<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<title>Re: [Freeswitch-users] freeswitch hack</title>
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:595.3pt 841.9pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=BG link=blue vlink=blue>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-US
style='font-size:10.0pt;font-family:Arial;color:navy'>Thanks Ken,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-US
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-US
style='font-size:10.0pt;font-family:Arial;color:navy'>It is helpful, but I still
think there is some security issue. I’ve double check configuration. I’ve
try to reproduce the issue trying to do direct call (TCP and UDP) or
authenticate with invalid user, but everything works as expected – calls/authentication
was rejected. I’ve decide to log the traffic – maybe I will be able
to see where is the problem.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-US
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-US
style='font-size:10.0pt;font-family:Arial;color:navy'>Regards,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-US
style='font-size:10.0pt;font-family:Arial;color:navy'> Mario
<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span lang=EN-US
style='font-size:10.0pt;font-family:Tahoma;font-weight:bold'>From:</span></font></b><font
size=2 face=Tahoma><span lang=EN-US style='font-size:10.0pt;font-family:Tahoma'>
freeswitch-users-bounces@lists.freeswitch.org
[mailto:freeswitch-users-bounces@lists.freeswitch.org] <b><span
style='font-weight:bold'>On Behalf Of </span></b>Ken Rice<br>
<b><span style='font-weight:bold'>Sent:</span></b> Wednesday, February 20, 2013
10:46 AM<br>
<b><span style='font-weight:bold'>To:</span></b> FreeSWITCH Users Help<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [Freeswitch-users]
freeswitch hack</span></font><span lang=EN-US><o:p></o:p></span></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=2 face="Courier New"><span
style='font-size:11.0pt;font-family:"Courier New"'>They are probably hitting
the public/external interface which by default accepts calls for any number but
will reject them as the public dialplan doesn’t know what to do with
them. I see this on a regular basis on my PBX... The real question is, are you
setup to allow anyone to call you, and if you are, are you sure to block calls
not destined for your box.<br>
<br>
As a previous response pointed out this is a very common attack, I see it
several times a day from many different IPs as its just a bot.... There is also
sipvicious attacks which I don’t see much of as I block them on the
firewall level (they almost always include the string
‘friendly-scanner’ and a quick google with give you an iptables
command to drop them).<br>
<br>
These bots exist to exploit not just freeswitch, but any SIP server, and to
exploit sip users with bad/common passwords... <br>
<br>
Good System Admin practices and double checking your FreeSWITCH configs will
generally stop them in their tracks.<br>
<br>
If you need assistance stop by the FreeSWITCH IRC channel on Freenode
#freeswitch and ask around... If you need professional help email <a
href="consulting@freeswitch.org">consulting@freeswitch.org</a> and they will
help you out.<br>
<br>
K<br>
<br>
<br>
On 2/20/13 2:35 AM, "Avi Marcus" <<a href="avi@avimarcus.net">avi@avimarcus.net</a>>
wrote:</span></font><o:p></o:p></p>
<p class=MsoNormal><font size=2 face="Courier New"><span style='font-size:11.0pt;
font-family:"Courier New"'>Personally, I've seen the last option -- CDRs for
calls that have been rejected.<br>
<br>
They come in on the public profile, attempt to call a single number with
several prefix types... but they are indeed unauthenticated so FS just hangs up
on them.<br>
<br>
</span></font><font size=2 face=Verdana><span style='font-size:10.0pt;
font-family:Verdana'>-Avi<br>
</span></font><font size=2 face="Courier New"><span style='font-size:11.0pt;
font-family:"Courier New"'><br>
On Wed, Feb 20, 2013 at 10:14 AM, Steven Ayre <<a href="steveayre@gmail.com">steveayre@gmail.com</a>>
wrote:</span></font><o:p></o:p></p>
<p class=MsoNormal><font size=2 face="Courier New"><span style='font-size:11.0pt;
font-family:"Courier New"'>Not unusual at all, and not even clever... there are
lots of bots that<br>
just randomly search the net for IP addresses that're open to allowing<br>
calls.<br>
<br>
First, are you sure the profile is actually requiring authentication<br>
(a simple packet trace will reveal that - the first INVITE should get<br>
a 401 reply).<br>
<br>
Second, do you have blind auth enabled, in which case it'd be<br>
accepting any username/password?<br>
<br>
Third, are they getting authenticated via an ACL or user CIDR?<br>
<br>
Finally, is it possible that you're loading CDRs for calls which have<br>
been rejected?<br>
<br>
-Steve<br>
<br>
<br>
<br>
<br>
On 20 February 2013 07:28, Mario Karakanovski <<a href="mario@ims.bg">mario@ims.bg</a>>
wrote:<br>
> Hi all,<br>
><br>
> For some days i noticed that somebody was able
to register to my<br>
> freeswitch and trying to call international numbers. The attack is very<br>
> clever as the hacker logs at the night, trying to call international
number<br>
> 10-15 times while changing the prefix and go away.<br>
><br>
> The sip profile is connected directly to the internet and require<br>
> authentication:<br>
> auth-calls = true<br>
> auth-all-packets = true<br>
><br>
> There is no IP filtering as the service does not allow setting some.<br>
> Firewall blokes all port except TCP and UDP 5060 and required UDP media<br>
> ports. The authentication is made by directory.<br>
> What I wonder is how ones can authenticated with extension that not exist<br>
> and not described anywhere.<br>
><br>
> Can it be some security issue with freeswitch? Any ideas how to solve the<br>
> problem?<br>
><br>
> Regards,<br>
> Mario<br>
><br>
><br>
> _________________________________________________________________________<br>
> Professional FreeSWITCH Consulting Services:<br>
> <a href="consulting@freeswitch.org">consulting@freeswitch.org</a><br>
> <a href="http://www.freeswitchsolutions.com">http://www.freeswitchsolutions.com</a><br>
><br>
> FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
> <a href="http://www.cudatel.com">http://www.cudatel.com</a><br>
><br>
> Official FreeSWITCH Sites<br>
> <a href="http://www.freeswitch.org">http://www.freeswitch.org</a><br>
> <a href="http://wiki.freeswitch.org">http://wiki.freeswitch.org</a><br>
> <a href="http://www.cluecon.com">http://www.cluecon.com</a><br>
><br>
> FreeSWITCH-users mailing list<br>
> <a href="FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
> UNSUBSCRIBE:<a
href="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
> <a href="http://www.freeswitch.org">http://www.freeswitch.org</a><br>
<br>
_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a
href="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org">http://www.freeswitch.org</a></span></font><o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=2 face="Courier New"><span
style='font-size:11.0pt;font-family:"Courier New"'><o:p> </o:p></span></font></p>
<div class=MsoNormal align=center style='text-align:center'><font size=2
face="Courier New"><span style='font-size:11.0pt;font-family:"Courier New"'>
<hr size=3 width="95%" align=center>
</span></font></div>
<p class=MsoNormal><font size=2 face=Consolas><span style='font-size:10.0pt;
font-family:Consolas'>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a
href="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org">http://www.freeswitch.org</a></span></font><o:p></o:p></p>
<p class=MsoNormal><font size=2 face=Consolas><span style='font-size:10.0pt;
font-family:Consolas'><br>
</span></font><font size=2 face="Courier New"><span style='font-size:11.0pt;
font-family:"Courier New"'>-- <br>
Ken<br>
<u><font color=blue><span style='color:blue'><a href="http://www.FreeSWITCH.org">http://www.FreeSWITCH.org</a><br>
<a href="http://www.ClueCon.com">http://www.ClueCon.com</a><br>
<a href="http://www.OSTAG.org">http://www.OSTAG.org</a><br>
</span></font></u>irc.freenode.net #freeswitch</span></font><o:p></o:p></p>
</div>
</body>
</html>