<HTML>
<HEAD>
<TITLE>Re: [Freeswitch-users] freeswitch hack</TITLE>
</HEAD>
<BODY>
<FONT FACE="Monaco, Courier New"><SPAN STYLE='font-size:11pt'>They are probably hitting the public/external interface which by default accepts calls for any number but will reject them as the public dialplan doesn’t know what to do with them. I see this on a regular basis on my PBX... The real question is, are you setup to allow anyone to call you, and if you are, are you sure to block calls not destined for your box.<BR>
<BR>
As a previous response pointed out this is a very common attack, I see it several times a day from many different IPs as its just a bot.... There is also sipvicious attacks which I don’t see much of as I block them on the firewall level (they almost always include the string ‘friendly-scanner’ and a quick google with give you an iptables command to drop them).<BR>
<BR>
These bots exist to exploit not just freeswitch, but any SIP server, and to exploit sip users with bad/common passwords... <BR>
<BR>
Good System Admin practices and double checking your FreeSWITCH configs will generally stop them in their tracks.<BR>
<BR>
If you need assistance stop by the FreeSWITCH IRC channel on Freenode #freeswitch and ask around... If you need professional help email <a href="consulting@freeswitch.org">consulting@freeswitch.org</a> and they will help you out.<BR>
<BR>
K<BR>
<BR>
<BR>
On 2/20/13 2:35 AM, "Avi Marcus" <<a href="avi@avimarcus.net">avi@avimarcus.net</a>> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Monaco, Courier New"><SPAN STYLE='font-size:11pt'>Personally, I've seen the last option -- CDRs for calls that have been rejected.<BR>
<BR>
They come in on the public profile, attempt to call a single number with several prefix types... but they are indeed unauthenticated so FS just hangs up on them.<BR>
<BR>
</SPAN></FONT><FONT SIZE="2"><FONT FACE="Verdana, Helvetica, Arial"><SPAN STYLE='font-size:10pt'>-Avi<BR>
</SPAN></FONT></FONT><FONT FACE="Monaco, Courier New"><SPAN STYLE='font-size:11pt'><BR>
On Wed, Feb 20, 2013 at 10:14 AM, Steven Ayre <<a href="steveayre@gmail.com">steveayre@gmail.com</a>> wrote:<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Monaco, Courier New"><SPAN STYLE='font-size:11pt'>Not unusual at all, and not even clever... there are lots of bots that<BR>
just randomly search the net for IP addresses that're open to allowing<BR>
calls.<BR>
<BR>
First, are you sure the profile is actually requiring authentication<BR>
(a simple packet trace will reveal that - the first INVITE should get<BR>
a 401 reply).<BR>
<BR>
Second, do you have blind auth enabled, in which case it'd be<BR>
accepting any username/password?<BR>
<BR>
Third, are they getting authenticated via an ACL or user CIDR?<BR>
<BR>
Finally, is it possible that you're loading CDRs for calls which have<BR>
been rejected?<BR>
<BR>
-Steve<BR>
<BR>
<BR>
<BR>
<BR>
On 20 February 2013 07:28, Mario Karakanovski <<a href="mario@ims.bg">mario@ims.bg</a>> wrote:<BR>
> Hi all,<BR>
><BR>
> For some days i noticed that somebody was able to register to my<BR>
> freeswitch and trying to call international numbers. The attack is very<BR>
> clever as the hacker logs at the night, trying to call international number<BR>
> 10-15 times while changing the prefix and go away.<BR>
><BR>
> The sip profile is connected directly to the internet and require<BR>
> authentication:<BR>
> auth-calls = true<BR>
> auth-all-packets = true<BR>
><BR>
> There is no IP filtering as the service does not allow setting some.<BR>
> Firewall blokes all port except TCP and UDP 5060 and required UDP media<BR>
> ports. The authentication is made by directory.<BR>
> What I wonder is how ones can authenticated with extension that not exist<BR>
> and not described anywhere.<BR>
><BR>
> Can it be some security issue with freeswitch? Any ideas how to solve the<BR>
> problem?<BR>
><BR>
> Regards,<BR>
> Mario<BR>
><BR>
><BR>
> _________________________________________________________________________<BR>
> Professional FreeSWITCH Consulting Services:<BR>
> <a href="consulting@freeswitch.org">consulting@freeswitch.org</a><BR>
> <a href="http://www.freeswitchsolutions.com">http://www.freeswitchsolutions.com</a><BR>
><BR>
> FreeSWITCH-powered IP PBX: The CudaTel Communication Server<BR>
> <a href="http://www.cudatel.com">http://www.cudatel.com</a><BR>
><BR>
> Official FreeSWITCH Sites<BR>
> <a href="http://www.freeswitch.org">http://www.freeswitch.org</a><BR>
> <a href="http://wiki.freeswitch.org">http://wiki.freeswitch.org</a><BR>
> <a href="http://www.cluecon.com">http://www.cluecon.com</a><BR>
><BR>
> FreeSWITCH-users mailing list<BR>
> <a href="FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><BR>
> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><BR>
> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><BR>
> <a href="http://www.freeswitch.org">http://www.freeswitch.org</a><BR>
<BR>
_________________________________________________________________________<BR>
Professional FreeSWITCH Consulting Services:<BR>
<a href="consulting@freeswitch.org">consulting@freeswitch.org</a><BR>
<a href="http://www.freeswitchsolutions.com">http://www.freeswitchsolutions.com</a><BR>
<BR>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<BR>
<a href="http://www.cudatel.com">http://www.cudatel.com</a><BR>
<BR>
Official FreeSWITCH Sites<BR>
<a href="http://www.freeswitch.org">http://www.freeswitch.org</a><BR>
<a href="http://wiki.freeswitch.org">http://wiki.freeswitch.org</a><BR>
<a href="http://www.cluecon.com">http://www.cluecon.com</a><BR>
<BR>
FreeSWITCH-users mailing list<BR>
<a href="FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><BR>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><BR>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><BR>
<a href="http://www.freeswitch.org">http://www.freeswitch.org</a><BR>
</SPAN></FONT></BLOCKQUOTE><FONT FACE="Monaco, Courier New"><SPAN STYLE='font-size:11pt'><BR>
<BR>
<HR ALIGN=CENTER SIZE="3" WIDTH="95%"></SPAN></FONT><FONT SIZE="2"><FONT FACE="Consolas, Courier New, Courier"><SPAN STYLE='font-size:10pt'>_________________________________________________________________________<BR>
Professional FreeSWITCH Consulting Services:<BR>
<a href="consulting@freeswitch.org">consulting@freeswitch.org</a><BR>
<a href="http://www.freeswitchsolutions.com">http://www.freeswitchsolutions.com</a><BR>
<BR>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<BR>
<a href="http://www.cudatel.com">http://www.cudatel.com</a><BR>
<BR>
Official FreeSWITCH Sites<BR>
<a href="http://www.freeswitch.org">http://www.freeswitch.org</a><BR>
<a href="http://wiki.freeswitch.org">http://wiki.freeswitch.org</a><BR>
<a href="http://www.cluecon.com">http://www.cluecon.com</a><BR>
<BR>
FreeSWITCH-users mailing list<BR>
<a href="FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><BR>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><BR>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><BR>
<a href="http://www.freeswitch.org">http://www.freeswitch.org</a><BR>
</SPAN></FONT></FONT></BLOCKQUOTE><FONT SIZE="2"><FONT FACE="Consolas, Courier New, Courier"><SPAN STYLE='font-size:10pt'><BR>
</SPAN></FONT></FONT><FONT FACE="Monaco, Courier New"><SPAN STYLE='font-size:11pt'>-- <BR>
Ken<BR>
<FONT COLOR="#0000FF"><U><a href="http://www.FreeSWITCH.org">http://www.FreeSWITCH.org</a><BR>
<a href="http://www.ClueCon.com">http://www.ClueCon.com</a><BR>
<a href="http://www.OSTAG.org">http://www.OSTAG.org</a><BR>
</U></FONT>irc.freenode.net #freeswitch<BR>
</SPAN></FONT>
</BODY>
</HTML>