[Freeswitch-users] freeswitch hack

Avi Marcus avi at avimarcus.net
Wed Feb 20 11:35:52 MSK 2013


Personally, I've seen the last option -- CDRs for calls that have been
rejected.

They come in on the public profile, attempt to call a single number with
several prefix types... but they are indeed unauthenticated so FS just
hangs up on them.

-Avi

On Wed, Feb 20, 2013 at 10:14 AM, Steven Ayre <steveayre at gmail.com> wrote:

> Not unusual at all, and not even clever... there are lots of bots that
> just randomly search the net for IP addresses that're open to allowing
> calls.
>
> First, are you sure the profile is actually requiring authentication?
> (A simple packet trace will reveal that - the first INVITE should get
> a 401 reply.)
>
> Second, do you have blind auth enabled, in which case it'd be
> accepting any username/password?
>
> Third, are they getting authenticated via an ACL or user CIDR?
>
> Finally, is it possible that you're loading CDRs for calls which have
> been rejected?
>
> -Steve
>
>
>
>
> On 20 February 2013 07:28, Mario Karakanovski <mario at ims.bg> wrote:
> > Hi all,
> >
> >         For some days I have noticed that somebody was able to register to my
> > FreeSWITCH and was trying to call international numbers. The attack is very
> > clever, as the hacker logs in at night, tries to call an international
> > number 10-15 times while changing the prefix, and goes away.
> >
> > The SIP profile is connected directly to the internet and requires
> > authentication:
> >         auth-calls = true
> >         auth-all-packets = true
> >
> > There is no IP filtering, as the service does not allow setting any. The
> > firewall blocks all ports except TCP and UDP 5060 and the required UDP media
> > ports. The authentication is done by the directory.
> > What I wonder is how one can authenticate with an extension that does not
> > exist and is not described anywhere.
> >
> > Can it be some security issue with FreeSWITCH? Any ideas on how to solve the
> > problem?
> >
> > Regards,
> >         Mario
> >
> >
> > _________________________________________________________________________
> > Professional FreeSWITCH Consulting Services:
> > consulting at freeswitch.org
> > http://www.freeswitchsolutions.com
> >
> > 
> > 
> >
> > Official FreeSWITCH Sites
> > http://www.freeswitch.org
> > http://wiki.freeswitch.org
> > http://www.cluecon.com
> >
> > FreeSWITCH-users mailing list
> > FreeSWITCH-users at lists.freeswitch.org
> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> > http://www.freeswitch.org
>
>
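A way to carry out Steve's first and last checks against a packet trace, as an added example that is not code from the thread or from FreeSWITCH. It groups the SIP messages of a capture by Call-ID and reports, for each INVITE transaction, whether the caller was challenged, whether it came back with credentials, and whether the call was admitted. Rejected unauthenticated probes (the pattern Avi describes) show up as "challenged, caller gave up"; an INVITE that is admitted with no challenge and no credentials is the case that would point at blind auth, an ACL or user CIDR match, or a profile that is not enforcing auth at all. Both 401 and 407 are counted as a challenge, since SIP permits either for a request. The (source_ip, raw message) input format, the addresses (RFC 5737 test ranges), the dialled numbers and the Call-IDs are all constructed for the example.

```python
"""Audit a SIP trace: did every INVITE on the public profile get challenged?
Added example, not code from the thread or from FreeSWITCH. Input: a list of
(source_ip, raw SIP message) pairs; the sample trace below is constructed."""
from collections import defaultdict

CHALLENGES = {401, 407}  # SIP lets a server challenge a request with either code


def parse_message(raw: str) -> dict:
    """Pull the first line and the few headers this audit needs from one message."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    cseq = headers.get("cseq", "").split()
    parts = head[0].split()
    msg = {"call_id": headers.get("call-id", ""),
           "cseq_method": cseq[-1].upper() if cseq else "",
           "has_credentials": "authorization" in headers or "proxy-authorization" in headers,
           "is_request": not head[0].startswith("SIP/2.0 ")}
    if msg["is_request"]:
        msg["method"], msg["request_uri"] = parts[0].upper(), parts[1]
    else:
        msg["status"] = int(parts[1])
    return msg


def audit_invites(trace) -> dict:
    """Return {call_id: verdict}, one verdict per INVITE transaction in the trace."""
    calls = defaultdict(lambda: {"cred_invite": False, "challenged": False,
                                 "accepted": False, "rejected": False})
    for _src_ip, raw in trace:
        m = parse_message(raw)
        if m["cseq_method"] != "INVITE":
            continue  # ACK, BYE etc. do not decide whether the call was admitted
        c = calls[m["call_id"]]
        if m["is_request"]:
            c["cred_invite"] |= m["has_credentials"]
        elif m["status"] in CHALLENGES:
            c["challenged"] = True
        elif 200 <= m["status"] < 300:
            c["accepted"] = True
        elif m["status"] >= 400:
            c["rejected"] = True
    verdicts = {}
    for cid, c in calls.items():
        if c["accepted"] and not c["cred_invite"]:
            verdicts[cid] = "ACCEPTED WITHOUT CREDENTIALS"  # auth not enforced for this caller
        elif c["accepted"]:
            verdicts[cid] = "authenticated"
        elif c["challenged"] and c["cred_invite"]:
            verdicts[cid] = "credentials refused"           # wrong password or unknown user
        elif c["challenged"]:
            verdicts[cid] = "challenged, caller gave up"    # the scanner pattern in the thread
        elif c["rejected"]:
            verdicts[cid] = "rejected without challenge"    # e.g. an ACL deny
        else:
            verdicts[cid] = "incomplete"
    return verdicts


def _msg(first_line, call_id, cseq, **hdrs):
    """Build a minimal SIP message for the sample; '_' in header names becomes '-'."""
    lines = [first_line, f"Call-ID: {call_id}", f"CSeq: {cseq}"]
    lines += [f"{k.replace('_', '-')}: {v}" for k, v in hdrs.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


PBX = "198.51.100.5"  # constructed: the FreeSWITCH public profile (RFC 5737 range)
CREDS = 'Digest username="1003", realm="198.51.100.5", nonce="n1", response="r1"'
CHALLENGE = "SIP/2.0 407 Proxy Authentication Required"
SAMPLE_TRACE = [
    # scanner probes an international number, is challenged, never answers
    ("203.0.113.7", _msg("INVITE sip:00441134960000@198.51.100.5 SIP/2.0", "bot-1", "1 INVITE")),
    (PBX, _msg(CHALLENGE, "bot-1", "1 INVITE")),
    ("203.0.113.7", _msg("ACK sip:00441134960000@198.51.100.5 SIP/2.0", "bot-1", "1 ACK")),
    # registered phone: challenged, retries with digest credentials, admitted
    ("192.0.2.10", _msg("INVITE sip:1003@198.51.100.5 SIP/2.0", "leg-1", "1 INVITE")),
    (PBX, _msg(CHALLENGE, "leg-1", "1 INVITE")),
    ("192.0.2.10", _msg("INVITE sip:1003@198.51.100.5 SIP/2.0", "leg-1", "2 INVITE",
                        Proxy_Authorization=CREDS)),
    (PBX, _msg("SIP/2.0 200 OK", "leg-1", "2 INVITE")),
    # the case to worry about: admitted with no challenge and no credentials at all
    ("203.0.113.9", _msg("INVITE sip:00441134960001@198.51.100.5 SIP/2.0", "open-1", "1 INVITE")),
    (PBX, _msg("SIP/2.0 100 Trying", "open-1", "1 INVITE")),
    (PBX, _msg("SIP/2.0 200 OK", "open-1", "1 INVITE")),
    # password guess: challenged, retried with credentials, refused
    ("203.0.113.7", _msg("INVITE sip:00441134960002@198.51.100.5 SIP/2.0", "bad-1", "1 INVITE")),
    (PBX, _msg(CHALLENGE, "bad-1", "1 INVITE")),
    ("203.0.113.7", _msg("INVITE sip:00441134960002@198.51.100.5 SIP/2.0", "bad-1", "2 INVITE",
                         Proxy_Authorization=CREDS)),
    (PBX, _msg("SIP/2.0 403 Forbidden", "bad-1", "2 INVITE")),
]

if __name__ == "__main__":
    for cid, verdict in audit_invites(SAMPLE_TRACE).items():
        print(f"{cid:8} {verdict}")
```

On a real capture you would feed it the SIP messages from the public profile's port (e.g. exported from tshark or sngrep) instead of SAMPLE_TRACE. Any "ACCEPTED WITHOUT CREDENTIALS" verdict for an address that is not one of your trusted peers means the profile is admitting calls without digest auth, which is the condition to hunt for in blind auth, ACL and CIDR settings; a trace with only "challenged, caller gave up" verdicts from random addresses is the harmless scanning noise that produces CDRs for rejected calls.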