[Freeswitch-users] SIP invalid call attempts from unknown dialer

D M debianmailz at gmail.com
Tue Nov 22 10:42:29 MSK 2011


Hello,
I already have fail2ban configured with 2 freeswitch filters. Normally
adding another fail2ban filter would be fine, but the log does not show
what IP the attempt is coming from, and xx.xx.xx.xx in the log is the IP
of the freeswitch machine; obviously blocking that would be bad.

Regards,
Daniel


Sergey Okhapkin wrote 2011-11-21 17:11:
> http://wiki.freeswitch.org/wiki/Fail2ban
>
> On Monday 21 November 2011, D M wrote:
>> Hello,
>> I have noticed quite a few different attempts at accessing my freeswitch
>> machine via SIP that do not come from the company. I have attached
>> part of a log with such an attempt.
>>
>> My main concern is ensuring that similar attempts will not be able to
>> make external calls. I realize that any number made available externally
>> will also be accessible via this method, so my secondary concern is
>> throttling or preventing these types of attempts to avoid autodialer spam.
>>
>> This log repeats with around 12 call attempts per second for almost a
>> minute, with different attempts on seemingly random numbers. There
>> have been multiple different attempts to spam random numbers via SIP but
>> so far none has been successful. This log is the most relevant since it
>> made a single login attempt on a nonexistent user, after which it has
>> either successfully spoofed the IP of the freeswitch machine or used a
>> vulnerability in either my config or freeswitch.
>>
>> My config is the default freeswitch+fusionpbx installation on Ubuntu
>> 10.04.3 LTS with instructions from here
>> (http://wiki.fusionpbx.com/index.php?title=Easy_Ubuntu_10.04&oldid=1574).
>> With a few minor configuration changes:
>> * Registering is done via external domain pointing to the freeswitch
>> machine, NOT using the default port 5060
>> * Port 5060 is generally used for traffic with the SIP provider that
>> connects us to the phone network, but the port is not firewalled/restricted in
>> any other way
>>
>> This is an example log of a single login attempt and single call
>> attempt, the following modifications have been made:
>> * Freeswitch public ip has been changed to xx.xx.xx.xx
>> * 2 regexps have been changed from public telephone number to
>> /^publicnumber$/ and /^publicnumber2$/
>> * A large list of regexps has been replaced with <!-- Cut out
>> additional regex checks-->
>>
>> Please let me know if you need any more details or longer logs
>>
>> Thanks,
>> Daniel
>>
>> ##### LOG BEGIN #####
>>
>> 2011-11-18 15:27:33.293146 [WARNING] sofia_reg.c:2283 Can't find user
>> [1010 at xx.xx.xx.xx]
>> You must define a domain called 'xx.xx.xx.xx' in your directory and add
>> a user with the id="1010" attribute
>> and you must configure your device to use the proper domain in it's
>> authentication credentials.
>> 2011-11-18 15:27:36.633145 [NOTICE] switch_channel.c:897 New Channel
>> sofia/external/1010 at xx.xx.xx.xx:5060 [75cf1808-11f1-11e1-9c95-494fea388543]
>> 2011-11-18 15:27:36.633145 [DEBUG] sofia.c:5084 Channel
>> sofia/external/1010 at xx.xx.xx.xx:5060 entering state [received][100]
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:325
>> (sofia/external/1010 at xx.xx.xx.xx:5060) Running State Change CS_NEW
>> 2011-11-18 15:27:36.633145 [DEBUG] sofia.c:5095 Remote SDP:
>> v=0^M
>> o=1010 13216264671138 13216264671138 IN IP4 192.168.1.3^M
>> s=VaxSoft^M
>> c=IN IP4 192.168.1.3^M
>> t=0 0^M
>> m=audio 7000 RTP/AVP 0 8 3 98 101^M
>> a=rtpmap:0 PCMU/8000^M
>> a=rtpmap:8 PCMA/8000^M
>> a=rtpmap:3 GSM/8000^M
>> a=rtpmap:98 iLBC/8000^M
>> a=rtpmap:101 telephone-event/8000^M
>> a=fmtp:101 0-16^M
>>
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:343
>> (sofia/external/1010 at xx.xx.xx.xx:5060) State NEW
>> 2011-11-18 15:27:36.633145 [DEBUG] sofia_glue.c:4711 Audio Codec Compare
>> [PCMU:0:8000:20:64000]/[PCMA:8:8000:20:64000]
>> 2011-11-18 15:27:36.633145 [DEBUG] sofia_glue.c:4711 Audio Codec Compare
>> [PCMA:8:8000:20:64000]/[PCMA:8:8000:20:64000]
>> 2011-11-18 15:27:36.633145 [DEBUG] sofia_glue.c:2819 Set Codec
>> sofia/external/1010 at xx.xx.xx.xx:5060 PCMA/8000 20 ms 160 samples 64000 bits
>> 2011-11-18 15:27:36.633145 [DEBUG] sofia_glue.c:4825 Set 2833 dtmf
>> send/recv payload to 101
>> 2011-11-18 15:27:36.633145 [DEBUG] sofia.c:5284
>> (sofia/external/1010 at xx.xx.xx.xx:5060) State Change CS_NEW ->  CS_INIT
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_session.c:1154 Send
>> signal sofia/external/1010 at xx.xx.xx.xx:5060 [BREAK]
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:325
>> (sofia/external/1010 at xx.xx.xx.xx:5060) Running State Change CS_INIT
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:364
>> (sofia/external/1010 at xx.xx.xx.xx:5060) State INIT
>> 2011-11-18 15:27:36.633145 [DEBUG] mod_sofia.c:85
>> sofia/external/1010 at xx.xx.xx.xx:5060 SOFIA INIT
>> 2011-11-18 15:27:36.633145 [DEBUG] mod_sofia.c:125
>> (sofia/external/1010 at xx.xx.xx.xx:5060) State Change CS_INIT ->  CS_ROUTING
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_session.c:1154 Send
>> signal sofia/external/1010 at xx.xx.xx.xx:5060 [BREAK]
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:364
>> (sofia/external/1010 at xx.xx.xx.xx:5060) State INIT going to sleep
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:325
>> (sofia/external/1010 at xx.xx.xx.xx:5060) Running State Change CS_ROUTING
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_channel.c:1821
>> (sofia/external/1010 at xx.xx.xx.xx:5060) Callstate Change DOWN ->  RINGING
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:373
>> (sofia/external/1010 at xx.xx.xx.xx:5060) State ROUTING
>> 2011-11-18 15:27:36.633145 [DEBUG] mod_sofia.c:148
>> sofia/external/1010 at xx.xx.xx.xx:5060 SOFIA ROUTING
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:77
>> sofia/external/1010 at xx.xx.xx.xx:5060 Standard ROUTING
>> 2011-11-18 15:27:36.633145 [INFO] mod_dialplan_xml.c:336 Processing
>> MyName<1010>->972592182076 in context public
>> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 parsing [public->unloop]
>> continue=false
>> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (PASS) [unloop]
>> ${unroll_loops}(true) =~ /^true$/ break=on-false
>> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (FAIL) [unloop]
>> ${sip_looped_call}() =~ /^true$/ break=on-false
>> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 parsing
>> [public->outside_call] continue=true
>> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Absolute Condition
>> [outside_call]
>> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Action
>> set(outside_call=true)
>> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Action
>> set(RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)})
>> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 parsing
>> [public->call_debug] continue=true
>> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (FAIL) [call_debug]
>> ${call_debug}(false) =~ /^true$/ break=never
>> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 parsing
>> [public->public_extensions] continue=false
>> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (FAIL)
>> [public_extensions] destination_number(972592182076) =~
>> /^(10[01][0-9])$/ break=on-false
>> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 parsing [public->TEMP]
>> continue=false
>> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (PASS) [TEMP]
>> context(public) =~ /public/ break=on-false
>> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (FAIL) [TEMP]
>> destination_number(972592182076) =~ /^publicnumber$/ break=on-false
>> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 parsing
>> [public->Misc_Number] continue=false
>> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (PASS)
>> [Misc_Number] context(public) =~ /public/ break=on-false
>> Dialplan: sofia/external/1010 at xx.xx.xx.xx:5060 Regex (FAIL)
>> [Misc_Number] destination_number(972592182076) =~ /^publicnumber2$/
>> break=on-false
>> <!-- Cut out additional regex checks-->
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:119
>> (sofia/external/1010 at xx.xx.xx.xx:5060) State Change CS_ROUTING ->  CS_EXECUTE
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_session.c:1154 Send
>> signal sofia/external/1010 at xx.xx.xx.xx:5060 [BREAK]
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:373
>> (sofia/external/1010 at xx.xx.xx.xx:5060) State ROUTING going to sleep
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:325
>> (sofia/external/1010 at xx.xx.xx.xx:5060) Running State Change CS_EXECUTE
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:380
>> (sofia/external/1010 at xx.xx.xx.xx:5060) State EXECUTE
>> 2011-11-18 15:27:36.633145 [DEBUG] mod_sofia.c:241
>> sofia/external/1010 at xx.xx.xx.xx:5060 SOFIA EXECUTE
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:157
>> sofia/external/1010 at xx.xx.xx.xx:5060 Standard EXECUTE
>> EXECUTE sofia/external/1010 at xx.xx.xx.xx:5060 set(outside_call=true)
>> 2011-11-18 15:27:36.633145 [DEBUG] mod_dptools.c:1063
>> sofia/external/1010 at xx.xx.xx.xx:5060 SET [outside_call]=[true]
>> EXECUTE sofia/external/1010 at xx.xx.xx.xx:5060 set(RFC2822_DATE=Fri, 18
>> Nov 2011 15:27:36 +0100)
>> 2011-11-18 15:27:36.633145 [DEBUG] mod_dptools.c:1063
>> sofia/external/1010 at xx.xx.xx.xx:5060 SET [RFC2822_DATE]=[Fri, 18 Nov
>> 2011 15:27:36 +0100]
>> 2011-11-18 15:27:36.633145 [NOTICE] switch_core_state_machine.c:189
>> sofia/external/1010 at xx.xx.xx.xx:5060 has executed the last dialplan
>> instruction, hanging up.
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_channel.c:2739
>> (sofia/external/1010 at xx.xx.xx.xx:5060) Callstate Change RINGING ->  HANGUP
>> 2011-11-18 15:27:36.633145 [NOTICE] switch_core_state_machine.c:191
>> Hangup sofia/external/1010 at xx.xx.xx.xx:5060 [CS_EXECUTE] [NORMAL_CLEARING]
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_channel.c:2755 Send signal
>> sofia/external/1010 at xx.xx.xx.xx:5060 [KILL]
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_session.c:1154 Send
>> signal sofia/external/1010 at xx.xx.xx.xx:5060 [BREAK]
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:380
>> (sofia/external/1010 at xx.xx.xx.xx:5060) State EXECUTE going to sleep
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:325
>> (sofia/external/1010 at xx.xx.xx.xx:5060) Running State Change CS_HANGUP
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:575
>> (sofia/external/1010 at xx.xx.xx.xx:5060) State HANGUP
>> 2011-11-18 15:27:36.633145 [DEBUG] mod_sofia.c:458 Channel
>> sofia/external/1010 at xx.xx.xx.xx:5060 hanging up, cause: NORMAL_CLEARING
>> 2011-11-18 15:27:36.633145 [DEBUG] mod_sofia.c:522 Responding to INVITE
>> with: 480
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:46
>> sofia/external/1010 at xx.xx.xx.xx:5060 Standard HANGUP, cause: NORMAL_CLEARING
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:575
>> (sofia/external/1010 at xx.xx.xx.xx:5060) State HANGUP going to sleep
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:356
>> (sofia/external/1010 at xx.xx.xx.xx:5060) State Change CS_HANGUP ->  CS_REPORTING
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_session.c:1154 Send
>> signal sofia/external/1010 at xx.xx.xx.xx:5060 [BREAK]
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:325
>> (sofia/external/1010 at xx.xx.xx.xx:5060) Running State Change CS_REPORTING
>> 2011-11-18 15:27:36.633145 [DEBUG] switch_core_state_machine.c:635
>> (sofia/external/1010 at xx.xx.xx.xx:5060) State REPORTING
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> 
>> 
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
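
The burst described in the original post (around 12 call attempts per second into the public context) can be picked out of the log by its rate alone, as in this added Python example, which is not part of the thread or of FreeSWITCH. The sample lines are constructed in the format of the `mod_dialplan_xml.c` "Processing" entry quoted above; `find_bursts`, its window and its threshold are assumptions chosen for illustration, and the result identifies the caller number and rate only, since these entries carry no source address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "Processing" line written by mod_dialplan_xml, in the format quoted in the thread.
PROCESSING = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{6}) \[INFO\] mod_dialplan_xml\.c:\d+ "
    r"Processing (?P<name>.*)<(?P<num>[^>]*)>->(?P<dest>\S+) in context (?P<ctx>\S+)"
)

def find_bursts(lines, context="public", window_s=1.0, threshold=10):
    """Return {caller_number: stats} for callers whose attempts into `context`
    reach `threshold` within any sliding window of `window_s` seconds."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # caller number -> timestamps inside the window
    stats = defaultdict(lambda: {"peak": 0, "total": 0, "dests": set()})
    for line in lines:
        m = PROCESSING.match(line.strip())
        if not m or m["ctx"] != context:
            continue  # other log entries and other contexts are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        q = recent[m["num"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        s = stats[m["num"]]
        s["total"] += 1
        s["dests"].add(m["dest"])
        s["peak"] = max(s["peak"], len(q))
    return {num: s for num, s in stats.items() if s["peak"] >= threshold}

def sample_log():
    """Constructed input: 12 attempts in under a second from caller 1010 to
    made-up destinations, one ordinary inbound call, one unrelated DEBUG line."""
    base = datetime(2011, 11, 18, 15, 27, 36)
    fmt = "{} [INFO] mod_dialplan_xml.c:336 Processing {}<{}>->{} in context public"
    lines = [fmt.format((base + timedelta(milliseconds=80 * i)).strftime("%Y-%m-%d %H:%M:%S.%f"),
                        "MyName", "1010", f"00000000{i:02d}") for i in range(12)]
    lines.append(fmt.format("2011-11-18 15:27:40.000000", "Alice", "2000", "publicnumber"))
    lines.append("2011-11-18 15:27:40.000000 [DEBUG] mod_sofia.c:85 SOFIA INIT")
    return lines

if __name__ == "__main__":
    for num, s in find_bursts(sample_log()).items():
        print(f"caller {num}: peak {s['peak']} attempts per window, "
              f"{s['total']} attempts, {len(s['dests'])} distinct destinations")
```
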
