[Freeswitch-users] SIP invalid call attempts from unknown dialer

Sergey Okhapkin sos at sokhapkin.dyndns.org
Mon Nov 21 19:11:53 MSK 2011


http://wiki.freeswitch.org/wiki/Fail2ban

On Monday 21 November 2011, D M wrote:
> Hello,
> I have noticed quite a few different attempts on accessing my freeswitch
> machine via SIP that do not come from the company. I have attached
> part of a log with such an attempt.
> 
> My main concern is ensuring that similar attempts will not be able to
> make external calls. I realize that any number made available externally
> will also be accessible via this method so my secondary concern is
> throttling or preventing these types of attempts to avoid autodialer spam.
> 
> This log repeats with around 12 call attempts per second for almost a
> minute times with different attempts on seemingly random numbers. There
> have been multiple different attempts to spam random numbers via SIP but
> so far none has been successful. This log is the most relevant since it
> made a single login attempt on a nonexistent user after which it has
> either successfully spoofed the ip of the freeswitch machine or used a
> vulnerability in either my config or freeswitch.
> 
> My config is the default freeswitch+fusionpbx installation on Ubuntu
> 10.04.3 LTS with instructions from here
> (http://wiki.fusionpbx.com/index.php?title=Easy_Ubuntu_10.04&oldid=1574).
> With a few minor configuration changes:
> * Registering is done via external domain pointing to the freeswitch
> machine, NOT using the default port 5060
> * Port 5060 is generally used for traffic with SIP provider that
> connects us to phone network but the port is not firewalled/restricted in
> any other way
> 
> This is an example log of a single login attempt and single call
> attempt, the following modifications have been made:
> * Freeswitch public ip has been changed to xx.xx.xx.xx
> * 2 regexps have been changed from public telephone number to
> /^publicnumber$/ and /^publicnumber2$/
> * A large list of regexps has been replaced with <!-- Cut out
> additional regex checks-->
> 
> Please let me know if you need any more details or longer logs
> 
> Thanks,
> Daniel
> 
> ##### LOG BEGIN #####
> 
> 2011-11-18 15:27:33.293146 [WARNING] sofia_reg.c:2283 Can't find user
> [1010 at xx.xx.xx.xx]
> You must define a domain called 'xx.xx.xx.xx' in your directory and add
> a user with the id="1010" attribute
> and you must configure your device to use the proper domain in it's
> authentication credentials.
> 2011-11-18 15:27:36.633145 [NOTICE] switch_channel.c:897 New Channel
> sofia/external/1010 at xx.xx.xx.xx:5060 [75cf1808-11f1-11e1-9c95-494fea388543]
> 2011-11-18 15:27:36.633145 [DEBUG] sofia.c:5084 Channel
> sofia/external/1010 at xx.xx.xx.xx:5060 entering state [received][100]
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:325
> (sofia/external/1010 at xx.xx.xx.xx:5060) Running State Change CS_NEW
> 2011-11-18 15:27:36.633145 [DEBUG] sofia.c:5095 Remote SDP:
> v=0^M
> o=1010 13216264671138 13216264671138 IN IP4 192.168.1.3^M
> s=VaxSoft^M
> c=IN IP4 192.168.1.3^M
> t=0 0^M
> m=audio 7000 RTP/AVP 0 8 3 98 101^M
> a=rtpmap:0 PCMU/8000^M
> a=rtpmap:8 PCMA/8000^M
> a=rtpmap:3 GSM/8000^M
> a=rtpmap:98 iLBC/8000^M
> a=rtpmap:101 telephone-event/8000^M
> a=fmtp:101 0-16^M
> 
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:343
> (sofia/external/1010 at xx.xx.xx.xx:5060) State NEW
> 2011-11-18 15:27:36.633145 [DEBUG] sofia_glue.c:4711 Audio Codec Compare
> [PCMU:0:8000:20:64000]/[PCMA:8:8000:20:64000]
> 2011-11-18 15:27:36.633145 [DEBUG] sofia_glue.c:4711 Audio Codec Compare
> [PCMA:8:8000:20:64000]/[PCMA:8:8000:20:64000]
> 2011-11-18 15:27:36.633145 [DEBUG] sofia_glue.c:2819 Set Codec
> sofia/external/1010 at xx.xx.xx.xx:5060 PCMA/8000 20 ms 160 samples 64000 bits
> 2011-11-18 15:27:36.633145 [DEBUG] sofia_glue.c:4825 Set 2833 dtmf
> send/recv payload to 101
> 2011-11-18 15:27:36.633145 [DEBUG] sofia.c:5284
> (sofia/external/1010 at xx.xx.xx.xx:5060) State Change CS_NEW -> CS_INIT
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_session.c:1154 Send
> signal sofia/external/1010 at xx.xx.xx.xx:5060 [BREAK]
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:325
> (sofia/external/1010 at xx.xx.xx.xx:5060) Running State Change CS_INIT
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:364
> (sofia/external/1010 at xx.xx.xx.xx:5060) State INIT
> 2011-11-18 15:27:36.633145 [DEBUG] mod_sofia.c:85
> sofia/external/1010 at xx.xx.xx.xx:5060 SOFIA INIT
> 2011-11-18 15:27:36.633145 [DEBUG] mod_sofia.c:125
> (sofia/external/1010 at xx.xx.xx.xx:5060) State Change CS_INIT -> CS_ROUTING
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_session.c:1154 Send
> signal sofia/external/1010 at xx.xx.xx.xx:5060 [BREAK]
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:364
> (sofia/external/1010 at xx.xx.xx.xx:5060) State INIT going to sleep
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:325
> (sofia/external/1010 at xx.xx.xx.xx:5060) Running State Change CS_ROUTING
> 2011-11-18 15:27:36.633145 [DEBUG] switch_channel.c:1821
> (sofia/external/1010 at xx.xx.xx.xx:5060) Callstate Change DOWN -> RINGING
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:373
> (sofia/external/1010 at xx.xx.xx.xx:5060) State ROUTING
> 2011-11-18 15:27:36.633145 [DEBUG] mod_sofia.c:148
> sofia/external/1010 at xx.xx.xx.xx:5060 SOFIA ROUTING
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:77
> sofia/external/1010 at xx.xx.xx.xx:5060 Standard ROUTING
> 2011-11-18 15:27:36.633145 [INFO] mod_dialplan_xml.c:336 Processing
> MyName <1010>->972592182076 in context public
> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 parsing [public->unloop]
> continue=false
> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (PASS) [unloop]
> ${unroll_loops}(true) =~ /^true$/ break=on-false
> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (FAIL) [unloop]
> ${sip_looped_call}() =~ /^true$/ break=on-false
> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 parsing
> [public->outside_call] continue=true
> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Absolute Condition
> [outside_call]
> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Action
> set(outside_call=true)
> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Action
> set(RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)})
> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 parsing
> [public->call_debug] continue=true
> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (FAIL) [call_debug]
> ${call_debug}(false) =~ /^true$/ break=never
> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 parsing
> [public->public_extensions] continue=false
> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (FAIL)
> [public_extensions] destination_number(972592182076) =~
> /^(10[01][0-9])$/ break=on-false
> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 parsing [public->TEMP]
> continue=false
> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (PASS) [TEMP]
> context(public) =~ /public/ break=on-false
> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (FAIL) [TEMP]
> destination_number(972592182076) =~ /^publicnumber$/ break=on-false
> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 parsing
> [public->Misc_Number] continue=false
> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (PASS)
> [Misc_Number] context(public) =~ /public/ break=on-false
> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (FAIL)
> [Misc_Number] destination_number(972592182076) =~ /^publicnumber2$/
> break=on-false
> <!-- Cut out additional regex checks-->
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:119
> (sofia/external/1010 at xx.xx.xx.xx:5060) State Change CS_ROUTING ->
> CS_EXECUTE
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_session.c:1154 Send
> signal sofia/external/1010 at xx.xx.xx.xx:5060 [BREAK]
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:373
> (sofia/external/1010 at xx.xx.xx.xx:5060) State ROUTING going to sleep
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:325
> (sofia/external/1010 at xx.xx.xx.xx:5060) Running State Change CS_EXECUTE
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:380
> (sofia/external/1010 at xx.xx.xx.xx:5060) State EXECUTE
> 2011-11-18 15:27:36.633145 [DEBUG] mod_sofia.c:241
> sofia/external/1010 at xx.xx.xx.xx:5060 SOFIA EXECUTE
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:157
> sofia/external/1010 at xx.xx.xx.xx:5060 Standard EXECUTE
> EXECUTE sofia/external/1010 at xx.xx.xx.xx:5060 set(outside_call=true)
> 2011-11-18 15:27:36.633145 [DEBUG] mod_dptools.c:1063
> sofia/external/1010 at xx.xx.xx.xx:5060 SET [outside_call]=[true]
> EXECUTE sofia/external/1010 at xx.xx.xx.xx:5060 set(RFC2822_DATE=Fri, 18
> Nov 2011 15:27:36 +0100)
> 2011-11-18 15:27:36.633145 [DEBUG] mod_dptools.c:1063
> sofia/external/1010 at xx.xx.xx.xx:5060 SET [RFC2822_DATE]=[Fri, 18 Nov
> 2011 15:27:36 +0100]
> 2011-11-18 15:27:36.633145 [NOTICE] switch_core_state_machine.c:189
> sofia/external/1010 at xx.xx.xx.xx:5060 has executed the last dialplan
> instruction, hanging up.
> 2011-11-18 15:27:36.633145 [DEBUG] switch_channel.c:2739
> (sofia/external/1010 at xx.xx.xx.xx:5060) Callstate Change RINGING -> HANGUP
> 2011-11-18 15:27:36.633145 [NOTICE] switch_core_state_machine.c:191
> Hangup sofia/external/1010 at xx.xx.xx.xx:5060 [CS_EXECUTE] [NORMAL_CLEARING]
> 2011-11-18 15:27:36.633145 [DEBUG] switch_channel.c:2755 Send signal
> sofia/external/1010 at xx.xx.xx.xx:5060 [KILL]
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_session.c:1154 Send
> signal sofia/external/1010 at xx.xx.xx.xx:5060 [BREAK]
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:380
> (sofia/external/1010 at xx.xx.xx.xx:5060) State EXECUTE going to sleep
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:325
> (sofia/external/1010 at xx.xx.xx.xx:5060) Running State Change CS_HANGUP
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:575
> (sofia/external/1010 at xx.xx.xx.xx:5060) State HANGUP
> 2011-11-18 15:27:36.633145 [DEBUG] mod_sofia.c:458 Channel
> sofia/external/1010 at xx.xx.xx.xx:5060 hanging up, cause: NORMAL_CLEARING
> 2011-11-18 15:27:36.633145 [DEBUG] mod_sofia.c:522 Responding to INVITE
> with: 480
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:46
> sofia/external/1010 at xx.xx.xx.xx:5060 Standard HANGUP, cause:
> NORMAL_CLEARING
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:575
> (sofia/external/1010 at xx.xx.xx.xx:5060) State HANGUP going to sleep
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:356
> (sofia/external/1010 at xx.xx.xx.xx:5060) State Change CS_HANGUP ->
> CS_REPORTING
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_session.c:1154 Send
> signal sofia/external/1010 at xx.xx.xx.xx:5060 [BREAK]
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:325
> (sofia/external/1010 at xx.xx.xx.xx:5060) Running State Change CS_REPORTING
> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:635
> (sofia/external/1010 at xx.xx.xx.xx:5060) State REPORTING
> 

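A log-side check for the pattern described in the quoted message, as an added example that is not part of either post: it scans log lines in the format quoted above for bursts of public-context calls from one caller ID and counts how many fell through the dialplan. The sample lines, the `pbx.example.invalid` domain, the thresholds and the function names are constructed for illustration; the quoted lines carry no source address, so the grouping key here is the caller ID.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{6}) "
AT = r"(?:@| at )"  # the list archive rewrites "@" as " at "; accept both
NO_USER = re.compile(TS + r"\[WARNING\] sofia_reg\.c:\d+ Can't find user \[(?P<user>[^\]\s@]+)" + AT)
ROUTED = re.compile(TS + r"\[INFO\] mod_dialplan_xml\.c:\d+ Processing .*<(?P<caller>[^>]*)>->(?P<dest>\S+) in context public\b")
FELL_THROUGH = re.compile(TS + r"\[NOTICE\] switch_core_state_machine\.c:\d+ sofia/external/(?P<caller>[^@\s]+)"
                          + AT + r"\S+ has executed the last dialplan instruction")

def find_bursts(lines, window=timedelta(seconds=5), threshold=10):
    """Return {caller: stats} for callers whose public-context call count
    reaches `threshold` inside any sliding `window` (assumed values)."""
    recent = defaultdict(deque)  # caller -> timestamps still inside the window
    stats = defaultdict(lambda: {"calls": 0, "dests": set(), "unmatched": 0,
                                 "peak": 0, "unknown_user": False})
    for line in lines:
        if m := NO_USER.search(line):
            stats[m["user"]]["unknown_user"] = True      # failed lookup of this user id
        elif m := ROUTED.search(line):
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            q = recent[m["caller"]]
            q.append(ts)
            while ts - q[0] > window:                     # drop calls older than the window
                q.popleft()
            s = stats[m["caller"]]
            s["calls"] += 1
            s["dests"].add(m["dest"])
            s["peak"] = max(s["peak"], len(q))
        elif m := FELL_THROUGH.search(line):
            stats[m["caller"]]["unmatched"] += 1          # no public extension matched
    return {c: s for c, s in stats.items() if s["peak"] >= threshold}

def constructed_sample():
    """Constructed log lines in the quoted format (not real traffic)."""
    host = "pbx.example.invalid"
    lines = [f"2011-01-01 00:00:00.000000 [WARNING] sofia_reg.c:2283 Can't find user [1010@{host}]"]
    for i in range(12):  # 12 attempts inside one second, each to a different number
        ts = f"2011-01-01 00:00:03.{i * 80000:06d}"
        lines.append(f"{ts} [INFO] mod_dialplan_xml.c:336 Processing MyName <1010>->55501{i:02d} in context public")
        lines.append(f"{ts} [NOTICE] switch_core_state_machine.c:189 sofia/external/1010@{host}:5060 "
                     "has executed the last dialplan instruction, hanging up.")
    lines.append("2011-01-01 00:00:09.000000 [INFO] mod_dialplan_xml.c:336 Processing Alice <2001>->5550199 in context public")
    return lines

if __name__ == "__main__":
    for caller, s in find_bursts(constructed_sample()).items():
        print(caller, s["calls"], "calls,", len(s["dests"]), "destinations,", s["unmatched"], "fell through")
```

A caller with a high `peak`, as many distinct destinations as calls, and every call falling through the public dialplan is the autodialer pattern from the quoted log; a single inbound call such as the constructed `2001` line stays below the threshold.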


