You may wish to review and implement:<div><br></div><div><a href="http://wiki.freeswitch.org/wiki/Fail2ban">http://wiki.freeswitch.org/wiki/Fail2ban</a><br><br><div class="gmail_quote">On Fri, Jul 30, 2010 at 10:56 AM, Mike van Lammeren <span dir="ltr">&lt;<a href="mailto:mike@van.lammeren.net">mike@van.lammeren.net</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">We haven't published any SRV records. I assume that they found us by a port scan. Our servers are open to the internet.<div>
<br></div><div>It turns out that the attackers did not gain entry to our system at all. At first, I was a little freaked because there was nothing in the FreeSWITCH logs to indicate what all the traffic was for. When I cranked up the log level in the FreeSWITCH console, I could see that it was an endless series of attempts to make a SIP connection, to which FreeSWITCH was responding with a 401. We've since blocked that IP at our layer 3 switch.</div>
<div><br></div><div>The only reason we noticed was because these boxes should have had zero traffic. Once these go into production, it would be much more difficult to spot the attack.</div><div><br></div><div>This is probably not the forum for it, but anyone reading this might want to check their traffic for this IP: 61.164.41.144 </div>
<div><br></div><font color="#888888"><div>Mike van Lammeren</div></font><div><div></div><div class="h5"><div><br><br><div class="gmail_quote">On Thu, Jul 29, 2010 at 5:38 PM, Tony Graziano <span dir="ltr">&lt;<a href="mailto:tgraziano@myitdepartment.net" target="_blank">tgraziano@myitdepartment.net</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Does it have published SRV records? If so, did you look to see if it was SIPVicious? What is the UA?<br><br><div class="gmail_quote">
<div><div></div><div>On Thu, Jul 29, 2010 at 5:21 PM, Mike van Lammeren <span dir="ltr">&lt;<a href="mailto:mike@van.lammeren.net" target="_blank">mike@van.lammeren.net</a>&gt;</span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex"><div><div></div><div>I'm running FreeSWITCH version 1.0.6 on a box that is live on the internet, but is not yet in use by us. Over the last 48 hours, someone from an IP in China has been connected to our server. We observed about 36 Kbps of UDP traffic. According to the cdr-csv logs, it looks like they were sequentially dialing extension numbers. They were not able to get any calls through to termination, due to the nature of our system.<div>
<br></div><div>I'm reasonably certain that I removed all the default accounts.</div><div><br></div><div><div>What should I be looking for?</div><div><br></div><div>Mike van Lammeren</div><div><br></div></div>
<br></div></div>_______________________________________________<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>======================<br>Tony Graziano, Manager<br>Telephone: 434.984.8430<br>sip: <a href="mailto:tgraziano@voice.myitdepartment.net" target="_blank">tgraziano@voice.myitdepartment.net</a><br>
Fax: 434.984.8431<br><br>Email: <a href="mailto:tgraziano@myitdepartment.net" target="_blank">tgraziano@myitdepartment.net</a><br><br>LAN/Telephony/Security and Control Systems Helpdesk:<br>Telephone: 434.984.8426<br>sip: <a href="mailto:helpdesk@voice.myitdepartment.net" target="_blank">helpdesk@voice.myitdepartment.net</a><br>
Fax: 434.984.8427<br><br>Helpdesk Contract Customers:<br><a href="http://www.myitdepartment.net/gethelp/" target="_blank">http://www.myitdepartment.net/gethelp/</a><br><br>Why do mathematicians always confuse Halloween and Christmas?<br>
Because 31 Oct = 25 Dec.<br><br>
<br></blockquote></div><br></div>
</div></div><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>-Rupa<br>
</div>
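<div>The thread describes an endless run of SIP attempts answered with 401 and sequential dialing of extension numbers, and points to Fail2ban as the remedy. The following is an added example, not code from any poster or from the FreeSWITCH project: it applies a fail2ban-style threshold (N failures within a time window) to log lines and flags sequential extension probing. The log line shape, the sample lines, the thresholds and the names <code>find_offenders</code>, <code>max_retry</code> and <code>find_time_s</code> are assumptions made for illustration.</div>

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed line shape, modelled on FreeSWITCH sofia auth-failure warnings.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \[WARNING\] .*"
    r"SIP auth failure \(\w+\) .* for \[(?P<user>[^@\]]*)@[^\]]*\] "
    r"from ip (?P<ip>[0-9a-fA-F.:]+)$"
)

# Constructed sample log (documentation IP ranges, not data from the thread).
_FMT = ("2010-07-30 {t}.000000 [WARNING] sofia_reg.c:0 SIP auth failure (REGISTER) "
        "on sofia profile 'internal' for [{u}@pbx.example.com] from ip {ip}")
SAMPLE_LOG = "\n".join(
    [_FMT.format(t=f"10:00:0{i}", u=1000 + i, ip="203.0.113.50") for i in range(6)]
    + [_FMT.format(t=t, u="2001", ip="198.51.100.7") for t in ("09:00:00", "09:20:00")]
    + ["2010-07-30 10:00:07.000000 [NOTICE] switch_channel.c:0 New Channel sofia/internal/x"]
)

def find_offenders(log_text, max_retry=5, find_time_s=600):
    """Report source IPs with >= max_retry auth failures inside any find_time_s window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events[m["ip"]].append((ts, m["user"]))
    report = {}
    for ip, hits in events.items():
        hits.sort()
        start = burst = 0
        for end in range(len(hits)):  # sliding window over sorted timestamps
            while (hits[end][0] - hits[start][0]).total_seconds() > find_time_s:
                start += 1
            burst = max(burst, end - start + 1)
        if burst < max_retry:
            continue
        # Consecutive numeric usernames suggest extension enumeration rather than a typo.
        exts = sorted({int(u) for _, u in hits if u.isdigit()})
        sequential = len(exts) >= 3 and all(b - a == 1 for a, b in zip(exts, exts[1:]))
        report[ip] = {"burst": burst, "users": len({u for _, u in hits}),
                      "sequential": sequential}
    return report

if __name__ == "__main__":
    for ip, info in find_offenders(SAMPLE_LOG).items():
        print(ip, info)
```

<div>A user who mistypes a password twice, twenty minutes apart, stays under the threshold, while the burst of six failures across consecutive extensions is reported and marked sequential.</div>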