[Freeswitch-users] Phones registered to internal profile hit external profile when calling
hcoin
hcoin at quietfountain.com
Wed Oct 23 20:00:37 MSD 2013
For 'bad guys using SIP' I added the package 'fail2ban'. And then set
it up to watch for failed auth attempts and attempts to conenct without
the proper domain, then set it to ban those ips for a while.
When I get the time, I'm going to set it up to answer the vicious
person's call, then put them on hold for a long time, then ban them and
then also send an email. That way their systems get tied up. Hopefully
a group like 'spamhaus' or other will create a pool of sip spammers so
we can deny that traffic before it hits freeswitch.
I think some legislation is in order so the police can arrest chronic
bad actors and fine them to offset the cost of 'spamhaus' type setups
and confiscate their gear.
On 10/23/2013 10:26 AM, Donny Hardyanto wrote:
>
> The problem is there were some SIP port scanner constantly scanning ip
> address for SIP known port in internet, when they found they
> automatically and systematically try to break SIP authentification and
> try to make routing. It very vicious world out there for SIP. Changing
> the port is the least defense we can do very minimaly. Of course they
> other solution like put on sbc or something but in depend on
> circumstances. So what ever that we can control such as our deployed
> softphone or ip phone, we change its the default SIP port listener.
>
> My own solution is always open source. In the hacking case I was put
> our solution in the partner network. I cannot control my partner what
> hardware they are using. And in sip/netwotk world we do
> interconnecting with all kind of hardware and software, whether
> commercial and oss.
>
> Donny
>
> On Oct 23, 2013 10:10 PM, "hcoin" <hcoin at quietfountain.com
> <mailto:hcoin at quietfountain.com>> wrote:
>
> Donny, It's a balancing act, people choose commercial routers
> because they want it all to 'just work' and not have to get into
> the guts of it. That's what please expect and pay for-- 'just
> working', you pay for not being forced to learn the guts and 'deal
> with it'.
>
> My policy has been that if the commercial router doesn't come with
> a staff member at the commercial company to make the problem go
> away, go to an open source solution. If you're going to be made
> to 'deal with it', then you might as well have access to all the
> guts, all the tools, the whole thing yourself. Otherwise you wind
> up working for free making someone else's commercial product
> better, and who knows if the next release will break your fix or
> not. No, if you are being forced to deal with a problem in the
> guts of commercial software yourself, you aren't getting any value
> and the answer is find out whether an open source version is solid
> enough and if it is go with that. Might was well learn
> 'everything' about something you can compile yourself if it comes
> down to that. You pick up a lot of dubious skills though, for
> example I can now edit freeswitch transport protocols and the sip
> stack. A thing I hope never to have to do.... Seriously whoever
> came up with RTP and SIP using a bezillion ports and the whole NAT
> nightmare.... arg. Look how much of freeswitch is not dealing
> with telephone and talk issues, but routing issues. It's half a
> router itself.
>
> This business of weaving together products made by various
> vendors: routers, soft phones, pstn-voip legacy boxen,
> freeswitch, routers, 'guis on top of X', it's every bit as tough
> as programming. In programming you control 'the world' and have a
> narrow focus. This business of integrating lots of work by lots
> of folks, not for the timid.
>
>
> On 10/23/2013 01:42 AM, Donny Hardyanto wrote:
>>
>> I am now practicing not using standard port because some hacks
>> couple month ago. It was quite bad, it cost thousand of dollars
>> and we cannot find the culprit IP address because the router ALG
>> rewrites them and there is no accessible log on the router.
>>
>> Donny
>>
>> On Oct 23, 2013 1:17 PM, "hcoin" <hcoin at quietfountain.com
>> <mailto:hcoin at quietfountain.com>> wrote:
>>
>> Anthony and Donny, thanks for replying.
>>
>> Putting a packet capture on the line revealed the problem to
>> be a combination of quirks in both linphone (windows version
>> ignores fs nonstandard destination port) and dns-forwarder
>> (override of foo.bar.com <http://foo.bar.com> fails if
>> foo..bar.com <http://foo.bar.com> is a cname on the public
>> internet, not an A record). The call was coming in on the
>> external profile because the dns forwarder was letting the
>> resolution go to the public internet and so the local systems
>> were sending out to the router, which sent it back in to...
>> the external interface. However, I do now know how to watch
>> calls pass through freeswitch and have read most of the
>> source code in the sofia endpoint, nta, nua, etc. etc... and
>> had lots of fun with gdb stepping around watching the packets
>> flow.
>>
>> The main lession I think is worth sharing is this: Use 5060
>> for sip. If you are thinking of various profiles using the
>> same address but different ports on the one hand, or on the
>> other hand using ip aliases so each profile uses the
>> 'standard' ports but a different ip--- go with the ip alias
>> approach. So in /etc/network/interfaces , supposing your
>> main nic is eth0:
>>
>> iface eth0 inet dhcp <-- or whatnot on your system>
>> ..
>> post-up ifup eth0:1
>> pre-down ifdown eth0:1
>> ..
>>
>>
>> iface eth0:1 inet static
>> address <something unique on the lan>
>> netmask <etc.>
>>
>> Problems all melted away as if they never were.
>>
>> Thanks again for trying to help! I even bought the
>> freeswitch book. Ka-Ching for someone on this list...
>>
>>
>>
>> On 10/22/2013 06:38 PM, Anthony Minessale wrote:
>>>
>>> Did you change all the fields in the new profile you
>>> duplicated that were relevant to the name like name...
>>>
>>> I usually cp internal.xml new.xml then edit new.xml and
>>> global replace internal with new right off the bat.
>>>
>>> You might find your mistake faster if you backup and revert
>>> to default sip profiles from sample and slowly make changes
>>> again.
>>>
>>> On Oct 22, 2013 1:04 AM, "hcoin" <hcoin at quietfountain.com
>>> <mailto:hcoin at quietfountain.com>> wrote:
>>>
>>>
>>> This has been a really frustrating problem, I'm sure the
>>> answer is
>>> simple but I just can't see it.
>>>
>>> I had several extensions registered to the internal
>>> profile, sending
>>> calls out the external profile to a sip-pstn gateway,
>>> all seemed fine.
>>>
>>> Then created another internal profile, using a different
>>> sip port on the
>>> same lan address, because of 'no device left behind' and
>>> NAT issues..
>>>
>>> All seemed well, all the phones register normally.
>>> Looking at the
>>> databases in FS they all show the proper ports, the
>>> proper domains, etc.
>>>
>>> However, every single call gets picked up as a new call via
>>> sophia/external/... and it hits the public dialplan
>>> normally -- except
>>> that's the wrong plan, it should hit the default plan
>>> and be identified
>>> as sofia/internal/.... and so forth.
>>> 2013-10-22 00:31:11.001600 [NOTICE]
>>> switch_channel.c:1034 New Channel
>>> sofia/external/hcoin at pbx.foobar.com
>>> <mailto:hcoin at pbx.foobar.com>
>>> [28ed125a-3adb-11e3-9cc1-cbb8efb09b83]
>>>
>>> What could possibly be the reason phones registered on
>>> the internal
>>> profile have their new calls identified as
>>> sophia/external and don't hit
>>> the correct plan? Both the phones and the freeswitch
>>> are on the same
>>> subnet. This should be so vanilla. What am I missing?
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>>> http://www..freeswitchsolutions.com
>>> <http://www.freeswitchsolutions.com>
>>>
>>>
>>>
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://wiki.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> <mailto:FreeSWITCH-users at lists.freeswitch.org>
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>>
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>>> http://www...freeswitchsolutions.com <http://www.freeswitchsolutions.com>
>>>
>>>
>>>
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://wiki.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org <mailto:FreeSWITCH-users at lists.freeswitch.org>
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>> http://www..freeswitchsolutions.com
>> <http://www.freeswitchsolutions.com>
>>
>>
>>
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> <mailto:FreeSWITCH-users at lists.freeswitch.org>
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>> http://www..freeswitchsolutions.com <http://www.freeswitchsolutions.com>
>>
>>
>>
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org <mailto:FreeSWITCH-users at lists.freeswitch.org>
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
> http://www..freeswitchsolutions.com
> <http://www.freeswitchsolutions.com>
>
>
>
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> <mailto:FreeSWITCH-users at lists.freeswitch.org>
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
>
>
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20131023/cc0609bd/attachment-0001.html
Join us at ClueCon 2013 Aug 6-8, 2013
More information about the FreeSWITCH-users
mailing list