<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="margin: 0px;" class="">Thank you really Michael, David and Brian,</div><div style="margin: 0px;" class=""><br class=""></div><div style="margin: 0px;" class="">I did a simple change to the external SIP profile which resolved the issue from my point of view.</div><div style="margin: 0px;" class=""><br class=""></div><div style="margin: 0px;" class="">What I did is I added the below line to the external SIP profile, which informs it to validate any request from an external system against the ACL list.</div><div style="margin: 0px;" class=""><font color="#38571a" class=""><br class=""></font></div><div style="margin: 0px;" class=""><font color="#38571a" class=""><span style="font-family: -apple-system-font; line-height: 16px;" class="">&lt;param </span><span style="font-family: -apple-system-font; line-height: 16px;" class="">name</span><span style="font-family: -apple-system-font; line-height: 16px;" class="">=</span><span style="font-family: -apple-system-font; line-height: 16px;" class="">"apply-inbound-acl"</span><span style="font-family: -apple-system-font; line-height: 16px;" class=""> </span><span style="font-family: -apple-system-font; line-height: 16px;" class="">value</span><span style="font-family: -apple-system-font; line-height: 16px;" class="">=</span><span style="font-family: -apple-system-font; line-height: 16px;" class="">"domains"</span><span style="font-family: -apple-system-font; line-height: 16px;" class="">/&gt;</span></font></div><div style="margin: 0px;" class=""><br class=""></div><div style="margin: 0px;" class=""><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif; color: rgb(127, 127, 127);" class=""><b class="">From: </b></span><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif;" 
class="">Michael Collins <<a href="mailto:msc@freeswitch.org" class="">msc@freeswitch.org</a>><br class=""></span></div><div style="margin: 0px;" class=""><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif; color: rgb(127, 127, 127);" class=""><b class="">To: </b></span><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif;" class="">FreeSWITCH Users Help <<a href="mailto:freeswitch-users@lists.freeswitch.org" class="">freeswitch-users@lists.freeswitch.org</a>><br class=""></span></div><div style="margin: 0px;" class=""><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif; color: rgb(127, 127, 127);" class=""><b class="">Date: </b></span><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif;" class="">January 15, 2015 at 7:19:07 AM GMT+3<br class=""></span></div><div style="margin: 0px;" class=""><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif; color: rgb(127, 127, 127);" class=""><b class="">Reply-To: </b></span><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif;" class="">FreeSWITCH Users Help <<a href="mailto:freeswitch-users@lists.freeswitch.org" class="">freeswitch-users@lists.freeswitch.org</a>><br class=""></span></div><div style="margin: 0px;" class=""><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif; color: rgb(127, 127, 127);" class=""><b class="">Subject: </b></span><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif;" class=""><b class="">Re: [Freeswitch-users] Security Issue</b><br class=""></span></div><br class=""><br class=""><div dir="ltr" class=""><br class=""><div class="gmail_extra"><br class=""><div class="gmail_quote">On Wed, Jan 14, 2015 at 9:40 AM, Ahmed Habiba <span dir="ltr" class=""><<a href="mailto:ahabiba@gmail.com" target="_blank" 
class="">ahabiba@gmail.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex;"><div style="word-wrap: break-word;" class=""><div style="margin: 0px;" class="">Thank you really David,</div><div style="margin: 0px;" class=""><br class=""></div><div style="margin: 0px;" class="">Here is my point: the sip-trace in the first mail shows that the call comes to the public context mainly through port 5080, and although the originator IP was not defined in my ACL list, FreeSWITCH continues to process the call for some reason.</div></div></blockquote><div class="">Just an FYI, the external profile does not have the auth-calls param set to true, so FS simply tries to route the call in the public context without sending back an auth challenge. Since the public context is pretty paranoid it's not exactly easy to dial out. Also, just because FS tries to route the call does not mean that FS considers the call to be "authenticated." <br class=""><br class=""></div><div class="">If you want all traffic coming in to your server to be authenticated then either send it all to the internal profile (i.e. port 5060) or add auth-calls to your external profile.<br class=""><br class=""></div><div class="">The bigger question you may want to ask is: why are these random IPs even getting to your server? Do you allow public access to your system? If so, why? If not, then you need a firewall (iptables or whatnot) to block those SIP messages from ever getting to your FreeSWITCH. 
You may also be interested in something like fail2ban and <a href="http://voipbl.org" class="">voipbl.org</a>.<br class=""><br class=""></div><div class="">-MC<br class=""></div></div><div class="gmail_quote"><div class=""> <br class=""></div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex;"><div style="word-wrap: break-word;" class=""><div style="margin: 0px;" class=""><br class=""></div><div style="margin: 0px;" class="">Even if it comes to 5060, I was expecting some request for digest authentication, which is not shown in the log.</div><div style="margin: 0px;" class=""><br class=""></div><div style="margin: 0px;" class=""><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif; color: rgb(127, 127, 127);" class=""><b class="">From: </b></span><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif;" class="">David Villasmil Govea <<a href="mailto:david.villasmil@gmail.com" target="_blank" class="">david.villasmil@gmail.com</a>><br class=""></span></div><span class=""><div style="margin: 0px;" class=""><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif; color: rgb(127, 127, 127);" class=""><b class="">To: </b></span><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif;" class="">FreeSWITCH Users Help <<a href="mailto:freeswitch-users@lists.freeswitch.org" target="_blank" class="">freeswitch-users@lists.freeswitch.org</a>><br class=""></span></div></span><div style="margin: 0px;" class=""><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif; color: rgb(127, 127, 127);" class=""><b class="">Date: </b></span><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif;" class="">January 14, 2015 at 8:30:35 PM GMT+3<br class=""></span></div><div 
class=""><div class="h5"><div style="margin: 0px;" class=""><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif; color: rgb(127, 127, 127);" class=""><b class="">Reply-To: </b></span><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif;" class="">FreeSWITCH Users Help <<a href="mailto:freeswitch-users@lists.freeswitch.org" target="_blank" class="">freeswitch-users@lists.freeswitch.org</a>><br class=""></span></div><div style="margin: 0px;" class=""><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif; color: rgb(127, 127, 127);" class=""><b class="">Subject: </b></span><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif;" class=""><b class="">Re: [Freeswitch-users] Security Issue</b><br class=""></span></div><br class=""><br class=""><p dir="ltr" class="">Authorization is done if you configure your sip profile to do it. By default 5060 (internal) requires authentication, 5080 (external) doesn't but it does use the ACL to allow or not calls.<br class=""></p><div class=""><br class=""></div></div></div></div></blockquote></div></div></div></body></html>