[Freeswitch-users] Security Issue
msc at freeswitch.org
Thu Jan 15 07:19:07 MSK 2015
On Wed, Jan 14, 2015 at 9:40 AM, Ahmed Habiba <ahabiba at gmail.com> wrote:
> Thank you really David,
> Here is my point, the sip-trace in the first mail shows that, the call
> comes to public context mainly through port 5080, and however the
> originator IP was not defined in my ACL list Freeswitch continue to process
> the call for some reason.
Just an FYI, the external profile does not have auth-calls param set to
true, so FS simply tries to route the call in the public context without
sending back an auth challenge. Since the public context is pretty paranoid
it's not exactly easy to dial out. Also, just because FS tries to route the
call does not mean that FS considers the call to be "authenticated."
If you want all traffic coming in to your server to be authenticated then
either send it all to the internal profile (i.e. port 5060) or add
auth-calls to your external profile.
The bigger question you may want to ask is: why are these random IP even
getting to your server? Do you allow public access to your system? If so,
why? If not, then you need a firewall (iptables or whatnot) to block those
SIP messages from ever getting to your FreeSWITCH. You may also be
interested in something like fail2ban and voipbl.org.
> even if it come to 5060, I was expecting some request for digest
> authentication, which is not shown in the log.
> *From: *David Villasmil Govea <david.villasmil at gmail.com>
> *To: *FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> *Date: *January 14, 2015 at 8:30:35 PM GMT+3
> *Reply-To: *FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> *Subject: **Re: [Freeswitch-users] Security Issue*
> Authorization is done if you configure your sip profile to do it. By
> default 5060 (internal) requires authentication, 5080 (external) doesn't
> but it does use the ACL to allow or not calls.
-------------- next part --------------
An HTML attachment was scrubbed...
Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users