[Freeswitch-users] Hacking FS issue

Lawrence Conroy lconroy at insensate.co.uk
Thu Sep 27 03:09:50 MSD 2012


Hi There,
 welcome to our world; hope it didn't cost too much.
Frontier were pro-active, which is very good. Don't forget to thank them.
I'd guess that this particular bunch are coming from IP addresses provided in the West Bank and/or Gaza; that's from where my "visitors" appeared to originate.

1st rule of fight club: Firewalls are no use for a server that is going to listen for requests from the Internet and allow authenticated calls to be placed from any IP address.

You MUST have reasonable passwords, plus fail2ban is easy to set up and works just fine [unless you're using Windoz, in which case God hates you**].

For more refined control (if you know where your external contacts are coming from) ...

Consider setting up ACLs (nailing down the IP address ranges from which you'll accept incalls) in autoload/acl.conf.xml -- the "domains" definition there is one place to add in your external correspondents.

Also, consider using cidr= parameters in your directory folder for each of your users (if they will only attempt to register or place calls from given address ranges).
Then enable ACLs for incalls in your sip profile(s).

This is all covered on wiki.freeswitch.org -- search for ACLs and take it from there.

BTW, you WILL be confused by setting explicit ACLs on registration -- leave that one commented out until you know what it actually does, as it's probably not what you expect. Several strong cups of coffee and protracted meditation may help.

Main message:
-- Immediately - fix the passwords so they're not easy to guess [as the bad guys *will* try again and again until they get it right].
-- set up fail2ban (which has its own page on the wiki) exactly as proposed. <======= MOST IMPORTANT
-- lose the belief that firewalls are going to help protect an Internet-listening server as, logically, they can't
Finally, be amazed at the occasional "block" reports in the fail2ban logfile, and wonder how you got away with it for so long.

all the best,
  Lawrence
** There was apparently a talk on how Windows users could get something close to a fail2ban-style setup (IIRC, it was on the weekly conf call a while back)
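The thread's advice (per-user cidr= ranges in the directory, log-auth-failures, a fail2ban-style ban) turned into a check over log lines of the kind Todd posted. This is an added example, not code from the thread or from FreeSWITCH; it assumes a constructed policy allowing extension 1000 only from 192.168.1.0/24, treats 011-prefixed destinations as international, and the sample lines are constructed from the quoted log with colour codes removed and "@" restored.

```python
import ipaddress
import re

# Allowed source ranges per extension, mirroring what the cidr= attribute on a
# directory <user> entry enforces (assumed values for this example).
ALLOWED_CIDR = {"1000": ["192.168.1.0/24"]}
INTERNATIONAL_PREFIXES = ("011",)  # destinations worth an extra look

NEW_CHANNEL = re.compile(
    r"New Channel sofia/\S+?/(?P<user>[^@\s]+)@(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
PROCESSING = re.compile(
    r"Processing (?P<ext>\S+) <[^>]*>->(?P<dest>\S+) in context (?P<ctx>\S+)")

# Constructed sample patterned on the log quoted in the thread (ANSI colour
# codes removed, "@" restored); the second call is a legitimate LAN call.
SAMPLE_LOG = """\
2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000@50.47.85.167 [af778857-0188-4ed2-a82a-94ae749a02cb]
2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168521352 in context default
2012-09-23 16:30:29.936831 [NOTICE] switch_channel.c:941 New Channel sofia/internal/01137168521352@192.168.1.5:5061 [d1243a78-c464-45fa-9215-e7b85e1221fc]
2012-09-23 16:30:52.356865 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000@192.168.1.20 [4576bc76-144a-4f6f-8915-871b511c374d]
2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->2001 in context default
"""


def audit(log_text, allowed=ALLOWED_CIDR):
    """Pair each dialplan 'Processing' line with the preceding inbound
    'New Channel' line and flag calls that break the per-user policy."""
    findings = []
    last = None  # (user, ip) from the most recent New Channel line
    for line in log_text.splitlines():
        m = NEW_CHANNEL.search(line)
        if m:
            last = (m["user"], m["ip"])
            continue
        m = PROCESSING.search(line)
        if not m or last is None or last[0] != m["ext"]:
            continue  # outbound legs and unrelated lines are skipped
        ext, ip, dest = m["ext"], last[1], m["dest"]
        reasons = []
        nets = [ipaddress.ip_network(c) for c in allowed.get(ext, [])]
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            reasons.append("source-ip-outside-cidr")
        if dest.startswith(INTERNATIONAL_PREFIXES):
            reasons.append("international-dial")
        findings.append({"ext": ext, "ip": ip, "dest": dest, "reasons": reasons})
    return findings


def ips_to_block(findings):
    # Source IPs a fail2ban-style action would ban: calls from outside the range.
    return sorted({f["ip"] for f in findings if "source-ip-outside-cidr" in f["reasons"]})
```

The same pairing logic can be pointed at a live freeswitch.log; the cidr= attribute makes FreeSWITCH reject such INVITEs before the dialplan runs, so in a correctly locked-down box the "source-ip-outside-cidr" reason should never appear.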

On 26 Sep 2012, at 19:54, Nelson Luiz Ferraz de Camargo Penteado wrote:
> I really think that people give way too much importance to firewalls,
> especially stateless ones; blocking ports isn't going to do much for you
> unless you are trying to hide vulnerable services behind it.
> 
> They used the extension 1000 to make the calls, so I would say: activate
> log-auth-failures on your profile, set up fail2ban and get stronger
> passwords.
> 
> If you want to go further you can use a stateful firewall limiting
> connections and set up an IDS (recommend Snort).
> On Sep 26, 2012 8:29 PM, "Todd Bailey" <toddb at toddbailey.net> wrote:
> 
>> 
>> Hey All,
>> 
>> 
>> I just got an email from Frontier that there were several attempts to
>> make international calls.
>> 
>> 
>> I checked the log file and verified that somehow someone was able to get
>> access to FS from the internet.
>> 
>> 
>> here is a sample of the log
>> 
>> 2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [af778857-0188-4ed2-a82a-94ae749a02cb]
>> 2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168521352 in context default
>> 2012-09-23 16:30:29.936831 [NOTICE] switch_channel.c:941 New Channel sofia/internal/01137168521352 at 192.168.1.5:5061 [d1243a78-c464-45fa-9215-e7b85e1221fc]
>> 2012-09-23 16:30:29.956842 [NOTICE] sofia.c:6132 Ring-Ready sofia/internal/01137168521352 at 192.168.1.5:5061!
>> 2012-09-23 16:30:29.956842 [NOTICE] mod_sofia.c:2572 Ring-Ready sofia/internal/1000 at 50.47.85.167!
>> 2012-09-23 16:30:29.956842 [NOTICE] switch_ivr_originate.c:519 Ring Ready sofia/internal/1000 at 50.47.85.167!
>> 2012-09-23 16:30:32.936826 [NOTICE] sofia.c:6777 Channel [sofia/internal/01137168521352 at 192.168.1.5:5061] has been answered
>> 2012-09-23 16:30:32.956825 [NOTICE] sofia_glue.c:4176 Pre-Answer sofia/internal/1000 at 50.47.85.167!
>> 2012-09-23 16:30:32.956825 [NOTICE] switch_ivr_originate.c:3303 Channel [sofia/internal/1000 at 50.47.85.167] has been answered
>> 2012-09-23 16:30:52.356865 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [4576bc76-144a-4f6f-8915-871b511c374d]
>> 2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168905352 in context default
>> 
>> 
>> At this point I'm at a loss how this is happening as I have multiple
>> firewalls in place that limit port access.
>> 
>> Can someone provide a few pointers on how to better secure FS running on
>> Linux systems?
>> 
>> 
>> thanks
>> 
>> 
>> --
>> -
>> -
>> -    Best Regards,
>> -
>> -            Todd Bailey
>> -
>> -
>> 
>> 
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>> 
>> 
>> 
>> 
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>> 
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>> 



