[Freeswitch-users] Hacking FS issue

Avi Marcus avi at avimarcus.net
Thu Sep 27 20:35:42 MSD 2012


nmap, port scanning.
Nearly every port responds in some way, if it's not ignoring that IP.

-Avi


On Thu, Sep 27, 2012 at 5:52 PM, BookBag <asaad2 at gmail.com> wrote:

> How will they know what protocol I'm running on that port?
> On Sep 27, 2012 11:42 AM, "Ben Langfeld" <ben at langfeld.co.uk> wrote:
>
>> This is classic wardialing and is very common. Don't worry, your port
>> change won't slow down people who really want to get in ;)
>>
>>
>> On 27 September 2012 11:55, BookBag <asaad2 at gmail.com> wrote:
>>
>>> I had the same issue. There are hackers continuously scanning public
>>> ip's for known ports then trying to register devices using the default
>>> extensions and passwords "1234". After noticing this in my logs I just
>>> changed the default external sip port from 5080 to something else.
>>>
>>> Security through obscurity if you will.
>>> P.S. I was also using fail2ban
>>> On Sep 26, 2012 7:11 PM, "Lawrence Conroy" <lconroy at insensate.co.uk>
>>> wrote:
>>>
>>>> Hi There,
>>>>  welcome to our world; hope it didn't cost too much.
>>>> Frontier were pro-active, which is very good. Don't forget to thank
>>>> them.
>>>> I'd guess that this particular bunch are coming from IP addresses
>>>> provided in the West bank and/or Gaza; that's from where my "visitors"
>>>> appeared to originate.
>>>>
>>>> 1st rule of fight club: Firewalls are no use for a server that is going
>>>> to listen for requests from the Internet and allow authenticated calls to
>>>> be placed from any IP address.
>>>>
>>>> You MUST have reasonable passwords, plus fail2ban is easy to set up and
>>>> works just fine [unless you're using Windoz, in which case God hates you**].
>>>>
>>>> For more refined control (if you know where your external contacts are
>>>> coming from) ...
>>>>
>>>> Consider setting up ACLs (nailing down the IP address ranges from which
>>>> you'll accept incalls) in autoload/acl.conf.xml -- the "domains" definition
>>>> there is one place to add in your external correspondents.
>>>>
>>>> Also, consider using cidr= parameters in your directory folder for each
>>>> of your users (if they will only attempt to register or place calls from
>>>> given address ranges).
>>>> Then enable ACLs for incalls in your sip profile(s).
>>>>
>>>> This is all covered on wiki.freeswitch.org -- search for ACLs and take
>>>> it from there.
>>>>
>>>> BTW, you WILL be confused by setting explicit ACLs on registration --
>>>> leave that one commented out until you know what it actually does, as it's
>>>> probably not what you expect. Several strong cups of coffee and protracted
>>>> meditation may help.
>>>>
>>>> Main message:
>>>> -- Immediately - fix the passwords so they're not easy to guess [as the
>>>> bad guys *will* try again and again until they get it right].
>>>> -- set up fail2ban (which has its own page on the wiki) exactly as
>>>> proposed. <======= MOST IMPORTANT
>>>> -- lose the belief that firewalls are going to help protect an
>>>> Internet-listening server as, logically, they can't
>>>> Finally, be amazed at the occasional "block" reports in the fail2ban
>>>> logfile, and wonder how you got away with it for so long.
>>>>
>>>> all the best,
>>>>   Lawrence
>>>> ** There was apparently a talk on how Windows users could get something
>>>> close to a fail2ban-style setup (IIRC, it was on the weekly conf call a
>>>> while back)
>>>>
>>>> On 26 Sep 2012, at 19:54, Nelson Luiz Ferraz de Camargo Penteado wrote:
>>>> > I really think that people give way too much importance to firewalls,
>>>> > specially stateless ones, blocking ports isn't going to do much for
>>>> you
>>>> > unless you are trying to hide vulnerable services behind it.
>>>> >
>>>> > They used the extension 1000 to make the calls so I would say:
>>>> activate
>>>> > log-auth-failures on your profile, setup a fail2ban and get stronger
>>>> > passwords.
>>>> >
>>>> > If you want to go further you can use a stateful firewall limiting
>>>> > connections and setup a IDS(recommend snort)
>>>> > On Sep 26, 2012 8:29 PM, "Todd Bailey" <toddb at toddbailey.net> wrote:
>>>> >
>>>> >>
>>>> >> Hey All,
>>>> >>
>>>> >>
>>>> >> I just got an email from Frontier that there were several attempts to
>>>> >> make international calls.
>>>> >>
>>>> >>
>>>> >> I checked the log file and verified that somehow someone was able to
>>>> get
>>>> >> access to FS from the internet.
>>>> >>
>>>> >>
>>>> >> here is a sample of the log
>>>> >>
>>>> >> [m [36m2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New
>>>> >> Channel sofia/internal/1000 at 50.47.85.167
>>>> >> [af778857-0188-4ed2-a82a-94ae749a02cb]
>>>> >> [m [32m2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485
>>>> >> Processing 1000 <1000>->01137168521352 in context default
>>>> >> [m [36m2012-09-23 16:30:29.936831 [NOTICE] switch_channel.c:941 New
>>>> >> Channel sofia/internal/01137168521352 at 192.168.1.5:5061
>>>> >> [d1243a78-c464-45fa-9215-e7b85e1221fc]
>>>> >> [m [36m2012-09-23 16:30:29.956842 [NOTICE] sofia.c:6132 Ring-Ready
>>>> >> sofia/internal/01137168521352 at 192.168.1.5:5061!
>>>> >> [m [36m2012-09-23 16:30:29.956842 [NOTICE] mod_sofia.c:2572
>>>> Ring-Ready
>>>> >> sofia/internal/1000 at 50.47.85.167!
>>>> >> [m [36m2012-09-23 16:30:29.956842 [NOTICE] switch_ivr_originate.c:519
>>>> >> Ring Ready sofia/internal/1000 at 50.47.85.167!
>>>> >> [m [36m2012-09-23 16:30:32.936826 [NOTICE] sofia.c:6777 Channel
>>>> >> [sofia/internal/01137168521352 at 192.168.1.5:5061] has been answered
>>>> >> [m [36m2012-09-23 16:30:32.956825 [NOTICE] sofia_glue.c:4176
>>>> Pre-Answer
>>>> >> sofia/internal/1000 at 50.47.85.167!
>>>> >> [m [36m2012-09-23 16:30:32.956825 [NOTICE]
>>>> switch_ivr_originate.c:3303
>>>> >> Channel [sofia/internal/1000 at 50.47.85.167] has been answered
>>>> >> [m [36m2012-09-23 16:30:52.356865 [N [m [36m2012-09-23
>>>> 16:30:29.916821
>>>> >> [NOTICE] switch_channel.c:941 New Channel
>>>> >> sofia/internal/1000 at 50.47.85.167[af778857-0188-4ed2-a82a-94ae749a02cb]
>>>> >> [m [32m2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485
>>>> >> Processing 1000 <1000>->01137168521352 in context default
>>>> >> [m [36m2012-09-23 16:30:29.936831 [NOTICE] switch_channel.c:941 New
>>>> >> Channel sofia/internal/01137168521352 at 192.168.1.5:5061
>>>> >> [d1243a78-c464-45fa-9215-e7b85e1221fc]
>>>> >> [m [36m2012-09-23 16:30:29.956842 [NOTICE] sofia.c:6132 Ring-Ready
>>>> >> sofia/internal/01137168521352 at 192.168.1.5:5061!
>>>> >> [m [36m2012-09-23 16:30:29.956842 [NOTICE] mod_sofia.c:2572
>>>> Ring-Ready
>>>> >> sofia/internal/1000 at 50.47.85.167!
>>>> >> [m [36m2012-09-23 16:30:29.956842 [NOTICE] switch_ivr_originate.c:519
>>>> >> Ring Ready sofia/internal/1000 at 50.47.85.167!
>>>> >> [m [36m2012-09-23 16:30:32.936826 [NOTICE] sofia.c:6777 Channel
>>>> >> [sofia/internal/01137168521352 at 192.168.1.5:5061] has been answered
>>>> >> [m [36m2012-09-23 16:30:32.956825 [NOTICE] sofia_glue.c:4176
>>>> Pre-Answer
>>>> >> sofia/internal/1000 at 50.47.85.167!
>>>> >> [m [36m2012-09-23 16:30:32.956825 [NOTICE]
>>>> switch_ivr_originate.c:3303
>>>> >> Channel [sofia/internal/1000 at 50.47.85.167] has been answered
>>>> >> [m [36m2012-09-23 16:30:52.356865 [NOTICE] switch_channel.c:941 New
>>>> >> Channel sofia/internal/1000 at 50.47.85.167
>>>> >> [4576bc76-144a-4f6f-8915-871b511c374d]
>>>> >> [m [32m2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485
>>>> >> Processing 1000 <1000>->01137168905352 in context defaultOTICE]
>>>> >> switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167
>>>> >> [4576bc76-144a-4f6f-8915-871b511c374d]
>>>> >> [m [32m2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485
>>>> >> Processing 1000 <1000>->01137168905352 in context default
>>>> >>
>>>> >>
>>>> >> At this point I'm at a loss how this is happening as I have multiple
>>>> >> firewalls in place that limit port access.
>>>> >>
>>>> >> Can someone provide a few pointers on how to better secure FS
>>>> running on
>>>> >> Linux systems?
>>>> >>
>>>> >>
>>>> >> thanks
>>>> >>
>>>> >>
>>>> >> --
>>>> >> -
>>>> >> -
>>>> >> -    Best Regards,
>>>> >> -
>>>> >> -            Todd Bailey
>>>> >> -
>>>> >> -
>>>> >>
>>>> >>
>>>> >>
>>>> _________________________________________________________________________
>>>> >> Professional FreeSWITCH Consulting Services:
>>>> >> consulting at freeswitch.org
>>>> >> http://www.freeswitchsolutions.com
>>>> >>
>>>> >> 
>>>> >> 
>>>> >>
>>>> >> Official FreeSWITCH Sites
>>>> >> http://www.freeswitch.org
>>>> >> http://wiki.freeswitch.org
>>>> >> http://www.cluecon.com
>>>> >>
>>>> >> FreeSWITCH-users mailing list
>>>> >> FreeSWITCH-users at lists.freeswitch.org
>>>> >> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> >> UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> >> http://www.freeswitch.org
>>>> >>
>>>> >
>>>> _________________________________________________________________________
>>>> > Professional FreeSWITCH Consulting Services:
>>>> > consulting at freeswitch.org
>>>> > http://www.freeswitchsolutions.com
>>>> >
>>>> > 
>>>> > 
>>>> >
>>>> > Official FreeSWITCH Sites
>>>> > http://www.freeswitch.org
>>>> > http://wiki.freeswitch.org
>>>> > http://www.cluecon.com
>>>> >
>>>> > FreeSWITCH-users mailing list
>>>> > FreeSWITCH-users at lists.freeswitch.org
>>>> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> > UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> > http://www.freeswitch.org
>>>>
>>>>
>>>>
>>>> _________________________________________________________________________
>>>> Professional FreeSWITCH Consulting Services:
>>>> consulting at freeswitch.org
>>>> http://www.freeswitchsolutions.com
>>>>
>>>> 
>>>> 
>>>>
>>>> Official FreeSWITCH Sites
>>>> http://www.freeswitch.org
>>>> http://wiki.freeswitch.org
>>>> http://www.cluecon.com
>>>>
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>> 
>>> 
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://wiki.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> 
>> 
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> 
> 
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20120927/e5c9d5c2/attachment-0001.html 


Join us at ClueCon 2011 Aug 9-11, 2011
More information about the FreeSWITCH-users mailing list