<div dir="ltr"><div>Personally, I've seen the last option -- CDRs for calls that have been rejected.</div><div><br></div><div>They come in on the public profile, attempt to call a single number with several prefix types... but they are indeed unauthenticated so FS just hangs up on them.</div>
<div><br clear="all"><div><div dir="ltr"><span style="font-family:Verdana,Arial,Helvetica,sans-serif;font-size:small">-Avi</span></div></div><br><div class="gmail_quote">On Wed, Feb 20, 2013 at 10:14 AM, Steven Ayre <span dir="ltr"><<a href="mailto:steveayre@gmail.com" target="_blank">steveayre@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Not unusual at all, and not even clever... there are lots of bots that<br>
just randomly search the net for IP addresses that're open to allowing<br>
calls.<br>
<br>
First, are you sure the profile is actually requiring authentication<br>
(a simple packet trace will reveal that - the first INVITE should get<br>
a 401 reply).<br>
<br>
Second, do you have blind auth enabled, in which case it'd be<br>
accepting any username/password?<br>
<br>
Third, are they getting authenticated via an ACL or user CIDR?<br>
<br>
Finally, is it possible that you're loading CDRs for calls which have<br>
been rejected?<br>
<br>
-Steve<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
<br>
<br>
On 20 February 2013 07:28, Mario Karakanovski <<a href="mailto:mario@ims.bg">mario@ims.bg</a>> wrote:<br>
> Hi all,<br>
><br>
> For some days i noticed that somebody was able to register to my<br>
> freeswitch and trying to call international numbers. The attack is very<br>
> clever as the hacker logs at the night, trying to call international number<br>
> 10-15 times while changing the prefix and go away.<br>
><br>
> The sip profile is connected directly to the internet and require<br>
> authentication:<br>
> auth-calls = true<br>
> auth-all-packets = true<br>
><br>
> There is no IP filtering as the service does not allow setting some.<br>
> Firewall blokes all port except TCP and UDP 5060 and required UDP media<br>
> ports. The authentication is made by directory.<br>
> What I wonder is how ones can authenticated with extension that not exist<br>
> and not described anywhere.<br>
><br>
> Can it be some security issue with freeswitch? Any ideas how to solve the<br>
> problem?<br>
><br>
> Regards,<br>
> Mario<br>
><br>
><br>
> _________________________________________________________________________<br>
> Professional FreeSWITCH Consulting Services:<br>
> <a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
> <a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
><br>
> FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
> <a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
><br>
> Official FreeSWITCH Sites<br>
> <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
> <a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
> <a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
><br>
> FreeSWITCH-users mailing list<br>
> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
> <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br>
_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
</div></div></blockquote></div><br></div></div>