[Freeswitch-users] freeswitch hack

Ken Rice krice at freeswitch.org
Wed Feb 20 11:46:11 MSK 2013


They are probably hitting the public/external interface which by default
accepts calls for any number but will reject them as the public dialplan
doesn't know what to do with them. I see this on a regular basis on my
PBX... The real question is, are you set up to allow anyone to call you, and
if you are, are you sure to block calls not destined for your box.

As a previous response pointed out this is a very common attack, I see it
several times a day from many different IPs as it's just a bot.... There are
also sipvicious attacks which I don't see much of as I block them on the
firewall level (they almost always include the string 'friendly-scanner' and
a quick google will give you an iptables command to drop them).

These bots exist to exploit not just freeswitch, but any SIP server, and to
exploit sip users with bad/common passwords...

Good System Admin practices and double checking your FreeSWITCH configs will
generally stop them in their tracks.

If you need assistance stop by the FreeSWITCH IRC channel on Freenode
#freeswitch and ask around... If you need professional help email
consulting at freeswitch.org and they will help you out.

K


On 2/20/13 2:35 AM, "Avi Marcus" <avi at avimarcus.net> wrote:

> Personally, I've seen the last option -- CDRs for calls that have been
> rejected.
> 
> They come in on the public profile, attempt to call a single number with
> several prefix types... but they are indeed unauthenticated so FS just hangs
> up on them.
> 
> -Avi
> 
> On Wed, Feb 20, 2013 at 10:14 AM, Steven Ayre <steveayre at gmail.com> wrote:
>> Not unusual at all, and not even clever... there are lots of bots that
>> just randomly search the net for IP addresses that're open to allowing
>> calls.
>> 
>> First, are you sure the profile is actually requiring authentication
>> (a simple packet trace will reveal that - the first INVITE should get
>> a 401 reply).
>> 
>> Second, do you have blind auth enabled, in which case it'd be
>> accepting any username/password?
>> 
>> Third, are they getting authenticated via an ACL or user CIDR?
>> 
>> Finally, is it possible that you're loading CDRs for calls which have
>> been rejected?
>> 
>> -Steve
>> 
>> 
>> 
>> 
>> On 20 February 2013 07:28, Mario Karakanovski <mario at ims.bg> wrote:
>>> > Hi all,
>>> >
>>> >         For some days I noticed that somebody was able to register to my
>>> > freeswitch and was trying to call international numbers. The attack is very
>>> > clever as the hacker logs in at night, trying to call an international
>>> > number 10-15 times while changing the prefix, and goes away.
>>> >
>>> > The sip profile is connected directly to the internet and requires
>>> > authentication:
>>> >         auth-calls = true
>>> >         auth-all-packets = true
>>> >
>>> > There is no IP filtering as the service does not allow setting any.
>>> > The firewall blocks all ports except TCP and UDP 5060 and the required UDP
>>> > media ports. The authentication is made by directory.
>>> > What I wonder is how one can authenticate with an extension that does not
>>> > exist and is not described anywhere.
>>> >
>>> > Can it be some security issue with freeswitch? Any ideas how to solve the
>>> > problem?
>>> >
>>> > Regards,
>>> >         Mario
>>> >
>>> >
>>> > _________________________________________________________________________
>>> > Professional FreeSWITCH Consulting Services:
>>> > consulting at freeswitch.org
>>> > http://www.freeswitchsolutions.com
>>> >
>>> > 
>>> > 
>>> >
>>> > Official FreeSWITCH Sites
>>> > http://www.freeswitch.org
>>> > http://wiki.freeswitch.org
>>> > http://www.cluecon.com
>>> >
>>> > FreeSWITCH-users mailing list
>>> > FreeSWITCH-users at lists.freeswitch.org
>>> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> > http://www.freeswitch.org

-- 
Ken
http://www.FreeSWITCH.org
http://www.ClueCon.com
http://www.OSTAG.org
irc.freenode.net #freeswitch
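
The checks discussed in this thread (the first INVITE should get a 401, rejected calls may still show up as CDRs, and scanner traffic carrying the string 'friendly-scanner') can be run over a packet capture. The following is an added example, not part of the original thread or of FreeSWITCH; the SIP payloads are constructed, and the function names and verdict labels are illustrative assumptions.

```python
import re

# Constructed SIP payloads (not from the thread), one string per captured packet.
SAMPLE = [
    "INVITE sip:900441234@pbx.example.test SIP/2.0\r\nCall-ID: a1\r\nCSeq: 1 INVITE\r\nUser-Agent: friendly-scanner\r\n\r\n",
    "SIP/2.0 401 Unauthorized\r\nCall-ID: a1\r\nCSeq: 1 INVITE\r\n\r\n",
    "INVITE sip:000441234@pbx.example.test SIP/2.0\r\nCall-ID: b2\r\nCSeq: 1 INVITE\r\nUser-Agent: ExamplePhone\r\n\r\n",
    "SIP/2.0 100 Trying\r\nCall-ID: b2\r\nCSeq: 1 INVITE\r\n\r\n",
    "SIP/2.0 200 OK\r\nCall-ID: b2\r\nCSeq: 1 INVITE\r\n\r\n",
    "INVITE sip:011441234@pbx.example.test SIP/2.0\r\nCall-ID: c3\r\nCSeq: 1 INVITE\r\nUser-Agent: ExamplePhone\r\n\r\n",
    "SIP/2.0 404 Not Found\r\nCall-ID: c3\r\nCSeq: 1 INVITE\r\n\r\n",
]

def parse(packet):
    """Return (start_line, headers) with lowercased header names."""
    lines = packet.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def audit_invites(packets):
    """Map Call-ID -> verdict from the first final response to its first INVITE."""
    first_invite, verdicts = {}, {}
    for start, hdrs in map(parse, packets):
        call_id = hdrs.get("call-id")
        if start.startswith("INVITE "):
            first_invite.setdefault(call_id, hdrs)
            continue
        m = re.match(r"SIP/2\.0 (\d{3})", start)
        if not m or call_id not in first_invite or call_id in verdicts:
            continue
        code = int(m.group(1))
        if code < 200 or not hdrs.get("cseq", "").endswith("INVITE"):
            continue  # provisional response, or a reply to another method
        creds = first_invite[call_id].keys() & {"authorization", "proxy-authorization"}
        if code in (401, 407):  # 407 is the proxy form of the same challenge
            verdicts[call_id] = "challenged"
        elif code >= 300:
            verdicts[call_id] = "rejected"  # refused without a challenge; may still be logged
        else:
            verdicts[call_id] = "accepted-with-credentials" if creds else "accepted-without-auth"
    return verdicts

def scanner_call_ids(packets, marker="friendly-scanner"):
    """Call-IDs whose User-Agent contains the scanner string mentioned in the thread."""
    return sorted({h["call-id"] for _, h in map(parse, packets)
                   if marker in h.get("user-agent", "").lower() and "call-id" in h})
```

Any call reported as `accepted-without-auth` on a profile that is supposed to require authentication is the case to investigate first.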
