[Freeswitch-users] Need help to stop this hack into FreeSwitch!
Lloyd Aloysius
lloyd.aloysius at gmail.com
Tue May 20 22:24:45 MSD 2014
Your firewall settings may have issues. Also check your FreeSWITCH
settings.
https://confluence.freeswitch.org/display/FREESWITCH/Fail2Ban
Also check your profile parameter *auth-calls*
Lloyd
On Tue, May 20, 2014 at 2:12 PM, Sean Devoy <sdevoy at bizfocused.com> wrote:
> Mario,
>
> Assuming you are not on Windows, you need to run this line:
> iptables -A INPUT -s 85.25.198.0/24 -j DROP
>
> That will block that class C subnet from your system completely. That is
> the subnet their traffic is coming from. But I am not sure they have not
> authenticated (registered) on your server. If you are on Windows, let me
> know, I can help there too.
>
> Please send the output from:
> iptables -L -v
>
> and from the FS console:
> show registrations
>
> Sean.
>
> -----Original Message-----
> From: freeswitch-users-bounces at lists.freeswitch.org [mailto:
> freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Mario G
> Sent: Tuesday, May 20, 2014 12:57 PM
> To: FreeSWITCH Users Help
> Subject: [Freeswitch-users] Need help to stop this hack into FreeSwitch!
>
> Someone has gotten into my FreeSwitch, my firewall is set to only allow
> SIP traffic from my ITSP, and I added a rule to block the bad address but
> it did not work so I am baffled. It looks like 85.25.198.253 (Germany) is
> making a call to me and trying to call out. I would really appreciate any
> ideas on what kind of general FW rule to add to prevent this, I don't know
> what is going on. Next I'll run PCAPs. I was thinking of a rule to block
> all outgoing SIP traffic except to the ITSP. Would appreciate help,
> especially an explanation of what they are trying to do in FS.
> Mario G
>
> * Started May 19 8am, goes through all 7 sip accounts every 10 seconds
> * Each time it starts at extension 1000, goes through all 7 accounts, then
> waits 10 seconds, the extension is incremented by 1 and goes through all 7
> accounts, this repeats until finally stopping at extension 9010, then
> starts at a different time of day hours later.
>
> * My account is itsp1 and itsp2, there are 5 more but I cut them out to
> reduce this.
> * 1.2.3.4 is my public wan address.
> * They look like 85.25.198.253, but blocking that in the FW does not
> help. Odd since I have done that before and it worked.
> * The "processing 4003 <4003>->+972592406392" is baffling.
>
> This is a short/reduced snippet from the log:
> 2014-05-19 17:02:23.827470 [NOTICE] switch_channel.c:1054 New Channel
> sofia/itsp1/4003 at 1.2.3.4 [2837a51d-b25d-4b42-9fd9-f5b772d93f70]
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal
> sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467
> (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal
> sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4receiving invite from
> 85.25.198.253:5074 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6200 Channel sofia/itsp1/
> 4003 at 1.2.3.4 entering state [received][100]
> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6210 Remote SDP:
> v=0
> o=sipcli-Session 1785091527 1239589188 IN IP4 85.25.198.253 s=sipcli c=IN
> IP4 85.25.198.253
> t=0 0
> m=audio 5075 RTP/AVP 18 0 8 101
> a=rtpmap:18 G729/8000
> a=rtpmap:0 PCMU/8000
> a=rtpmap:8 PCMA/8000
> a=rtpmap:101 telephone-event/8000
> a=fmtp:101 0-15
> a=ptime:20
>
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3437 Audio Codec
> Compare [PCMA:8:8000:20:64000] ++++ is saved as a match
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3383 Audio Codec
> Compare [PCMA:8:8000:20:64000]/[GSM:3:8000:20:13200]
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3309 Set
> telephone-event payload to 101
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:2343 Set Codec
> sofia/itsp1/4003 at 1.2.3.4 PCMU/8000 20 ms 160 samples 64000 bits
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_codec.c:111 sofia/itsp1/
> 4003 at 1.2.3.4 Original read codec set to PCMU:0
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3626 Set 2833 dtmf
> send/recv payload to 101
> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6485 (sofia/itsp1/4003 at 1.2.3.4)
> State Change CS_NEW -> CS_INIT
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal
> sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:486
> (sofia/itsp1/4003 at 1.2.3.4) State NEW
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467
> (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_INIT
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507
> (sofia/itsp1/4003 at 1.2.3.4) State INIT
> 2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:87 sofia/itsp1/4003 at 1.2.3.4SOFIA INIT
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:40
> sofia/itsp1/4003 at 1.2.3.4 Standard INIT
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:48
> (sofia/itsp1/4003 at 1.2.3.4) State Change CS_INIT -> CS_ROUTING
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal
> sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507
> (sofia/itsp1/4003 at 1.2.3.4) State INIT going to sleep
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467
> (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_ROUTING
> 2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:2178 (sofia/itsp1/
> 4003 at 1.2.3.4) Callstate Change DOWN -> RINGING
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523
> (sofia/itsp1/4003 at 1.2.3.4) State ROUTING
> 2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:123 sofia/itsp1/
> 4003 at 1.2.3.4 SOFIA ROUTING
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:164
> sofia/itsp1/4003 at 1.2.3.4 Standard ROUTING
> 2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003
> <4003>->+972592406392 in context public
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->unloop] continue=false
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (PASS) [unloop]
> ${unroll_loops}(true) =~ /^true$/ break=on-false
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [unloop]
> ${sip_looped_call}() =~ /^true$/ break=on-false
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->outside_call]
> continue=true
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Absolute Condition [outside_call]
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action set(outside_call=true)
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action
> export(RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)})
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->call_debug]
> continue=true
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [call_debug]
> ${call_debug}(false) =~ /^true$/ break=never
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->public_extensions]
> continue=false
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [public_extensions]
> destination_number(+972592406392) =~ /^([1-2][0-1][0-3])$/ break=on-false
> .......... deleted lines
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp1_did]
> destination_number(+972592406392) =~ /^(1212121212121)$/ break=on-false
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->itsp2_did]
> continue=false
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp2_did]
> destination_number(+972592406392) =~ /^(1313131313131)$/ break=on-false
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:214
> (sofia/itsp1/4003 at 1.2.3.4) State Change CS_ROUTING -> CS_EXECUTE
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal
> sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523
> (sofia/itsp1/4003 at 1.2.3.4) State ROUTING going to sleep
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467
> (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_EXECUTE
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530
> (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE
> 2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:178 sofia/itsp1/
> 4003 at 1.2.3.4 SOFIA EXECUTE
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:256
> sofia/itsp1/4003 at 1.2.3.4 Standard EXECUTE EXECUTE sofia/itsp1/4003 at 1.2.3.4set(outside_call=true)
> 2014-05-19 17:02:23.827470 [DEBUG] mod_dptools.c:1435 sofia/itsp1/
> 4003 at 1.2.3.4 SET [outside_call]=[true] EXECUTE sofia/itsp1/4003 at 1.2.3.4export(RFC2822_DATE=Mon, 19 May 2014 17:02:23 -0700)
> 2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:1246 EXPORT
> (export_vars) [RFC2822_DATE]=[Mon, 19 May 2014 17:02:23 -0700]
> 2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:313
> sofia/itsp1/4003 at 1.2.3.4 has executed the last dialplan instruction,
> hanging up.
> 2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:315 Hangup
> sofia/itsp1/4003 at 1.2.3.4 [CS_EXECUTE] [NORMAL_CLEARING]
> 2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:3216 Send signal
> sofia/itsp1/4003 at 1.2.3.4 [KILL]
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal
> sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530
> (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE going to sleep
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467
> (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_HANGUP
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:730
> (sofia/itsp1/4003 at 1.2.3.4) Callstate Change RINGING -> HANGUP
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732
> (sofia/itsp1/4003 at 1.2.3.4) State HANGUP
> 2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:413 Channel sofia/itsp1/
> 4003 at 1.2.3.4 hanging up, cause: NORMAL_CLEARING
> 2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:547 Responding to INVITE
> with: 480
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:58
> sofia/itsp1/4003 at 1.2.3.4 Standard HANGUP, cause: NORMAL_CLEARING
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732
> (sofia/itsp1/4003 at 1.2.3.4) State HANGUP going to sleep
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:499
> (sofia/itsp1/4003 at 1.2.3.4) State Change CS_HANGUP -> CS_REPORTING
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal
> sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:467
> (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_REPORTING
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818
> (sofia/itsp1/4003 at 1.2.3.4) State REPORTING
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:102
> sofia/itsp1/4003 at 1.2.3.4 Standard REPORTING, cause: NORMAL_CLEARING
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818
> (sofia/itsp1/4003 at 1.2.3.4) State REPORTING going to sleep
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:493
> (sofia/itsp1/4003 at 1.2.3.4) State Change CS_REPORTING -> CS_DESTROY
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal
> sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1604 Session 234
> (sofia/itsp1/4003 at 1.2.3.4) Locked, Waiting on external entities
> 2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1622 Session 234
> (sofia/itsp1/4003 at 1.2.3.4) Ended
> 2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1626 Close
> Channel sofia/itsp1/4003 at 1.2.3.4 [CS_DESTROY]
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:618
> (sofia/itsp1/4003 at 1.2.3.4) Callstate Change HANGUP -> DOWN
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:621
> (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_DESTROY
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631
> (sofia/itsp1/4003 at 1.2.3.4) State DESTROY
> 2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:323 sofia/itsp1/
> 4003 at 1.2.3.4 SOFIA DESTROY
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:109
> sofia/itsp1/4003 at 1.2.3.4 Standard DESTROY
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631
> (sofia/itsp1/4003 at 1.2.3.4) State DESTROY going to sleep
> 2014-05-19 17:02:25.107472 [NOTICE] switch_channel.c:1054 New Channel
> sofia/itsp1/4003 at 1.2.3.4 [364bd3e4-2c4b-4412-b259-10cfb0b6c391]
> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal
> sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_state_machine.c:467
> (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal
> sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4receiving invite from
> 85.25.198.253:5084 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
> 2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6200 Channel sofia/itsp1/
> 4003 at 1.2.3.4 entering state [received][100]
> 2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6210 Remote SDP:
> v=0
> o=sipcli-Session 17343503 2124966596 IN IP4 85.25.198.253 s=sipcli c=IN
> IP4 85.25.198.253
> t=0 0
> m=audio 5085 RTP/AVP 18 0 8 101
> a=rtpmap:18 G729/8000
> a=rtpmap:0 PCMU/8000
> a=rtpmap:8 PCMA/8000
> a=rtpmap:101 telephone-event/8000
> a=fmtp:101 0-15
> a=ptime:20
>
> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_media.c:3383 Audio Codec
> Compare [G729:18:8000:20:8000]/[G722:9:8000:20:64000]
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
>
>
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
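The quoted log shows INVITEs reaching FreeSWITCH from an address the firewall was expected to exclude. As an added example (not part of the thread and not FreeSWITCH code), this Python script groups `receiving invite from` lines by source IP and reports every source outside an allowlist of ITSP networks, with the extensions it cycled through and the destinations it asked the dialplan for. The sample log is constructed, and `203.0.113.0/24` as the ITSP network and the pairing of `Processing` lines to INVITEs by caller number are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the quoted log ("@" restored where the
# list archive shows " at "). 203.0.113.10 is an assumed ITSP address.
SAMPLE_LOG = """\
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003@1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b
2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp2/4003@1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b
2014-05-19 17:02:25.107472 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
2014-05-19 17:02:35.200000 [DEBUG] sofia.c:8334 sofia/itsp1/4004@1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b
2014-05-19 17:02:35.200000 [INFO] mod_dialplan_xml.c:558 Processing 4004 <4004>->+972592406392 in context public
2014-05-19 17:05:00.000000 [DEBUG] sofia.c:8334 sofia/itsp1/5551234@1.2.3.4 receiving invite from 203.0.113.10:5060 version: 1.5.13b
2014-05-19 17:05:00.000000 [INFO] mod_dialplan_xml.c:558 Processing 5551234 <5551234>->1212121212121 in context public
"""

INVITE_RE = re.compile(
    r"sofia/(?P<profile>[^/\s]+)/(?P<user>[^@\s]+)@\S+ receiving invite from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+")
ROUTE_RE = re.compile(
    r"Processing .*?<(?P<caller>[^>]*)>->(?P<dest>\S+) in context (?P<ctx>\S+)")

def summarize(log_text, allowed_nets):
    """Group inbound INVITEs by source IP; return only sources outside allowed_nets."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    last_src = {}  # caller number -> source IP of its most recent INVITE (assumed pairing)
    stats = defaultdict(lambda: {"invites": 0, "users": set(),
                                 "profiles": set(), "dests": set()})
    for line in log_text.splitlines():
        m = INVITE_RE.search(line)
        if m:
            s = stats[m["ip"]]
            s["invites"] += 1
            s["users"].add(m["user"])        # extension claimed in the From user
            s["profiles"].add(m["profile"])  # sofia profile that accepted the INVITE
            last_src[m["user"]] = m["ip"]
            continue
        m = ROUTE_RE.search(line)
        if m and m["caller"] in last_src:    # destination the caller tried to reach
            stats[last_src[m["caller"]]]["dests"].add((m["ctx"], m["dest"]))
    return {ip: s for ip, s in stats.items()
            if not any(ipaddress.ip_address(ip) in n for n in nets)}

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG, ["203.0.113.0/24"]).items():
        print(ip, s["invites"], sorted(s["users"]), sorted(s["dests"]))
```

iptables evaluates rules in order, so a DROP appended with `-A` after a matching ACCEPT never sees the traffic; the per-rule packet counters in `iptables -L -v` show which rule is matching.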