[Freeswitch-users] Call Without Authorization

Shahzad Bhatti shahzad.bhatti at g-r-v.com
Tue Mar 4 20:51:03 MSK 2014


>
> Thanks for such support and reply.
>

Regards

Shahzad Bhatti


>
> ---------- Forwarded message ----------
> From: Donny Hardyanto <hardyanto.donny at gmail.com>
> To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> Cc:
> Date: Tue, 4 Mar 2014 10:21:51 +0700
> Subject: Re: [Freeswitch-users] Call Without Authorization
> Hi Shahzad,
>
> 1. Don't expose your SIP port on the internet. If it is only for testing or local use,
> don't open it on the internet. If you have to, use a VPN.
>
> 2. Make sure all SIP/H.323 ALGs on all routers (they have one!) in your
> network are turned off. They can mask the intruder from outside and make them look like
> they are from a local IP.
>
> 3. Change your default password! The one in vars.xml and every password in the
> directory!
>
> 4. If you are in control of your SIP client/IP phone, it is good to change the
> default ports 5060 and 5080 to something random (like 61351 etc). It makes
> it harder for a hacker to find your ports. Usually the SIP hacker is time- and
> money-oriented (not achievement-oriented), so most of the time they do not
> bother to find SIP ports other than the default ports. They will quickly
> find another server IP to probe. They have an organization behind them that
> can stream international phone calls to the hacked servers. They usually
> test the softswitch first by sending a lot of registrations (some SIP IDs are
> John etc). I think some show they can break the password using this because
> SIP authorization only uses a hash to check. So because the hash has collisions,
> they can calculate your password.
>
> 5. They usually try to break in on weekdays (check your CDR) and use your
> hacked line on weekends! Please be careful if you are connected to a PSTN line
> or operator! You can lose thousands of dollars in 1 day!
>
> 6. You can use an SBC but you need to be very thorough in configuring it. An unconfigured
> SBC is the same as no protection at all.
>
> Lastly, the SIP world is VERY CRUEL. An honest mistake can destroy your life.
> Be EXTRA careful.
>
> Donny
>
>
>
> On Sun, Mar 2, 2014 at 9:25 AM, Shahzad Bhatti <shahzad.bhatti at g-r-v.com> wrote:
>
>> Hi Everybody,
>> I am rephrasing my question:
>>
>> I have a legal, registered SIP account 1001 on FreeSWITCH,
>>
>> but some hacker who is not registered on my FreeSWITCH
>> uses the same 1001 account and makes calls.
>>
>> I put a condition in xml_dialplan to verify and allow only registered SIP
>> accounts to call, as
>>
>> <condition field="${sofia_contact(*/1001@freeswitchIP)}" expression="^[^@]+@(.+)">
>>
>> but the hacker found some way to pass the regex through some hole in my script
>> and make calls.
>>
>> dialplan xml is
>> http://pastebin.freeswitch.org/22054
>> fs_cli log as
>> http://pastebin.freeswitch.org/22050
>> xml_cdr is
>> http://pastebin.freeswitch.org/22052
>>
>> I also tried to reproduce the scenario but had no success, but now I want to
>> know how the hacker made a successful call in the above scenario and what is the
>> best way to prevent hacking in future.
>>
>> Regards
>>
>> Shahzad Bhatti
>>
>>
>> ---------- Forwarded message ----------
>> From: Shahzad Bhatti <shahzad.bhatti at g-r-v.com>
>> Date: Fri, Feb 28, 2014 at 11:51 PM
>> Subject: Call Without Authorization
>> To: freeswitch-users at lists.freeswitch.org
>>
>>
>> Hi everybody,
>>
>> I created my xml_curl script so that it doesn't allow unregistered calls, with
>> the following condition
>>
>> <condition field=\"\${sofia_contact(*/{$sipuser}@$domain)}\" expression=\"^[^@]+@(.+)\">
>>
>> and it's working, but yesterday a call was originated having
>>
>> fs_cli log as
>> http://pastebin.freeswitch.org/22050
>>
>> xml_cdr is
>> http://pastebin.freeswitch.org/22052
>>
>> dialplan xml is
>> http://pastebin.freeswitch.org/22054
>>
>> this is only an example of how the hacker breached.
>>
>> I want to know:
>> 1. how is it possible that this call was originated, as I check a condition
>> that allows only registered SIP accounts to call?
>> 2. how to prevent this from happening in future?
>> 3. if there is any better way to do that, do inform me.
>>
>> I checked about 500 calls placed under the given scenario and many of them
>> were also answered.
>>
>> Regards
>>
>> Shahzad Bhatti
>>
>>
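The condition Shahzad quotes checks only whether a registration for 1001 exists, not whether the INVITE being routed actually came from that registered endpoint; Donny's advice to "check your cdr" is the complementary after-the-fact control. The script below is an added example for this thread, not code from either poster or from FreeSWITCH: it applies the thread's own regex to a sofia_contact-style string, shows a stricter check that compares the registered contact's IP with the call's source address, and sweeps constructed CDR rows for calls the registration table does not vouch for. The contact format (`sofia/<profile>/sip:user@host:port`), the `error/user_not_registered` reply for an unknown user, and the channel-variable names `username`, `network_addr`, `destination_number`, `start_stamp`, `billsec` and `sip_authorized` are FreeSWITCH's as I know them; all addresses, users and call rows are constructed for the example.

```python
"""
Added example (not from the thread): why
  <condition field="${sofia_contact(*/1001@domain)}" expression="^[^@]+@(.+)">
only proves that *someone* is registered as 1001, and how to audit call
records against the registration table. All sample data is constructed.
"""
import re
from collections import Counter
from datetime import datetime

# The thread's own regex: "anything@" then capture the host part.
CONTACT_RE = re.compile(r"^[^@]+@(.+)")

# Constructed registration table in the shape sofia_contact returns
# (dial string "sofia/<profile>/sip:user@host:port[;params]").
REGISTRATIONS = {
    "1001": "sofia/internal/sip:1001@192.0.2.10:5060;fs_nat=yes",
}


def sofia_contact(user, registrations=REGISTRATIONS):
    """Mimic the sofia_contact API: dial string if registered, else the error string."""
    return registrations.get(user, "error/user_not_registered")


def registered_host(contact):
    """Apply the thread's regex; return the captured host[:port][;params] or None."""
    m = CONTACT_RE.match(contact)
    return m.group(1) if m else None


def passes_page_condition(user, registrations=REGISTRATIONS):
    """The thread's check: allow the call if any registration for `user` exists."""
    return registered_host(sofia_contact(user, registrations)) is not None


def contact_ip(contact):
    """Strip port and parameters from the captured host part (IPv4 assumed)."""
    host = registered_host(contact)
    if host is None:
        return None
    return host.split(";")[0].split(":")[0]


def passes_source_check(user, network_addr, registrations=REGISTRATIONS):
    """Stricter check: the INVITE's source IP must equal the registered contact's IP."""
    ip = contact_ip(sofia_contact(user, registrations))
    return ip is not None and ip == network_addr


# Constructed CDR rows using FreeSWITCH channel-variable names. Rows 2 and 3
# model calls claiming to be 1001 from an address that never registered;
# row 4 is a user with no registration at all.
CDRS = [
    {"username": "1001", "network_addr": "192.0.2.10", "destination_number": "2002",
     "start_stamp": "2014-02-26 09:12:00", "billsec": 40, "sip_authorized": "true"},
    {"username": "1001", "network_addr": "198.51.100.7", "destination_number": "00123456789",
     "start_stamp": "2014-02-27 03:20:00", "billsec": 0, "sip_authorized": ""},
    {"username": "1001", "network_addr": "198.51.100.7", "destination_number": "00123456790",
     "start_stamp": "2014-03-01 02:05:00", "billsec": 610, "sip_authorized": ""},
    {"username": "1002", "network_addr": "203.0.113.9", "destination_number": "00123456791",
     "start_stamp": "2014-03-01 02:09:00", "billsec": 0, "sip_authorized": ""},
]


def audit(cdrs, registrations=REGISTRATIONS):
    """Return (row, reasons) for every call the registration table does not vouch for."""
    findings = []
    for row in cdrs:
        reasons = []
        if not passes_source_check(row["username"], row["network_addr"], registrations):
            reasons.append("source IP is not the registered contact")
        if row.get("sip_authorized") != "true":
            reasons.append("call was not digest-authorized")
        if reasons:
            findings.append((row, reasons))
    return findings


def attempts_by_weekday(cdrs):
    """Count zero-duration (unanswered or probing) attempts per weekday name."""
    counts = Counter()
    for row in cdrs:
        if row["billsec"] == 0:
            day = datetime.strptime(row["start_stamp"], "%Y-%m-%d %H:%M:%S").strftime("%A")
            counts[day] += 1
    return dict(counts)


if __name__ == "__main__":
    print("thread's condition passes for 1001:", passes_page_condition("1001"))
    for row, reasons in audit(CDRS):
        print(row["username"], row["network_addr"], "->", "; ".join(reasons))
    print("zero-duration attempts by weekday:", attempts_by_weekday(CDRS))
```

Run against the constructed rows, the thread's condition says "allowed" for every call claiming to be 1001, while the source check and the `sip_authorized` flag together separate the one call that came from the registered phone from the rest. In a real deployment the registration table would come from `sofia_contact` or `show registrations` and the rows from xml_cdr, and the weekday count is only a coarse version of Donny's "weekday probing, weekend abuse" pattern.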