07:28, Mario Karakanovski <mario at ims.bg> wrote:
> Hi all,
>
>         For some days I have noticed that somebody was able to register to my
> FreeSWITCH and try to call international numbers. The attack is very
> clever as the hacker logs in at night, tries to call an international number
> 10-15 times while changing the prefix, and goes away.
>
> The SIP profile is connected directly to the internet and requires
> authentication:
>         auth-calls = true
>         auth-all-packets = true
>
> There is no IP filtering as the service does not allow setting any.
> The firewall blocks all ports except TCP and UDP 5060 and the required UDP media
> ports. The authentication is made by directory.
> What I wonder is how one can authenticate with an extension that does not exist
> and is not described anywhere.
>
> Can it be some security issue with freeswitch? Any ideas how to solve the
> problem?
>
> Regards,
>         Mario
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> 
> 
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org


-- 
Ken
http://www.FreeSWITCH.org
http://www.ClueCon.com
http://www.OSTAG.org
irc.freenode.net #freeswitch
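Steve's check that the first INVITE should get a 401 and Ken's note about the 'friendly-scanner' User-Agent, worked through as an added example that is not part of this thread: a small Python audit over a constructed SIP trace (hypothetical addresses and a one-message-per-line format of my own) that labels each INVITE as challenged, credentialed, rejected, or accepted without any authentication, and counts the sources that carry the scanner string.

```python
from collections import Counter

SCANNER_UA = "friendly-scanner"  # the User-Agent string Ken says sipvicious leaves behind

# Constructed trace (hypothetical addresses), one message per line: "<src>> <start line> | <Header>: <value> ..."
SAMPLE_TRACE = """\
198.51.100.7> INVITE sip:00441234567890@192.0.2.10 SIP/2.0 | Call-ID: scan-1 | User-Agent: friendly-scanner
192.0.2.10> SIP/2.0 401 Unauthorized | Call-ID: scan-1 | WWW-Authenticate: Digest realm="192.0.2.10"
198.51.100.7> INVITE sip:9011234567890@192.0.2.10 SIP/2.0 | Call-ID: scan-2 | User-Agent: friendly-scanner
192.0.2.10> SIP/2.0 100 Trying | Call-ID: scan-2
192.0.2.10> SIP/2.0 480 Temporarily Unavailable | Call-ID: scan-2
198.51.100.9> INVITE sip:0011234567890@192.0.2.10 SIP/2.0 | Call-ID: open-1 | User-Agent: generic-dialer
192.0.2.10> SIP/2.0 200 OK | Call-ID: open-1
203.0.113.4> INVITE sip:1001@192.0.2.10 SIP/2.0 | Call-ID: phone-1 | Authorization: Digest username="1001"
192.0.2.10> SIP/2.0 200 OK | Call-ID: phone-1
"""

def parse(trace):
    """Yield (src, start_line, headers) per message; header names are lower-cased."""
    for line in trace.strip().splitlines():
        src, rest = line.split("> ", 1)
        start, *hdrs = [p.strip() for p in rest.split(" | ")]
        headers = {n.strip().lower(): v.strip() for n, _, v in (h.partition(":") for h in hdrs)}
        yield src, start, headers

def audit(trace):
    """One verdict per INVITE: credentialed / challenged / rejected / ACCEPTED_WITHOUT_AUTH."""
    invites, responses = {}, {}
    for src, start, hdr in parse(trace):
        cid = hdr.get("call-id")
        if start.startswith("INVITE"):
            invites[cid] = {"src": src, "authorized": "authorization" in hdr,
                            "scanner": SCANNER_UA in hdr.get("user-agent", "").lower()}
        elif start.startswith("SIP/2.0"):
            responses.setdefault(cid, []).append(int(start.split()[1]))
    for cid, inv in invites.items():
        final = next((c for c in responses.get(cid, []) if c >= 200), None)  # skip 1xx provisionals
        if inv["authorized"]:
            inv["verdict"] = "credentialed"
        elif final in (401, 407):
            inv["verdict"] = "challenged"             # what Steve says the first INVITE should get
        elif final is not None and final < 300:
            inv["verdict"] = "ACCEPTED_WITHOUT_AUTH"  # blind auth, ACL/CIDR match or open profile
        else:
            inv["verdict"] = "rejected"               # hung up on, but may still produce a CDR
    return invites

def scanner_sources(findings):
    """Sources whose INVITEs carry the scanner User-Agent: candidates for a firewall drop rule."""
    return Counter(f["src"] for f in findings.values() if f["scanner"])
```

Any INVITE that ends up as ACCEPTED_WITHOUT_AUTH is the case worth chasing in the profile and ACL settings; the rejected ones explain CDR rows for calls that never got through.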
