[Freeswitch-users] Need help to stop this hack into FreeSwitch!

Oz Mortimer omortimer at gmail.com
Tue May 20 23:28:03 MSD 2014


At a guess, check the cli they are sending from. Then have a look at your user acl.
Could it be you have id=123 cidr=...
If the caller sends with cli 123, depending on your setup the call will pass and go to the associated context. 
Just a wild stab in the dark, but I've seen this happen, and fail2ban obviously wouldn't capture it.

> On 20 May 2014, at 19:29, Mario G <mario_fs at mgtech.com> wrote:
> 
> I am on OS X, no iptables; show registrations only shows internal phones, nothing else. I am sure they are not registered. It just looks like an incoming call trying to dial out.
> Mario G 
> 
>> On May 20, 2014, at 11:12 AM, Sean Devoy <sdevoy at bizfocused.com> wrote:
>> 
>> Mario,
>> 
>> Assuming you are not on Windows, you need to run this line:
>> iptables -A INPUT -s 85.25.198.0/24 -j DROP
>> 
>> That will block that class C subnet from your system completely. That is the subnet their traffic is coming from. But I am not sure they have not authenticated (registered) on your server. If you are on Windows, let me know; I can help there too.
>> 
>> Please send the output from:
>> iptables -L -v
>> 
>> and from the FS console:
>> show registrations
>> 
>> Sean.
>> 
>> -----Original Message-----
>> From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Mario G
>> Sent: Tuesday, May 20, 2014 12:57 PM
>> To: FreeSWITCH Users Help
>> Subject: [Freeswitch-users] Need help to stop this hack into FreeSwitch!
>> 
>> Someone has gotten into my FreeSwitch. My firewall is set to only allow SIP traffic from my ITSP, and I added a rule to block the bad address, but it did not work, so I am baffled. It looks like 85.25.198.253 (Germany) is making a call to me and trying to call out. I would really appreciate any ideas on what kind of general FW rule to add to prevent this; I don't know what is going on. Next I'll run PCAPs. I was thinking of a rule to block all outgoing SIP traffic except to the ITSP. I would appreciate help, especially an explanation of what they are trying to do in FS.
>> Mario G
>> 
>> * Started May 19 at 8am; goes through all 7 SIP accounts every 10 seconds.
>> * Each time it starts at extension 1000 and goes through all 7 accounts, then waits 10 seconds; the extension is incremented by 1 and it goes through all 7 accounts again. This repeats until it finally stops at extension 9010, then starts again at a different time of day, hours later.
>> 
>> * My accounts are itsp1 and itsp2; there are 5 more, but I cut them out to shorten this.
>> * 1.2.3.4 is my public WAN address.
>> * They look like 85.25.198.253, but blocking that in the FW does not help. Odd, since I have done that before and it worked.
>> * The "processing 4003 <4003>->+972592406392" is baffling.
>> 
>> This is a short/reduced snippet from the log:
>> 2014-05-19 17:02:23.827470 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [2837a51d-b25d-4b42-9fd9-f5b772d93f70]
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
>> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
>> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6210 Remote SDP:
>> v=0
>> o=sipcli-Session 1785091527 1239589188 IN IP4 85.25.198.253
>> s=sipcli
>> c=IN IP4 85.25.198.253
>> t=0 0
>> m=audio 5075 RTP/AVP 18 0 8 101
>> a=rtpmap:18 G729/8000
>> a=rtpmap:0 PCMU/8000
>> a=rtpmap:8 PCMA/8000
>> a=rtpmap:101 telephone-event/8000
>> a=fmtp:101 0-15
>> a=ptime:20
>> 
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3437 Audio Codec Compare [PCMA:8:8000:20:64000] ++++ is saved as a match
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [PCMA:8:8000:20:64000]/[GSM:3:8000:20:13200]
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3309 Set telephone-event payload to 101
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:2343 Set Codec sofia/itsp1/4003 at 1.2.3.4 PCMU/8000 20 ms 160 samples 64000 bits
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_codec.c:111 sofia/itsp1/4003 at 1.2.3.4 Original read codec set to PCMU:0
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3626 Set 2833 dtmf send/recv payload to 101
>> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6485 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_NEW -> CS_INIT
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:486 (sofia/itsp1/4003 at 1.2.3.4) State NEW
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_INIT
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507 (sofia/itsp1/4003 at 1.2.3.4) State INIT
>> 2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:87 sofia/itsp1/4003 at 1.2.3.4 SOFIA INIT
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:40 sofia/itsp1/4003 at 1.2.3.4 Standard INIT
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:48 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_INIT -> CS_ROUTING
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507 (sofia/itsp1/4003 at 1.2.3.4) State INIT going to sleep
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_ROUTING
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:2178 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change DOWN -> RINGING
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523 (sofia/itsp1/4003 at 1.2.3.4) State ROUTING
>> 2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:123 sofia/itsp1/4003 at 1.2.3.4 SOFIA ROUTING
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:164 sofia/itsp1/4003 at 1.2.3.4 Standard ROUTING
>> 2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->unloop] continue=false
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (PASS) [unloop] ${unroll_loops}(true) =~ /^true$/ break=on-false
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [unloop] ${sip_looped_call}() =~ /^true$/ break=on-false
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->outside_call] continue=true
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Absolute Condition [outside_call]
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action set(outside_call=true)
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action export(RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)})
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->call_debug] continue=true
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [call_debug] ${call_debug}(false) =~ /^true$/ break=never
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->public_extensions] continue=false
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [public_extensions] destination_number(+972592406392) =~ /^([1-2][0-1][0-3])$/ break=on-false .......... deleted lines
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp1_did] destination_number(+972592406392) =~ /^(1212121212121)$/ break=on-false
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->itsp2_did] continue=false
>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp2_did] destination_number(+972592406392) =~ /^(1313131313131)$/ break=on-false
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:214 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_ROUTING -> CS_EXECUTE
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523 (sofia/itsp1/4003 at 1.2.3.4) State ROUTING going to sleep
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_EXECUTE
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530 (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE
>> 2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:178 sofia/itsp1/4003 at 1.2.3.4 SOFIA EXECUTE
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:256 sofia/itsp1/4003 at 1.2.3.4 Standard EXECUTE
>> EXECUTE sofia/itsp1/4003 at 1.2.3.4 set(outside_call=true)
>> 2014-05-19 17:02:23.827470 [DEBUG] mod_dptools.c:1435 sofia/itsp1/4003 at 1.2.3.4 SET [outside_call]=[true]
>> EXECUTE sofia/itsp1/4003 at 1.2.3.4 export(RFC2822_DATE=Mon, 19 May 2014 17:02:23 -0700)
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:1246 EXPORT (export_vars) [RFC2822_DATE]=[Mon, 19 May 2014 17:02:23 -0700]
>> 2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:313 sofia/itsp1/4003 at 1.2.3.4 has executed the last dialplan instruction, hanging up.
>> 2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:315 Hangup sofia/itsp1/4003 at 1.2.3.4 [CS_EXECUTE] [NORMAL_CLEARING]
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:3216 Send signal sofia/itsp1/4003 at 1.2.3.4 [KILL]
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530 (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE going to sleep
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_HANGUP
>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:730 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change RINGING -> HANGUP
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP
>> 2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:413 Channel sofia/itsp1/4003 at 1.2.3.4 hanging up, cause: NORMAL_CLEARING
>> 2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:547 Responding to INVITE with: 480
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:58 sofia/itsp1/4003 at 1.2.3.4 Standard HANGUP, cause: NORMAL_CLEARING
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP going to sleep
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:499 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_HANGUP -> CS_REPORTING
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_REPORTING
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:102 sofia/itsp1/4003 at 1.2.3.4 Standard REPORTING, cause: NORMAL_CLEARING
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING going to sleep
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:493 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_REPORTING -> CS_DESTROY
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1604 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Locked, Waiting on external entities
>> 2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1622 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Ended
>> 2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1626 Close Channel sofia/itsp1/4003 at 1.2.3.4 [CS_DESTROY]
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:618 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change HANGUP -> DOWN
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:621 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_DESTROY
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY
>> 2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:323 sofia/itsp1/4003 at 1.2.3.4 SOFIA DESTROY
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:109 sofia/itsp1/4003 at 1.2.3.4 Standard DESTROY
>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY going to sleep
>> 2014-05-19 17:02:25.107472 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [364bd3e4-2c4b-4412-b259-10cfb0b6c391]
>> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
>> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>> 2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
>> 2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
>> 2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6210 Remote SDP:
>> v=0
>> o=sipcli-Session 17343503 2124966596 IN IP4 85.25.198.253
>> s=sipcli
>> c=IN IP4 85.25.198.253
>> t=0 0
>> m=audio 5085 RTP/AVP 18 0 8 101
>> a=rtpmap:18 G729/8000
>> a=rtpmap:0 PCMU/8000
>> a=rtpmap:8 PCMA/8000
>> a=rtpmap:101 telephone-event/8000
>> a=fmtp:101 0-15
>> a=ptime:20
>> 
>> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [G729:18:8000:20:8000]/[G722:9:8000:20:64000]
>> 
>> 
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>> 
>>  
>> 
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>> 
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
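The pattern Mario describes (an INVITE per account every few seconds, the caller ID walking up through extension numbers, every call landing in the public context and being answered with 480) can be picked out of the FreeSWITCH log mechanically, which is the check a defender wants before writing firewall or ACL rules. The script below is an added example, not code from this thread or from FreeSWITCH: it parses the "receiving invite from", "Processing ... in context" and "Responding to INVITE with" lines, groups INVITEs by source address, compares the source against an allow-list of ITSP networks, and flags untrusted sources that repeat, sweep caller IDs or push calls toward external numbers. The sample log lines, the 203.0.113.0/24 "ITSP" network, the thresholds and the external-number heuristic are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample log, modelled on the lines quoted in the thread. The
# 85.25.198.253 source is the address from the post; 203.0.113.10 is a
# documentation-range address standing in for a legitimate ITSP. (The list
# archive rewrote "@" in channel names as " at "; real logs use "@".)
SAMPLE_LOG = """\
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003@1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:547 Responding to INVITE with: 480
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp1/4003@1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:02:25.107472 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
2014-05-19 17:02:25.130000 [DEBUG] mod_sofia.c:547 Responding to INVITE with: 480
2014-05-19 17:02:33.000000 [DEBUG] sofia.c:8334 sofia/itsp2/4004@1.2.3.4 receiving invite from 85.25.198.253:5094 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:02:33.000000 [INFO] mod_dialplan_xml.c:558 Processing 4004 <4004>->+972592406392 in context public
2014-05-19 17:02:33.020000 [DEBUG] mod_sofia.c:547 Responding to INVITE with: 480
2014-05-19 17:05:00.000000 [DEBUG] sofia.c:8334 sofia/itsp1/1212121212121@1.2.3.4 receiving invite from 203.0.113.10:5060 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:05:00.000000 [INFO] mod_dialplan_xml.c:558 Processing 15551234567 <15551234567>->1212121212121 in context public
"""

# Constructed allow-list: the only networks that should ever send INVITEs.
TRUSTED_CIDRS = ["203.0.113.0/24"]

INVITE_RE = re.compile(
    r"sofia\.c:\d+ (?P<chan>sofia/.+?) receiving invite from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)
PROCESS_RE = re.compile(
    r"mod_dialplan_xml\.c:\d+ Processing (?P<caller>\S+) <[^>]*>->"
    r"(?P<dest>\S+) in context (?P<ctx>\S+)"
)
RESPONSE_RE = re.compile(r"Responding to INVITE with: (?P<code>\d{3})")


def parse_log(text):
    """Return one record per INVITE: source, caller ID, destination, context, answer.

    Assumption: calls are handled one at a time, so every line after a
    'receiving invite' belongs to that INVITE until its response is logged.
    Interleaved concurrent calls would need correlation by channel name.
    """
    records, current = [], None
    for line in text.splitlines():
        m = INVITE_RE.search(line)
        if m:
            current = {"ts": line[:26], "chan": m["chan"], "ip": m["ip"],
                       "port": int(m["port"]), "caller": None, "dest": None,
                       "context": None, "response": None}
            records.append(current)
            continue
        if current is None:
            continue
        m = PROCESS_RE.search(line)
        if m:
            current.update(caller=m["caller"], dest=m["dest"], context=m["ctx"])
            continue
        m = RESPONSE_RE.search(line)
        if m:
            current["response"] = int(m["code"])
            current = None  # this INVITE is finished
    return records


def summarize(records, trusted_cidrs):
    """Group INVITEs by source IP and mark whether the source is an allowed peer."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    summary = {}
    for r in records:
        s = summary.setdefault(r["ip"], {
            "invites": 0, "callers": set(), "destinations": set(),
            "contexts": set(), "rejected": 0,
            "trusted": any(ipaddress.ip_address(r["ip"]) in n for n in nets),
        })
        s["invites"] += 1
        if r["caller"]:
            s["callers"].add(r["caller"])
        if r["dest"]:
            s["destinations"].add(r["dest"])
        if r["context"]:
            s["contexts"].add(r["context"])
        if r["response"] and r["response"] >= 400:
            s["rejected"] += 1
    return summary


def flag_sources(summary, min_invites=3):
    """Untrusted sources that repeat, cycle caller IDs (an extension sweep) or aim
    at external numbers. The '+'/'00' prefix test is a constructed heuristic."""
    flagged = []
    for ip, s in sorted(summary.items()):
        if s["trusted"]:
            continue
        sweeping = len(s["callers"]) > 1
        external = any(d.startswith(("+", "00")) for d in s["destinations"])
        if s["invites"] >= min_invites or sweeping or external:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG), TRUSTED_CIDRS)
    for ip, s in report.items():
        print(f"{ip}: {s['invites']} INVITEs, {s['rejected']} rejected, "
              f"callers={sorted(s['callers'])}, dest={sorted(s['destinations'])}, "
              f"trusted={s['trusted']}")
    print("candidates for a firewall rule:", flag_sources(report))
```

Run it against a real `freeswitch.log` by reading the file into `parse_log`; an untrusted source that shows up in `flag_sources` is what the `iptables -A INPUT -s ... -j DROP` rule earlier in the thread is for, and the `contexts` set tells you whether those calls are reaching the public context unauthenticated, which is the question Sean raised.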
