[Freeswitch-users] Security Issue

[Ahmed Habiba]

Thank you  really Michael,David and Brian,

I did a simple change to the external sip profile which resolved the issue from my point of view.

what I did is I add the below line to the external sip profile, which inform it to valid any request from external system against ACL list.

<param name="apply-inbound-acl" value="domains"/>

From: Michael Collins <msc at freeswitch.org <mailto:msc at freeswitch.org>>
To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org <mailto:freeswitch-users at lists.freeswitch.org>>
Date: January 15, 2015 at 7:19:07 AM GMT+3
Reply-To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org <mailto:freeswitch-users at lists.freeswitch.org>>
Subject: Re: [Freeswitch-users] Security Issue




On Wed, Jan 14, 2015 at 9:40 AM, Ahmed Habiba <ahabiba at gmail.com <mailto:ahabiba at gmail.com>> wrote:
Thank you really David,

Here is my point, the sip-trace in the first mail shows that, the call comes to public context mainly through port 5080, and however the originator IP was not defined in my ACL list Freeswitch continue to process the call for some reason.
Just an FYI, the external profile does not have auth-calls param set to true, so FS simply tries to route the call in the public context without sending back an auth challenge. Since the public context is pretty paranoid it's not exactly easy to dial out. Also, just because FS tries to route the call does not mean that FS considers the call to be "authenticated." 

If you want all traffic coming in to your server to be authenticated then either send it all to the internal profile (i.e. port 5060) or add auth-calls to your external profile.

The bigger question you may want to ask is: why are these random IP even getting to your server? Do you allow public access to your system? If so, why? If not, then you need a firewall (iptables or whatnot) to block those SIP messages from ever getting to your FreeSWITCH. You may also be interested in something like fail2ban and voipbl.org <http://voipbl.org/>.

-MC
 

even if it come to 5060, I was expecting some request for digest authentication, which is not shown in the log.

From: David Villasmil Govea <david.villasmil at gmail.com <mailto:david.villasmil at gmail.com>>
To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org <mailto:freeswitch-users at lists.freeswitch.org>>
Date: January 14, 2015 at 8:30:35 PM GMT+3
Reply-To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org <mailto:freeswitch-users at lists.freeswitch.org>>
Subject: Re: [Freeswitch-users] Security Issue


Authorization is done if you configure your sip profile to do it. By default 5060 (internal) requires authentication,  5080 (external) doesn't but it does use the ACL to allow or not calls.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20150115/863df20d/attachment.html