[Freeswitch-users] Outgoing calls from unknown users
Frederick Pruneau
frederick at targointernet.com
Fri Feb 22 21:01:28 MSK 2013
Thanks guys for all your help!
On 2013-02-22 12:28, David Villasmil wrote:
> Also,
>
> I always completely remove ALL sample routing in the default
> dialplans, always.
>
> When I need an extension, I add it.
>
> There's another thread about a user who left the external dialplan
> and got hacked...
>
> So always remove ALL routing!
>
> David
>
> On Feb 22, 2013, at 18:23, David Villasmil
> <david.villasmil.work at gmail.com> wrote:
>
>> Since a long time ago I NEVER use ports 5060/5061/5080/5081...
>>
>> Security by obscurity also helps (in my experience), in addition to
>> fail2ban...
>> You must ALWAYS set up fail2ban if you don't know the IPs of your
>> customers and so a firewall won't do much good.
>>
>> But firewall+fail2ban+non-standard-ports is pretty safe (of course in
>> addition to authenticating)
>>
>>
>> David
>> On Feb 22, 2013, at 17:03, Ken Rice <krice at freeswitch.org> wrote:
>>
>>> If you were seeing a billtime of 0 that means the calls were
>>> blocked... Someone was probably hitting the "external" interface
>>> then hitting the public context... This is allowed in the default
>>> example configs for freeswitch, but calls coming in that way are
>>> only allowed to actually do something if a) they hit one of the
>>> pre-defined local extensions or b) you have modified it to allow
>>> other calling.
>>>
>>> Why is it like this? This is so you can define your local extensions
>>> and DIDs in the public context then say hey you can just call me via
>>> sip to SIP:mynumber_or_extension at hostname.or.ip.of.my.FS.box.com
>>>
>>> Bots will scan the internet (the entire internet) and find your
>>> public profile is not doing sip challenge response, then they will
>>> try to place calls. In your logs they were trying to call a number
>>> in what appears to be Palestine, this is very common, as they are
>>> probing to see if you let the calls pass by trying various prefixes...
>>>
>>> As long as you are configuring the unauthenticated interfaces to
>>> only allow calls for your local extensions this is not a big deal,
>>> they will give up and go away.
>>>
>>>
>>>
>>> On 2/22/13 9:48 AM, "Frederick Pruneau"
>>> <frederick at targointernet.com> wrote:
>>>
>>>
>>> PB 20618
>>>
>>> Every time, it is a 0 billsec. For now, international calls are
>>> not authorized. But in the near future, I want to authorize them.
>>>
>>> I verified what Ken wrote:
>>>
>>> A) make sure you are not using the default username and passwords for
>>> registered sip users *(not using default username and password.
>>> All default users/extensions have been removed)*
>>> B) don't allow unauthenticated calls to go back out to the PSTN
>>> *(I don't have PSTN lines)*
>>> C) Use appropriate firewall rules to only allow places you should be
>>> getting calls from *(Already done)*
>>> D) use something like Fail2Ban to block people attempting to make
>>> repeated failed calls/registration attempts in a short period of time...
>>>
>>> Actually, I have fail2ban that blocks registration attempts. I
>>> don't know how to block failed calls. Can you guide me to a web
>>> site or help me to ban failed calls?
>>>
>>> Thank you for your quick replies!
>>>
>>> Fred
>>>
>>> On 2013-02-22 09:01, Christian Benke wrote:
>>>
>>>
>>>
>>> Do you have a logfile of these calls? Can you please paste it to
>>> http://pastebin.freeswitch.org/. Otherwise, please paste your
>>> dialplans to pastebin so we can figure out what's really happening
>>> with your calls, the csv has too little information. Do all of these
>>> calls have 0 billsec?
>>>
>>> If possible, you should turn off FreeSWITCH till you know the reason
>>> for these calls, it looks very much like your system is not safe.
>>>
>>> Best regards,
>>> Christian
>>>
>>> --
>>> Central Asia by bike, starting May 2013 - http://poab.org
>>>
>>>
>>> On 22 February 2013 14:26, Frederick Pruneau
>>> <frederick at targointernet.com> wrote:
>>>
>>>
>>> Hi everyone!
>>>
>>> I have found in the log files some international calls from unknown
>>> extensions. These extensions don't exist in my configuration. I tried
>>> to block them in my firewall (iptables on my freeswitch server) but
>>> they always use random IP addresses. Here is a short part of my
>>> Master.csv:
>>>
>>> "1001","1001","0015972595646444","2013-02-22 02:05:27","","2013-02-22 02:05:27","0","NORMAL_CLEARING","3c876eae-7cbe-11e2-877f-b791adff5763","","","",""
>>> "1001","1001","9011972595646444","2013-02-22 02:05:28","","2013-02-22 02:05:28","0","NORMAL_CLEARING","3d0d058c-7cbe-11e2-8783-b791adff5763","","","",""
>>> "1001","1001","2011972595646444","2013-02-22 02:05:29","","2013-02-22 02:05:29","0","NORMAL_CLEARING","3da55576-7cbe-11e2-8787-b791adff5763","","","",""
>>> "1001","1001","3011972595646444","2013-02-22 02:05:30","","2013-02-22 02:05:30","0","NORMAL_CLEARING","3e4727ca-7cbe-11e2-878b-b791adff5763","","","",""
>>> "1001","1001","4011972595646444","2013-02-22 02:05:31","","2013-02-22 02:05:31","0","NORMAL_CLEARING","3eecc2e8-7cbe-11e2-878f-b791adff5763","","","",""
>>> "1001","1001","5011972595646444","2013-02-22 02:05:32","","2013-02-22 02:05:32","0","NORMAL_CLEARING","3f633b94-7cbe-11e2-8793-b791adff5763","","","",""
>>> "1001","1001","6011972595646444","2013-02-22 02:05:33","","2013-02-22 02:05:33","0","NORMAL_CLEARING","3fc49902-7cbe-11e2-8797-b791adff5763","","","",""
>>> "1001","1001","7011972595646444","2013-02-22 02:05:33","","2013-02-22 02:05:33","0","NORMAL_CLEARING","403c0622-7cbe-11e2-879b-b791adff5763","","","",""
>>> "1001","1001","8011972595646444","2013-02-22 02:05:34","","2013-02-22 02:05:34","0","NORMAL_CLEARING","40e61ef0-7cbe-11e2-879f-b791adff5763","","","",""
>>>
>>> With my configuration, I need to be registered to make a call. I tried
>>> to call with an unregistered phone and I was not able to make a call. I
>>> don't know how they are able to do this but I need to block them. Is
>>> there something that I am missing in my configuration to block unwanted
>>> extensions to make calls?
>>>
>>> Thanks in advance!
>>>
>>>
>>> Fred
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>>
>>>
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://wiki.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Ken
>>> http://www.FreeSWITCH.org
>>> http://www.ClueCon.com
>>> http://www.OSTAG.org
>>> irc.freenode.net #freeswitch
>
>
--
Frédérick Pruneau
Administrateur réseau | Network administrator
Targo Communications
Ste-Clotilde : (450) 826-0031
Montréal : (514) 448-0773
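
Added example, not part of the original thread or of FreeSWITCH: a small detector for the pattern visible in the quoted Master.csv excerpt, where one caller retries the same number under many dialing prefixes and every attempt has 0 billsec. The column positions are an assumption inferred from that excerpt, the function name and thresholds are hypothetical, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real call data), shaped like the Master.csv excerpt
# in the thread. Assumed columns: 1=caller number, 2=destination, 3=start, 6=billsec.
SAMPLE_CDR = '''\
"1001","1001","0015990000000001","2013-02-22 02:05:27","","2013-02-22 02:05:27","0","NORMAL_CLEARING","u1","","","",""
"1001","1001","9011990000000001","2013-02-22 02:05:28","","2013-02-22 02:05:28","0","NORMAL_CLEARING","u2","","","",""
"1001","1001","2011990000000001","2013-02-22 02:05:29","","2013-02-22 02:05:29","0","NORMAL_CLEARING","u3","","","",""
"1002","1002","15145550100","2013-02-22 09:00:00","2013-02-22 09:00:03","2013-02-22 09:00:45","42","NORMAL_CLEARING","u4","","","",""
"1003","1003","0115990000000002","2013-02-22 10:00:00","","2013-02-22 10:00:00","0","NO_ANSWER","u5","","","",""
'''


def find_prefix_probes(cdr_text, suffix_len=12, min_prefixes=3,
                       window=timedelta(seconds=60)):
    """Return (caller, suffix, prefixes) where one number was retried with
    many dialing prefixes, all unbilled, inside a short time window."""
    groups = defaultdict(list)
    for row in csv.reader(io.StringIO(cdr_text)):
        if len(row) < 7 or row[6] != "0":
            continue  # malformed row, or a call that actually billed
        dest = row[2]
        if not dest.isdigit() or len(dest) <= suffix_len:
            continue  # too short to carry a prefix in front of the number
        start = datetime.strptime(row[3], "%Y-%m-%d %H:%M:%S")
        groups[(row[1], dest[-suffix_len:])].append((start, dest[:-suffix_len]))

    findings = []
    for (caller, suffix), calls in groups.items():
        calls.sort()
        best, lo = set(), 0
        for hi in range(len(calls)):
            while calls[hi][0] - calls[lo][0] > window:
                lo += 1  # slide the window start forward
            seen = {prefix for _, prefix in calls[lo:hi + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_prefixes:
            findings.append((caller, suffix, sorted(best)))
    return sorted(findings)


if __name__ == "__main__":
    for caller, suffix, prefixes in find_prefix_probes(SAMPLE_CDR):
        print(f"caller {caller}: ...{suffix} tried with prefixes {prefixes}")
```

A hit names the caller ID the probe presented, not a source address, so it shows which context or extension is being reached rather than what to block at the firewall.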