[Freeswitch-users] Need help to stop this hack into FreeSwitch!

Kristian Kielhofner kris at kriskinc.com
Tue May 20 21:31:12 MSD 2014


Your firewall isn't doing what you think it should be doing. Triple
check and (ideally) get another set of eyes on it.

There are multiple options for dealing with this in FreeSWITCH. The
ACL wiki article has a good intro:

https://wiki.freeswitch.org/wiki/ACL



On Tue, May 20, 2014 at 12:57 PM, Mario G <mario_fs at mgtech.com> wrote:
> Someone has gotten into my FreeSwitch, my firewall is set to only allow SIP traffic from my ITSP, and I added a rule to block the bad address but it did not work so I am baffled. It looks like 85.25.198.253 (Germany) is making a call to me and trying to call out. I would really appreciate any ideas on what kind of general FW rule to add to prevent this, I don’t know what is going on. Next I’ll run PCAPs. I was thinking of a rule to block all outgoing SIP traffic except to the ITSP. Would appreciate help, especially an explanation of what they are trying to do in FS.
> Mario G
>
> * Started May 19 8am, goes through all 7 sip accounts every 10 seconds
> * Each time it starts at extension 1000, goes through all 7 accounts, then waits 10 seconds, the extension is incremented by 1 and goes through all 7 accounts, this repeats until finally stopping at extension 9010, then starts at a different time of day hours later.
>
> * My account is itsp1 and itsp2, there are 5 more but I cut them out to reduce this.
> * 1.2.3.4 is my public wan address.
> * They look like 85.25.198.253, but blocking that in the FW does not help. Odd since I have done that before and it worked.
> * The "processing 4003 <4003>->+972592406392" is baffling.
>
> This is a short/reduced snippet from the log:
> 2014-05-19 17:02:23.827470 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [2837a51d-b25d-4b42-9fd9-f5b772d93f70]
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6210 Remote SDP:
> v=0
> o=sipcli-Session 1785091527 1239589188 IN IP4 85.25.198.253
> s=sipcli
> c=IN IP4 85.25.198.253
> t=0 0
> m=audio 5075 RTP/AVP 18 0 8 101
> a=rtpmap:18 G729/8000
> a=rtpmap:0 PCMU/8000
> a=rtpmap:8 PCMA/8000
> a=rtpmap:101 telephone-event/8000
> a=fmtp:101 0-15
> a=ptime:20
>
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3437 Audio Codec Compare [PCMA:8:8000:20:64000] ++++ is saved as a match
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [PCMA:8:8000:20:64000]/[GSM:3:8000:20:13200]
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3309 Set telephone-event payload to 101
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:2343 Set Codec sofia/itsp1/4003 at 1.2.3.4 PCMU/8000 20 ms 160 samples 64000 bits
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_codec.c:111 sofia/itsp1/4003 at 1.2.3.4 Original read codec set to PCMU:0
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3626 Set 2833 dtmf send/recv payload to 101
> 2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6485 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_NEW -> CS_INIT
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:486 (sofia/itsp1/4003 at 1.2.3.4) State NEW
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_INIT
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507 (sofia/itsp1/4003 at 1.2.3.4) State INIT
> 2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:87 sofia/itsp1/4003 at 1.2.3.4 SOFIA INIT
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:40 sofia/itsp1/4003 at 1.2.3.4 Standard INIT
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:48 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_INIT -> CS_ROUTING
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507 (sofia/itsp1/4003 at 1.2.3.4) State INIT going to sleep
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_ROUTING
> 2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:2178 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change DOWN -> RINGING
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523 (sofia/itsp1/4003 at 1.2.3.4) State ROUTING
> 2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:123 sofia/itsp1/4003 at 1.2.3.4 SOFIA ROUTING
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:164 sofia/itsp1/4003 at 1.2.3.4 Standard ROUTING
> 2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->unloop] continue=false
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (PASS) [unloop] ${unroll_loops}(true) =~ /^true$/ break=on-false
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [unloop] ${sip_looped_call}() =~ /^true$/ break=on-false
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->outside_call] continue=true
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Absolute Condition [outside_call]
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action set(outside_call=true)
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action export(RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)})
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->call_debug] continue=true
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [call_debug] ${call_debug}(false) =~ /^true$/ break=never
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->public_extensions] continue=false
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [public_extensions] destination_number(+972592406392) =~ /^([1-2][0-1][0-3])$/ break=on-false
> ………. deleted lines
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp1_did] destination_number(+972592406392) =~ /^(1212121212121)$/ break=on-false
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->itsp2_did] continue=false
> Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp2_did] destination_number(+972592406392) =~ /^(1313131313131)$/ break=on-false
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:214 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_ROUTING -> CS_EXECUTE
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523 (sofia/itsp1/4003 at 1.2.3.4) State ROUTING going to sleep
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_EXECUTE
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530 (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE
> 2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:178 sofia/itsp1/4003 at 1.2.3.4 SOFIA EXECUTE
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:256 sofia/itsp1/4003 at 1.2.3.4 Standard EXECUTE
> EXECUTE sofia/itsp1/4003 at 1.2.3.4 set(outside_call=true)
> 2014-05-19 17:02:23.827470 [DEBUG] mod_dptools.c:1435 sofia/itsp1/4003 at 1.2.3.4 SET [outside_call]=[true]
> EXECUTE sofia/itsp1/4003 at 1.2.3.4 export(RFC2822_DATE=Mon, 19 May 2014 17:02:23 -0700)
> 2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:1246 EXPORT (export_vars) [RFC2822_DATE]=[Mon, 19 May 2014 17:02:23 -0700]
> 2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:313 sofia/itsp1/4003 at 1.2.3.4 has executed the last dialplan instruction, hanging up.
> 2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:315 Hangup sofia/itsp1/4003 at 1.2.3.4 [CS_EXECUTE] [NORMAL_CLEARING]
> 2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:3216 Send signal sofia/itsp1/4003 at 1.2.3.4 [KILL]
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530 (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE going to sleep
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_HANGUP
> 2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:730 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change RINGING -> HANGUP
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP
> 2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:413 Channel sofia/itsp1/4003 at 1.2.3.4 hanging up, cause: NORMAL_CLEARING
> 2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:547 Responding to INVITE with: 480
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:58 sofia/itsp1/4003 at 1.2.3.4 Standard HANGUP, cause: NORMAL_CLEARING
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP going to sleep
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:499 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_HANGUP -> CS_REPORTING
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_REPORTING
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:102 sofia/itsp1/4003 at 1.2.3.4 Standard REPORTING, cause: NORMAL_CLEARING
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING going to sleep
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:493 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_REPORTING -> CS_DESTROY
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1604 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Locked, Waiting on external entities
> 2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1622 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Ended
> 2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1626 Close Channel sofia/itsp1/4003 at 1.2.3.4 [CS_DESTROY]
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:618 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change HANGUP -> DOWN
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:621 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_DESTROY
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY
> 2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:323 sofia/itsp1/4003 at 1.2.3.4 SOFIA DESTROY
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:109 sofia/itsp1/4003 at 1.2.3.4 Standard DESTROY
> 2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY going to sleep
> 2014-05-19 17:02:25.107472 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [364bd3e4-2c4b-4412-b259-10cfb0b6c391]
> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
> 2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
> 2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
> 2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6210 Remote SDP:
> v=0
> o=sipcli-Session 17343503 2124966596 IN IP4 85.25.198.253
> s=sipcli
> c=IN IP4 85.25.198.253
> t=0 0
> m=audio 5085 RTP/AVP 18 0 8 101
> a=rtpmap:18 G729/8000
> a=rtpmap:0 PCMU/8000
> a=rtpmap:8 PCMA/8000
> a=rtpmap:101 telephone-event/8000
> a=fmtp:101 0-15
> a=ptime:20
>
> 2014-05-19 17:02:25.107472 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [G729:18:8000:20:8000]/[G722:9:8000:20:64000]
>
>



-- 
Kristian Kielhofner
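
One way to check what is actually reaching FreeSWITCH past the firewall is to audit the log itself for INVITE sources outside the ITSP's range. The Python below is an added example, not part of the original thread or of FreeSWITCH; the ITSP range 203.0.113.0/24, the function name `audit_invites` and the sample lines (modelled on the posted excerpt) are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# sofia.c DEBUG line from the posted log. The list archive rewrites "@" as
# " at ", so both forms are accepted.
INVITE_RE = re.compile(
    r"sofia/(?P<profile>[^/\s]+)/(?P<user>\S+?)(?:@| at )\S+ "
    r"receiving invite from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")
# mod_dialplan_xml INFO line that records the requested destination number.
DIALPLAN_RE = re.compile(
    r"Processing (?P<user>\S+) <[^>]*>->(?P<dest>\S+) in context (?P<ctx>\S+)")

# Constructed sample input; 203.0.113.10 stands in for the real ITSP (assumption).
SAMPLE_LOG = [
    "2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b",
    "2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public",
    "2014-05-19 17:02:24.100000 [DEBUG] sofia.c:8334 sofia/itsp1/15550100@1.2.3.4 receiving invite from 203.0.113.10:5060 version: 1.5.13b",
    "2014-05-19 17:02:24.100000 [INFO] mod_dialplan_xml.c:558 Processing 15550100 <15550100>->1212121212121 in context public",
    "2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp1/4003@1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b",
]

def audit_invites(log_lines, allowed_cidrs):
    """Return {source_ip: details} for INVITEs from outside allowed_cidrs."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = defaultdict(lambda: {"invites": 0, "profiles": set(), "dests": set()})
    last_offender = None  # heuristic: dialplan line belongs to the previous INVITE
    for line in log_lines:
        m = INVITE_RE.search(line)
        if m:
            try:
                ip = ipaddress.ip_address(m["ip"])
            except ValueError:  # malformed address in the log line
                continue
            if any(ip in net for net in allowed):
                last_offender = None
            else:
                last_offender = m["ip"]
                findings[last_offender]["invites"] += 1
                findings[last_offender]["profiles"].add(m["profile"])
            continue
        d = DIALPLAN_RE.search(line)
        if d and last_offender:
            findings[last_offender]["dests"].add((d["dest"], d["ctx"]))
    return dict(findings)

if __name__ == "__main__":
    for ip, info in audit_invites(SAMPLE_LOG, ["203.0.113.0/24"]).items():
        print(ip, info)
```

Any address this reports was accepted by the SIP profile, so the firewall rule meant to drop it is not in the packet's path.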


