<div dir="ltr"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span style="font-family:arial,sans-serif;font-size:13px">Within 24 hours of pasting to your pastebin, I get 3 to 10 hackers trying<br>
</span><span style="font-family:arial,sans-serif;font-size:13px">to login to my switch with common usernames and passwords as well as<br></span><span style="font-family:arial,sans-serif;font-size:13px">generated ones. Granted that is not a true "port scan", but it conveys the<br>
</span><span style="font-family:arial,sans-serif;font-size:13px">seriousness of the problem. I now have Class A 3 ip domains in the middle<br></span><span style="font-family:arial,sans-serif;font-size:13px">east completely blocked in my iptables because I have no customers there.</span></blockquote>
<div><br></div><div style>It's entirely possible (and likely) this is entirely unrelated to any pastebins you might have posted.</div><div style><br></div><div style>I see such attempts every single day (which all get rejected)... it's pretty standard given the number of botnets out there scanning for insecure VoIP servers to exploit and abuse. Unless they're specifically targeting someone, they're just going to be trying random IPs, not checking out a list.</div>
<div style><br></div><div style>IPv4 address space is small enough that it's trivially easy for a botnet to just pick a random IP to start from and then walk through every possible IP from that point. CPU/bandwidth isn't an issue since it's not the attacker's own, and the botnet means it's parallel enough that it doesn't take prohibitively long either. While grabbing pastebins might get them a few IPs which serve SIP, they're not automatically going to be insecure, so walking the address space is likely to be far more fruitful.</div>
<div style><br></div><div style>Sure, you can sanitise your pastebins if you want to, but if your server is insecure it's insecure and they're going to happen upon you anyway. I'd spend the time you saved replacing IPs with 'x.x.x.x' by securing your setup (never use default passwords, set up firewalls appropriately, etc) and configuring fail2ban instead (I know you said you already have, Sean - that was more generic advice for anyone).</div>
<div style><br></div><div style>-Steve</div><div style><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 26 April 2013 15:27, Sean Devoy <span dir="ltr"><<a href="mailto:sdevoy@bizfocused.com" target="_blank">sdevoy@bizfocused.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">What kind of proof do you want? I am sure I have some freeswitch logs<br>
showing authentication errors. FAILTOBAN was well worth learning about and<br>
installing. I even had an earlier post to discuss this. Several people<br>
commented about the need to "sanitize" your posts and the name of the<br>
program frequently used to attempt the hack ins.<br>
<br>
Within 24 hours of pasting to your pastebin, I get 3 to 10 hackers trying<br>
to login to my switch with common usernames and passwords as well as<br>
generated ones. Granted that is not a true "port scan", but it conveys the<br>
seriousness of the problem. I now have Class A 3 ip domains in the middle<br>
east completely blocked in my iptables because I have no customers there.<br>
<br>
I am not saying your pastebin is at fault, only that SCUM can read too and<br>
this is a good source of targets to attack.<br>
<div class="im HOEnZb"><br>
-----Original Message-----<br>
From: <a href="mailto:freeswitch-users-bounces@lists.freeswitch.org">freeswitch-users-bounces@lists.freeswitch.org</a><br>
[mailto:<a href="mailto:freeswitch-users-bounces@lists.freeswitch.org">freeswitch-users-bounces@lists.freeswitch.org</a>] On Behalf Of Brian<br>
West<br>
Sent: Thursday, April 25, 2013 10:15 PM<br>
To: FreeSWITCH Users Help<br>
Subject: Re: [Freeswitch-users] ERROR 404 BAD HEADER<br>
<br>
</div><div class="HOEnZb"><div class="h5">Is this our pastebin you're speaking of? If so can you provide me some proof<br>
of this?<br>
<br>
On Apr 25, 2013, at 8:30 PM, Sean Devoy <<a href="mailto:sdevoy@bizfocused.com">sdevoy@bizfocused.com</a>> wrote:<br>
<br>
> I will see if I can contribute. First, if you have not yet, change the<br>
default passwords. I get port scans every time I post addresses in pastebin.<br>
<br>
<br>
<br>
<br>
</div></div><div class="HOEnZb"><div class="h5">
</div></div></blockquote></div><br></div>
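An added illustration, not part of the original thread and not fail2ban's or FreeSWITCH's own code: the kind of threshold check that a fail2ban-style tool applies to authentication-failure log lines, run over constructed sample lines. The log line layout, the helper `find_offenders`, and its parameters are assumptions made for this sketch; adjust the pattern to your own logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout of a FreeSWITCH "SIP auth failure" warning line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ \[WARNING\] \S+ "
    r"SIP auth failure \(\w+\) .* from ip (?P<ip>\S+)$")

def _line(ts, user, ip):
    """Build one constructed log line (documentation-range addresses only)."""
    return (f"2013-04-26 {ts}.000000 [WARNING] sofia_reg.c:0 SIP auth failure "
            f"(REGISTER) on sofia profile 'internal' for [{user}@198.51.100.1] "
            f"from ip {ip}")

# Constructed sample: one burst from a scanner, one slow fat-fingered user,
# one burst from an address we choose to trust, and one unrelated line.
SAMPLE_LOG = [
    _line("15:00:01", "admin", "203.0.113.7"),
    "2013-04-26 15:00:02.000000 [NOTICE] switch_channel.c:0 New Channel",
    _line("15:00:03", "1000", "203.0.113.7"),
    _line("15:00:05", "test", "203.0.113.7"),
    _line("15:00:10", "1001", "192.0.2.44"),
    _line("15:00:20", "1002", "198.51.100.20"),
    _line("15:00:21", "1002", "198.51.100.20"),
    _line("15:00:22", "1002", "198.51.100.20"),
    _line("15:10:10", "1001", "192.0.2.44"),
    _line("15:20:10", "1001", "192.0.2.44"),
]

def find_offenders(lines, max_retry=3, find_time=timedelta(seconds=60), ignore=()):
    """Return {ip: time of the failure that crossed the threshold}."""
    recent = defaultdict(deque)  # ip -> failure timestamps inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["ip"] in ignore or m["ip"] in offenders:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:  # drop failures older than find_time
            window.popleft()
        if len(window) >= max_retry:
            offenders[m["ip"]] = ts
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG, ignore={"198.51.100.20"}).items():
        print(f"ban candidate {ip} (threshold crossed at {when})")
```

The sliding window is what separates a burst of guesses from a user who mistypes a password a few times over an hour; the `ignore` set plays the role of a trusted-address list.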