[Freeswitch-users] Need help to stop this hack into FreeSwitch!
Mario G
mario_fs at mgtech.com
Wed May 21 00:10:10 MSD 2014
Thanks for the suggestions, I will do a PCAP in the router next time to see what is happening. It was suggested that the IP address could be a proxy, also I did not block TCP SIP ports, only UDP so that is now set. Will post when I have more info in case someone else runs into this.
Mario G
On May 20, 2014, at 12:28 PM, Oz Mortimer <omortimer at gmail.com> wrote:
> At a guess, check the cli they are sending from. Then have a look at your user acl.
> Could it be you have id=123 cidr=...
> If the caller sends with cli 123, depending on your setup the call will pass and go to the associated context.
> Just a wild stab in the dark , but I've seen this happen and fail2ban obviously wouldn't capture it.
>
>> On 20 May 2014, at 19:29, Mario G <mario_fs at mgtech.com> wrote:
>>
>> I am on OS X, no iptables, show registrations only show internal phones nothing else. I am sure they are not registered. Just looks like an incoming call trying to dial out.
>> Mario G
>>
>>> On May 20, 2014, at 11:12 AM, Sean Devoy <sdevoy at bizfocused.com> wrote:
>>>
>>> Mario,
>>>
>>> Assuming you are not on windows, You need to run this line
>>> iptables -A INPUT -s 85.25.198.0/24 -j DROP
>>>
>>> That will block that class C subnet from your system completely. That is the subnet their traffic is coming from. But I am not sure they have not authenticated (registered) on your server. If you are on windows let me know, I can help there too.
>>>
>>> Please send the output from:
>>> iptables -L -v
>>>
>>> and from the FS console:
>>> show registrations
>>>
>>> Sean.
>>>
>>> -----Original Message-----
>>> From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Mario G
>>> Sent: Tuesday, May 20, 2014 12:57 PM
>>> To: FreeSWITCH Users Help
>>> Subject: [Freeswitch-users] Need help to stop this hack into FreeSwitch!
>>>
>>> Someone has gotten into my FreeSwitch, my firewall is set to only allow SIP traffic from my ITSP, and I added a rule to block the bad address but it did not work so I am baffled. It looks like 85.25.198.253 (Germany) is making a call to me and trying to call out. I would really appreciate any ideas on what kind of general FW rule to add to prevent this, I don't know what is going on. Next I'll run PCAPs. I was thinking of a rule to block all outgoing SIP traffic except to the ITSP. Would appreciate help, especially an explanation of what they are trying to do in FS.
>>> Mario G
>>>
>>> * Started May 19 8am, goes through all 7 sip accounts every 10 seconds
>>> * Each time it starts at extension 1000, goes through all 7 accounts, then waits 10 seconds, the extension is incremented by 1 and goes through all 7 accounts, this repeats until finally stopping at extension 9010, then starts at a different time of day hours later.
>>>
>>> * My account is itsp1 and itsp2, there are 5 more but I cut them out to reduce this.
>>> * 1.2.3.4 is my public wan address.
>>> * They look like 85.25.198.253, but blocking that in the FW does not help. Odd since I have done that before and it worked.
>>> * The "processing 4003 <4003>->+972592406392" is baffling.
>>>
>>> This is a short/reduced snippet from the log:
>>> 2014-05-19 17:02:23.827470 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [2837a51d-b25d-4b42-9fd9-f5b772d93f70]
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>>> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
>>> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
>>> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6210 Remote SDP:
>>> v=0
>>> o=sipcli-Session 1785091527 1239589188 IN IP4 85.25.198.253 s=sipcli c=IN IP4 85.25.198.253
>>> t=0 0
>>> m=audio 5075 RTP/AVP 18 0 8 101
>>> a=rtpmap:18 G729/8000
>>> a=rtpmap:0 PCMU/8000
>>> a=rtpmap:8 PCMA/8000
>>> a=rtpmap:101 telephone-event/8000
>>> a=fmtp:101 0-15
>>> a=ptime:20
>>>
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3437 Audio Codec Compare [PCMA:8:8000:20:64000] ++++ is saved as a match
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [PCMA:8:8000:20:64000]/[GSM:3:8000:20:13200]
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3309 Set telephone-event payload to 101
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:2343 Set Codec sofia/itsp1/4003 at 1.2.3.4 PCMU/8000 20 ms 160 samples 64000 bits
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_codec.c:111 sofia/itsp1/4003 at 1.2.3.4 Original read codec set to PCMU:0
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3626 Set 2833 dtmf send/recv payload to 101
>>> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6485 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_NEW -> CS_INIT
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:486 (sofia/itsp1/4003 at 1.2.3.4) State NEW
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_INIT
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507 (sofia/itsp1/4003 at 1.2.3.4) State INIT
>>> 2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:87 sofia/itsp1/4003 at 1.2.3.4 SOFIA INIT
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:40 sofia/itsp1/4003 at 1.2.3.4 Standard INIT
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:48 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_INIT -> CS_ROUTING
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507 (sofia/itsp1/4003 at 1.2.3.4) State INIT going to sleep
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_ROUTING
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:2178 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change DOWN -> RINGING
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523 (sofia/itsp1/4003 at 1.2.3.4) State ROUTING
>>> 2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:123 sofia/itsp1/4003 at 1.2.3.4 SOFIA ROUTING
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:164 sofia/itsp1/4003 at 1.2.3.4 Standard ROUTING
>>> 2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
>>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->unloop] continue=false
>>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (PASS) [unloop] ${unroll_loops}(true) =~ /^true$/ break=on-false
>>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [unloop] ${sip_looped_call}() =~ /^true$/ break=on-false
>>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->outside_call] continue=true
>>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Absolute Condition [outside_call]
>>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action set(outside_call=true)
>>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action export(RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)})
>>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->call_debug] continue=true
>>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [call_debug] ${call_debug}(false) =~ /^true$/ break=never
>>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->public_extensions] continue=false
>>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [public_extensions] destination_number(+972592406392) =~ /^([1-2][0-1][0-3])$/ break=on-false .......... deleted lines
>>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp1_did] destination_number(+972592406392) =~ /^(1212121212121)$/ break=on-false
>>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->itsp2_did] continue=false
>>> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp2_did] destination_number(+972592406392) =~ /^(1313131313131)$/ break=on-false
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:214 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_ROUTING -> CS_EXECUTE
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523 (sofia/itsp1/4003 at 1.2.3.4) State ROUTING going to sleep
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_EXECUTE
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530 (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE
>>> 2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:178 sofia/itsp1/4003 at 1.2.3.4 SOFIA EXECUTE
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:256 sofia/itsp1/4003 at 1.2.3.4 Standard EXECUTE EXECUTE sofia/itsp1/4003 at 1.2.3.4 set(outside_call=true)
>>> 2014-05-19 17:02:23.827470 [DEBUG] mod_dptools.c:1435 sofia/itsp1/4003 at 1.2.3.4 SET [outside_call]=[true] EXECUTE sofia/itsp1/4003 at 1.2.3.4 export(RFC2822_DATE=Mon, 19 May 2014 17:02:23 -0700)
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:1246 EXPORT (export_vars) [RFC2822_DATE]=[Mon, 19 May 2014 17:02:23 -0700]
>>> 2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:313 sofia/itsp1/4003 at 1.2.3.4 has executed the last dialplan instruction, hanging up.
>>> 2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:315 Hangup sofia/itsp1/4003 at 1.2.3.4 [CS_EXECUTE] [NORMAL_CLEARING]
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:3216 Send signal sofia/itsp1/4003 at 1.2.3.4 [KILL]
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530 (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE going to sleep
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_HANGUP
>>> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:730 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change RINGING -> HANGUP
>>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP
>>> 2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:413 Channel sofia/itsp1/4003 at 1.2.3.4 hanging up, cause: NORMAL_CLEARING
>>> 2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:547 Responding to INVITE with: 480
>>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:58 sofia/itsp1/4003 at 1.2.3.4 Standard HANGUP, cause: NORMAL_CLEARING
>>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP going to sleep
>>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:499 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_HANGUP -> CS_REPORTING
>>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_REPORTING
>>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING
>>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:102 sofia/itsp1/4003 at 1.2.3.4 Standard REPORTING, cause: NORMAL_CLEARING
>>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING going to sleep
>>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:493 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_REPORTING -> CS_DESTROY
>>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1604 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Locked, Waiting on external entities
>>> 2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1622 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Ended
>>> 2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1626 Close Channel sofia/itsp1/4003 at 1.2.3.4 [CS_DESTROY]
>>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:618 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change HANGUP -> DOWN
>>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:621 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_DESTROY
>>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY
>>> 2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:323 sofia/itsp1/4003 at 1.2.3.4 SOFIA DESTROY
>>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:109 sofia/itsp1/4003 at 1.2.3.4 Standard DESTROY
>>> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY going to sleep
>>> 2014-05-19 17:02:25.107472 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [364bd3e4-2c4b-4412-b259-10cfb0b6c391]
>>> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>>> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
>>> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
>>> 2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
>>> 2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
>>> 2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6210 Remote SDP:
>>> v=0
>>> o=sipcli-Session 17343503 2124966596 IN IP4 85.25.198.253 s=sipcli c=IN IP4 85.25.198.253
>>> t=0 0
>>> m=audio 5085 RTP/AVP 18 0 8 101
>>> a=rtpmap:18 G729/8000
>>> a=rtpmap:0 PCMU/8000
>>> a=rtpmap:8 PCMA/8000
>>> a=rtpmap:101 telephone-event/8000
>>> a=fmtp:101 0-15
>>> a=ptime:20
>>>
>>> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [G729:18:8000:20:8000]/[G722:9:8000:20:64000]
>>>
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>>
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://wiki.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>>
>>>
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://wiki.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>>
>>
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
>
>
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
Join us at ClueCon 2013 Aug 6-8, 2013
More information about the FreeSWITCH-users
mailing list