[Freeswitch-users] Outgoing calls from unknown users

David Villasmil david.villasmil.work at gmail.com
Fri Feb 22 20:28:55 MSK 2013


Also,

I always completely remove ALL sample routing in the default dialplans, always.

When i need an extension, I add it.

There's another thread a about a user who left the external dialplan and got hacked... 

So always remove ALL routing!

David

On Feb 22, 2013, at 18:23, David Villasmil <david.villasmil.work at gmail.com> wrote:

> Since a long time ago i NEVER use ports 5060/5061/5080/5081...
> 
> Security by obscurity also helps (in my experience), in addition to fail2ban... 
> You must ALWAYS setup fail2ban if you don't know the IPs of your customers and so a firewall won't do much good.
> 
> But firewall+fail2ban+non-standard-ports is pretty safe (of course in addition to authenticating)
> 
> 
> David
> On Feb 22, 2013, at 17:03, Ken Rice <krice at freeswitch.org> wrote:
> 
>> If you were seeing a billtime of 0 that means the calls were blocked... Some one was probably hitting the “external” interface then hitting the public context... This is allowed in the default example configs for freeswitch, but calls coming in that way are only allowed to actually do something if a) they hit one of the pre-defined local extensions or you have modified it to allow other calling.
>> 
>> Why is it like this? This is so you can define your local extensions and DIDs in the public context then say hey you can just call me via sip to SIP:mynumber_or_extension at hostname.or.ip.of.my.FS.box.com
>> 
>> Bots will scan the internet (the entire internet) and find your public profile is not doing sip challenge response, then they will try to place calls. In your logs they were trying to call a number in what appears to be Palestine, this is very comon, as they are probing to see if you let the calls pass by trying various prefixes...
>> 
>> As long as you are configuring the unauthenticated interfaces to only allow calls for your local extensions this is not a big dead, they will give up and go away.
>> 
>> 
>> 
>> On 2/22/13 9:48 AM, "Frederick Pruneau" <frederick at targointernet.com> wrote:
>> 
>>   
>> PB 20618
>>  
>>  Everytime, it is a 0 billsec. For now, international calls are not authorized. But in a near future, I want to authorized them.
>>  
>>  I verified what Ken wrote:
>>  
>>  A) make sure you are not using the default username and passwords for
>>  registered sip users (not using default username and password. All default users/extensions have been removed)
>> B) don't allow unauthenticated calls to go back out to the PSTN (I don't have PSTN lines)
>> C) Use appropriate firewall rules to only allow places you should be getting
>>  calls from (Already done)
>> D) use something like Fail2Ban to block people attempting to make repeated
>>  failed calls/registration attempts in a short period of time... 
>>  
>>  Actually, I have fail2ban that blocks registration attemps. I don't know how to block failed calls. Can you guide me to a web site or help me to ban failed calls?
>>  
>>  Thank you for your quick replies!
>>  
>>  Fred
>>  
>>  Le 2013-02-22 09:01, Christian Benke a écrit :
>>  
>>  
>> 
>> Do you have a logfile of these calls? Can you please paste it to
>> http://pastebin.freeswitch.org/. Otherwise, please paste your
>> dialplans to pastebin so we can figure out what's really happening
>> with your calls, the csv has too little information. Do all of these
>> calls have 0 billsec?
>> 
>> If possible, you should turn off FreeSWITCH till you know the reason
>> for this calls, it looks very much like your system is not safe.
>> 
>> Best regards,
>> Christian
>> 
>> --
>> Central Asia by bike, starting May 2013 - http://poab.org
>> 
>> 
>> On 22 February 2013 14:26, Frederick Pruneau
>> <frederick at targointernet.com> <mailto:frederick at targointernet.com>  wrote:
>>  
>> 
>> Hi everyone!
>> 
>> I have found in the log files some international calls from unknown
>> extensions. These extensions don't exist in my configuration. I tried to
>> block them in my firewall (iptables on my freeswitch server) but they
>> always use random IP adresses. Here is a short part of my Master.csv:
>> 
>> "1001","1001","0015972595646444","2013-02-22 02:05:27","","2013-02-22
>> 02:05:27","0","NORMAL_CLEARING","3c876eae-7cbe-11e2-877f-b791adff5763","","","",""
>> "1001","1001","9011972595646444","2013-02-22 02:05:28","","2013-02-22
>> 02:05:28","0","NORMAL_CLEARING","3d0d058c-7cbe-11e2-8783-b791adff5763","","","",""
>> "1001","1001","2011972595646444","2013-02-22 02:05:29","","2013-02-22
>> 02:05:29","0","NORMAL_CLEARING","3da55576-7cbe-11e2-8787-b791adff5763","","","",""
>> "1001","1001","3011972595646444","2013-02-22 02:05:30","","2013-02-22
>> 02:05:30","0","NORMAL_CLEARING","3e4727ca-7cbe-11e2-878b-b791adff5763","","","",""
>> "1001","1001","4011972595646444","2013-02-22 02:05:31","","2013-02-22
>> 02:05:31","0","NORMAL_CLEARING","3eecc2e8-7cbe-11e2-878f-b791adff5763","","","",""
>> "1001","1001","5011972595646444","2013-02-22 02:05:32","","2013-02-22
>> 02:05:32","0","NORMAL_CLEARING","3f633b94-7cbe-11e2-8793-b791adff5763","","","",""
>> "1001","1001","6011972595646444","2013-02-22 02:05:33","","2013-02-22
>> 02:05:33","0","NORMAL_CLEARING","3fc49902-7cbe-11e2-8797-b791adff5763","","","",""
>> "1001","1001","7011972595646444","2013-02-22 02:05:33","","2013-02-22
>> 02:05:33","0","NORMAL_CLEARING","403c0622-7cbe-11e2-879b-b791adff5763","","","",""
>> "1001","1001","8011972595646444","2013-02-22 02:05:34","","2013-02-22
>> 02:05:34","0","NORMAL_CLEARING","40e61ef0-7cbe-11e2-879f-b791adff5763","","","",""
>> 
>> With my configuration, I need to be registered to make a call. I tried
>> to call with an unregistered phone and I was not able to make a call. I
>> don't know how they are able to do this but I need to block them. Is
>> there something that I am missing in my configuration to block unwanted
>> extensions to make calls?
>> 
>> Thanks in advance!
>> 
>> 
>> Fred
>> 
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>> 
>> 
>> 
>> 
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>> 
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>  
>> 
>> 
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>> 
>> 
>> 
>> 
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>> 
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>  
>> 
>>  
>>  
>> 
>> -- 
>> Ken
>> http://www.FreeSWITCH.org
>> http://www.ClueCon.com
>> http://www.OSTAG.org
>> irc.freenode.net #freeswitch
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>> 
>> 
>> 
>> 
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>> 
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20130222/35e7d54d/attachment.html 


Join us at ClueCon 2011 Aug 9-11, 2011
More information about the FreeSWITCH-users mailing list