[Freeswitch-users] Hacking FS issue

BookBag asaad2 at gmail.com
Thu Sep 27 23:27:48 MSD 2012


When nmap finds a port open, it looks in its database of what protocol is
likely to be running on that port. It doesn't actually test if the standard
protocol is running on that port.





On Thu, Sep 27, 2012 at 12:11 PM, Nelson Camargo <bigx333 at gmail.com> wrote:

> Ever heard about nmap? lol
> On 27 Sep 2012, at 5:52 PM, BookBag wrote:
>
> How will they know what protocol I'm running on that port?
> On Sep 27, 2012 11:42 AM, "Ben Langfeld" <ben at langfeld.co.uk> wrote:
>
>> This is classic wardialing and is very common. Don't worry, your port
>> change won't slow down people who really want to get in ;)
>>
>>
>> On 27 September 2012 11:55, BookBag <asaad2 at gmail.com> wrote:
>>
>>> I had the same issue. There are hackers continuously scanning public
>>> IPs for known ports then trying to register devices using the default
>>> extensions and passwords "1234". After noticing this in my logs I just
>>> changed the default external SIP port from 5080 to something else.
>>>
>>> Security through obscurity if you will.
>>> P.S. I was also using fail2ban
>>> On Sep 26, 2012 7:11 PM, "Lawrence Conroy" <lconroy at insensate.co.uk>
>>> wrote:
>>>
>>>> Hi There,
>>>>  welcome to our world; hope it didn't cost too much.
>>>> Frontier were pro-active, which is very good. Don't forget to thank
>>>> them.
>>>> I'd guess that this particular bunch are coming from IP addresses
>>>> provided in the West bank and/or Gaza; that's from where my "visitors"
>>>> appeared to originate.
>>>>
>>>> 1st rule of fight club: Firewalls are no use for a server that is going
>>>> to listen for requests from the Internet and allow authenticated calls to
>>>> be placed from any IP address.
>>>>
>>>> You MUST have reasonable passwords, plus fail2ban is easy to set up and
>>>> works just fine [unless you're using Windoz, in which case God hates you**].
>>>>
>>>> For more refined control (if you know where your external contacts are
>>>> coming from) ...
>>>>
>>>> Consider setting up ACLs (nailing down the IP address ranges from which
>>>> you'll accept incalls) in autoload/acl.conf.xml -- the "domains" definition
>>>> there is one place to add in your external correspondents.
>>>>
>>>> Also, consider using cidr= parameters in your directory folder for each
>>>> of your users (if they will only attempt to register or place calls from
>>>> given address ranges).
>>>> Then enable ACLs for incalls in your sip profile(s).
>>>>
>>>> This is all covered on wiki.freeswitch.org -- search for ACLs and take
>>>> it from there.
>>>>
>>>> BTW, you WILL be confused by setting explicit ACLs on registration --
>>>> leave that one commented out until you know what it actually does, as it's
>>>> probably not what you expect. Several strong cups of coffee and protracted
>>>> meditation may help.
>>>>
>>>> Main message:
>>>> -- Immediately - fix the passwords so they're not easy to guess [as the
>>>> bad guys *will* try again and again until they get it right].
>>>> -- set up fail2ban (which has its own page on the wiki) exactly as
>>>> proposed. <======= MOST IMPORTANT
>>>> -- lose the belief that firewalls are going to help protect an
>>>> Internet-listening server as, logically, they can't
>>>> Finally, be amazed at the occasional "block" reports in the fail2ban
>>>> logfile, and wonder how you got away with it for so long.
>>>>
>>>> all the best,
>>>>   Lawrence
>>>> ** There was apparently a talk on how Windows users could get something
>>>> close to a fail2ban-style setup (IIRC, it was on the weekly conf call a
>>>> while back)
>>>>
>>>> On 26 Sep 2012, at 19:54, Nelson Luiz Ferraz de Camargo Penteado wrote:
>>>> > I really think that people give way too much importance to firewalls,
>>>> > especially stateless ones, blocking ports isn't going to do much for you
>>>> > unless you are trying to hide vulnerable services behind it.
>>>> >
>>>> > They used the extension 1000 to make the calls so I would say: activate
>>>> > log-auth-failures on your profile, set up fail2ban and get stronger
>>>> > passwords.
>>>> >
>>>> > If you want to go further you can use a stateful firewall limiting
>>>> > connections and set up an IDS (recommend snort)
>>>> > On Sep 26, 2012 8:29 PM, "Todd Bailey" <toddb at toddbailey.net> wrote:
>>>> >
>>>> >>
>>>> >> Hey All,
>>>> >>
>>>> >>
>>>> >> I just got an email from Frontier that there were several attempts to
>>>> >> make international calls.
>>>> >>
>>>> >>
>>>> >> I checked the log file and verified that somehow someone was able to get
>>>> >> access to FS from the internet.
>>>> >>
>>>> >> Here is a sample of the log:
>>>> >>
>>>> >> 2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [af778857-0188-4ed2-a82a-94ae749a02cb]
>>>> >> 2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168521352 in context default
>>>> >> 2012-09-23 16:30:29.936831 [NOTICE] switch_channel.c:941 New Channel sofia/internal/01137168521352 at 192.168.1.5:5061 [d1243a78-c464-45fa-9215-e7b85e1221fc]
>>>> >> 2012-09-23 16:30:29.956842 [NOTICE] sofia.c:6132 Ring-Ready sofia/internal/01137168521352 at 192.168.1.5:5061!
>>>> >> 2012-09-23 16:30:29.956842 [NOTICE] mod_sofia.c:2572 Ring-Ready sofia/internal/1000 at 50.47.85.167!
>>>> >> 2012-09-23 16:30:29.956842 [NOTICE] switch_ivr_originate.c:519 Ring Ready sofia/internal/1000 at 50.47.85.167!
>>>> >> 2012-09-23 16:30:32.936826 [NOTICE] sofia.c:6777 Channel [sofia/internal/01137168521352 at 192.168.1.5:5061] has been answered
>>>> >> 2012-09-23 16:30:32.956825 [NOTICE] sofia_glue.c:4176 Pre-Answer sofia/internal/1000 at 50.47.85.167!
>>>> >> 2012-09-23 16:30:32.956825 [NOTICE] switch_ivr_originate.c:3303 Channel [sofia/internal/1000 at 50.47.85.167] has been answered
>>>> >> 2012-09-23 16:30:52.356865 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [4576bc76-144a-4f6f-8915-871b511c374d]
>>>> >> 2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168905352 in context default
>>>> >>
>>>> >>
>>>> >> At this point I'm at a loss how this is happening as I have multiple
>>>> >> firewalls in place that limit port access.
>>>> >>
>>>> >> Can someone provide a few pointers on how to better secure FS running on
>>>> >> Linux systems?
>>>> >>
>>>> >>
>>>> >> thanks
>>>> >>
>>>> >>
>>>> >> --
>>>> >> -
>>>> >> -
>>>> >> -    Best Regards,
>>>> >> -
>>>> >> -            Todd Bailey
>>>> >> -
>>>> >> -
>>>> >>
>>>> >>
>>>> >>
>>>> _________________________________________________________________________
>>>> >> Professional FreeSWITCH Consulting Services:
>>>> >> consulting at freeswitch.org
>>>> >> http://www.freeswitchsolutions.com
>>>> >>
>>>> >> 
>>>> >> 
>>>> >>
>>>> >> Official FreeSWITCH Sites
>>>> >> http://www.freeswitch.org
>>>> >> http://wiki.freeswitch.org
>>>> >> http://www.cluecon.com
>>>> >>
>>>> >> FreeSWITCH-users mailing list
>>>> >> FreeSWITCH-users at lists.freeswitch.org
>>>> >> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> >> UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> >> http://www.freeswitch.org
>>>> >>
>>>> >
>
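Added example (not part of the original thread and not FreeSWITCH project code): a log check in the spirit of the per-user cidr= restriction and the "New Channel" / "Processing" lines quoted above, flagging calls whose source IP is outside the range expected for that extension or whose destination looks international. The ALLOWED table, the 011 prefix test and the 1001 -> 1002 control call are assumptions made for this illustration.

```python
import ipaddress
import re

# Hypothetical per-extension allow-list (the cidr= idea from the thread).
ALLOWED = {"1000": ["192.168.1.0/24"], "1001": ["192.168.1.0/24"]}
INTL_PREFIX = "011"  # assumption: dial plan uses the North American exit code

# The list archive rewrites "@" as " at "; accept both spellings.
NEW_CHANNEL = re.compile(
    r"New Channel sofia/[^/\s]+/(?P<user>[^@\s]+)(?:@| at )(?P<host>[0-9.]+)")
PROCESSING = re.compile(
    r"Processing (?P<user>\S+) <[^>]*>->(?P<dest>\S+) in context (?P<ctx>\S+)")

# First, second, fifth and sixth lines are from the log in the post;
# the 1001 -> 1002 call is constructed as a benign control.
SAMPLE = """\
2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [af778857-0188-4ed2-a82a-94ae749a02cb]
2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168521352 in context default
2012-09-23 16:30:40.000000 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1001@192.168.1.20 [00000000-0000-0000-0000-000000000001]
2012-09-23 16:30:40.000000 [INFO] mod_dialplan_xml.c:485 Processing 1001 <1001>->1002 in context default
2012-09-23 16:30:52.356865 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [4576bc76-144a-4f6f-8915-871b511c374d]
2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168905352 in context default
"""

def source_allowed(user, host):
    """True if host falls inside one of the CIDR ranges listed for user."""
    ip = ipaddress.ip_address(host)
    return any(ip in ipaddress.ip_network(net) for net in ALLOWED.get(user, []))

def find_suspect_calls(log_text):
    """Pair each dialplan 'Processing' line with the caller's last seen source IP."""
    last_source, findings = {}, []
    for line in log_text.splitlines():
        m = NEW_CHANNEL.search(line)
        if m:
            last_source[m["user"]] = m["host"]
            continue
        m = PROCESSING.search(line)
        if not m or m["user"] not in last_source:
            continue
        host, reasons = last_source[m["user"]], []
        if not source_allowed(m["user"], host):
            reasons.append("source outside allowed CIDR")
        if m["dest"].startswith(INTL_PREFIX):
            reasons.append("international destination")
        if reasons:
            findings.append((m["user"], host, m["dest"], reasons))
    return findings

if __name__ == "__main__":
    for user, host, dest, reasons in find_suspect_calls(SAMPLE):
        print(f"ext {user} from {host} -> {dest}: {', '.join(reasons)}")
```

The regexes use search(), so colour-code residue at the start of a console log line does not need to be stripped first.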