<p>I really think that people give way too much importance to firewalls, especially stateless ones. Blocking ports isn't going to do much for you unless you are trying to hide vulnerable services behind it.</p>
<p>They used the extension 1000 to make the calls, so I would say: activate log-auth-failures on your profile, set up fail2ban and get stronger passwords.</p>
<p>If you want to go further you can use a stateful firewall limiting connections and set up an IDS (recommend Snort).</p>
<div class="gmail_quote">On Sep 26, 2012 8:29 PM, "Todd Bailey" &lt;<a href="mailto:toddb@toddbailey.net" target="_blank">toddb@toddbailey.net</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Hey All,<br>
<br>
<br>
I just got an email from Frontier that there were several attempts to<br>
make international calls.<br>
<br>
<br>
I checked the log file and verified that somehow someone was able to get<br>
access to FS from the internet.<br>
<br>
<br>
here is a sample of the log<br>
<br>
2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000@50.47.85.167 [af778857-0188-4ed2-a82a-94ae749a02cb]<br>
2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485 Processing 1000 &lt;1000&gt;-&gt;01137168521352 in context default<br>
2012-09-23 16:30:29.936831 [NOTICE] switch_channel.c:941 New Channel sofia/internal/01137168521352@192.168.1.5:5061 [d1243a78-c464-45fa-9215-e7b85e1221fc]<br>
2012-09-23 16:30:29.956842 [NOTICE] sofia.c:6132 Ring-Ready sofia/internal/01137168521352@192.168.1.5:5061!<br>
2012-09-23 16:30:29.956842 [NOTICE] mod_sofia.c:2572 Ring-Ready sofia/internal/1000@50.47.85.167!<br>
2012-09-23 16:30:29.956842 [NOTICE] switch_ivr_originate.c:519 Ring Ready sofia/internal/1000@50.47.85.167!<br>
2012-09-23 16:30:32.936826 [NOTICE] sofia.c:6777 Channel [sofia/internal/01137168521352@192.168.1.5:5061] has been answered<br>
2012-09-23 16:30:32.956825 [NOTICE] sofia_glue.c:4176 Pre-Answer sofia/internal/1000@50.47.85.167!<br>
2012-09-23 16:30:32.956825 [NOTICE] switch_ivr_originate.c:3303 Channel [sofia/internal/1000@50.47.85.167] has been answered<br>
2012-09-23 16:30:52.356865 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000@50.47.85.167 [4576bc76-144a-4f6f-8915-871b511c374d]<br>
2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485 Processing 1000 &lt;1000&gt;-&gt;01137168905352 in context default<br>
<br>
<br>
At this point I'm at a loss how this is happening as I have multiple<br>
firewalls in place that limit port access.<br>
<br>
Can someone provide a few pointers on how to better secure FS running on<br>
Linux systems?<br>
<br>
<br>
thanks<br>
<br>
<br>
--<br>
-<br>
-<br>
- Best Regards,<br>
-<br>
- Todd Bailey<br>
-<br>
-<br>
<br>
<br>
</blockquote></div>
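<p>As an added example (not part of the original thread): a small detector that correlates the "New Channel" and "Processing" lines shown in the quoted log and reports international calls placed by an extension whose channel came from a public IP address. The function name, the <code>011</code> prefix check and the last sample entry (a constructed local call) are assumptions made for illustration.</p>

```python
import ipaddress
import re

# Constructed sample: entries taken from the quoted log (colour codes removed),
# plus one constructed local call from a private address for contrast.
SAMPLE_LOG = """\
2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000@50.47.85.167 [af778857-0188-4ed2-a82a-94ae749a02cb]
2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168521352 in context default
2012-09-23 16:30:29.936831 [NOTICE] switch_channel.c:941 New Channel sofia/internal/01137168521352@192.168.1.5:5061 [d1243a78-c464-45fa-9215-e7b85e1221fc]
2012-09-23 16:30:52.356865 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000@50.47.85.167 [4576bc76-144a-4f6f-8915-871b511c374d]
2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168905352 in context default
2012-09-23 17:02:10.000000 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1001@192.168.1.20 [00000000-0000-0000-0000-000000000001]
2012-09-23 17:02:10.000000 [INFO] mod_dialplan_xml.c:485 Processing 1001 <1001>->1002 in context default
"""

ANSI = re.compile(r"\x1b\[[0-9;]*m")  # console colour codes that end up in log files
NEW_CHANNEL = re.compile(r"New Channel sofia/\S+?/([^@\s]+)@([0-9.]+)")
PROCESSING = re.compile(r"^(\S+ \S+) \[INFO\] mod_dialplan_xml\.c:\d+ "
                        r"Processing .*?<(\S+?)>->(\S+) in context (\S+)")
INTL_PREFIX = "011"  # assumption: international dialing prefix seen in the quoted log


def find_external_intl_calls(log_text):
    """Return (timestamp, extension, source_ip, dialed, context) for every
    international call routed for an extension whose channel came from a public IP."""
    source_of = {}  # user part of the channel -> IP from its latest "New Channel" line
    hits = []
    for raw in log_text.splitlines():
        line = ANSI.sub("", raw).strip()
        m = NEW_CHANNEL.search(line)
        if m:
            source_of[m.group(1)] = m.group(2)
            continue
        m = PROCESSING.search(line)
        if not m:
            continue
        ts, ext, dialed, context = m.groups()
        ip = source_of.get(ext)
        if ip is None or not dialed.startswith(INTL_PREFIX):
            continue
        if not ipaddress.ip_address(ip).is_private:
            hits.append((ts, ext, ip, dialed, context))
    return hits


if __name__ == "__main__":
    for hit in find_external_intl_calls(SAMPLE_LOG):
        print("international call from public IP:", hit)
```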