[Freeswitch-users] Hacking FS issue

Avi Marcus avi at avimarcus.net
Fri Sep 28 05:14:05 MSD 2012


If you do service identification, "nmap -sV", then yes. It takes a lot
longer than straight up port scanning, though.

-Avi

On Fri, Sep 28, 2012 at 2:54 AM, BookBag <asaad2 at gmail.com> wrote:

> If you change your web server to run on port 22, will it still detect
> your http protocol, or will it show it as an ssh protocol?
> On Sep 27, 2012 3:56 PM, "Avi Marcus" <avi at avimarcus.net> wrote:
>
>> nmap offers service detection:
>>
>>
>> # nmap -sV some-domain.com
>> ...
>> 22/tcp   open   ssh         OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
>> 80/tcp   open   http        nginx web server 0.8.54
>> ...
>> 5060/tcp open   sip         (SIP end point; Status: 200 OK)
>> 5080/tcp open   sip         (SIP end point; Status: 200 OK)
>> ...
>> Nmap done: 1 IP address (1 host up) scanned in 90.91 seconds
>>
>> vs 5 seconds for plain scan. But still, it exists.
>>
>> -Avi
>>
>>
>>
>> On Thu, Sep 27, 2012 at 9:27 PM, BookBag <asaad2 at gmail.com> wrote:
>>
>>> When nmap finds a port open, it looks in its database of what protocol
>>> is likely to be running on that port. It doesn't actually test if the
>>> standard protocol is running on that port.
>>>
>>>
>>>
>>>
>>>
>>> On Thu, Sep 27, 2012 at 12:11 PM, Nelson Camargo <bigx333 at gmail.com> wrote:
>>>
>>>> Ever heard about nmap? lol
>>>> On 27 Sep 2012, at 5:52 PM, BookBag wrote:
>>>>
>>>> How will they know what protocol I'm running on that port?
>>>> On Sep 27, 2012 11:42 AM, "Ben Langfeld" <ben at langfeld.co.uk> wrote:
>>>>
>>>>> This is classic wardialing and is very common. Don't worry, your port
>>>>> change won't slow down people who really want to get in ;)
>>>>>
>>>>>
>>>>> On 27 September 2012 11:55, BookBag <asaad2 at gmail.com> wrote:
>>>>>
>>>>>> I had the same issue. There are hackers continuously scanning public
>>>>>> IPs for known ports, then trying to register devices using the default
>>>>>> extensions and passwords ("1234"). After noticing this in my logs I just
>>>>>> changed the default external SIP port from 5080 to something else.
>>>>>>
>>>>>> Security through obscurity if you will.
>>>>>> P.S. I was also using fail2ban
>>>>>> On Sep 26, 2012 7:11 PM, "Lawrence Conroy" <lconroy at insensate.co.uk> wrote:
>>>>>>
>>>>>>> Hi There,
>>>>>>>  welcome to our world; hope it didn't cost too much.
>>>>>>> Frontier were pro-active, which is very good. Don't forget to thank
>>>>>>> them.
>>>>>>> I'd guess that this particular bunch are coming from IP addresses
>>>>>>> provided in the West bank and/or Gaza; that's from where my "visitors"
>>>>>>> appeared to originate.
>>>>>>>
>>>>>>> 1st rule of fight club: Firewalls are no use for a server that is
>>>>>>> going to listen for requests from the Internet and allow authenticated
>>>>>>> calls to be placed from any IP address.
>>>>>>>
>>>>>>> You MUST have reasonable passwords, plus fail2ban is easy to set up
>>>>>>> and works just fine [unless you're using Windoz, in which case God hates
>>>>>>> you**].
>>>>>>>
>>>>>>> For more refined control (if you know where your external contacts
>>>>>>> are coming from) ...
>>>>>>>
>>>>>>> Consider setting up ACLs (nailing down the IP address ranges from
>>>>>>> which you'll accept incalls) in autoload/acl.conf.xml -- the "domains"
>>>>>>> definition there is one place to add in your external correspondents.
>>>>>>>
>>>>>>> Also, consider using cidr= parameters in your directory folder for
>>>>>>> each of your users (if they will only attempt to register or place calls
>>>>>>> from given address ranges).
>>>>>>> Then enable ACLs for incalls in your sip profile(s).
>>>>>>>
>>>>>>> This is all covered on wiki.freeswitch.org -- search for ACLs and
>>>>>>> take it from there.
>>>>>>>
>>>>>>> BTW, you WILL be confused by setting explicit ACLs on registration
>>>>>>> -- leave that one commented out until you know what it actually does, as
>>>>>>> it's probably not what you expect. Several strong cups of coffee and
>>>>>>> protracted meditation may help.
>>>>>>>
>>>>>>> Main message:
>>>>>>> -- Immediately - fix the passwords so they're not easy to guess [as
>>>>>>> the bad guys *will* try again and again until they get it right].
>>>>>>> -- set up fail2ban (which has its own page on the wiki) exactly as
>>>>>>> proposed. <======= MOST IMPORTANT
>>>>>>> -- lose the belief that firewalls are going to help protect an
>>>>>>> Internet-listening server as, logically, they can't
>>>>>>> Finally, be amazed at the occasional "block" reports in the fail2ban
>>>>>>> logfile, and wonder how you got away with it for so long.
>>>>>>>
>>>>>>> all the best,
>>>>>>>   Lawrence
>>>>>>> ** There was apparently a talk on how Windows users could get
>>>>>>> something close to a fail2ban-style setup (IIRC, it was on the weekly conf
>>>>>>> call a while back)
>>>>>>>
>>>>>>> On 26 Sep 2012, at 19:54, Nelson Luiz Ferraz de Camargo Penteado wrote:
>>>>>>> > I really think that people give way too much importance to firewalls,
>>>>>>> > especially stateless ones; blocking ports isn't going to do much for you
>>>>>>> > unless you are trying to hide vulnerable services behind it.
>>>>>>> >
>>>>>>> > They used the extension 1000 to make the calls, so I would say: activate
>>>>>>> > log-auth-failures on your profile, set up fail2ban and get stronger
>>>>>>> > passwords.
>>>>>>> >
>>>>>>> > If you want to go further you can use a stateful firewall limiting
>>>>>>> > connections and set up an IDS (recommend snort).
>>>>>>> > On Sep 26, 2012 8:29 PM, "Todd Bailey" <toddb at toddbailey.net> wrote:
>>>>>>> >
>>>>>>> >>
>>>>>>> >> Hey All,
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> I just got an email from Frontier that there were several attempts to
>>>>>>> >> make international calls.
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> I checked the log file and verified that somehow someone was able to get
>>>>>>> >> access to FS from the internet.
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> Here is a sample of the log:
>>>>>>> >>
>>>>>>> >> 2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [af778857-0188-4ed2-a82a-94ae749a02cb]
>>>>>>> >> 2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168521352 in context default
>>>>>>> >> 2012-09-23 16:30:29.936831 [NOTICE] switch_channel.c:941 New Channel sofia/internal/01137168521352 at 192.168.1.5:5061 [d1243a78-c464-45fa-9215-e7b85e1221fc]
>>>>>>> >> 2012-09-23 16:30:29.956842 [NOTICE] sofia.c:6132 Ring-Ready sofia/internal/01137168521352 at 192.168.1.5:5061!
>>>>>>> >> 2012-09-23 16:30:29.956842 [NOTICE] mod_sofia.c:2572 Ring-Ready sofia/internal/1000 at 50.47.85.167!
>>>>>>> >> 2012-09-23 16:30:29.956842 [NOTICE] switch_ivr_originate.c:519 Ring Ready sofia/internal/1000 at 50.47.85.167!
>>>>>>> >> 2012-09-23 16:30:32.936826 [NOTICE] sofia.c:6777 Channel [sofia/internal/01137168521352 at 192.168.1.5:5061] has been answered
>>>>>>> >> 2012-09-23 16:30:32.956825 [NOTICE] sofia_glue.c:4176 Pre-Answer sofia/internal/1000 at 50.47.85.167!
>>>>>>> >> 2012-09-23 16:30:32.956825 [NOTICE] switch_ivr_originate.c:3303 Channel [sofia/internal/1000 at 50.47.85.167] has been answered
>>>>>>> >> 2012-09-23 16:30:52.356865 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000 at 50.47.85.167 [4576bc76-144a-4f6f-8915-871b511c374d]
>>>>>>> >> 2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168905352 in context default
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> At this point I'm at a loss as to how this is happening, as I have multiple
>>>>>>> >> firewalls in place that limit port access.
>>>>>>> >>
>>>>>>> >> Can someone provide a few pointers on how to better secure FS running on
>>>>>>> >> Linux systems?
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> thanks
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> --
>>>>>>> >> -
>>>>>>> >> -
>>>>>>> >> -    Best Regards,
>>>>>>> >> -
>>>>>>> >> -            Todd Bailey
>>>>>>> >> -
>>>>>>> >> -
>>>>>>> >>
>>>>>>> >>
>>>>>>> >>
>>>>>>> _________________________________________________________________________
>>>>>>> >> Professional FreeSWITCH Consulting Services:
>>>>>>> >> consulting at freeswitch.org
>>>>>>> >> http://www.freeswitchsolutions.com
>>>>>>> >>
>>>>>>> >> 
>>>>>>> >> 
>>>>>>> >>
>>>>>>> >> Official FreeSWITCH Sites
>>>>>>> >> http://www.freeswitch.org
>>>>>>> >> http://wiki.freeswitch.org
>>>>>>> >> http://www.cluecon.com
>>>>>>> >>
>>>>>>> >> FreeSWITCH-users mailing list
>>>>>>> >> FreeSWITCH-users at lists.freeswitch.org
>>>>>>> >> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>>> >> UNSUBSCRIBE:
>>>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>>>> >> http://www.freeswitch.org
>>>>>>> >>
>>>>>>> >
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
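Putting Lawrence's cidr= advice together with the log excerpt Todd posted, here is an added example (Python, written for this thread; it is not code from the thread or from FreeSWITCH) that pairs each dialplan "Processing" line with the preceding "New Channel" line for the same extension and flags calls whose source IP falls outside that user's allowed address ranges, which is how the fraud calls from 50.47.85.167 would have stood out. The line format follows the excerpt with the colour codes stripped; the USER_CIDRS allow-list, the 1001 extension and the 192.168.1.50 source are constructed.

```python
import ipaddress
import re

# Constructed sample, modelled on the log excerpt quoted in the thread (ANSI colour
# codes removed, mailman's " at " restored to "@"); the 1001 lines are invented to
# show a call that should pass.
SAMPLE_LOG = """\
2012-09-23 16:30:29.916821 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000@50.47.85.167 [af778857-0188-4ed2-a82a-94ae749a02cb]
2012-09-23 16:30:29.916821 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168521352 in context default
2012-09-23 16:30:52.356865 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1000@50.47.85.167 [4576bc76-144a-4f6f-8915-871b511c374d]
2012-09-23 16:30:52.376830 [INFO] mod_dialplan_xml.c:485 Processing 1000 <1000>->01137168905352 in context default
2012-09-23 17:02:10.100000 [NOTICE] switch_channel.c:941 New Channel sofia/internal/1001@192.168.1.50 [constructed-uuid-0001]
2012-09-23 17:02:10.120000 [INFO] mod_dialplan_xml.c:485 Processing 1001 <1001>->5551234 in context default
"""

# Hypothetical allow-list: the ranges each user may call from, i.e. what a cidr=
# attribute on the directory <user> entry would express.
USER_CIDRS = {"1000": ["192.168.1.0/24"], "1001": ["192.168.1.0/24"]}
INTL_PREFIX = "011"  # North American international prefix, as in the fraud calls

NEW_CHANNEL = re.compile(
    r"New Channel sofia/[^/]+/(?P<ext>\w+)@(?P<ip>[\d.]+)(?::\d+)? \[(?P<uuid>[^\]]+)\]")
DIALPLAN = re.compile(r"Processing (?P<ext>\w+) <\w+>->(?P<dest>\+?\d+) in context")

def is_allowed(ext, ip):
    """True if ip lies inside one of ext's permitted CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in USER_CIDRS.get(ext, []))

def find_suspicious_calls(log_text):
    """Pair each dialplan 'Processing' line with the latest 'New Channel' seen for
    the same extension; report calls from outside that user's allowed ranges
    (ip=None when no New Channel line was seen for the extension)."""
    last_ip, findings = {}, []
    for line in log_text.splitlines():
        if m := NEW_CHANNEL.search(line):
            last_ip[m["ext"]] = m["ip"]
        elif m := DIALPLAN.search(line):
            ext, dest = m["ext"], m["dest"]
            ip = last_ip.get(ext)
            if ip is None or not is_allowed(ext, ip):
                findings.append({"ext": ext, "ip": ip, "dest": dest,
                                 "international": dest.startswith(INTL_PREFIX)})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_calls(SAMPLE_LOG):
        tag = " (international)" if f["international"] else ""
        print(f"ALERT ext {f['ext']} from {f['ip']} -> {f['dest']}{tag}")
```

Run against the sample it reports both 011-prefixed calls from 50.47.85.167 and stays silent on the 1001 call from inside the allowed range; feeding it the live log (or a fail2ban-style tail of it) gives the "how did this happen" answer Todd was missing.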