[Freeswitch-users] (no subject)
Kamil Nigmatullin
kamil.nigmatullin at gmail.com
Wed Oct 22 07:31:02 MSD 2014
The password was lost by client. Not by brouteforce on other site and I
defenetly use fail2ban. That;s not the issue.
I don't have any transfers within meta bind app. I think it was some kind
of sip reffer attack.
2014-10-22 6:46 GMT+06:00 Steven Ayre <steveayre at gmail.com>:
> Also do you know how the password was gained? If it was brute-forced look
> at implementing a secure password policy and using fail2ban to detect and
> block brute forcing attacks
>
>
> On Wednesday, October 22, 2014, Stanislav Sinyagin <ssinyagin at gmail.com>
> wrote:
>
>> (now on a normal keyboard)
>> Kamil,
>>
>> when you use the "limit" application and increase the user's counter, it
>> keeps its value only within the context where it was originally called. If
>> you, for example, used pieces of the original (Vanilla) FreeSWITCH
>> configuration, there are bind_meta_app bindings which send the call into
>> another context ("features"). Once it's done, the user's limit counter is
>> lost, and you need to increment it again in the new context.
>>
>> Also, why don't you implement daily and monthly minute limits and block
>> the user as soon as these limits are reached?
>>
>>
>>
>>
>>
>>
>>
>> On Tue, Oct 21, 2014 at 9:21 PM, Stanislav Sinyagin <ssinyagin at gmail.com>
>> wrote:
>>
>>> Limit resets as soon as the call leaves the context - could that be the
>>> reason?
>>> On Oct 21, 2014 8:44 PM, "Kamil Nigmatullin" <
>>> kamil.nigmatullin at gmail.com> wrote:
>>>
>>>> Dear all,
>>>>
>>>> Today we had an attack. One of our clients lost password to his SIP
>>>> account. So with this password attackers made calls on our client's behalf
>>>> to very expensive destinations.
>>>>
>>>> We have Opensips as a border controller and Freeswitch as a Softswitch.
>>>> This phone was confugured for 1 concurrent line using module limit of FS.
>>>> Howerver they somehow managed to make several concurrent calls per one
>>>> account. On CDR's we found that there was Attended transfer. Does anybody
>>>> knows what kind of attack was that and how I can protect us against this?
>>>> Is it sip refer attack when attacker set REFERED BY HEADER?
>>>>
>>>> When I check if limit works whith a sipphone, I see that it worked
>>>> 100%.
>>>>
>>>> Thanks in advance
>>>>
>>>> --
>>>> Kamil Nigmatullin
>>>> Tel: 77272323748
>>>> mob: 7 (707) 2517003
>>>> Skype: kamil.nigmatullin
>>>>
>>>>
>>>> _________________________________________________________________________
>>>> Professional FreeSWITCH Consulting Services:
>>>> consulting at freeswitch.org
>>>> http://www.freeswitchsolutions.com
>>>>
>>>> Official FreeSWITCH Sites
>>>> http://www.freeswitch.org
>>>> http://confluence.freeswitch.org
>>>> http://www.cluecon.com
>>>>
>>>>
>>>>
>>>>
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>
>>>
>>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
>
>
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
--
Kamil Nigmatullin
Tel: 77272323748
mob: 7 (707) 2517003
Skype: kamil.nigmatullin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20141022/b5945bfd/attachment-0001.html
Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users
mailing list