[Freeswitch-users] Need help to stop this hack into FreeSwitch!

Mario G mario_fs at mgtech.com
Tue May 20 22:02:42 MSD 2014


Will look into fail2ban, there is no activity for these calls on the ITSP so somehow they are coming in as my ITSP IP? If so, the ITSP should know about this. Yes, just happens the dial plan can’t handle that number. Yes, authentication is on, yes a nuisance but the router log show huge traffic spikes during these times. I am trying to figure out a rule for the FW so it can handle this from other IPs. Thanks,
Mario G

On May 20, 2014, at 10:32 AM, Lawrence Conroy <lconroy at insensate.co.uk> wrote:

> Hi Mario,
> +972 - Aha -- our friends in the Gaza Strip/Ramallah at work.
> Fail2Ban worked very nicely to deal with this excrescence for me.
> 
> I assume that you do require authentication before calling out.
> outside_calling is being set, so it's certainly armed (i.e., the dialplan knows that this is a non-local call).
> Thus I'd guess fS drops the call as it skips any outcalling originate command.
> 
> => Looks like you have a call in from what purports to be your ITSP with a destination number of +972... @ <your domain>, it hits 4003, and that context doesn't allow the call to proceed.
> So ... it's a nuisance, but at least it isn't costing you money.
> 
> Is this what you're seeing? The dialplan is simply not allowing the outside_call to go anywhere when it's to an external number.
> 
> all the best,
>  Lawrence
> 
> On 20 May 2014, at 17:57, Mario G <mario_fs at mgtech.com> wrote:
>> Someone has gotten into my FreeSwitch, my firewall is set to only allow SIP traffic from my ITSP, and I added a rule to block the bad address but it did not work so I am baffled. It looks like 85.25.198.253 (Germany) is making a call to me and trying to call out. I would really appreciate any ideas on what kind of general FW rule to add to prevent this, I don’t know what is going on. Next I’ll run PCAPs. I was thinking of a rule to block all outgoing SIP traffic except to the ITSP. Would appreciate help, especially an explanation of what they are trying to do in FS.
>> Mario G
>> 
>> * Started May 19 8am, goes through all 7 sip accounts every 10 seconds
>> * Each time it starts at extension 1000, goes through all 7 accounts, then waits 10 seconds, the extension is incremented by 1 and goes through all 7 accounts, this repeats until finally stopping at extension 9010, then starts at a different time of day hours later.
>> 
>> * My account is itsp1 and itsp2, there are 5 more but I cut them out to reduce this.
>> * 1.2.3.4 is my public wan address.
>> * They look like  85.25.198.253, but blocking that in the FW does not help. Odd since I have done that before and it worked.
>> * The "processing 4003 <4003>->+972592406392” is baffling.
>> 
>> This is a short/reduced snippet from the log:
>> 2014-05-19 17:02:23.827470 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [2837a51d-b25d-4b42-9fd9-f5b772d93f70]
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
>> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
>> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6210 Remote SDP:
>> v=0
>> o=sipcli-Session 1785091527 1239589188 IN IP4 85.25.198.253
>> s=sipcli
>> c=IN IP4 85.25.198.253
>> t=0 0
>> m=audio 5075 RTP/AVP 18 0 8 101
>> a=rtpmap:18 G729/8000
>> a=rtpmap:0 PCMU/8000
>> a=rtpmap:8 PCMA/8000
>> a=rtpmap:101 telephone-event/8000
>> a=fmtp:101 0-15
>> a=ptime:20
>> 
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3437 Audio Codec Compare [PCMA:8:8000:20:64000] ++++ is saved as a match
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [PCMA:8:8000:20:64000]/[GSM:3:8000:20:13200]
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3309 Set telephone-event payload to 101
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:2343 Set Codec sofia/itsp1/4003 at 1.2.3.4 PCMU/8000 20 ms 160 samples 64000 bits
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_codec.c:111 sofia/itsp1/4003 at 1.2.3.4 Original read codec set to PCMU:0
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3626 Set 2833 dtmf send/recv payload to 101
>> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6485 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_NEW -> CS_INIT
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:486 (sofia/itsp1/4003 at 1.2.3.4) State NEW
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_INIT
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507 (sofia/itsp1/4003 at 1.2.3.4) State INIT
>> 2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:87 sofia/itsp1/4003 at 1.2.3.4 SOFIA INIT
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:40 sofia/itsp1/4003 at 1.2.3.4 Standard INIT
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:48 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_INIT -> CS_ROUTING
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507 (sofia/itsp1/4003 at 1.2.3.4) State INIT going to sleep
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_ROUTING
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:2178 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change DOWN -> RINGING
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523 (sofia/itsp1/4003 at 1.2.3.4) State ROUTING
>> 2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:123 sofia/itsp1/4003 at 1.2.3.4 SOFIA ROUTING
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:164 sofia/itsp1/4003 at 1.2.3.4 Standard ROUTING
>> 2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->unloop] continue=false
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (PASS) [unloop] ${unroll_loops}(true) =~ /^true$/ break=on-false
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [unloop] ${sip_looped_call}() =~ /^true$/ break=on-false
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->outside_call] continue=true
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Absolute Condition [outside_call]
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action set(outside_call=true) 
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action export(RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)}) 
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->call_debug] continue=true
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [call_debug] ${call_debug}(false) =~ /^true$/ break=never
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->public_extensions] continue=false
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [public_extensions] destination_number(+972592406392) =~ /^([1-2][0-1][0-3])$/ break=on-false
>> ………. deleted lines
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp1_did] destination_number(+972592406392) =~ /^(1212121212121)$/ break=on-false
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->itsp2_did] continue=false
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp2_did] destination_number(+972592406392) =~ /^(1313131313131)$/ break=on-false
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:214 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_ROUTING -> CS_EXECUTE
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523 (sofia/itsp1/4003 at 1.2.3.4) State ROUTING going to sleep
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_EXECUTE
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530 (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE
>> 2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:178 sofia/itsp1/4003 at 1.2.3.4 SOFIA EXECUTE
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:256 sofia/itsp1/4003 at 1.2.3.4 Standard EXECUTE
>> EXECUTE sofia/itsp1/4003 at 1.2.3.4 set(outside_call=true)
>> 2014-05-19 17:02:23.827470 [DEBUG] mod_dptools.c:1435 sofia/itsp1/4003 at 1.2.3.4 SET [outside_call]=[true]
>> EXECUTE sofia/itsp1/4003 at 1.2.3.4 export(RFC2822_DATE=Mon, 19 May 2014 17:02:23 -0700)
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:1246 EXPORT (export_vars) [RFC2822_DATE]=[Mon, 19 May 2014 17:02:23 -0700]
>> 2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:313 sofia/itsp1/4003 at 1.2.3.4 has executed the last dialplan instruction, hanging up.
>> 2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:315 Hangup sofia/itsp1/4003 at 1.2.3.4 [CS_EXECUTE] [NORMAL_CLEARING]
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:3216 Send signal sofia/itsp1/4003 at 1.2.3.4 [KILL]
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530 (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE going to sleep
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_HANGUP
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:730 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change RINGING -> HANGUP
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP
>> 2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:413 Channel sofia/itsp1/4003 at 1.2.3.4 hanging up, cause: NORMAL_CLEARING
>> 2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:547 Responding to INVITE with: 480
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:58 sofia/itsp1/4003 at 1.2.3.4 Standard HANGUP, cause: NORMAL_CLEARING
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP going to sleep
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:499 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_HANGUP -> CS_REPORTING
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_REPORTING
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:102 sofia/itsp1/4003 at 1.2.3.4 Standard REPORTING, cause: NORMAL_CLEARING
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING going to sleep
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:493 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_REPORTING -> CS_DESTROY
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1604 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Locked, Waiting on external entities
>> 2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1622 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Ended
>> 2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1626 Close Channel sofia/itsp1/4003 at 1.2.3.4 [CS_DESTROY]
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:618 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change HANGUP -> DOWN
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:621 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_DESTROY
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY
>> 2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:323 sofia/itsp1/4003 at 1.2.3.4 SOFIA DESTROY
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:109 sofia/itsp1/4003 at 1.2.3.4 Standard DESTROY
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY going to sleep
>> 2014-05-19 17:02:25.107472 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [364bd3e4-2c4b-4412-b259-10cfb0b6c391]
>> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
>> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
>> 2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
>> 2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6210 Remote SDP:
>> v=0
>> o=sipcli-Session 17343503 2124966596 IN IP4 85.25.198.253
>> s=sipcli
>> c=IN IP4 85.25.198.253
>> t=0 0
>> m=audio 5085 RTP/AVP 18 0 8 101
>> a=rtpmap:18 G729/8000
>> a=rtpmap:0 PCMU/8000
>> a=rtpmap:8 PCMA/8000
>> a=rtpmap:101 telephone-event/8000
>> a=fmtp:101 0-15
>> a=ptime:20
>> 
>> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [G729:18:8000:20:8000]/[G722:9:8000:20:64000]
>> 
>> 
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>> 
>> 
>> 
>> 
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>> 
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
> 
> 
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
> 
> 
> 
> 
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
> 
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org




Join us at ClueCon 2013 Aug 6-8, 2013
More information about the FreeSWITCH-users mailing list