Also do you know how the password was gained? If it was brute-forced look at implementing a secure password policy and using fail2ban to detect and block brute forcing attacks<br><br>On Wednesday, October 22, 2014, Stanislav Sinyagin <<a href="mailto:ssinyagin@gmail.com">ssinyagin@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>(now on a normal keyboard)<br></div>Kamil, <br></div><br>when you use the "limit" application and increase the user's counter, it keeps its value only within the context where it was originally called. If you, for example, used pieces of the original (Vanilla) FreeSWITCH configuration, there are bind_meta_app bindings which send the call into another context ("features"). Once it's done, the user's limit counter is lost, and you need to increment it again in the new context.<br><br></div>Also, why don't you implement daily and monthly minute limits and block the user as soon as these limits are reached?<br><br><br><br><div><br> <br><div><br><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 21, 2014 at 9:21 PM, Stanislav Sinyagin <span dir="ltr"><<a href="javascript:_e(%7B%7D,'cvml','ssinyagin@gmail.com');" target="_blank">ssinyagin@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><p dir="ltr">Limit resets as soon as the call leaves the context - could that be the reason?</p>
<div class="gmail_quote"><div><div>On Oct 21, 2014 8:44 PM, "Kamil Nigmatullin" <<a href="javascript:_e(%7B%7D,'cvml','kamil.nigmatullin@gmail.com');" target="_blank">kamil.nigmatullin@gmail.com</a>> wrote:<br type="attribution"></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div><div dir="ltr"><div><div>Dear all, <br><br></div>Today we had an attack. One of our
clients lost password to his SIP account. So with this password
attackers made calls on our client's behalf to very expensive
destinations. <br><br>We have Opensips as a border controller and
Freeswitch as a Softswitch. This phone was confugured for 1 concurrent
line using module limit of FS. Howerver they somehow managed to make
several concurrent calls per one account. On CDR's we found that there
was Attended transfer. Does anybody knows what kind of attack was that
and how I can protect us against this? Is it sip refer attack when attacker set REFERED BY HEADER?<br><br></div><div>When I check if limit works whith a sipphone, I see that it worked 100%. <br></div><div><br></div>Thanks in advance <br clear="all"><br>-- <br><div dir="ltr">Kamil Nigmatullin<br>Tel: 77272323748<br>mob: 7 (707) 2517003<br>Skype: kamil.nigmatullin</div>
</div>
<br></div></div>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="javascript:_e(%7B%7D,'cvml','consulting@freeswitch.org');" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" target="_blank">http://confluence.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="javascript:_e(%7B%7D,'cvml','FreeSWITCH-users@lists.freeswitch.org');" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br></blockquote></div>
</blockquote></div><br></div></div></div></div></div></div>
</blockquote>