[Freeswitch-users] Freeswitch server itself generating unwanted calls (Ghost calls)

Marcel Haldemann marcel.haldemann at convercom.ch
Wed Feb 22 11:56:51 MSK 2017 

Hi,

Additionally tot he Mentioned Measures I would recommend the following:

(Since I did 1 I never ever saw an attack on out server again, previously there was permanent attacks)


1.       If possible use a non-default port on all public IPs for SIP. Use a very high port > 60K.

2.       Ensure that if u do a outbound call in your dialplan <condition field="${sip_authorized}" expression="^true$"/> is part of the conditions, example:

<extension name="public_outbound_call">

                <condition field="${sip_authorized}" expression="^true$"/>

                <condition field="${Username}" expression="^4[5-7]$|^[24578]$">

                            <action application="log" data="auth user: ${sip_authorized} $${sip_authorized} / ${Username}" />

                            <action application="set" data="call_timeout=60"/>

                            <action application="bridge" data="x/y/yb at a" />

      </condition>

    </extension>



You must ensure that you got set  “auth-calls” to true in the profile for users that make outbound calls.

Von: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] Im Auftrag von jay binks
Gesendet: Montag, 20. Februar 2017 12:09
An: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
Betreff: Re: [Freeswitch-users] Freeswitch server itself generating unwanted calls (Ghost calls)

your username / passwords are probably compromised, if not your box entirely.


  *   Change ALL your passwords and enforce strong password policies.
  *   Make sure all your SIP Profiles require auth, or have strong ACL's
  *   Implement fail2ban
  *   BLOCK THE KNOWN ATTACKER IP with Iptables.
Im sorry to sound like an ass, but if you havnt done one of the above or dont think you can do them all then you probably need to pay someone who knows what they are doing.






On 20 February 2017 at 20:38, Shisheer Teli <telishisheer at gmail.com<mailto:telishisheer at gmail.com>> wrote:
all my users are connected from office outside. so I can't block any IP.

is there any configuration in FreeSWITCH to block them.. ?

On Mon, Feb 20, 2017 at 4:02 PM, Борисов, Дмитрий / Dmitriy Borisov <bordmi at rarus.ru<mailto:bordmi at rarus.ru>> wrote:
Hi!
This call is not self generated. It`s was generated by 23.239.85.20 (in most cases). Do you have properli configurated firewall?

пн, 20 февр. 2017 г. в 13:29, Shisheer Teli <telishisheer at gmail.com<mailto:telishisheer at gmail.com>>:
Dear Team,

from last few days my FreeSWITCH server generating some logs itself.

I don't know how to stop this .. please help  .. it's urgent.

Please see the attached logs.


--
Regards,
Shisheer T
Save paper, save trees.... Please do not print this e-mail unless it is absolutely necessary.

_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
consulting at freeswitch.org<mailto:consulting at freeswitch.org>
http://www.freeswitchsolutions.com

Official FreeSWITCH Sites
http://www.freeswitch.org
http://confluence.freeswitch.org
http://www.cluecon.com

FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org<mailto:FreeSWITCH-users at lists.freeswitch.org>
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
--
--
С уважением,
Борисов Дмитрий
Отдел облачных технологий 1С-Рарус
Тел. +7 (495) 231-20-02<tel:+7%20495%20231-20-02> доб.: 15-94
--
with best regards,
Dmitriy Borisov
1C-Rarus Cloud Services
tel.: +7 (495) 231-20-02<tel:+7%20495%20231-20-02> add.: 15-94

_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
consulting at freeswitch.org<mailto:consulting at freeswitch.org>
http://www.freeswitchsolutions.com

Official FreeSWITCH Sites
http://www.freeswitch.org
http://confluence.freeswitch.org
http://www.cluecon.com

FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org<mailto:FreeSWITCH-users at lists.freeswitch.org>
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org



--
Regards,
Shisheer T
Save paper, save trees.... Please do not print this e-mail unless it is absolutely necessary.


_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
consulting at freeswitch.org<mailto:consulting at freeswitch.org>
http://www.freeswitchsolutions.com

Official FreeSWITCH Sites
http://www.freeswitch.org
http://confluence.freeswitch.org
http://www.cluecon.com

FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org<mailto:FreeSWITCH-users at lists.freeswitch.org>
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org



--
Sincerely

Jay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20170222/b84a0303/attachment-0001.html

Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users mailing list