[Freeswitch-users] Hacking FS issue

BookBag asaad2 at gmail.com
Thu Sep 27 19:52:07 MSD 2012


How will they know what protocol I'm running on that port?
On Sep 27, 2012 11:42 AM, "Ben Langfeld" <ben at langfeld.co.uk> wrote:

> This is classic wardialing and is very common. Don't worry, your port
> change won't slow down people who really want to get in ;)
>
>
> On 27 September 2012 11:55, BookBag <asaad2 at gmail.com> wrote:
>
>> I had the same issue. There are hackers continuously scanning public IPs
>> for known ports then trying to register devices using the default
>> extensions and passwords "1234". After noticing this in my logs I just
>> changed the default external sip port from 5080 to something else.
>>
>> Security through obscurity if you will.
>> P.S. I was also using fail2ban
>> On Sep 26, 2012 7:11 PM, "Lawrence Conroy" <lconroy at insensate.co.uk>
>> wrote:
>>
>>> Hi There,
>>>  welcome to our world; hope it didn't cost too much.
>>> Frontier were pro-active, which is very good. Don't forget to thank them.
>>> I'd guess that this particular bunch are coming from IP addresses
>>> provided in the West bank and/or Gaza; that's from where my "visitors"
>>> appeared to originate.
>>>
>>> 1st rule of fight club: Firewalls are no use for a server that is going
>>> to listen for requests from the Internet and allow authenticated calls to
>>> be placed from any IP address.
>>>
>>> You MUST have reasonable passwords, plus fail2ban is easy to set up and
>>> works just fine [unless you're using Windoz, in which case God hates you**].
>>>
>>> For more refined control (if you know where your external contacts are
>>> coming from) ...
>>>
>>> Consider setting up ACLs (nailing down the IP address ranges from which
>>> you'll accept incalls) in autoload/acl.conf.xml -- the "domains" definition
>>> there is one place to add in your external correspondents.
>>>
>>> Also, consider using cidr= parameters in your directory folder for each
>>> of your users (if they will only attempt to register or place calls from
>>> given address ranges).
>>> Then enable ACLs for incalls in your sip profile(s).
>>>
>>> This is all covered on wiki.freeswitch.org -- search for ACLs and take
>>> it from there.
>>>
>>> BTW, you WILL be confused by setting explicit ACLs on registration --
>>> leave that one commented out until you know what it actually does, as it's
>>> probably not what you expect. Several strong cups of coffee and protracted
>>> meditation may help.
>>>
>>> Main message:
>>> -- Immediately - fix the passwords so they're not easy to guess [as the
>>> bad guys *will* try again and again until they get it right].
>>> -- set up fail2ban (which has its own page on the wiki) exactly as
>>> proposed. <======= MOST IMPORTANT
>>> -- lose the belief that firewalls are going to help protect an
>>> Internet-listening server as, logically, they can't
>>> Finally, be amazed at the occasional "block" reports in the fail2ban
>>> logfile, and wonder how you got away with it for so long.
>>>
>>> all the best,
>>>   Lawrence
>>> ** There was apparently a talk on how Windows users could get something
>>> close to a fail2ban-style setup (IIRC, it was on the weekly conf call a
>>> while back)
>>>
>>> On 26 Sep 2012, at 19:54, Nelson Luiz Ferraz de Camargo Penteado wrote:
>>> > I really think that people give way too much importance to firewalls,
>>> > especially stateless ones. Blocking ports isn't going to do much for you
>>> > unless you are trying to hide vulnerable services behind it.
>>> >
>>> > They used the extension 1000 to make the calls so I would say: activate
>>> > log-auth-failures on your profile, set up fail2ban and get stronger
>>> > passwords.
>>> >
>>> > If you want to go further you can use a stateful firewall limiting
>>> > connections and set up an IDS (recommend Snort).
>>> > On Sep 26, 2012 8:29 PM, "Todd Bailey" <toddb at toddbailey.net> wrote:
>>> >
>>> >>
>>> >> Hey All,
>>> >>
>>> >>
>>> >> I just got an email from Frontier that there were several attempts to
>>> >> make international calls.
>>> >>
>>> >>
>>> >> I checked the log file and verified that somehow someone was able to get
>>> >> access to FS from the internet.
>>> >>
>>> >>
>>> >> here is a sample of the log
>>> >>
>>> >> 2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [af778857-0188-4ed2-a82a-94ae749a02cb]
>>> >> 2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168521352 in context default
>>> >> 2012-09-23 16:30:29.936831 [NOTICE] switch_channel.c:941 New Channel sofia/internal/01137168521352 at 192.168.1.5:5061 [d1243a78-c464-45fa-9215-e7b85e1221fc]
>>> >> 2012-09-23 16:30:29.956842 [NOTICE] sofia.c:6132 Ring-Ready sofia/internal/01137168521352 at 192.168.1.5:5061!
>>> >> 2012-09-23 16:30:29.956842 [NOTICE] mod_sofia.c:2572 Ring-Ready sofia/internal/1000 at 50.47.85.167!
>>> >> 2012-09-23 16:30:29.956842 [NOTICE] switch_ivr_originate.c:519 Ring Ready sofia/internal/1000 at 50.47.85.167!
>>> >> 2012-09-23 16:30:32.936826 [NOTICE] sofia.c:6777 Channel [sofia/internal/01137168521352 at 192.168.1.5:5061] has been answered
>>> >> 2012-09-23 16:30:32.956825 [NOTICE] sofia_glue.c:4176 Pre-Answer sofia/internal/1000 at 50.47.85.167!
>>> >> 2012-09-23 16:30:32.956825 [NOTICE] switch_ivr_originate.c:3303 Channel [sofia/internal/1000 at 50.47.85.167] has been answered
>>> >> 2012-09-23 16:30:52.356865 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [4576bc76-144a-4f6f-8915-871b511c374d]
>>> >> 2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168905352 in context default
>>> >>
>>> >>
>>> >> At this point I'm at a loss how this is happening as I have multiple
>>> >> firewalls in place that limit port access.
>>> >>
>>> >> Can someone provide a few pointers on how to better secure FS running on
>>> >> Linux systems?
>>> >>
>>> >>
>>> >> thanks
>>> >>
>>> >>
>>> >> --
>>> >> -
>>> >> -
>>> >> -    Best Regards,
>>> >> -
>>> >> -            Todd Bailey
>>> >> -
>>> >> -
>>> >>
>>> >>
>>> >>
>>> _________________________________________________________________________
>>> >> Professional FreeSWITCH Consulting Services:
>>> >> consulting at freeswitch.org
>>> >> http://www.freeswitchsolutions.com
>>> >>
>>> >> 
>>> >> 
>>> >>
>>> >> Official FreeSWITCH Sites
>>> >> http://www.freeswitch.org
>>> >> http://wiki.freeswitch.org
>>> >> http://www.cluecon.com
>>> >>
>>> >> FreeSWITCH-users mailing list
>>> >> FreeSWITCH-users at lists.freeswitch.org
>>> >> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> >> UNSUBSCRIBE:
>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> >> http://www.freeswitch.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20120927/b8c64bf2/attachment-0001.html 
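
Added example, not part of the original thread and not FreeSWITCH project code: a log check for the pattern in the log sample quoted above, where an extension's channel arrives from an outside address and the dialplan then processes an international number. The sample lines and addresses are constructed, and the trusted network and the "011"/"00" international prefixes are assumptions to adjust for your site.

```python
import ipaddress
import re

ANSI = re.compile(r"\x1b\[[0-9;]*m")  # colour codes FreeSWITCH writes into its log
# The list archive renders "@" as " at ", so accept both forms.
NEW_CHANNEL = re.compile(r"New Channel sofia/[^/\s]+/(?P<user>[^@\s]+)(?:@| at )(?P<host>[0-9.]+)")
PROCESSING = re.compile(r"(?P<ts>\d{4}-\d\d-\d\d [\d:.]+) \[INFO\] mod_dialplan_xml\.c:\d+ "
                        r"Processing (?P<caller>\S+) <[^>]*>->(?P<dest>\S+) in context (?P<ctx>\S+)")

def parse_calls(lines):
    """Pair each dialplan 'Processing' line with the source IP of the caller's channel."""
    last_host, calls = {}, []  # last_host: caller id -> IP on its latest New Channel line
    for raw in lines:
        line = ANSI.sub("", raw)
        m = NEW_CHANNEL.search(line)
        if m:
            last_host[m["user"]] = m["host"]
            continue
        m = PROCESSING.search(line)
        if m and m["caller"] in last_host:
            calls.append({"time": m["ts"], "caller": m["caller"], "dest": m["dest"],
                          "context": m["ctx"], "src_ip": last_host[m["caller"]]})
    return calls

def flag_toll_fraud(calls, trusted_nets, intl_prefixes=("011", "00")):
    """Return international calls placed from outside the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    return [c for c in calls
            if c["dest"].startswith(intl_prefixes)
            and not any(ipaddress.ip_address(c["src_ip"]) in n for n in nets)]

T = "2012-09-23 16:30:29.916821"  # constructed timestamp
SAMPLE_LOG = [  # constructed lines in the format of the log quoted in the thread
    f"\x1b[36m{T} [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000@203.0.113.25 [uuid-a]",
    f"\x1b[32m{T} [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01199900000000 in context default",
    f"{T} [NOTICE] switch_channel.c:941 New Channel sofia/internal/01199900000000@192.168.1.5:5061 [uuid-b]",
    f"{T} [NOTICE] switch_channel.c:941 New Channel sofia/internal/1001 at 192.168.1.20 [uuid-c]",
    f"{T} [INFO] mod_dialplan_xml.c:485 Processing 1001 <1001>->1002 in context default",
    f"{T} [INFO] mod_dialplan_xml.c:485 Processing 1001 <1001>->01199900000001 in context default",
]

if __name__ == "__main__":
    for call in flag_toll_fraud(parse_calls(SAMPLE_LOG), ["192.168.1.0/24"]):
        print(call["time"], call["src_ip"], call["caller"], "->", call["dest"])
```

Only IPv4 source addresses are matched; a channel whose host part is a hostname is skipped rather than guessed at.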

