
Preventing toll fraud on freeswitch

Published: 2014-01-12 22:02 Author: 成都启点科技 Tags: call center system, freeswitch

Recently, while inspecting the communications backend of our customers' freeswitch call center systems, we have frequently found port 5060 being scanned by IP addresses from abroad that then attempt to register, most likely brute-force password attacks or similar. Because SIP answers registration requests, discovering an open SIP port is easy. If an attacker exploits a weak password or similar vulnerability to get into our system and places unauthorized calls, including international long-distance calls, the loss will be considerable.
Looking through the fs wiki, there happens to be an article on security, which is excerpted below. In short, the policies built into fs are never as thorough as using iptables.
Security Best Practices
Informal Security Discussion

What are your security best practices?
What techniques do you use?
How do you balance security vs. ease of use?
Security is about mitigating risks and providing ease of use, problem detection and remediation while protecting the most important characteristics of the system. This section will provide a number of directions to look at.
General Recommendations

If you are not using a VPN or are not on a local intranet with the FS server, make sure to use SIP TLS, as otherwise all SIP traffic and authentication is in the clear.
The most basic things for any system include:
Have a router with SPI firewall between your system and the Internet
Do not put your system in the router DMZ (where all default incoming traffic will be sent)
Change all system passwords and set them to strong ones.
Install the latest patches for your OS
Set up an IDS like Snort or AIDE
Use fail2ban to limit password / id guessing (Linux only)
Set up a firewall - configuration to be described later in the page
Install an Anti-Virus (Windows)
Remember that AVG seems to interfere with compilation
... please add to this list ...
Sources to consider:
SNORT [1]
Linux only: AIDE [2]
Windows only: Threats and Countermeasures Guide: Security Settings in Windows Server 2008 and Windows Vista [3]
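The fail2ban recommendation above boils down to counting authentication failures per source address and acting once a source crosses a threshold. The following shell script is an added example, not code from the page or the FreeSWITCH project, that performs that count over log lines. The sample lines are constructed here to follow the shape of FreeSWITCH's sofia "SIP auth failure" warning; the threshold of 3 and the addresses (RFC 5737 documentation ranges) are assumptions, and the pattern should be checked against your own log before it is relied on.

```shell
#!/bin/sh
# Added example: count SIP auth failures per source IP in FreeSWITCH log output
# and list the sources that exceed a threshold (what fail2ban automates).

# Constructed sample log, modelled on FreeSWITCH's sofia auth-failure warning.
SAMPLE_LOG=$(cat <<'EOF'
2014-01-12 22:01:03.000001 [WARNING] sofia_reg.c:1772 SIP auth failure (REGISTER) on sofia profile 'internal' for [1000@203.0.113.5] from ip 198.51.100.77
2014-01-12 22:01:04.000002 [WARNING] sofia_reg.c:1772 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@203.0.113.5] from ip 198.51.100.77
2014-01-12 22:01:05.000003 [NOTICE] switch_core_state_machine.c:160 sofia/internal/1002@203.0.113.5 has executed the last dialplan instruction, hanging up.
2014-01-12 22:01:06.000004 [WARNING] sofia_reg.c:1772 SIP auth failure (REGISTER) on sofia profile 'internal' for [1002@203.0.113.5] from ip 198.51.100.77
2014-01-12 22:01:07.000005 [WARNING] sofia_reg.c:1772 SIP auth failure (INVITE) on sofia profile 'internal' for [1003@203.0.113.5] from ip 198.51.100.77
2014-01-12 22:01:08.000006 [WARNING] sofia_reg.c:1772 SIP auth failure (REGISTER) on sofia profile 'internal' for [1000@203.0.113.5] from ip 192.0.2.33
EOF
)

# count_auth_failures THRESHOLD
#   Reads log lines on stdin and prints "<count> <ip>" for every source IP
#   whose REGISTER/INVITE auth failures reach THRESHOLD (default 3).
#   The source address is the last field of the warning line ("from ip X").
count_auth_failures() {
  awk -v thr="${1:-3}" '
    /SIP auth failure \((REGISTER|INVITE)\) on sofia profile/ { fails[$NF]++ }
    END { for (ip in fails) if (fails[ip] >= thr) print fails[ip], ip }
  '
}

# offending_ips THRESHOLD
#   Convenience wrapper over the constructed sample: prints only the IPs.
offending_ips() {
  printf '%s\n' "$SAMPLE_LOG" | count_auth_failures "$1" | awk '{ print $2 }'
}

# Run stand-alone: show which sources in the sample crossed the threshold.
# With the sample above and threshold 3 this prints "4 198.51.100.77".
printf '%s\n' "$SAMPLE_LOG" | count_auth_failures 3
```

On a live system the input would be the FreeSWITCH log (for example `tail -F /var/log/freeswitch/freeswitch.log | count_auth_failures 5`), and the output feeds whatever blocking mechanism you use. The one non-trivial choice is the threshold: set it above the retry count of a legitimate phone with a mistyped password, so that a single misconfigured handset does not lock out a whole office behind NAT.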
Freeswitch Configuration

Passwords and other confidential information to change and protect
Your freeswitch configuration will have a number of areas where confidential information is stored. Here is a list to start with:
User names and passwords
Proxies or Gateways names and passwords
Other module configuration... please add ...
Please change the following elements of the default configuration:
users 1000 to 1019 and their passwords (it is a good idea to remove them completely)
change the default voicemail password
Local Registrations
Companies that accept registrations only from static IP addresses should use the register ACL (registeracl) and add their customers' IPs to that ACL to protect registration.
Limit the number of connections per second or per minute, depending on your setup, on your firewall. This way, if there are more attempts than there should be, your firewall blocks them before they even reach FS. Your firewall rules may follow this general scheme: (1) accept signaling or media traffic from trusted IPs and apply connections-per-second rules based on their traffic pattern; (2) accept signaling or media traffic from any IP, but on the condition that if a single IP exceeds a certain connections-per-second number, that IP is blocked temporarily or permanently (depending on the situation). pfSense blocks that IP for one hour automatically if the rule has this setting enabled. Using iptables it is also easy to create such a rule (see Using iptables to rate-limit incoming connections).
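The two-tier scheme just described, written out as iptables rules, is shown in the following added example; it is not code from the page, the wiki or the FreeSWITCH project. The trusted addresses, the rate of 5 packets per second with a burst of 20, the one-hour block and the chain name `SIP_IN` are all assumptions to adjust for your own traffic. The script prints the rules by default and only executes them when run as root with `APPLY=1`, so it can be reviewed before it touches a firewall. The rate limit uses the `hashlimit` match (per-source packet rate, which is the right unit for SIP over UDP) and the `recent` match to remember offending sources; note that `recent` keeps at most 100 addresses per list unless the `xt_recent` module is loaded with a larger `ip_list_tot`.

```shell
#!/bin/sh
# Added example: iptables rules for the two-tier SIP firewall scheme.
#   tier 1 - trusted peers are accepted outright
#   tier 2 - anyone else is accepted up to RATE per source; a source that
#            exceeds it is recorded and dropped for BLOCK_SECONDS
# All values below are assumptions (placeholders), not from the page.

SIP_PORT="${SIP_PORT:-5060}"
TRUSTED_IPS="${TRUSTED_IPS:-192.0.2.10 198.51.100.0/24}"   # constructed sample trusted peers
RATE="${RATE:-5/second}"                                  # per-source packet rate before limiting
BURST="${BURST:-20}"                                      # short bursts (re-registration storms) tolerated
BLOCK_SECONDS="${BLOCK_SECONDS:-3600}"                    # one hour, as pfSense does by default
CHAIN="SIP_IN"

# sip_firewall_rules PROTO   (PROTO is udp or tcp)
#   Prints the rules for the SIP_IN chain, one iptables command per line.
sip_firewall_rules() {
  proto="$1"
  # Tier 1: trusted sources are accepted before any rate check.
  for ip in $TRUSTED_IPS; do
    echo "iptables -A $CHAIN -p $proto -s $ip --dport $SIP_PORT -j ACCEPT"
  done
  # Tier 2a: a source already on the block list within BLOCK_SECONDS is dropped.
  echo "iptables -A $CHAIN -p $proto --dport $SIP_PORT -m recent --name SIPBLOCK --rcheck --seconds $BLOCK_SECONDS -j DROP"
  # Tier 2b: a source above RATE (after BURST) is added to the block list and dropped.
  echo "iptables -A $CHAIN -p $proto --dport $SIP_PORT -m hashlimit --hashlimit-name sip_$proto --hashlimit-mode srcip --hashlimit-above $RATE --hashlimit-burst $BURST -m recent --name SIPBLOCK --set -j DROP"
  # Tier 2c: everyone else, within the rate, is accepted.
  echo "iptables -A $CHAIN -p $proto --dport $SIP_PORT -j ACCEPT"
}

# all_rules
#   Prints the complete rule set: chain creation, INPUT hooks, then the
#   per-protocol rules for both UDP and TCP signaling.
all_rules() {
  echo "iptables -N $CHAIN"
  echo "iptables -A INPUT -p udp --dport $SIP_PORT -j $CHAIN"
  echo "iptables -A INPUT -p tcp --dport $SIP_PORT -j $CHAIN"
  sip_firewall_rules udp
  sip_firewall_rules tcp
}

# Print by default; apply line by line only when explicitly asked to.
if [ "${APPLY:-0}" = "1" ]; then
  all_rules | while IFS= read -r cmd; do sh -c "$cmd"; done
else
  all_rules
fi
```

Rule order matters: the trusted-source accepts come first so a busy but legitimate trunk is never rate-limited, the `--rcheck` drop comes before the `hashlimit` rule so already-blocked sources do not keep feeding the limiter, and the final accept is what ordinary registrations hit. A blocked address stays blocked for `BLOCK_SECONDS` from the moment it was added; if you would rather extend the block every time the source retries, replace `--rcheck` with `--update`.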
