[RndTbl] FreeSWITCH, WAN PBXs - Word to the wise

Alex Weber alexwebr at gmail.com
Thu Jul 8 15:02:39 CDT 2021

Very funny Troy. I made an even worsee mistake a few months ago. I
exposed a new system (intended to be a router) with 'root:root' to the
world thinking my brand new nftables knowledge was sound, and it was
not. Literally the definition of "enough to be dangerous!". Had
multiple successful SSH root logins in the course of only a few hours
and decided I was better off wiping and starting over. Fun times!

> Date: Wed, 7 Jul 2021 13:42:55 -0500
> From: Troy Denton <trdenton at gmail.com>
> To: Continuation of Round Table discussion <roundtable at muug.ca>
> Subject: [RndTbl] FreeSWITCH, WAN PBXs - Word to the wise
> Message-ID:
>         <CAN8-H5_ONESqpnNu_78_taq8Uu9bnK9Po4FTyq_gkf_y8WKvOg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> Yesterday I modified my freeswitch config to allow phone registration over
> the WAN for a very specific and short-term use case.   You may remember a
> warning about this in my FreeSWITCH presentation - this open registration
> is a big no-no. You can probably see where this is going.
> Not being entirely foolish, I introduced an ACL to limit it to my household
> IP - or so I thought! The ACL I modified had a default "allow" policy
> (woops!!). Within 2 hours, I had hackers trying to authenticate.  Within 24
> hours, they were making calls to the Caribbean and Palestine!
> I'm still doing a postmortem to see exactly how they were able to register
> - the accounts they were able to use did not (and still do not) exist in my
> dialplan.  That one's a headscratcher.  It's probably a goofy config on my
> part.  At worst, there was a freeswitch exploit used.
> Luckily les.net has some very good piracy detection, and they were able to
> turn off my service before I had any serious financial impact - I'm out
> about 25 cents.
> Moral of the story- don't open your PBX's internal registration to the
> internet - even if you think you know what you're doing ;)
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://muug.ca/pipermail/roundtable/attachments/20210707/fca2334f/attachment-0001.htm>

More information about the Roundtable mailing list