[Freeswitch-users] Outgoing calls from unknown users

Ken Rice krice at freeswitch.org
Fri Feb 22 19:03:29 MSK 2013


If you were seeing a billtime of 0 that means the calls were blocked... Some
one was probably hitting the ³external² interface then hitting the public
context... This is allowed in the default example configs for freeswitch,
but calls coming in that way are only allowed to actually do something if a)
they hit one of the pre-defined local extensions or you have modified it to
allow other calling.

Why is it like this? This is so you can define your local extensions and
DIDs in the public context then say hey you can just call me via sip to
SIP:mynumber_or_extension at hostname.or.ip.of.my.FS.box.com

Bots will scan the internet (the entire internet) and find your public
profile is not doing sip challenge response, then they will try to place
calls. In your logs they were trying to call a number in what appears to be
Palestine, this is very comon, as they are probing to see if you let the
calls pass by trying various prefixes...

As long as you are configuring the unauthenticated interfaces to only allow
calls for your local extensions this is not a big dead, they will give up
and go away.



On 2/22/13 9:48 AM, "Frederick Pruneau" <frederick at targointernet.com> wrote:

>    
> PB 20618
>  
>  Everytime, it is a 0 billsec. For now, international calls are not
> authorized. But in a near future, I want to authorized them.
>  
>  I verified what Ken wrote:
>  
>  A) make sure you are not using the default username and passwords for
>  registered sip users (not using default username and password. All default
> users/extensions have been removed)
>  B) don't allow unauthenticated calls to go back out to the PSTN (I don't have
> PSTN lines)
>  C) Use appropriate firewall rules to only allow places you should be getting
>  calls from (Already done)
>  D) use something like Fail2Ban to block people attempting to make repeated
>  failed calls/registration attempts in a short period of time...
>  
>  Actually, I have fail2ban that blocks registration attemps. I don't know how
> to block failed calls. Can you guide me to a web site or help me to ban failed
> calls?
>  
>  Thank you for your quick replies!
>  
>  Fred
>  
>  Le 2013-02-22 09:01, Christian Benke a écrit :
>  
>  
>>  
>> Do you have a logfile of these calls? Can you please paste it to
>> http://pastebin.freeswitch.org/. Otherwise, please paste your
>> dialplans to pastebin so we can figure out what's really happening
>> with your calls, the csv has too little information. Do all of these
>> calls have 0 billsec?
>> 
>> If possible, you should turn off FreeSWITCH till you know the reason
>> for this calls, it looks very much like your system is not safe.
>> 
>> Best regards,
>> Christian
>> 
>> --
>> Central Asia by bike, starting May 2013 - http://poab.org
>> 
>> 
>> On 22 February 2013 14:26, Frederick Pruneau
>> <frederick at targointernet.com> <mailto:frederick at targointernet.com>  wrote:
>>  
>>>  
>>> Hi everyone!
>>> 
>>> I have found in the log files some international calls from unknown
>>> extensions. These extensions don't exist in my configuration. I tried to
>>> block them in my firewall (iptables on my freeswitch server) but they
>>> always use random IP adresses. Here is a short part of my Master.csv:
>>> 
>>> "1001","1001","0015972595646444","2013-02-22 02:05:27","","2013-02-22
>>> 02:05:27","0","NORMAL_CLEARING","3c876eae-7cbe-11e2-877f-b791adff5763","",""
>>> ,"",""
>>> "1001","1001","9011972595646444","2013-02-22 02:05:28","","2013-02-22
>>> 02:05:28","0","NORMAL_CLEARING","3d0d058c-7cbe-11e2-8783-b791adff5763","",""
>>> ,"",""
>>> "1001","1001","2011972595646444","2013-02-22 02:05:29","","2013-02-22
>>> 02:05:29","0","NORMAL_CLEARING","3da55576-7cbe-11e2-8787-b791adff5763","",""
>>> ,"",""
>>> "1001","1001","3011972595646444","2013-02-22 02:05:30","","2013-02-22
>>> 02:05:30","0","NORMAL_CLEARING","3e4727ca-7cbe-11e2-878b-b791adff5763","",""
>>> ,"",""
>>> "1001","1001","4011972595646444","2013-02-22 02:05:31","","2013-02-22
>>> 02:05:31","0","NORMAL_CLEARING","3eecc2e8-7cbe-11e2-878f-b791adff5763","",""
>>> ,"",""
>>> "1001","1001","5011972595646444","2013-02-22 02:05:32","","2013-02-22
>>> 02:05:32","0","NORMAL_CLEARING","3f633b94-7cbe-11e2-8793-b791adff5763","",""
>>> ,"",""
>>> "1001","1001","6011972595646444","2013-02-22 02:05:33","","2013-02-22
>>> 02:05:33","0","NORMAL_CLEARING","3fc49902-7cbe-11e2-8797-b791adff5763","",""
>>> ,"",""
>>> "1001","1001","7011972595646444","2013-02-22 02:05:33","","2013-02-22
>>> 02:05:33","0","NORMAL_CLEARING","403c0622-7cbe-11e2-879b-b791adff5763","",""
>>> ,"",""
>>> "1001","1001","8011972595646444","2013-02-22 02:05:34","","2013-02-22
>>> 02:05:34","0","NORMAL_CLEARING","40e61ef0-7cbe-11e2-879f-b791adff5763","",""
>>> ,"",""
>>> 
>>> With my configuration, I need to be registered to make a call. I tried
>>> to call with an unregistered phone and I was not able to make a call. I
>>> don't know how they are able to do this but I need to block them. Is
>>> there something that I am missing in my configuration to block unwanted
>>> extensions to make calls?
>>> 
>>> Thanks in advance!
>>> 
>>> 
>>> Fred
>>> 
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>> 
>>> 
>>> 
>>> 
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://wiki.freeswitch.org
>>> http://www.cluecon.com
>>> 
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>  
>>  
>> 
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>> 
>> 
>> 
>> 
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>> 
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>  
>  
>  
>  

-- 
Ken
http://www.FreeSWITCH.org
http://www.ClueCon.com
http://www.OSTAG.org
irc.freenode.net #freeswitch

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20130222/f0192204/attachment.html 


Join us at ClueCon 2011 Aug 9-11, 2011
More information about the FreeSWITCH-users mailing list