Discussion:
[Freeswitch-users] Need help to stop this hack into FreeSwitch!
Mario G
2014-05-20 16:57:12 UTC
Someone has gotten into my FreeSwitch, my firewall is set to only allow SIP traffic from my ITSP, and I added a rule to block the bad address but it did not work so I am baffled. It looks like 85.25.198.253 (Germany) is making a call to me and trying to call out. I would really appreciate any ideas on what kind of general FW rule to add to prevent this, I don't know what is going on. Next I'll run PCAPs. I was thinking of a rule to block all outgoing SIP traffic except to the ITSP. Would appreciate help, especially an explanation of what they are trying to do in FS.
Mario G

* Started May 19 8am, goes through all 7 sip accounts every 10 seconds
* Each time it starts at extension 1000, goes through all 7 accounts, then waits 10 seconds, the extension is incremented by 1 and goes through all 7 accounts, this repeats until finally stopping at extension 9010, then starts at a different time of day hours later.

* My account is itsp1 and itsp2, there are 5 more but I cut them out to reduce this.
* 1.2.3.4 is my public wan address.
* They look like 85.25.198.253, but blocking that in the FW does not help. Odd since I have done that before and it worked.
* The "processing 4003 <4003>->+972592406392" is baffling.

This is a short/reduced snippet from the log:
2014-05-19 17:02:23.827470 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [2837a51d-b25d-4b42-9fd9-f5b772d93f70]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6210 Remote SDP:
v=0
o=sipcli-Session 1785091527 1239589188 IN IP4 85.25.198.253
s=sipcli
c=IN IP4 85.25.198.253
t=0 0
m=audio 5075 RTP/AVP 18 0 8 101
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20

2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3437 Audio Codec Compare [PCMA:8:8000:20:64000] ++++ is saved as a match
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [PCMA:8:8000:20:64000]/[GSM:3:8000:20:13200]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3309 Set telephone-event payload to 101
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:2343 Set Codec sofia/itsp1/4003 at 1.2.3.4 PCMU/8000 20 ms 160 samples 64000 bits
2014-05-19 17:02:23.827470 [DEBUG] switch_core_codec.c:111 sofia/itsp1/4003 at 1.2.3.4 Original read codec set to PCMU:0
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3626 Set 2833 dtmf send/recv payload to 101
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6485 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_NEW -> CS_INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:486 (sofia/itsp1/4003 at 1.2.3.4) State NEW
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507 (sofia/itsp1/4003 at 1.2.3.4) State INIT
2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:87 sofia/itsp1/4003 at 1.2.3.4 SOFIA INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:40 sofia/itsp1/4003 at 1.2.3.4 Standard INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:48 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_INIT -> CS_ROUTING
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507 (sofia/itsp1/4003 at 1.2.3.4) State INIT going to sleep
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_ROUTING
2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:2178 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change DOWN -> RINGING
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523 (sofia/itsp1/4003 at 1.2.3.4) State ROUTING
2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:123 sofia/itsp1/4003 at 1.2.3.4 SOFIA ROUTING
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:164 sofia/itsp1/4003 at 1.2.3.4 Standard ROUTING
2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->unloop] continue=false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (PASS) [unloop] ${unroll_loops}(true) =~ /^true$/ break=on-false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [unloop] ${sip_looped_call}() =~ /^true$/ break=on-false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->outside_call] continue=true
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Absolute Condition [outside_call]
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action set(outside_call=true)
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action export(RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)})
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->call_debug] continue=true
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [call_debug] ${call_debug}(false) =~ /^true$/ break=never
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->public_extensions] continue=false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [public_extensions] destination_number(+972592406392) =~ /^([1-2][0-1][0-3])$/ break=on-false
... deleted lines
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp1_did] destination_number(+972592406392) =~ /^(1212121212121)$/ break=on-false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->itsp2_did] continue=false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp2_did] destination_number(+972592406392) =~ /^(1313131313131)$/ break=on-false
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:214 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_ROUTING -> CS_EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523 (sofia/itsp1/4003 at 1.2.3.4) State ROUTING going to sleep
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530 (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:178 sofia/itsp1/4003 at 1.2.3.4 SOFIA EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:256 sofia/itsp1/4003 at 1.2.3.4 Standard EXECUTE
EXECUTE sofia/itsp1/4003 at 1.2.3.4 set(outside_call=true)
2014-05-19 17:02:23.827470 [DEBUG] mod_dptools.c:1435 sofia/itsp1/4003 at 1.2.3.4 SET [outside_call]=[true]
EXECUTE sofia/itsp1/4003 at 1.2.3.4 export(RFC2822_DATE=Mon, 19 May 2014 17:02:23 -0700)
2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:1246 EXPORT (export_vars) [RFC2822_DATE]=[Mon, 19 May 2014 17:02:23 -0700]
2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:313 sofia/itsp1/4003 at 1.2.3.4 has executed the last dialplan instruction, hanging up.
2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:315 Hangup sofia/itsp1/4003 at 1.2.3.4 [CS_EXECUTE] [NORMAL_CLEARING]
2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:3216 Send signal sofia/itsp1/4003 at 1.2.3.4 [KILL]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530 (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE going to sleep
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_HANGUP
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:730 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change RINGING -> HANGUP
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:413 Channel sofia/itsp1/4003 at 1.2.3.4 hanging up, cause: NORMAL_CLEARING
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:547 Responding to INVITE with: 480
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:58 sofia/itsp1/4003 at 1.2.3.4 Standard HANGUP, cause: NORMAL_CLEARING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP going to sleep
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:499 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_HANGUP -> CS_REPORTING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_REPORTING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:102 sofia/itsp1/4003 at 1.2.3.4 Standard REPORTING, cause: NORMAL_CLEARING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING going to sleep
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:493 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_REPORTING -> CS_DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1604 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Locked, Waiting on external entities
2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1622 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Ended
2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1626 Close Channel sofia/itsp1/4003 at 1.2.3.4 [CS_DESTROY]
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:618 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change HANGUP -> DOWN
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:621 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:323 sofia/itsp1/4003 at 1.2.3.4 SOFIA DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:109 sofia/itsp1/4003 at 1.2.3.4 Standard DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY going to sleep
2014-05-19 17:02:25.107472 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [364bd3e4-2c4b-4412-b259-10cfb0b6c391]
2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:25.107472 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6210 Remote SDP:
v=0
o=sipcli-Session 17343503 2124966596 IN IP4 85.25.198.253
s=sipcli
c=IN IP4 85.25.198.253
t=0 0
m=audio 5085 RTP/AVP 18 0 8 101
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20

2014-05-19 17:02:25.107472 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [G729:18:8000:20:8000]/[G722:9:8000:20:64000]
Kristian Kielhofner
2014-05-20 17:31:12 UTC
Your firewall isn't doing what you think it should be doing. Triple
check and (ideally) get another set of eyes on it.

There are multiple options for dealing with this in FreeSWITCH. The
ACL wiki article has a good intro:

https://wiki.freeswitch.org/wiki/ACL
--
Kristian Kielhofner
Lawrence Conroy
2014-05-20 17:32:38 UTC
Hi Mario,
+972 - Aha -- our friends in the Gaza Strip/Ramallah at work.
Fail2Ban worked very nicely to deal with this excrescence for me.

I assume that you do require authentication before calling out.
outside_calling is being set, so it's certainly armed (i.e., the dialplan knows that this is a non-local call).
Thus I'd guess fS drops the call as it skips any outcalling originate command.

=> Looks like you have a call in from what purports to be your ITSP with a destination number of +972... @ <your domain>, it hits 4003, and that context doesn't allow the call to proceed.
So ... it's a nuisance, but at least it isn't costing you money.

Is this what you're seeing? The dialplan is simply not allowing the outside_call to go anywhere when it's to an external number.

all the best,
Lawrence
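
Added example (not part of any post in this thread): a small Python log triage for the two log line types quoted above, "receiving invite from" and "Processing ... in context public". It lists every source address outside the ITSP's range that still reached FreeSWITCH, which is the direct test of whether the firewall is doing what it is supposed to, and checks whether the caller extensions form the incrementing sweep described in the first post. The ITSP range 198.51.100.0/24, the function names and the sample log are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample: the first two lines are modeled on the log in the first
# post; the rest (4004, 4005, itsp2, the ITSP call) are made up for the example.
SAMPLE_LOG = """\
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b
2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp2/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b
2014-05-19 17:02:25.107472 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
2014-05-19 17:02:35.200000 [DEBUG] sofia.c:8334 sofia/itsp1/4004 at 1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b
2014-05-19 17:02:35.200000 [INFO] mod_dialplan_xml.c:558 Processing 4004 <4004>->+972592406392 in context public
2014-05-19 17:02:45.300000 [DEBUG] sofia.c:8334 sofia/itsp1/4005 at 1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b
2014-05-19 17:02:45.300000 [INFO] mod_dialplan_xml.c:558 Processing 4005 <4005>->+972592406392 in context public
2014-05-19 17:03:00.000000 [DEBUG] sofia.c:8334 sofia/itsp1/15555550100 at 1.2.3.4 receiving invite from 198.51.100.10:5060 version: 1.5.13b
2014-05-19 17:03:00.000000 [INFO] mod_dialplan_xml.c:558 Processing 15555550100 <15555550100>->1212121212121 in context public
"""

# Channel names appear as "user at host" in this archive and "user@host" in a
# live log; accept both.
INVITE_RE = re.compile(
    r"sofia/(?P<profile>[^/\s]+)/(?P<user>[^@\s]+)(?:@| at )\S+ "
    r"receiving invite from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+"
)
ROUTE_RE = re.compile(
    r"Processing .*?<(?P<caller>[^>]*)>->(?P<dest>\S+) in context (?P<context>\S+)"
)


@dataclass
class SourceReport:
    invites: int = 0
    profiles: set = field(default_factory=set)
    callers: set = field(default_factory=set)
    destinations: set = field(default_factory=set)


def find_untrusted_invites(log_text, trusted_cidrs):
    """Return {source_ip: SourceReport} for INVITEs from outside trusted_cidrs."""
    trusted = [ip_network(c) for c in trusted_cidrs]
    last_source = {}  # caller user part -> source IP of its most recent INVITE
    reports = {}
    for line in log_text.splitlines():
        m = INVITE_RE.search(line)
        if m:
            src = m["ip"]
            last_source[m["user"]] = src
            if any(ip_address(src) in net for net in trusted):
                continue  # expected traffic from the ITSP
            rep = reports.setdefault(src, SourceReport())
            rep.invites += 1
            rep.profiles.add(m["profile"])
            rep.callers.add(m["user"])
            continue
        m = ROUTE_RE.search(line)
        if m:
            # The dialplan line carries no source IP; tie it to the INVITE
            # that most recently used the same caller number.
            src = last_source.get(m["caller"])
            if src in reports:
                reports[src].destinations.add(m["dest"])
    return reports


def is_extension_sweep(callers, min_run=3):
    """True if the caller IDs contain min_run or more consecutive numbers."""
    nums = sorted(int(c) for c in callers if c.isdigit())
    run = best = 1 if nums else 0
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best >= min_run


if __name__ == "__main__":
    for ip, rep in find_untrusted_invites(SAMPLE_LOG, ["198.51.100.0/24"]).items():
        print(ip, rep.invites, sorted(rep.profiles), sorted(rep.destinations),
              "sweep" if is_extension_sweep(rep.callers) else "no sweep")
```

Any address this reports has, by definition, passed the firewall, so the result can be checked against the firewall rules and used as input for an ACL or Fail2Ban ban.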
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_HANGUP
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:730 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change RINGING -> HANGUP
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:413 Channel sofia/itsp1/4003 at 1.2.3.4 hanging up, cause: NORMAL_CLEARING
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:547 Responding to INVITE with: 480
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:58 sofia/itsp1/4003 at 1.2.3.4 Standard HANGUP, cause: NORMAL_CLEARING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP going to sleep
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:499 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_HANGUP -> CS_REPORTING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_REPORTING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:102 sofia/itsp1/4003 at 1.2.3.4 Standard REPORTING, cause: NORMAL_CLEARING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING going to sleep
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:493 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_REPORTING -> CS_DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1604 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Locked, Waiting on external entities
2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1622 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Ended
2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1626 Close Channel sofia/itsp1/4003 at 1.2.3.4 [CS_DESTROY]
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:618 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change HANGUP -> DOWN
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:621 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:323 sofia/itsp1/4003 at 1.2.3.4 SOFIA DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:109 sofia/itsp1/4003 at 1.2.3.4 Standard DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY going to sleep
2014-05-19 17:02:25.107472 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [364bd3e4-2c4b-4412-b259-10cfb0b6c391]
2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:25.107472 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
v=0
o=sipcli-Session 17343503 2124966596 IN IP4 85.25.198.253
s=sipcli
c=IN IP4 85.25.198.253
t=0 0
m=audio 5085 RTP/AVP 18 0 8 101
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
2014-05-19 17:02:25.107472 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [G729:18:8000:20:8000]/[G722:9:8000:20:64000]
_________________________________________________________________________
consulting at freeswitch.org
http://www.freeswitchsolutions.com
FreeSWITCH-powered IP PBX: The CudaTel Communication Server
http://www.cudatel.com
Official FreeSWITCH Sites
http://www.freeswitch.org
http://wiki.freeswitch.org
http://www.cluecon.com
FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
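A triage pass over the log above, as an added example that is not part of the original post or of FreeSWITCH: it groups inbound calls by the address on the `receiving invite from` line rather than by channel name, and reports sources outside an allowlist. The sample lines are constructed in the format of the post's log; 198.51.100.10 and the caller 5551230000 are placeholders for the ITSP, which the post does not give.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the log above (the list archive prints
# "@" as " at "). 198.51.100.10 and caller 5551230000 are placeholders for the
# ITSP; the itsp2 and 4004 attempts follow the sweep the post describes.
SAMPLE_LOG = """\
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
s=sipcli
2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:547 Responding to INVITE with: 480
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp2/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
s=sipcli
2014-05-19 17:02:25.107472 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
2014-05-19 17:02:25.120000 [DEBUG] mod_sofia.c:547 Responding to INVITE with: 480
2014-05-19 17:02:35.200000 [DEBUG] sofia.c:8334 sofia/itsp1/4004 at 1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
s=sipcli
2014-05-19 17:02:35.200000 [INFO] mod_dialplan_xml.c:558 Processing 4004 <4004>->+972592406392 in context public
2014-05-19 17:03:10.000000 [DEBUG] sofia.c:8334 sofia/itsp1/5551230000 at 198.51.100.10 receiving invite from 198.51.100.10:5060 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:03:10.000000 [INFO] mod_dialplan_xml.c:558 Processing 5551230000 <5551230000>->1212121212121 in context public
"""

# Channel name, then the network source of the INVITE (IPv4 only).
INVITE_RE = re.compile(
    r"sofia/(?P<profile>[^/\s]+)/(?P<user>[^@\s]+)(?:@| at )\S+?\s*"
    r"receiving invite from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")
ROUTE_RE = re.compile(
    r"Processing .*?<[^>]*>->(?P<dest>\S+) in context (?P<context>\S+)")
SDP_NAME_RE = re.compile(r"^s=(?P<name>\S.*)$")
RESPONSE_RE = re.compile(r"Responding to INVITE with: (?P<code>\d{3})")


def parse_calls(text):
    """Return one record per inbound INVITE, in log order.

    Later lines are attached to the most recent INVITE. That assumes calls
    are not interleaved in the log, which holds for the sample; a busy
    switch interleaves calls and needs stricter correlation.
    """
    calls, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = INVITE_RE.search(line)
        if m:
            current = {"profile": m["profile"], "caller": m["user"],
                       "src_ip": m["ip"], "dest": None, "context": None,
                       "sdp_name": None, "response": None}
            calls.append(current)
            continue
        if current is None:
            continue
        m = ROUTE_RE.search(line)
        if m:
            current["dest"], current["context"] = m["dest"], m["context"]
            continue
        m = SDP_NAME_RE.match(line)
        if m:
            current["sdp_name"] = m["name"]
            continue
        m = RESPONSE_RE.search(line)
        if m:
            current["response"] = m["code"]
    return calls


def untrusted_sources(calls, trusted_cidrs):
    """Group calls by source IP, skipping sources inside trusted_cidrs."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    report = defaultdict(lambda: {
        "invites": 0, "profiles": set(), "callers": set(),
        "dests": set(), "sdp_names": set(), "responses": set()})
    for call in calls:
        try:
            ip = ipaddress.ip_address(call["src_ip"])
        except ValueError:
            continue  # matched the pattern but is not a valid IPv4 address
        if any(ip in net for net in trusted):
            continue
        entry = report[call["src_ip"]]
        entry["invites"] += 1
        entry["profiles"].add(call["profile"])
        entry["callers"].add(call["caller"])
        for key, field in (("dests", "dest"), ("sdp_names", "sdp_name"),
                           ("responses", "response")):
            if call[field] is not None:
                entry[key].add(call[field])
    for entry in report.values():
        # Several caller IDs or profiles from one outside address is the
        # account/extension sweep described in the post.
        entry["sweep"] = len(entry["callers"]) > 1 or len(entry["profiles"]) > 1
    return dict(report)


if __name__ == "__main__":
    found = untrusted_sources(parse_calls(SAMPLE_LOG), ["198.51.100.10/32"])
    for ip, entry in found.items():
        print(ip, entry)
```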
Yehavi Bourvine
2014-05-20 17:51:27 UTC
Permalink
A slight clarification: +972 is Israel, and +970 is Palestine (Gaza & West
Bank); however, at present 970 is an alias to 972.

The call you see is to +972-59xxxxx which is one of Palestine's mobile
operators (Jawwal).

If you block 972 then you block all Israel. You can block +972-5[69]xxxxx
which are the two Palestinian mobile operators.
Post by Lawrence Conroy
Hi Mario,
+972 - Aha -- our friends in the Gaza Strip/Ramallah at work.
Fail2Ban worked very nicely to deal with this excrescence for me.
I assume that you do require authentication before calling out.
outside_calling is being set, so it's certainly armed (i.e., the dialplan
knows that this is a non-local call).
Thus I'd guess fS drops the call as it skips any outcalling originate command.
=> Looks like you have a call in from what purports to be your ITSP with a
context doesn't allow the call to proceed.
So ... it's a nuisance, but at least it isn't costing you money.
Is this what you're seeing? The dialplan is simply not allowing the
outside_call to go anywhere when it's to an external number.
all the best,
Lawrence
Mario G
2014-05-20 18:02:42 UTC
Permalink
Will look into fail2ban, there is no activity for these calls on the ITSP so somehow they are coming in as my ITSP IP? If so, the ITSP should know about this. Yes, just happens the dial plan can't handle that number. Yes, authentication is on, yes a nuisance but the router log shows huge traffic spikes during these times. I am trying to figure out a rule for the FW so it can handle this from other IPs. Thanks,
Mario G
Post by Lawrence Conroy
Hi Mario,
+972 - Aha -- our friends in the Gaza Strip/Ramallah at work.
Fail2Ban worked very nicely to deal with this excrescence for me.
I assume that you do require authentication before calling out.
outside_calling is being set, so it's certainly armed (i.e., the dialplan knows that this is a non-local call).
Thus I'd guess fS drops the call as it skips any outcalling originate command.
So ... it's a nuisance, but at least it isn't costing you money.
Is this what you're seeing? The dialplan is simply not allowing the outside_call to go anywhere when it's to an external number.
all the best,
Lawrence
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:323 sofia/itsp1/4003 at 1.2.3.4 SOFIA DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:109 sofia/itsp1/4003 at 1.2.3.4 Standard DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY going to sleep
2014-05-19 17:02:25.107472 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [364bd3e4-2c4b-4412-b259-10cfb0b6c391]
2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:25.107472 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
v=0
o=sipcli-Session 17343503 2124966596 IN IP4 85.25.198.253
s=sipcli
c=IN IP4 85.25.198.253
t=0 0
m=audio 5085 RTP/AVP 18 0 8 101
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
2014-05-19 17:02:25.107472 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [G729:18:8000:20:8000]/[G722:9:8000:20:64000]
_________________________________________________________________________
consulting at freeswitch.org
http://www.freeswitchsolutions.com
FreeSWITCH-powered IP PBX: The CudaTel Communication Server
http://www.cudatel.com
Official FreeSWITCH Sites
http://www.freeswitch.org
http://wiki.freeswitch.org
http://www.cluecon.com
FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
Sean Devoy
2014-05-20 18:12:14 UTC
Permalink
Mario,

Assuming you are not on Windows, you need to run this line:
iptables -A INPUT -s 85.25.198.0/24 -j DROP

That will block that class C subnet from your system completely. That is the subnet their traffic is coming from. But I am not sure they have not authenticated (registered) on your server. If you are on Windows let me know, I can help there too.

Please send the output from:
iptables -L -v

and from the FS console:
show registrations

Sean.

-----Original Message-----
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Mario G
Sent: Tuesday, May 20, 2014 12:57 PM
To: FreeSWITCH Users Help
Subject: [Freeswitch-users] Need help to stop this hack into FreeSwitch!

Someone has gotten into my FreeSwitch, my firewall is set to only allow SIP traffic from my ITSP, and I added a rule to block the bad address but it did not work so I am baffled. It looks like 85.25.198.253 (Germany) is making a call to me and trying to call out. I would really appreciate any ideas on what kind of general FW rule to add to prevent this, I don't know what is going on. Next I'll run PCAPs. I was thinking of a rule to block all outgoing SIP traffic except to the ITSP. Would appreciate help, especially an explanation of what they are trying to do in FS.
Mario G

* Started May 19 8am, goes through all 7 sip accounts every 10 seconds
* Each time it starts at extension 1000, goes through all 7 accounts, then waits 10 seconds, the extension is incremented by 1 and goes through all 7 accounts, this repeats until finally stopping at extension 9010, then starts at a different time of day hours later.

* My account is itsp1 and itsp2, there are 5 more but I cut them out to reduce this.
* 1.2.3.4 is my public wan address.
* They look like 85.25.198.253, but blocking that in the FW does not help. Odd since I have done that before and it worked.
* The "processing 4003 <4003>->+972592406392" is baffling.

This is a short/reduced snippet from the log:
2014-05-19 17:02:23.827470 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [2837a51d-b25d-4b42-9fd9-f5b772d93f70]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6210 Remote SDP:
v=0
o=sipcli-Session 1785091527 1239589188 IN IP4 85.25.198.253
s=sipcli
c=IN IP4 85.25.198.253
t=0 0
m=audio 5075 RTP/AVP 18 0 8 101
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20

2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3437 Audio Codec Compare [PCMA:8:8000:20:64000] ++++ is saved as a match
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [PCMA:8:8000:20:64000]/[GSM:3:8000:20:13200]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3309 Set telephone-event payload to 101
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:2343 Set Codec sofia/itsp1/4003 at 1.2.3.4 PCMU/8000 20 ms 160 samples 64000 bits
2014-05-19 17:02:23.827470 [DEBUG] switch_core_codec.c:111 sofia/itsp1/4003 at 1.2.3.4 Original read codec set to PCMU:0
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3626 Set 2833 dtmf send/recv payload to 101
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6485 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_NEW -> CS_INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:486 (sofia/itsp1/4003 at 1.2.3.4) State NEW
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507 (sofia/itsp1/4003 at 1.2.3.4) State INIT
2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:87 sofia/itsp1/4003 at 1.2.3.4 SOFIA INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:40 sofia/itsp1/4003 at 1.2.3.4 Standard INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:48 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_INIT -> CS_ROUTING
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507 (sofia/itsp1/4003 at 1.2.3.4) State INIT going to sleep
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_ROUTING
2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:2178 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change DOWN -> RINGING
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523 (sofia/itsp1/4003 at 1.2.3.4) State ROUTING
2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:123 sofia/itsp1/4003 at 1.2.3.4 SOFIA ROUTING
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:164 sofia/itsp1/4003 at 1.2.3.4 Standard ROUTING
2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->unloop] continue=false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (PASS) [unloop] ${unroll_loops}(true) =~ /^true$/ break=on-false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [unloop] ${sip_looped_call}() =~ /^true$/ break=on-false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->outside_call] continue=true
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Absolute Condition [outside_call]
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action set(outside_call=true)
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action export(RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)})
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->call_debug] continue=true
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [call_debug] ${call_debug}(false) =~ /^true$/ break=never
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->public_extensions] continue=false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [public_extensions] destination_number(+972592406392) =~ /^([1-2][0-1][0-3])$/ break=on-false
.......... deleted lines
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp1_did] destination_number(+972592406392) =~ /^(1212121212121)$/ break=on-false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->itsp2_did] continue=false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp2_did] destination_number(+972592406392) =~ /^(1313131313131)$/ break=on-false
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:214 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_ROUTING -> CS_EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523 (sofia/itsp1/4003 at 1.2.3.4) State ROUTING going to sleep
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530 (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:178 sofia/itsp1/4003 at 1.2.3.4 SOFIA EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:256 sofia/itsp1/4003 at 1.2.3.4 Standard EXECUTE
EXECUTE sofia/itsp1/4003 at 1.2.3.4 set(outside_call=true)
2014-05-19 17:02:23.827470 [DEBUG] mod_dptools.c:1435 sofia/itsp1/4003 at 1.2.3.4 SET [outside_call]=[true]
EXECUTE sofia/itsp1/4003 at 1.2.3.4 export(RFC2822_DATE=Mon, 19 May 2014 17:02:23 -0700)
2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:1246 EXPORT (export_vars) [RFC2822_DATE]=[Mon, 19 May 2014 17:02:23 -0700]
2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:313 sofia/itsp1/4003 at 1.2.3.4 has executed the last dialplan instruction, hanging up.
2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:315 Hangup sofia/itsp1/4003 at 1.2.3.4 [CS_EXECUTE] [NORMAL_CLEARING]
2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:3216 Send signal sofia/itsp1/4003 at 1.2.3.4 [KILL]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530 (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE going to sleep
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_HANGUP
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:730 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change RINGING -> HANGUP
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:413 Channel sofia/itsp1/4003 at 1.2.3.4 hanging up, cause: NORMAL_CLEARING
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:547 Responding to INVITE with: 480
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:58 sofia/itsp1/4003 at 1.2.3.4 Standard HANGUP, cause: NORMAL_CLEARING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP going to sleep
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:499 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_HANGUP -> CS_REPORTING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_REPORTING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:102 sofia/itsp1/4003 at 1.2.3.4 Standard REPORTING, cause: NORMAL_CLEARING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING going to sleep
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:493 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_REPORTING -> CS_DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1604 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Locked, Waiting on external entities
2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1622 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Ended
2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1626 Close Channel sofia/itsp1/4003 at 1.2.3.4 [CS_DESTROY]
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:618 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change HANGUP -> DOWN
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:621 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:323 sofia/itsp1/4003 at 1.2.3.4 SOFIA DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:109 sofia/itsp1/4003 at 1.2.3.4 Standard DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY going to sleep
2014-05-19 17:02:25.107472 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [364bd3e4-2c4b-4412-b259-10cfb0b6c391]
2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:25.107472 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6210 Remote SDP:
v=0
o=sipcli-Session 17343503 2124966596 IN IP4 85.25.198.253
s=sipcli
c=IN IP4 85.25.198.253
t=0 0
m=audio 5085 RTP/AVP 18 0 8 101
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20

2014-05-19 17:02:25.107472 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [G729:18:8000:20:8000]/[G722:9:8000:20:64000]


Lloyd Aloysius
2014-05-20 18:24:45 UTC
Permalink
Your firewall settings may have issues. Also check your freeswitch
settings.

https://confluence.freeswitch.org/display/FREESWITCH/Fail2Ban


Also check your profile parameter *auth-calls*

-Lloyd
Mario G
2014-05-20 18:29:21 UTC
Permalink
I am on OS X, no iptables, show registrations only show internal phones nothing else. I am sure they are not registered. Just looks like an incoming call trying to dial out.
Mario G
Post by Lawrence Conroy
Mario,
Assuming you are not on Windows, you need to run this line
iptables -A INPUT -s 85.25.198.0/24 -j DROP
That will block that class C subnet from your system completely. That is the subnet their traffic is coming from. But I am not sure they have not authenticated (registered) on your server. If you are on Windows, let me know, I can help there too.
iptables -L -v
show registrations
Sean.
-----Original Message-----
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Mario G
Sent: Tuesday, May 20, 2014 12:57 PM
To: FreeSWITCH Users Help
Subject: [Freeswitch-users] Need help to stop this hack into FreeSwitch!
Someone has gotten into my FreeSwitch, my firewall is set to only allow SIP traffic from my ITSP, and I added a rule to block the bad address but it did not work so I am baffled. It looks like 85.25.198.253 (Germany) is making a call to me and trying to call out. I would really appreciate any ideas on what kind of general FW rule to add to prevent this, I don't know what is going on. Next I'll run PCAPs. I was thinking of a rule to block all outgoing SIP traffic except to the ITSP. Would appreciate help, especially an explanation of what they are trying to do in FS.
Mario G
* Started May 19 8am, goes through all 7 sip accounts every 10 seconds
* Each time it starts at extension 1000, goes through all 7 accounts, then waits 10 seconds, the extension is incremented by 1 and goes through all 7 accounts, this repeats until finally stopping at extension 9010, then starts at a different time of day hours later.
* My account is itsp1 and itsp2, there are 5 more but I cut them out to reduce this.
* 1.2.3.4 is my public wan address.
* They look like 85.25.198.253, but blocking that in the FW does not help. Odd since I have done that before and it worked.
* The "processing 4003 <4003>->+972592406392" is baffling.
2014-05-19 17:02:23.827470 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [2837a51d-b25d-4b42-9fd9-f5b772d93f70]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
v=0
o=sipcli-Session 1785091527 1239589188 IN IP4 85.25.198.253
s=sipcli
c=IN IP4 85.25.198.253
t=0 0
m=audio 5075 RTP/AVP 18 0 8 101
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3437 Audio Codec Compare [PCMA:8:8000:20:64000] ++++ is saved as a match
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [PCMA:8:8000:20:64000]/[GSM:3:8000:20:13200]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3309 Set telephone-event payload to 101
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:2343 Set Codec sofia/itsp1/4003 at 1.2.3.4 PCMU/8000 20 ms 160 samples 64000 bits
2014-05-19 17:02:23.827470 [DEBUG] switch_core_codec.c:111 sofia/itsp1/4003 at 1.2.3.4 Original read codec set to PCMU:0
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3626 Set 2833 dtmf send/recv payload to 101
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6485 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_NEW -> CS_INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:486 (sofia/itsp1/4003 at 1.2.3.4) State NEW
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507 (sofia/itsp1/4003 at 1.2.3.4) State INIT
2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:87 sofia/itsp1/4003 at 1.2.3.4 SOFIA INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:40 sofia/itsp1/4003 at 1.2.3.4 Standard INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:48 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_INIT -> CS_ROUTING
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507 (sofia/itsp1/4003 at 1.2.3.4) State INIT going to sleep
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_ROUTING
2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:2178 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change DOWN -> RINGING
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523 (sofia/itsp1/4003 at 1.2.3.4) State ROUTING
2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:123 sofia/itsp1/4003 at 1.2.3.4 SOFIA ROUTING
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:164 sofia/itsp1/4003 at 1.2.3.4 Standard ROUTING
2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->unloop] continue=false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (PASS) [unloop] ${unroll_loops}(true) =~ /^true$/ break=on-false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [unloop] ${sip_looped_call}() =~ /^true$/ break=on-false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->outside_call] continue=true
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Absolute Condition [outside_call]
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action set(outside_call=true)
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action export(RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)})
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->call_debug] continue=true
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [call_debug] ${call_debug}(false) =~ /^true$/ break=never
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->public_extensions] continue=false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [public_extensions] destination_number(+972592406392) =~ /^([1-2][0-1][0-3])$/ break=on-false
.......... deleted lines
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp1_did] destination_number(+972592406392) =~ /^(1212121212121)$/ break=on-false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->itsp2_did] continue=false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp2_did] destination_number(+972592406392) =~ /^(1313131313131)$/ break=on-false
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:214 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_ROUTING -> CS_EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523 (sofia/itsp1/4003 at 1.2.3.4) State ROUTING going to sleep
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530 (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:178 sofia/itsp1/4003 at 1.2.3.4 SOFIA EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:256 sofia/itsp1/4003 at 1.2.3.4 Standard EXECUTE
EXECUTE sofia/itsp1/4003 at 1.2.3.4 set(outside_call=true)
2014-05-19 17:02:23.827470 [DEBUG] mod_dptools.c:1435 sofia/itsp1/4003 at 1.2.3.4 SET [outside_call]=[true]
EXECUTE sofia/itsp1/4003 at 1.2.3.4 export(RFC2822_DATE=Mon, 19 May 2014 17:02:23 -0700)
2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:1246 EXPORT (export_vars) [RFC2822_DATE]=[Mon, 19 May 2014 17:02:23 -0700]
2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:313 sofia/itsp1/4003 at 1.2.3.4 has executed the last dialplan instruction, hanging up.
2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:315 Hangup sofia/itsp1/4003 at 1.2.3.4 [CS_EXECUTE] [NORMAL_CLEARING]
2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:3216 Send signal sofia/itsp1/4003 at 1.2.3.4 [KILL]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530 (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE going to sleep
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_HANGUP
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:730 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change RINGING -> HANGUP
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:413 Channel sofia/itsp1/4003 at 1.2.3.4 hanging up, cause: NORMAL_CLEARING
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:547 Responding to INVITE with: 480
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:58 sofia/itsp1/4003 at 1.2.3.4 Standard HANGUP, cause: NORMAL_CLEARING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP going to sleep
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:499 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_HANGUP -> CS_REPORTING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_REPORTING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:102 sofia/itsp1/4003 at 1.2.3.4 Standard REPORTING, cause: NORMAL_CLEARING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING going to sleep
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:493 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_REPORTING -> CS_DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1604 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Locked, Waiting on external entities
2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1622 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Ended
2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1626 Close Channel sofia/itsp1/4003 at 1.2.3.4 [CS_DESTROY]
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:618 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change HANGUP -> DOWN
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:621 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:323 sofia/itsp1/4003 at 1.2.3.4 SOFIA DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:109 sofia/itsp1/4003 at 1.2.3.4 Standard DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY going to sleep
2014-05-19 17:02:25.107472 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [364bd3e4-2c4b-4412-b259-10cfb0b6c391]
2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:25.107472 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
v=0
o=sipcli-Session 17343503 2124966596 IN IP4 85.25.198.253
s=sipcli
c=IN IP4 85.25.198.253
t=0 0
m=audio 5085 RTP/AVP 18 0 8 101
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
2014-05-19 17:02:25.107472 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [G729:18:8000:20:8000]/[G722:9:8000:20:64000]
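The pattern in the log quoted above (INVITEs from an address that is not the ITSP, an SDP origin of sipcli, a destination that fails every DID regex, a 480 reply) can be tallied per source address with a short script. This is an added example, not part of the original thread; the sample lines, the RFC 5737 addresses, the dialled number, the `trusted` set and the three-INVITE threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the quoted log. Addresses are RFC 5737
# documentation ranges and the dialled number is made up.
_PROBE = """\
2014-05-19 17:02:23.827470 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/{ext}@192.0.2.10 [constructed-{ext}]
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/{ext}@192.0.2.10 receiving invite from 203.0.113.7:5074 version: 1.5.13b
o=sipcli-Session 1 1 IN IP4 203.0.113.7
2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing {ext} <{ext}>->+15550100001 in context public
Dialplan: sofia/itsp1/{ext}@192.0.2.10 Regex (FAIL) [itsp1_did] destination_number(+15550100001) =~ /^(1212121212121)$/ break=on-false
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:547 Responding to INVITE with: 480
"""
_ITSP = """\
2014-05-19 17:05:00.000000 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/15550100002@192.0.2.10 [constructed-itsp]
2014-05-19 17:05:00.000000 [DEBUG] sofia.c:8334 sofia/itsp1/15550100002@192.0.2.10 receiving invite from 198.51.100.20:5060 version: 1.5.13b
2014-05-19 17:05:00.000000 [INFO] mod_dialplan_xml.c:558 Processing 15550100002 <15550100002>->1212121212121 in context public
Dialplan: sofia/itsp1/15550100002@192.0.2.10 Regex (PASS) [itsp1_did] destination_number(1212121212121) =~ /^(1212121212121)$/ break=on-false
"""
SAMPLE_LOG = "".join(_PROBE.format(ext=e) for e in (4003, 4004, 4005)) + _ITSP

NEW_CHANNEL = re.compile(r"New Channel \S+")
INVITE_FROM = re.compile(r"receiving invite from (\d+\.\d+\.\d+\.\d+):\d+")
SDP_ORIGIN = re.compile(r"^o=(\S+)")
PROCESSING = re.compile(r"Processing (\S+) <[^>]*>->(\S+) in context (\S+)")
DEST_REGEX = re.compile(r"Regex \((PASS|FAIL)\) \[([^\]]+)\] destination_number\(")
RESPONSE = re.compile(r"Responding to INVITE with: (\d{3})")


def parse_calls(log_text):
    """Return one record per 'New Channel' line.

    Assumption: lines of different calls are not interleaved, as in the
    quoted excerpt; on a busy switch, correlate by channel UUID instead.
    """
    calls, cur = [], None
    for line in log_text.splitlines():
        if NEW_CHANNEL.search(line):
            cur = {"src": None, "origin": None, "caller": None, "dest": None,
                   "context": None, "matched": [], "response": None}
            calls.append(cur)
        elif cur is None:
            continue
        elif m := INVITE_FROM.search(line):
            cur["src"] = m.group(1)          # address FreeSWITCH actually saw
        elif m := SDP_ORIGIN.match(line):
            cur["origin"] = m.group(1)       # e.g. "sipcli-Session"
        elif m := PROCESSING.search(line):
            cur["caller"], cur["dest"], cur["context"] = m.groups()
        elif m := DEST_REGEX.search(line):
            if m.group(1) == "PASS":         # an extension accepted the number
                cur["matched"].append(m.group(2))
        elif m := RESPONSE.search(line):
            cur["response"] = m.group(1)
    return calls


def summarize(calls, trusted, min_invites=3):
    """Group calls by source address and attach a verdict to each source."""
    by_src = defaultdict(lambda: {"invites": 0, "callers": set(), "dests": set(),
                                  "origins": set(), "routed": 0})
    for c in calls:
        if c["src"] is None:
            continue
        s = by_src[c["src"]]
        s["invites"] += 1
        s["callers"].add(c["caller"])
        s["dests"].add(c["dest"])
        s["origins"].add(c["origin"])
        s["routed"] += bool(c["matched"])
    for src, s in by_src.items():
        if src in trusted:
            s["verdict"] = "trusted"
        elif s["routed"]:
            s["verdict"] = "routed"       # outside INVITE matched an extension
        elif s["invites"] >= min_invites:
            s["verdict"] = "probe"        # repeated INVITEs, none routed
        else:
            s["verdict"] = "unexpected"   # reached the profile despite the firewall
    return dict(by_src)


if __name__ == "__main__":
    report = summarize(parse_calls(SAMPLE_LOG), trusted={"198.51.100.20"})
    for src, s in report.items():
        print(src, s["verdict"], s["invites"], sorted(s["callers"]), sorted(s["dests"]))
```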
Oz Mortimer
2014-05-20 19:28:03 UTC
Permalink
At a guess, check the cli they are sending from. Then have a look at your user acl.
Could it be you have id=123 cidr=...
If the caller sends with cli 123, depending on your setup the call will pass and go to the associated context.
Just a wild stab in the dark, but I've seen this happen and fail2ban obviously wouldn't capture it.
Post by Mario G
I am on OS X, no iptables, show registrations only show internal phones nothing else. I am sure they are not registered. Just looks like an incoming call trying to dial out.
Mario G
Post by Lawrence Conroy
Mario,
Assuming you are not on Windows, you need to run this line
iptables -A INPUT -s 85.25.198.0/24 -j DROP
That will block that class C subnet from your system completely. That is the subnet their traffic is coming from. But I am not sure they have not authenticated (registered) on your server. If you are on Windows, let me know, I can help there too.
iptables -L -v
show registrations
Sean.
-----Original Message-----
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Mario G
Sent: Tuesday, May 20, 2014 12:57 PM
To: FreeSWITCH Users Help
Subject: [Freeswitch-users] Need help to stop this hack into FreeSwitch!
Someone has gotten into my FreeSwitch, my firewall is set to only allow SIP traffic from my ITSP, and I added a rule to block the bad address but it did not work so I am baffled. It looks like 85.25.198.253 (Germany) is making a call to me and trying to call out. I would really appreciate any ideas on what kind of general FW rule to add to prevent this, I don't know what is going on. Next I'll run PCAPs. I was thinking of a rule to block all outgoing SIP traffic except to the ITSP. Would appreciate help, especially an explanation of what they are trying to do in FS.
Mario G
* Started May 19 8am, goes through all 7 sip accounts every 10 seconds
* Each time it starts at extension 1000, goes through all 7 accounts, then waits 10 seconds, the extension is incremented by 1 and goes through all 7 accounts, this repeats until finally stopping at extension 9010, then starts at a different time of day hours later.
* My account is itsp1 and itsp2, there are 5 more but I cut them out to reduce this.
* 1.2.3.4 is my public wan address.
* They look like 85.25.198.253, but blocking that in the FW does not help. Odd since I have done that before and it worked.
* The "processing 4003 <4003>->+972592406392" is baffling.
Mario G
2014-05-20 20:10:10 UTC
Permalink
Thanks for the suggestions, I will do a PCAP in the router next time to see what is happening. It was suggested that the IP address could be a proxy; also, I did not block TCP SIP ports, only UDP, so that is now set. Will post when I have more info in case someone else runs into this.
Mario G
Post by Oz Mortimer
At a guess, check the cli they are sending from. Then have a look at your user acl.
Could it be you have id=123 cidr=...
If the caller sends with cli 123, depending on your setup the call will pass and go to the associated context.
Just a wild stab in the dark, but I've seen this happen and fail2ban obviously wouldn't capture it.
Post by Mario G
I am on OS X, no iptables, show registrations only show internal phones nothing else. I am sure they are not registered. Just looks like an incoming call trying to dial out.
Mario G
Post by Lawrence Conroy
Mario,
Assuming you are not on Windows, you need to run this line
iptables -A INPUT -s 85.25.198.0/24 -j DROP
That will block that class C subnet from your system completely. That is the subnet their traffic is coming from. But I am not sure they have not authenticated (registered) on your server. If you are on Windows, let me know, I can help there too.
iptables -L -v
show registrations
Sean.
-----Original Message-----
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Mario G
Sent: Tuesday, May 20, 2014 12:57 PM
To: FreeSWITCH Users Help
Subject: [Freeswitch-users] Need help to stop this hack into FreeSwitch!
Someone has gotten into my FreeSwitch, my firewall is set to only allow SIP traffic from my ITSP, and I added a rule to block the bad address but it did not work so I am baffled. It looks like 85.25.198.253 (Germany) is making a call to me and trying to call out. I would really appreciate any ideas on what kind of general FW rule to add to prevent this, I don't know what is going on. Next I'll run PCAPs. I was thinking of a rule to block all outgoing SIP traffic except to the ITSP. Would appreciate help, especially an explanation of what they are trying to do in FS.
Mario G
* Started May 19 8am, goes through all 7 sip accounts every 10 seconds
* Each time it starts at extension 1000, goes through all 7 accounts, then waits 10 seconds, the extension is incremented by 1 and goes through all 7 accounts, this repeats until finally stopping at extension 9010, then starts at a different time of day hours later.
* My account is itsp1 and itsp2, there are 5 more but I cut them out to reduce this.
* 1.2.3.4 is my public wan address.
* They look like 85.25.198.253, but blocking that in the FW does not help. Odd since I have done that before and it worked.
* The "processing 4003 <4003>->+972592406392" is baffling.
2014-05-19 17:02:23.827470 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [2837a51d-b25d-4b42-9fd9-f5b772d93f70]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
v=0
o=sipcli-Session 1785091527 1239589188 IN IP4 85.25.198.253
s=sipcli
c=IN IP4 85.25.198.253
t=0 0
m=audio 5075 RTP/AVP 18 0 8 101
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3437 Audio Codec Compare [PCMA:8:8000:20:64000] ++++ is saved as a match
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [PCMA:8:8000:20:64000]/[GSM:3:8000:20:13200]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3309 Set telephone-event payload to 101
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:2343 Set Codec sofia/itsp1/4003 at 1.2.3.4 PCMU/8000 20 ms 160 samples 64000 bits
2014-05-19 17:02:23.827470 [DEBUG] switch_core_codec.c:111 sofia/itsp1/4003 at 1.2.3.4 Original read codec set to PCMU:0
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3626 Set 2833 dtmf send/recv payload to 101
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6485 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_NEW -> CS_INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:486 (sofia/itsp1/4003 at 1.2.3.4) State NEW
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507 (sofia/itsp1/4003 at 1.2.3.4) State INIT
2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:87 sofia/itsp1/4003 at 1.2.3.4 SOFIA INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:40 sofia/itsp1/4003 at 1.2.3.4 Standard INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:48 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_INIT -> CS_ROUTING
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507 (sofia/itsp1/4003 at 1.2.3.4) State INIT going to sleep
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_ROUTING
2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:2178 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change DOWN -> RINGING
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523 (sofia/itsp1/4003 at 1.2.3.4) State ROUTING
2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:123 sofia/itsp1/4003 at 1.2.3.4 SOFIA ROUTING
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:164 sofia/itsp1/4003 at 1.2.3.4 Standard ROUTING
2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->unloop] continue=false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (PASS) [unloop] ${unroll_loops}(true) =~ /^true$/ break=on-false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [unloop] ${sip_looped_call}() =~ /^true$/ break=on-false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->outside_call] continue=true
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Absolute Condition [outside_call]
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action set(outside_call=true)
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action export(RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)})
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->call_debug] continue=true
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [call_debug] ${call_debug}(false) =~ /^true$/ break=never
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->public_extensions] continue=false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [public_extensions] destination_number(+972592406392) =~ /^([1-2][0-1][0-3])$/ break=on-false
.......... deleted lines
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp1_did] destination_number(+972592406392) =~ /^(1212121212121)$/ break=on-false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->itsp2_did] continue=false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp2_did] destination_number(+972592406392) =~ /^(1313131313131)$/ break=on-false
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:214 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_ROUTING -> CS_EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523 (sofia/itsp1/4003 at 1.2.3.4) State ROUTING going to sleep
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530 (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:178 sofia/itsp1/4003 at 1.2.3.4 SOFIA EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:256 sofia/itsp1/4003 at 1.2.3.4 Standard EXECUTE
EXECUTE sofia/itsp1/4003 at 1.2.3.4 set(outside_call=true)
2014-05-19 17:02:23.827470 [DEBUG] mod_dptools.c:1435 sofia/itsp1/4003 at 1.2.3.4 SET [outside_call]=[true]
EXECUTE sofia/itsp1/4003 at 1.2.3.4 export(RFC2822_DATE=Mon, 19 May 2014 17:02:23 -0700)
2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:1246 EXPORT (export_vars) [RFC2822_DATE]=[Mon, 19 May 2014 17:02:23 -0700]
2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:313 sofia/itsp1/4003 at 1.2.3.4 has executed the last dialplan instruction, hanging up.
2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:315 Hangup sofia/itsp1/4003 at 1.2.3.4 [CS_EXECUTE] [NORMAL_CLEARING]
2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:3216 Send signal sofia/itsp1/4003 at 1.2.3.4 [KILL]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530 (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE going to sleep
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_HANGUP
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:730 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change RINGING -> HANGUP
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:413 Channel sofia/itsp1/4003 at 1.2.3.4 hanging up, cause: NORMAL_CLEARING
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:547 Responding to INVITE with: 480
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:58 sofia/itsp1/4003 at 1.2.3.4 Standard HANGUP, cause: NORMAL_CLEARING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP going to sleep
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:499 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_HANGUP -> CS_REPORTING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_REPORTING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:102 sofia/itsp1/4003 at 1.2.3.4 Standard REPORTING, cause: NORMAL_CLEARING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING going to sleep
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:493 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_REPORTING -> CS_DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1604 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Locked, Waiting on external entities
2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1622 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Ended
2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1626 Close Channel sofia/itsp1/4003 at 1.2.3.4 [CS_DESTROY]
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:618 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change HANGUP -> DOWN
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:621 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:323 sofia/itsp1/4003 at 1.2.3.4 SOFIA DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:109 sofia/itsp1/4003 at 1.2.3.4 Standard DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY going to sleep
2014-05-19 17:02:25.107472 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [364bd3e4-2c4b-4412-b259-10cfb0b6c391]
2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:25.107472 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
v=0
o=sipcli-Session 17343503 2124966596 IN IP4 85.25.198.253
s=sipcli
c=IN IP4 85.25.198.253
t=0 0
m=audio 5085 RTP/AVP 18 0 8 101
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
2014-05-19 17:02:25.107472 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [G729:18:8000:20:8000]/[G722:9:8000:20:64000]
_________________________________________________________________________
consulting at freeswitch.org
http://www.freeswitchsolutions.com
FreeSWITCH-powered IP PBX: The CudaTel Communication Server http://www.cudatel.com
Official FreeSWITCH Sites
http://www.freeswitch.org
http://wiki.freeswitch.org
http://www.cluecon.com
FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
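One way to triage a log like the one quoted above, as an added example that is not part of the original thread: it pairs each `receiving invite from` line with the `Processing ... in context` line that follows it, reports sources outside a trusted list, and flags any such call routed to a context other than `public` (the ACL case raised in the quoted reply). The sample lines are constructed in the thread's log format; `203.0.113.0/24` as the ITSP range, the line routed to `default`, and the function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Constructed sample in the format of the log quoted in this thread.
# 203.0.113.10 stands in for the ITSP's signalling address (assumption), and
# the last call is constructed to show routing outside the public context.
SAMPLE_LOG = """\
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003@1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b
2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
2014-05-19 17:02:24.100000 [DEBUG] sofia.c:8334 sofia/itsp1/15550100@203.0.113.10 receiving invite from 203.0.113.10:5060 version: 1.5.13b
2014-05-19 17:02:24.100000 [INFO] mod_dialplan_xml.c:558 Processing 15550100 <15550100>->1212121212121 in context public
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp2/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b
2014-05-19 17:02:25.107472 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
2014-05-19 17:02:35.200000 [DEBUG] sofia.c:8334 sofia/itsp1/4004@1.2.3.4 receiving invite from 85.25.198.253:5094 version: 1.5.13b
2014-05-19 17:02:35.200000 [INFO] mod_dialplan_xml.c:558 Processing 4004 <4004>->+972592406392 in context default
"""

# Channel names appear as user@host in a live log and as "user at host" in
# the list archive, so both spellings are accepted.
INVITE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[\w+\] sofia\.c:\d+ "
    r"sofia/(?P<profile>[^/\s]+)/(?P<user>[^@\s]+)(?:@| at )\S+ "
    r"receiving invite from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)
ROUTE_RE = re.compile(
    r"Processing .*? <(?P<num>[^>]*)>->(?P<dest>\S+) in context (?P<ctx>\S+)"
)


def parse_calls(log_text):
    """Pair each 'receiving invite' line with the dialplan 'Processing' line
    that follows it for the same caller number."""
    calls = []
    pending = defaultdict(deque)  # caller number -> invites not yet routed
    for line in log_text.splitlines():
        m = INVITE_RE.search(line)
        if m:
            call = {"ts": m["ts"], "profile": m["profile"], "caller": m["user"],
                    "src": m["ip"], "dest": None, "context": None}
            calls.append(call)
            pending[m["user"]].append(call)
            continue
        m = ROUTE_RE.search(line)
        if m and pending[m["num"]]:
            call = pending[m["num"]].popleft()
            call["dest"], call["context"] = m["dest"], m["ctx"]
    return calls


def untrusted_sources(calls, trusted_cidrs, public_context="public"):
    """Summarise INVITEs whose source address is outside the trusted ranges."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    report = {}
    for call in calls:
        try:
            addr = ipaddress.ip_address(call["src"])
        except ValueError:
            continue  # the regex matched something that is not an IPv4 address
        if any(addr in net for net in trusted):
            continue
        entry = report.setdefault(call["src"], {
            "invites": 0, "profiles": set(), "callers": set(),
            "destinations": set(), "non_public": []})
        entry["invites"] += 1
        entry["profiles"].add(call["profile"])
        entry["callers"].add(call["caller"])
        if call["dest"]:
            entry["destinations"].add(call["dest"])
        # An untrusted source landing outside the public context has been
        # treated as a known user, e.g. by a user/CIDR ACL match.
        if call["context"] and call["context"] != public_context:
            entry["non_public"].append(
                (call["ts"], call["caller"], call["context"]))
    return report


if __name__ == "__main__":
    found = untrusted_sources(parse_calls(SAMPLE_LOG), ["203.0.113.0/24"])
    for src, e in found.items():
        print(src, "invites:", e["invites"],
              "profiles:", sorted(e["profiles"]),
              "callers:", sorted(e["callers"]),
              "destinations:", sorted(e["destinations"]))
        for ts, caller, ctx in e["non_public"]:
            print("  routed outside public:", ts, caller, ctx)
```

Any source this reports while the firewall is believed to allow only the ITSP means the rule is not matching the traffic FreeSWITCH actually receives.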
Moishe Grunstein
2014-05-20 20:15:51 UTC
Permalink
http://torrents.freeswitch.org/conf_call_2014-05-07.torrent


Thanks,

Moishe Grunstein
Tornado Computer Systems, Inc.
212.400.7650 888.IPPBX.US
Service Request Email: support at nysolutions.com
Polycom Certified VAR
Microsoft Small Business Specialist, Cisco SMB Select Certified

Computer Networking * Managed Services * IP Video Surveillance * Network Assessments * Web Solutions * Voice over IP * Disaster Recovery * Network Security * Site Surveys * CMS


-----Original Message-----
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Mario G
Sent: Tuesday, May 20, 2014 4:10 PM
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] Need help to stop this hack into FreeSwitch!

Thanks for the suggestions, I will do a PCAP in the router next time to see what is happening. It was suggested that the IP address could be a proxy; also, I did not block TCP SIP ports, only UDP, so that is now set. Will post when I have more info in case someone else runs into this.
Mario G
Post by Oz Mortimer
At a guess, check the cli they are sending from. Then have a look at your user acl.
Could it be you have id=123 cidr=...
If the caller sends with cli 123, depending on your setup the call will pass and go to the associated context.
Just a wild stab in the dark, but I've seen this happen and fail2ban obviously wouldn't capture it.
Post by Mario G
I am on OS X, no iptables; show registrations only shows internal phones, nothing else. I am sure they are not registered. Just looks like an incoming call trying to dial out.
Mario G
Post by Lawrence Conroy
Mario,
Assuming you are not on Windows, you need to run this line:
iptables -A INPUT -s 85.25.198.0/24 -j DROP
That will block that class C subnet from your system completely. That is the subnet their traffic is coming from. But I am not sure they have not authenticated (registered) on your server. If you are on windows let me know, I can help there too.
iptables -L -v
show registrations
Sean.
-----Original Message-----
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Mario G
Sent: Tuesday, May 20, 2014 12:57 PM
To: FreeSWITCH Users Help
Subject: [Freeswitch-users] Need help to stop this hack into FreeSwitch!
Someone has gotten into my FreeSwitch, my firewall is set to only allow SIP traffic from my ITSP, and I added a rule to block the bad address but it did not work so I am baffled. It looks like 85.25.198.253 (Germany) is making a call to me and trying to call out. I would really appreciate any ideas on what kind of general FW rule to add to prevent this, I don't know what is going on. Next I'll run PCAPs. I was thinking of a rule to block all outgoing SIP traffic except to the ITSP. Would appreciate help, especially an explanation of what they are trying to do in FS.
Mario G
* Started May 19 8am, goes through all 7 sip accounts every 10 seconds
* Each time it starts at extension 1000, goes through all 7 accounts, then waits 10 seconds, the extension is incremented by 1 and goes through all 7 accounts, this repeats until finally stopping at extension 9010, then starts at a different time of day hours later.
* My account is itsp1 and itsp2, there are 5 more but I cut them out to reduce this.
* 1.2.3.4 is my public wan address.
* They look like 85.25.198.253, but blocking that in the FW does not help. Odd since I have done that before and it worked.
* The "processing 4003 <4003>->+972592406392" is baffling.
Sean Devoy
2014-05-21 02:17:02 UTC
Permalink
Are you sure they are coming in UDP? They could be using TCP.

-----Original Message-----
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Mario G
Sent: Tuesday, May 20, 2014 4:10 PM
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] Need help to stop this hack into FreeSwitch!

Thanks for the suggestions, I will do a PCAP in the router next time to see what is happening. It was suggested that the IP address could be a proxy; also, I did not block TCP SIP ports, only UDP, so that is now set. Will post when I have more info in case someone else runs into this.
Mario G
Post by Oz Mortimer
At a guess, check the cli they are sending from. Then have a look at your user acl.
Could it be you have id=123 cidr=...
If the caller sends with cli 123, depending on your setup the call will pass and go to the associated context.
Just a wild stab in the dark, but I've seen this happen and fail2ban obviously wouldn't capture it.
Post by Mario G
I am on OS X, no iptables; show registrations only shows internal phones, nothing else. I am sure they are not registered. Just looks like an incoming call trying to dial out.
Mario G
Post by Lawrence Conroy
Mario,
Assuming you are not on windows, You need to run this line
iptables -A INPUT -s 85.25.198.0/24 -j DROP
That will block that class C subnet from your system completely. That is the subnet their traffic is coming from. But I am not sure they have not authenticated (registered) on your server. If you are on windows let me know, I can help there too.
iptables -L -v
show registrations
Sean.
-----Original Message-----
From: freeswitch-users-bounces at lists.freeswitch.org
[mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of
Mario G
Sent: Tuesday, May 20, 2014 12:57 PM
To: FreeSWITCH Users Help
Subject: [Freeswitch-users] Need help to stop this hack into FreeSwitch!
Someone has gotten into my FreeSwitch, my firewall is set to only allow SIP traffic from my ITSP, and I added a rule to block the bad address but it did not work so I am baffled. It looks like 85.25.198.253 (Germany) is making a call to me and trying to call out. I would really appreciate any ideas on what kind of general FW rule to add to prevent this, I don't know what is going on. Next I'll run PCAPs. I was thinking of a rule to block all outgoing SIP traffic except to the ITSP. Would appreciate help, especially an explanation of what they are trying to do in FS.
Mario G
* Started May 19 8am, goes through all 7 sip accounts every 10 seconds
* Each time it starts at extension 1000, goes through all 7 accounts, then waits 10 seconds, the extension is incremented by 1 and goes through all 7 accounts, this repeats until finally stopping at extension 9010, then starts at a different time of day hours later.
* My account is itsp1 and itsp2, there are 5 more but I cut them out to reduce this.
* 1.2.3.4 is my public wan address.
* They look like 85.25.198.253, but blocking that in the FW does not help. Odd since I have done that before and it worked.
* The "processing 4003 <4003>->+972592406392" is baffling.
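A triage sketch for the kind of log excerpt posted in this thread, added here as an example and not code from any poster or from the FreeSWITCH project: it pairs each "receiving invite from" line with the dialplan "Processing" line that follows it, then reports sources that are outside the ITSP allowlist, ask for destinations matching none of the inbound patterns, or cycle caller IDs and profiles. The sample lines are constructed in the format of the posted log, and `ITSP_NETWORKS` with its 198.51.100.0/24 range is an assumed placeholder for the real ITSP addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the log excerpt in this thread. The list
# archive rewrites "@" as " at " in channel names, so both forms are accepted.
SAMPLE_LOG = """\
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b
2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp2/4003@1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b
2014-05-19 17:02:25.107472 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
2014-05-19 17:02:35.200000 [DEBUG] sofia.c:8334 sofia/itsp1/4004@1.2.3.4 receiving invite from 85.25.198.253:5090 version: 1.5.13b
2014-05-19 17:02:35.200000 [INFO] mod_dialplan_xml.c:558 Processing 4004 <4004>->+972592406392 in context public
2014-05-19 17:03:00.000000 [DEBUG] sofia.c:8334 sofia/itsp1/15550100@1.2.3.4 receiving invite from 198.51.100.10:5060 version: 1.5.13b
2014-05-19 17:03:00.000000 [INFO] mod_dialplan_xml.c:558 Processing 15550100 <15550100>->1212121212121 in context public
"""

# Assumptions for this example: 198.51.100.0/24 stands in for the ITSP's
# signalling range; the inbound patterns are the public-context regexes
# visible in the posted dialplan trace.
ITSP_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
INBOUND_PATTERNS = [re.compile(p) for p in (
    r"^([1-2][0-1][0-3])$", r"^(1212121212121)$", r"^(1313131313131)$")]

INVITE_RE = re.compile(
    r"sofia/(?P<profile>[^/\s]+)/(?P<user>[^@\s]+)(?:@| at )\S+ "
    r"receiving invite from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")
PROCESS_RE = re.compile(
    r"Processing .*?<(?P<cid>[^>]*)>->(?P<dest>\S+) in context (?P<context>\S+)")


def parse_calls(log_text):
    """Pair each 'receiving invite' line with the dialplan line that follows it."""
    pending = {}  # claimed user part -> (profile, source ip)
    calls = []
    for line in log_text.splitlines():
        m = INVITE_RE.search(line)
        if m:
            pending[m["user"]] = (m["profile"], m["ip"])
            continue
        m = PROCESS_RE.search(line)
        if m and m["cid"] in pending:
            profile, ip = pending.pop(m["cid"])
            calls.append({"ip": ip, "profile": profile, "caller": m["cid"],
                          "dest": m["dest"], "context": m["context"]})
    return calls


def is_trusted(ip):
    """True only for a well-formed address inside the ITSP allowlist."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ITSP_NETWORKS)


def is_known_inbound(dest):
    return any(p.match(dest) for p in INBOUND_PATTERNS)


def triage(calls, min_callers=2):
    """Group calls by source IP and return only the sources with findings."""
    by_ip = defaultdict(lambda: {"invites": 0, "callers": set(),
                                 "profiles": set(), "bad_dests": set()})
    for c in calls:
        s = by_ip[c["ip"]]
        s["invites"] += 1
        s["callers"].add(c["caller"])
        s["profiles"].add(c["profile"])
        if c["context"] == "public" and not is_known_inbound(c["dest"]):
            s["bad_dests"].add(c["dest"])
    findings = {}
    for ip, s in by_ip.items():
        reasons = []
        if not is_trusted(ip):
            reasons.append("source outside ITSP allowlist")
        if s["bad_dests"]:
            reasons.append("destination matches no inbound DID/extension")
        if len(s["callers"]) >= min_callers or len(s["profiles"]) >= 2:
            reasons.append("cycles caller IDs or SIP profiles")
        if reasons:
            findings[ip] = dict(s, reasons=reasons)
    return findings


if __name__ == "__main__":
    for ip, f in triage(parse_calls(SAMPLE_LOG)).items():
        print(ip, f["invites"], "INVITEs:", "; ".join(f["reasons"]))
```

A source reported for the first reason is reaching the SIP port despite the firewall policy, so the rule set (UDP and TCP) is the thing to re-check; the second reason is what fail2ban filters keyed on authentication failures do not see.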
Victor Chukalovskiy
2014-05-20 21:05:25 UTC
Permalink
Hey Oz,

On the same subject, would you explain what needs to be set to avoid
authenticating the call on "id" if "cidr" does not match?
Assume no password is set for the users.

The goal is to only auth calls when cidr matches.

Thanks!
-Victor
Post by Oz Mortimer
At a guess, check the cli they are sending from. Then have a look at your user acl.
Could it be you have id=123 cidr=...
If the caller sends with cli 123, depending on your setup the call will pass and go to the associated context.
Just a wild stab in the dark, but I've seen this happen and fail2ban obviously wouldn't capture it.
Post by Mario G
I am on OS X, no iptables, show registrations only show internal phones nothing else. I am sure they are not registered. Just looks like an incoming call trying to dial out.
Mario G
Post by Lawrence Conroy
Mario,
Assuming you are not on windows, You need to run this line
iptables -A INPUT -s 85.25.198.0/24 -j DROP
That will block that class C subnet from your system completely. That is the subnet their traffic is coming from. But I am not sure they have not authenticated (registered) on your server. If you are on windows let me know, I can help there too.
iptables -L -v
show registrations
Sean.
-----Original Message-----
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Mario G
Sent: Tuesday, May 20, 2014 12:57 PM
To: FreeSWITCH Users Help
Subject: [Freeswitch-users] Need help to stop this hack into FreeSwitch!
Someone has gotten into my FreeSwitch, my firewall is set to only allow SIP traffic from my ITSP, and I added a rule to block the bad address but it did not work so I am baffled. It looks like 85.25.198.253 (Germany) is making a call to me and trying to call out. I would really appreciate any ideas on what kind of general FW rule to add to prevent this, I don't know what is going on. Next I'll run PCAPs. I was thinking of a rule to block all outgoing SIP traffic except to the ITSP. Would appreciate help, especially an explanation of what they are trying to do in FS.
Mario G
* Started May 19 8am, goes through all 7 sip accounts every 10 seconds
* Each time it starts at extension 1000, goes through all 7 accounts, then waits 10 seconds, the extension is incremented by 1 and goes through all 7 accounts, this repeats until finally stopping at extension 9010, then starts at a different time of day hours later.
* My account is itsp1 and itsp2, there are 5 more but I cut them out to reduce this.
* 1.2.3.4 is my public wan address.
* They look like 85.25.198.253, but blocking that in the FW does not help. Odd since I have done that before and it worked.
* The "processing 4003 <4003>->+972592406392" is baffling.
Terry Barnum
2014-05-21 02:29:17 UTC
Permalink
Mario, OS X 10.9 uses the pf and alf firewalls (ipfw was used from 10.5-10.8). Use the free IceFloor app to configure pf via GUI. http://www.hanynet.com/icefloor/ Use fail2ban to add offending IPs to an IceFloor table.

-Terry

iPad says Hello World!
Post by Mario G
I am on OS X, no iptables, show registrations only show internal phones nothing else. I am sure they are not registered. Just looks like an incoming call trying to dial out.
Mario G
Post by Lawrence Conroy
Mario,
Assuming you are not on windows, You need to run this line
iptables -A INPUT -s 85.25.198.0/24 -j DROP
That will block that class C subnet from your system completely. That is the subnet their traffic is coming from. But I am not sure they have not authenticated (registered) on your server. If you are on windows let me know, I can help there too.
iptables -L -v
show registrations
Sean.
Steven Ayre
2014-05-21 09:30:52 UTC
Permalink
Why do you say it's a class C subnet? He's only mentioned a single IP
address, which comes from an ISP that has a /16 block. Class C networks
don't really exist any more, especially not on the internet since we have
CIDR now.

It's likely a zombie trawling the network for insecure setups. Blocking a
single IP won't work (could be a dynamic IP) and blocking an ISP also won't
work (there could be affected machines elsewhere).

Better to either use a whitelist to just allow through allowed IPs on the
(non-public?) SIP ports, or use something like fail2ban.
Post by Lawrence Conroy
Mario,
Assuming you are not on windows, You need to run this line
iptables -A INPUT -s 85.25.198.0/24 -j DROP
That will block that class C subnet from your system completely. That is
the subnet their traffic is coming from. But I am not sure they have not
authenticated (registered) on your server. If you are on windows let me
know, I can help there too.
iptables -L -v
show registrations
Sean.
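The allowlist-plus-ban approach suggested in the two replies above (pf table, fail2ban-style banning), sketched as an added example that is not code from the thread or from the FreeSWITCH project. It keys on the "receiving invite from" lines rather than on authentication failures, since the probes in the posted log never register. Assumptions: the sample log is constructed, 203.0.113.0/24 stands in for the ITSP range, the pf table name `sip_scanners` is hypothetical, and the threshold and window values are arbitrary.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the format of the log lines quoted in the thread, with
# "@" restored where the list archive printed " at ". 203.0.113.10 stands in
# for the ITSP; the thread does not give its real address.
SAMPLE_LOG = """\
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003@1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b
2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp2/4003@1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b
2014-05-19 17:02:25.107472 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
2014-05-19 17:02:30.000000 [DEBUG] sofia.c:8334 sofia/itsp1/5551230000@1.2.3.4 receiving invite from 203.0.113.10:5060 version: 1.5.13b
2014-05-19 17:02:30.000000 [INFO] mod_dialplan_xml.c:558 Processing 5551230000 <5551230000>->1212121212121 in context public
2014-05-19 17:02:35.200000 [DEBUG] sofia.c:8334 sofia/itsp1/4004@1.2.3.4 receiving invite from 85.25.198.253:5094 version: 1.5.13b
2014-05-19 17:02:35.200000 [INFO] mod_dialplan_xml.c:558 Processing 4004 <4004>->+972592406392 in context public
"""

# The sofia.c line that names the network source of an INVITE.
INVITE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \[\w+\] sofia\.c:\d+ "
    r"sofia/(?P<profile>[^/\s]+)/(?P<user>[^@\s]+)(?:@| at )\S+? ?"
    r"receiving invite from (?P<ip>[0-9.]+):(?P<port>\d+)"
)
# The dialplan line carries the caller ID and the number the caller asked for.
ROUTE_RE = re.compile(
    r"Processing .*?<(?P<cid>[^>]*)>->(?P<dest>\S+) in context (?P<ctx>\S+)"
)


def find_scanners(log_text, allow_nets, max_invites=3, window=timedelta(minutes=10)):
    """Report each source outside allow_nets that sent at least max_invites
    INVITEs within window (both thresholds are assumptions, tune to taste)."""
    allow = [ipaddress.ip_network(n) for n in allow_nets]
    recent = defaultdict(deque)   # ip -> INVITE timestamps still inside the window
    stats = defaultdict(
        lambda: {"invites": 0, "users": set(), "profiles": set(), "dests": set()}
    )
    pending = {}                  # caller ID -> source of its latest INVITE
    flagged = {}                  # ip -> time the threshold was crossed

    for line in log_text.splitlines():
        m = INVITE_RE.match(line)
        if m:
            try:
                ip = ipaddress.ip_address(m["ip"])
            except ValueError:
                continue          # not a valid address, ignore the line
            if any(ip in net for net in allow):
                pending.pop(m["user"], None)   # trusted trunk, nothing to attribute
                continue
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            s = stats[ip]
            s["invites"] += 1
            s["users"].add(m["user"])
            s["profiles"].add(m["profile"])
            pending[m["user"]] = ip
            if len(q) >= max_invites and ip not in flagged:
                flagged[ip] = ts
            continue
        r = ROUTE_RE.search(line)
        if r:
            # Heuristic: attribute the route to the latest untrusted INVITE
            # that used the same caller ID.
            ip = pending.pop(r["cid"], None)
            if ip is not None:
                stats[ip]["dests"].add(r["dest"])

    return [
        {
            "ip": str(ip),
            "flagged_at": flagged[ip],
            "invites": stats[ip]["invites"],
            "users": sorted(stats[ip]["users"]),
            "profiles": sorted(stats[ip]["profiles"]),
            "dests": sorted(stats[ip]["dests"]),
        }
        for ip in sorted(flagged)
    ]


def pf_block_commands(reports, table="sip_scanners"):
    """pfctl commands adding each flagged source to a pf table. The table name
    is hypothetical and pf.conf needs a block rule that references it."""
    return [f"pfctl -t {table} -T add {r['ip']}" for r in reports]


if __name__ == "__main__":
    for report in find_scanners(SAMPLE_LOG, ["203.0.113.0/24"]):
        print(report)
```
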
Mario G
2014-05-21 16:00:01 UTC
Permalink
My understanding is that it could have been TCP instead of UDP, also the IP address could have been proxied so what I saw was not correct. They did not register, just tried 8,010 extensions to call out from. I figured the only thing I can do is a PCAP when I catch it (my router can create PCAPs). But no attack in the last 24 hours, go figure. At least I have the TCP rule, I will check every few hours, since it lasts for over an hour I am hoping the PCAP will help. I also have the router (Zyxel USG100) emailing me alerts and the logs. BTW, looking further into this I don't think fail2ban would have worked, this was different. A whitelist is a good idea but I really want to stop it at the firewall if possible. Thanks for all the suggestions, will post if I get a PCAP and figure out how they got in.
Mario G
Why do you say it's a class C subnet? He's only mentioned a single IP address, which comes from an ISP that has a /16 block. Class C networks don't really exist any more, especially not on the internet since we have CIDR now.
It's likely a zombie trawling the network for insecure setups. Blocking a single IP won't work (could be a dynamic IP) and blocking an ISP also won't work (there could be affected machines elsewhere).
Better to either use a whitelist to just allow though allowed IPs on the (non-public?) SIP ports, or use something like fail2ban.
Mario,
Assuming you are not on windows, You need to run this line
iptables -A INPUT -s 85.25.198.0/24 -j DROP
That will block that class C subnet from your system completely. That is the subnet their traffic is coming from. But I am not sure they have not authenticated (registered) on your server. If you are on windows let me know, I can help there too.
iptables -L -v
show registrations
Sean.
-----Original Message-----
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Mario G
Sent: Tuesday, May 20, 2014 12:57 PM
To: FreeSWITCH Users Help
Subject: [Freeswitch-users] Need help to stop this hack into FreeSwitch!
Someone has gotten into my FreeSwitch, my firewall is set to only allow SIP traffic from my ITSP, and I added a rule to block the bad address but it did not work so I am baffled. It looks like 85.25.198.253 (Germany) is making a call to me and trying to call out. I would really appreciate any ideas on what kind of general FW rule to add to prevent this, I don't know what is going on. Next I'll run PCAPs. I was thinking of a rule to block all outgoing SIP traffic except to the ITSP. Would appreciate help, especially an explanation of what they are trying to do in FS.
Mario G
* Started May 19 8am, goes through all 7 sip accounts every 10 seconds
* Each time it starts at extension 1000, goes through all 7 accounts, then waits 10 seconds, the extension is incremented by 1 and goes through all 7 accounts, this repeats until finally stopping at extension 9010, then starts at a different time of day hours later.
* My account is itsp1 and itsp2, there are 5 more but I cut them out to reduce this.
* 1.2.3.4 is my public wan address.
* They look like 85.25.198.253, but blocking that in the FW does not help. Odd since I have done that before and it worked.
* The "processing 4003 <4003>->+972592406392" is baffling.
2014-05-19 17:02:23.827470 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [2837a51d-b25d-4b42-9fd9-f5b772d93f70]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
v=0
o=sipcli-Session 1785091527 1239589188 IN IP4 85.25.198.253
s=sipcli
c=IN IP4 85.25.198.253
t=0 0
m=audio 5075 RTP/AVP 18 0 8 101
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3437 Audio Codec Compare [PCMA:8:8000:20:64000] ++++ is saved as a match
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [PCMA:8:8000:20:64000]/[GSM:3:8000:20:13200]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3309 Set telephone-event payload to 101
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:2343 Set Codec sofia/itsp1/4003 at 1.2.3.4 PCMU/8000 20 ms 160 samples 64000 bits
2014-05-19 17:02:23.827470 [DEBUG] switch_core_codec.c:111 sofia/itsp1/4003 at 1.2.3.4 Original read codec set to PCMU:0
2014-05-19 17:02:23.827470 [DEBUG] switch_core_media.c:3626 Set 2833 dtmf send/recv payload to 101
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:6485 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_NEW -> CS_INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:486 (sofia/itsp1/4003 at 1.2.3.4) State NEW
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507 (sofia/itsp1/4003 at 1.2.3.4) State INIT
2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:87 sofia/itsp1/4003 at 1.2.3.4 SOFIA INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:40 sofia/itsp1/4003 at 1.2.3.4 Standard INIT
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:48 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_INIT -> CS_ROUTING
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:507 (sofia/itsp1/4003 at 1.2.3.4) State INIT going to sleep
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_ROUTING
2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:2178 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change DOWN -> RINGING
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523 (sofia/itsp1/4003 at 1.2.3.4) State ROUTING
2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:123 sofia/itsp1/4003 at 1.2.3.4 SOFIA ROUTING
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:164 sofia/itsp1/4003 at 1.2.3.4 Standard ROUTING
2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->unloop] continue=false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (PASS) [unloop] ${unroll_loops}(true) =~ /^true$/ break=on-false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [unloop] ${sip_looped_call}() =~ /^true$/ break=on-false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->outside_call] continue=true
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Absolute Condition [outside_call]
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action set(outside_call=true)
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Action export(RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)})
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->call_debug] continue=true
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [call_debug] ${call_debug}(false) =~ /^true$/ break=never
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->public_extensions] continue=false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [public_extensions] destination_number(+972592406392) =~ /^([1-2][0-1][0-3])$/ break=on-false
.......... deleted lines
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp1_did] destination_number(+972592406392) =~ /^(1212121212121)$/ break=on-false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 parsing [public->itsp2_did] continue=false
Dialplan: sofia/itsp1/4003 at 1.2.3.4 Regex (FAIL) [itsp2_did] destination_number(+972592406392) =~ /^(1313131313131)$/ break=on-false
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:214 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_ROUTING -> CS_EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:523 (sofia/itsp1/4003 at 1.2.3.4) State ROUTING going to sleep
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530 (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] mod_sofia.c:178 sofia/itsp1/4003 at 1.2.3.4 SOFIA EXECUTE
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:256 sofia/itsp1/4003 at 1.2.3.4 Standard EXECUTE
EXECUTE sofia/itsp1/4003 at 1.2.3.4 set(outside_call=true)
2014-05-19 17:02:23.827470 [DEBUG] mod_dptools.c:1435 sofia/itsp1/4003 at 1.2.3.4 SET [outside_call]=[true]
EXECUTE sofia/itsp1/4003 at 1.2.3.4 export(RFC2822_DATE=Mon, 19 May 2014 17:02:23 -0700)
2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:1246 EXPORT (export_vars) [RFC2822_DATE]=[Mon, 19 May 2014 17:02:23 -0700]
2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:313 sofia/itsp1/4003 at 1.2.3.4 has executed the last dialplan instruction, hanging up.
2014-05-19 17:02:23.827470 [NOTICE] switch_core_state_machine.c:315 Hangup sofia/itsp1/4003 at 1.2.3.4 [CS_EXECUTE] [NORMAL_CLEARING]
2014-05-19 17:02:23.827470 [DEBUG] switch_channel.c:3216 Send signal sofia/itsp1/4003 at 1.2.3.4 [KILL]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:530 (sofia/itsp1/4003 at 1.2.3.4) State EXECUTE going to sleep
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_HANGUP
2014-05-19 17:02:23.827470 [DEBUG] switch_core_state_machine.c:730 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change RINGING -> HANGUP
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:413 Channel sofia/itsp1/4003 at 1.2.3.4 hanging up, cause: NORMAL_CLEARING
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:547 Responding to INVITE with: 480
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:58 sofia/itsp1/4003 at 1.2.3.4 Standard HANGUP, cause: NORMAL_CLEARING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:732 (sofia/itsp1/4003 at 1.2.3.4) State HANGUP going to sleep
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:499 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_HANGUP -> CS_REPORTING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_REPORTING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:102 sofia/itsp1/4003 at 1.2.3.4 Standard REPORTING, cause: NORMAL_CLEARING
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:818 (sofia/itsp1/4003 at 1.2.3.4) State REPORTING going to sleep
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:493 (sofia/itsp1/4003 at 1.2.3.4) State Change CS_REPORTING -> CS_DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1387 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:23.846717 [DEBUG] switch_core_session.c:1604 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Locked, Waiting on external entities
2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1622 Session 234 (sofia/itsp1/4003 at 1.2.3.4) Ended
2014-05-19 17:02:23.846717 [NOTICE] switch_core_session.c:1626 Close Channel sofia/itsp1/4003 at 1.2.3.4 [CS_DESTROY]
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:618 (sofia/itsp1/4003 at 1.2.3.4) Callstate Change HANGUP -> DOWN
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:621 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY
2014-05-19 17:02:23.846717 [DEBUG] mod_sofia.c:323 sofia/itsp1/4003 at 1.2.3.4 SOFIA DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:109 sofia/itsp1/4003 at 1.2.3.4 Standard DESTROY
2014-05-19 17:02:23.846717 [DEBUG] switch_core_state_machine.c:631 (sofia/itsp1/4003 at 1.2.3.4) State DESTROY going to sleep
2014-05-19 17:02:25.107472 [NOTICE] switch_channel.c:1054 New Channel sofia/itsp1/4003 at 1.2.3.4 [364bd3e4-2c4b-4412-b259-10cfb0b6c391]
2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:25.107472 [DEBUG] switch_core_state_machine.c:467 (sofia/itsp1/4003 at 1.2.3.4) Running State Change CS_NEW
2014-05-19 17:02:25.107472 [DEBUG] switch_core_session.c:1052 Send signal sofia/itsp1/4003 at 1.2.3.4 [BREAK]
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:6200 Channel sofia/itsp1/4003 at 1.2.3.4 entering state [received][100]
v=0
o=sipcli-Session 17343503 2124966596 IN IP4 85.25.198.253
s=sipcli
c=IN IP4 85.25.198.253
t=0 0
m=audio 5085 RTP/AVP 18 0 8 101
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
2014-05-19 17:02:25.107472 [DEBUG] switch_core_media.c:3383 Audio Codec Compare [G729:18:8000:20:8000]/[G722:9:8000:20:64000]
_________________________________________________________________________
consulting at freeswitch.org
http://www.freeswitchsolutions.com
FreeSWITCH-powered IP PBX: The CudaTel Communication Server http://www.cudatel.com
Official FreeSWITCH Sites
http://www.freeswitch.org
http://wiki.freeswitch.org
http://www.cluecon.com
FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
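The whitelist idea from the reply above can be checked against the FreeSWITCH log itself. The following is an added example, not part of any post in this thread: it lists INVITE sources that fall outside an allowlist, with the source ports they used and the numbers they tried to dial. The sample lines are constructed in the format of the quoted log, and 203.0.113.10 is a placeholder for the ITSP address, which the thread never gives.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the log quoted in this thread.
# 203.0.113.10 is a placeholder for the ITSP address (assumption).
SAMPLE_LOG = """\
2014-05-19 17:02:23.827470 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5074 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:02:23.827470 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
2014-05-19 17:02:25.107472 [DEBUG] sofia.c:8334 sofia/itsp1/4003 at 1.2.3.4 receiving invite from 85.25.198.253:5084 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:02:25.107472 [INFO] mod_dialplan_xml.c:558 Processing 4003 <4003>->+972592406392 in context public
2014-05-19 17:03:01.000000 [DEBUG] sofia.c:8334 sofia/itsp1/5551234 at 1.2.3.4 receiving invite from 203.0.113.10:5060 version: 1.5.13b git 285e7dc 2014-05-19 17:38:09Z 64bit
2014-05-19 17:03:01.000000 [INFO] mod_dialplan_xml.c:558 Processing 5551234 <5551234>->1212121212121 in context public
"""

INVITE_RE = re.compile(r"receiving invite from (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
ROUTE_RE = re.compile(r"Processing .*->(\S+) in context \S+")


def untrusted_invites(log_text, allowed_cidrs):
    """Map each INVITE source outside allowed_cidrs to its invite count,
    source ports and the destination numbers it asked the dialplan for."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    report = defaultdict(lambda: {"invites": 0, "ports": set(), "dialed": set()})
    current = None  # untrusted source of the most recent INVITE, if any
    for line in log_text.splitlines():
        m = INVITE_RE.search(line)
        if m:
            ip = ipaddress.ip_address(m.group(1))
            if any(ip in net for net in allowed):
                current = None  # trusted peer: ignore its routing lines
            else:
                current = m.group(1)
                report[current]["invites"] += 1
                report[current]["ports"].add(int(m.group(2)))
            continue
        # Heuristic: a "Processing" line belongs to the INVITE logged just
        # before it, which holds when calls are not interleaved in the log.
        m = ROUTE_RE.search(line)
        if m and current:
            report[current]["dialed"].add(m.group(1))
    return dict(report)


if __name__ == "__main__":
    for src, info in untrusted_invites(SAMPLE_LOG, ["203.0.113.10/32"]).items():
        print(src, info["invites"], sorted(info["ports"]), sorted(info["dialed"]))
```

Any source this reports is one the firewall let through to the SIP port despite the intended ITSP-only rule, which is the condition the original post describes.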