[Freeswitch-users] Call Without Authorization

Donny Hardyanto hardyanto.donny at gmail.com
Tue Mar 4 06:21:51 MSK 2014


Hi Shahzad,

1. Don't expose your SIP port on the internet. If it is only for testing or local use,
don't open it on the internet. If you have to, use a VPN.

2. Make sure all SIP/H.323 ALGs on all routers (they have one!) in your
network are turned off. They can mask the intruder from outside and make it look like
it comes from a local IP.

3. Change your default password! The one in vars.xml and every password in the
directory!

4. If you are in control of your SIP client/IP phone, it is good to change the
default ports 5060 and 5080 to something random (like 61351 etc.). It makes
it harder for a hacker to find your ports. Usually the SIP hacker is time- and
money-oriented (not achievement-oriented), so most of the time they do not
bother to find SIP ports other than the default ports. They will quickly
find another server IP to probe. They have an organization behind them that
can stream international phone calls to the hacked servers. They usually
test the softswitch first by sending a lot of registrations (some SIP IDs are
John etc.). I think some show they can break the password using this because
SIP authorization only uses a hash to check. So because the hash has collisions,
they can calculate your password.

5. They usually try to break in on weekdays (check your CDR) and use your
hacked line on weekends! Please be careful if you are connected to a PSTN line
or operator! You can lose thousands of dollars in 1 day!

6. You can use an SBC but you need to be very thorough in configuring it. An unconfigured
SBC is the same as no protection at all.

Lastly, the SIP world is VERY CRUEL. An honest mistake can destroy your life.
Be EXTRA careful.

Donny
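As an added example (not code from either poster), a small Python check over FreeSWITCH xml_cdr records that implements the "check your CDR" advice above: it flags calls that claim a known account but arrive from an address that account did not register from, and counts weekend calls per account. The CDR records, the registered-contact table and the IPs are constructed for this example; real xml_cdr output carries many more variables than the four read here.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Account -> IP the phone registered from (constructed; in production this would
# be taken from the registration table, e.g. "sofia status profile internal reg").
REGISTERED = {"1001": "192.0.2.10"}

# Constructed records in the shape of xml_cdr output, trimmed to the variables this
# check reads. xml_cdr URL-encodes variable values, hence the %20 / %3A in the stamps.
SAMPLE_CDRS = [
    "<cdr><variables><sip_from_user>1001</sip_from_user>"
    "<sip_network_ip>192.0.2.10</sip_network_ip>"
    "<destination_number>12125550100</destination_number>"
    "<start_stamp>2014-02-28%2008%3A05%3A00</start_stamp></variables></cdr>",
    "<cdr><variables><sip_from_user>1001</sip_from_user>"
    "<sip_network_ip>198.51.100.7</sip_network_ip>"
    "<destination_number>0025380011001</destination_number>"
    "<start_stamp>2014-02-28%2023%3A40%3A00</start_stamp></variables></cdr>",
    "<cdr><variables><sip_from_user>1001</sip_from_user>"
    "<sip_network_ip>198.51.100.7</sip_network_ip>"
    "<destination_number>0025380011002</destination_number>"
    "<start_stamp>2014-03-01%2003%3A15%3A00</start_stamp></variables></cdr>",
]

def parse_cdr(xml_text):
    """Return the decoded variables this check needs from one xml_cdr record."""
    var = ET.fromstring(xml_text).find("variables")
    def get(name):
        return unquote(var.findtext(name, default=""))
    return {
        "user": get("sip_from_user"),
        "ip": get("sip_network_ip"),
        "dest": get("destination_number"),
        "start": datetime.strptime(get("start_stamp"), "%Y-%m-%d %H:%M:%S"),
    }

def audit(cdrs, registered):
    """Flag calls using a known account from an IP that account did not register
    from, and count weekend calls per account (the pattern described above)."""
    spoofed, weekend = [], Counter()
    for rec in map(parse_cdr, cdrs):
        expected = registered.get(rec["user"])
        if expected is not None and rec["ip"] != expected:
            spoofed.append((rec["user"], rec["ip"], rec["dest"]))
        if rec["start"].weekday() >= 5:  # Saturday = 5, Sunday = 6
            weekend[rec["user"]] += 1
    return spoofed, weekend

if __name__ == "__main__":
    found, weekend_calls = audit(SAMPLE_CDRS, REGISTERED)
    for user, ip, dest in found:
        print(f"ALERT: {user} called {dest} from unregistered address {ip}")
    print("weekend calls per account:", dict(weekend_calls))
```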



On Sun, Mar 2, 2014 at 9:25 AM, Shahzad Bhatti <shahzad.bhatti at g-r-v.com>wrote:

> Hi Everybody,
> I am rephrasing my question:
>
> I have a legally registered SIP account 1001 on FreeSWITCH,
>
> but some hacker who is not registered on my FreeSWITCH
> uses the same 1001 account and makes calls.
>
> I put a condition in xml_dialplan to verify and allow only registered SIP
> accounts to call, as
>
> <condition field="${sofia_contact 1001@freeswitchIP}" expression="^[^@]+@(.+)">
>
> but the hacker finds some way to pass the regex through some back hole in my script
> and make calls.
>
> dialplan xml is
> http://pastebin.freeswitch.org/22054
> fs_cli log is
> http://pastebin.freeswitch.org/22050
> xml_cdr is
> http://pastebin.freeswitch.org/22052
>
> I also tried to generate the scenario but got no success, but now I want to
> know how the hacker made a successful call in the above scenario and what is the best
> way to prevent hacking in the future.
>
> Regards
>
> Shahzad Bhatti
>
>
> ---------- Forwarded message ----------
> From: Shahzad Bhatti <shahzad.bhatti at g-r-v.com>
> Date: Fri, Feb 28, 2014 at 11:51 PM
> Subject: Call Without Authorization
> To: freeswitch-users at lists.freeswitch.org
>
>
> Hi everybody,
>
> I created my xml_curl script so that it doesn't allow unregistered calls, with
> the following condition
>
> <condition field=\"\${sofia_contact {$sipuser}@$domain}\" expression=\"^[^@]+@(.+)\">
>
> and it is working, but yesterday a call was originated with
>
> fs_cli log as
> http://pastebin.freeswitch.org/22050
>
> xml_cdr is
> http://pastebin.freeswitch.org/22052
>
> dialplan xml is
> http://pastebin.freeswitch.org/22054
>
> This is only an example of how the hacker breached.
>
> I want to know:
> 1. How is it possible that this call was originated, as I check a condition
> that allows only registered SIP accounts to call?
> 2. How to prevent this from happening in the future?
> 3. If there is any better way to do that, do inform me.
>
> I checked about 500 calls placed under the given scenario and many of them
> were also answered.
>
> Regards
>
> Shahzad Bhatti
>
>
>