This is classic wardialing and is very common. Don&#39;t worry, your port change won&#39;t slow down people who really want to get in ;)<div>
<br><br><div class="gmail_quote">On 27 September 2012 11:55, BookBag <span dir="ltr">&lt;<a href="mailto:asaad2@gmail.com" target="_blank">asaad2@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p>I had the same issue. There are hackers continuously scanning public ip&#39;s for known ports then trying to register devices using the default extensions and passwords &quot;1234&quot;. After noticing this in my logs I just changed the default external sip port from 5080 to something else.  </p>


<p>Security through obscurity if you will. <br>
P.S. I was also using fail2ban</p><div class="HOEnZb"><div class="h5">
<div class="gmail_quote">On Sep 26, 2012 7:11 PM, &quot;Lawrence Conroy&quot; &lt;<a href="mailto:lconroy@insensate.co.uk" target="_blank">lconroy@insensate.co.uk</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

Hi There,<br>
 welcome to our world; hope it didn&#39;t cost too much.<br>
Frontier were pro-active, which is very good. Don&#39;t forget to thank them.<br>
I&#39;d guess that this particular bunch are coming from IP addresses provided in the West bank and/or Gaza; that&#39;s from where my &quot;visitors&quot; appeared to originate.<br>
<br>
1st rule of fight club: Firewalls are no use for a server that is going to listen for requests from the Internet and allow authenticated calls to be placed from any IP address.<br>
<br>
You MUST have reasonable passwords, plus fail2ban is easy to set up and works just fine [unless you&#39;re using Windoz, in which case God hates you**].<br>
<br>
For more refined control (if you know where your external contacts are coming from) ...<br>
<br>
Consider setting up ACLs (nailing down the IP address ranges from which you&#39;ll accept incalls) in autoload/acl.conf.xml -- the &quot;domains&quot; definition there is one place to add in your external correspondents.<br>


<br>
Also, consider using cidr= parameters in your directory folder for each of your users (if they will only attempt to register or place calls from given address ranges).<br>
Then enable ACLs for incalls in your sip profile(s).<br>
<br>
This is all covered on <a href="http://wiki.freeswitch.org" target="_blank">wiki.freeswitch.org</a> -- search for ACLs and take it from there.<br>
<br>
BTW, you WILL be confused by setting explicit ACLs on registration -- leave that one commented out until you know what it actually does, as it&#39;s probably not what you expect. Several strong cups of coffee and protracted meditation may help.<br>


<br>
Main message:<br>
-- Immediately - fix the passwords so they&#39;re not easy to guess [as the bad guys *will* try again and again until they get it right].<br>
-- set up fail2ban (which has its own page on the wiki) exactly as proposed. &lt;======= MOST IMPORTANT<br>
-- lose the belief that firewalls are going to help protect an Internet-listening server as, logically, they can&#39;t<br>
Finally, be amazed at the occasional &quot;block&quot; reports in the fail2ban logfile, and wonder how you got away with it for so long.<br>
<br>
all the best,<br>
  Lawrence<br>
** There was apparently a talk on how Windows users could get something close to a fail2ban-style setup (IIRC, it was on the weekly conf call a while back)<br>
<br>
On 26 Sep 2012, at 19:54, Nelson Luiz Ferraz de Camargo Penteado wrote:<br>
&gt; I really think that people give way too much importance to firewalls,<br>
&gt; specially stateless ones, blocking ports isn&#39;t going to do much for you<br>
&gt; unless you are trying to hide vulnerable services behind it.<br>
&gt;<br>
&gt; They used the extension 1000 to make the calls so I would say: activate<br>
&gt; log-auth-failures on your profile, setup a fail2ban and get stronger<br>
&gt; passwords.<br>
&gt;<br>
&gt; If you want to go further you can use a stateful firewall limiting<br>
&gt; connections and setup a IDS(recommend snort)<br>
&gt; On Sep 26, 2012 8:29 PM, &quot;Todd Bailey&quot; &lt;<a href="mailto:toddb@toddbailey.net" target="_blank">toddb@toddbailey.net</a>&gt; wrote:<br>
&gt;<br>
&gt;&gt;<br>
&gt;&gt; Hey All,<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; I just got an email from Frontier that there were several attempts to<br>
&gt;&gt; make international calls.<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; I checked the log file and verified that somehow someone was able to get<br>
&gt;&gt; access to FS from the internet.<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; here is a sample of the log<br>
&gt;&gt;<br>
&gt;&gt; [m [36m2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New<br>
&gt;&gt; Channel sofia/internal/<a href="mailto:1000@50.47.85.167" target="_blank">1000@50.47.85.167</a><br>
&gt;&gt; [af778857-0188-4ed2-a82a-94ae749a02cb]<br>
&gt;&gt; [m [32m2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485<br>
&gt;&gt; Processing 1000 &lt;1000&gt;-&gt;01137168521352 in context default<br>
&gt;&gt; [m [36m2012-09-23 16:30:29.936831 [NOTICE] switch_channel.c:941 New<br>
&gt;&gt; Channel sofia/internal/<a href="http://01137168521352@192.168.1.5:5061" target="_blank">01137168521352@192.168.1.5:5061</a><br>
&gt;&gt; [d1243a78-c464-45fa-9215-e7b85e1221fc]<br>
&gt;&gt; [m [36m2012-09-23 16:30:29.956842 [NOTICE] sofia.c:6132 Ring-Ready<br>
&gt;&gt; sofia/internal/<a href="http://01137168521352@192.168.1.5:5061" target="_blank">01137168521352@192.168.1.5:5061</a>!<br>
&gt;&gt; [m [36m2012-09-23 16:30:29.956842 [NOTICE] mod_sofia.c:2572 Ring-Ready<br>
&gt;&gt; sofia/internal/<a href="mailto:1000@50.47.85.167" target="_blank">1000@50.47.85.167</a>!<br>
&gt;&gt; [m [36m2012-09-23 16:30:29.956842 [NOTICE] switch_ivr_originate.c:519<br>
&gt;&gt; Ring Ready sofia/internal/<a href="mailto:1000@50.47.85.167" target="_blank">1000@50.47.85.167</a>!<br>
&gt;&gt; [m [36m2012-09-23 16:30:32.936826 [NOTICE] sofia.c:6777 Channel<br>
&gt;&gt; [sofia/internal/<a href="http://01137168521352@192.168.1.5:5061" target="_blank">01137168521352@192.168.1.5:5061</a>] has been answered<br>
&gt;&gt; [m [36m2012-09-23 16:30:32.956825 [NOTICE] sofia_glue.c:4176 Pre-Answer<br>
&gt;&gt; sofia/internal/<a href="mailto:1000@50.47.85.167" target="_blank">1000@50.47.85.167</a>!<br>
&gt;&gt; [m [36m2012-09-23 16:30:32.956825 [NOTICE] switch_ivr_originate.c:3303<br>
&gt;&gt; Channel [sofia/internal/<a href="mailto:1000@50.47.85.167" target="_blank">1000@50.47.85.167</a>] has been answered<br>
&gt;&gt; [m [36m2012-09-23 16:30:52.356865 [N [m [36m2012-09-23 16:30:29.916821<br>
&gt;&gt; [NOTICE] switch_channel.c:941 New Channel<br>
&gt;&gt; sofia/internal/<a href="mailto:1000@50.47.85.167" target="_blank">1000@50.47.85.167</a> [af778857-0188-4ed2-a82a-94ae749a02cb]<br>
&gt;&gt; [m [32m2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485<br>
&gt;&gt; Processing 1000 &lt;1000&gt;-&gt;01137168521352 in context default<br>
&gt;&gt; [m [36m2012-09-23 16:30:29.936831 [NOTICE] switch_channel.c:941 New<br>
&gt;&gt; Channel sofia/internal/<a href="http://01137168521352@192.168.1.5:5061" target="_blank">01137168521352@192.168.1.5:5061</a><br>
&gt;&gt; [d1243a78-c464-45fa-9215-e7b85e1221fc]<br>
&gt;&gt; [m [36m2012-09-23 16:30:29.956842 [NOTICE] sofia.c:6132 Ring-Ready<br>
&gt;&gt; sofia/internal/<a href="http://01137168521352@192.168.1.5:5061" target="_blank">01137168521352@192.168.1.5:5061</a>!<br>
&gt;&gt; [m [36m2012-09-23 16:30:29.956842 [NOTICE] mod_sofia.c:2572 Ring-Ready<br>
&gt;&gt; sofia/internal/<a href="mailto:1000@50.47.85.167" target="_blank">1000@50.47.85.167</a>!<br>
&gt;&gt; [m [36m2012-09-23 16:30:29.956842 [NOTICE] switch_ivr_originate.c:519<br>
&gt;&gt; Ring Ready sofia/internal/<a href="mailto:1000@50.47.85.167" target="_blank">1000@50.47.85.167</a>!<br>
&gt;&gt; [m [36m2012-09-23 16:30:32.936826 [NOTICE] sofia.c:6777 Channel<br>
&gt;&gt; [sofia/internal/<a href="http://01137168521352@192.168.1.5:5061" target="_blank">01137168521352@192.168.1.5:5061</a>] has been answered<br>
&gt;&gt; [m [36m2012-09-23 16:30:32.956825 [NOTICE] sofia_glue.c:4176 Pre-Answer<br>
&gt;&gt; sofia/internal/<a href="mailto:1000@50.47.85.167" target="_blank">1000@50.47.85.167</a>!<br>
&gt;&gt; [m [36m2012-09-23 16:30:32.956825 [NOTICE] switch_ivr_originate.c:3303<br>
&gt;&gt; Channel [sofia/internal/<a href="mailto:1000@50.47.85.167" target="_blank">1000@50.47.85.167</a>] has been answered<br>
&gt;&gt; [m [36m2012-09-23 16:30:52.356865 [NOTICE] switch_channel.c:941 New<br>
&gt;&gt; Channel sofia/internal/<a href="mailto:1000@50.47.85.167" target="_blank">1000@50.47.85.167</a><br>
&gt;&gt; [4576bc76-144a-4f6f-8915-871b511c374d]<br>
&gt;&gt; [m [32m2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485<br>
&gt;&gt; Processing 1000 &lt;1000&gt;-&gt;01137168905352 in context defaultOTICE]<br>
&gt;&gt; switch_channel.c:941 New Channel sofia/internal/<a href="mailto:1000@50.47.85.167" target="_blank">1000@50.47.85.167</a><br>
&gt;&gt; [4576bc76-144a-4f6f-8915-871b511c374d]<br>
&gt;&gt; [m [32m2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485<br>
&gt;&gt; Processing 1000 &lt;1000&gt;-&gt;01137168905352 in context default<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; At this point I&#39;m at a loss how this is happening as I have multiple<br>
&gt;&gt; firewalls in place that limit port access.<br>
&gt;&gt;<br>
&gt;&gt; Can someone provide a few pointers on how to better secure FS running on<br>
&gt;&gt; Linux systems?<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; thanks<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; --<br>
&gt;&gt; -<br>
&gt;&gt; -<br>
&gt;&gt; -    Best Regards,<br>
&gt;&gt; -<br>
&gt;&gt; -            Todd Bailey<br>
&gt;&gt; -<br>
&gt;&gt; -<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; _________________________________________________________________________<br>
&gt;&gt; Professional FreeSWITCH Consulting Services:<br>
&gt;&gt; <a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
&gt;&gt; <a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
&gt;&gt;<br>
&gt;&gt; FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
&gt;&gt; <a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
&gt;&gt;<br>
&gt;&gt; Official FreeSWITCH Sites<br>
&gt;&gt; <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
&gt;&gt; <a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
&gt;&gt; <a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
&gt;&gt;<br>
&gt;&gt; FreeSWITCH-users mailing list<br>
&gt;&gt; <a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
&gt;&gt; <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
&gt;&gt; UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
&gt;&gt; <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
&gt;&gt;<br>
&gt; _________________________________________________________________________<br>
&gt; Professional FreeSWITCH Consulting Services:<br>
&gt; <a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
&gt; <a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
&gt;<br>
&gt; FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
&gt; <a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
&gt;<br>
&gt; Official FreeSWITCH Sites<br>
&gt; <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
&gt; <a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
&gt; <a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
&gt;<br>
&gt; FreeSWITCH-users mailing list<br>
&gt; <a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
&gt; <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
&gt; UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
&gt; <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br>
<br>
_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
</blockquote></div>
</div></div><br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div><br></div>