[Freeswitch-users] Blocking incoming calls

Steven Ayre steveayre at gmail.com
Wed Mar 13 21:06:49 MSK 2013


>
> But they can be every few seconds and I suspect they might be using a lot
> of bandwidth just hammering the system.


Probably not that much since SIP packets are pretty small... but it depends
on how often they'll be sending the INVITE. Collect their traffic with
tcpdump if you're concerned and that'll let you see how much (tcpdump -i
eth0 -w probes.pcap "port 5060 and host not $providerip)

Unless you can block it further upstream you're always going to get the
INVITE though so even with a firewall won't be able to completely stop the
bandwidth drain. However blocking it might make them move on after the 1st
attempt, while responding (even with a failure) might lead to them trying
other attempts. That depends on the attacker's script.

Such probes are really not unusual at all these days. There're a lot of bot
nets that scan public IPs for listening SIP servers.

-Steve



On 13 March 2013 17:39, Clive Lansink <clive at lansink.co.nz> wrote:

> Thanks everyone. Perhaps I should have added that we have a separate
> internal SIP profile that our internal phone extensions register to but the
> question only related to the public profile through which we receive
> incoming calls from our VOIP provider.
>
> Sounds like the best way to silently and completely block other incoming
> traffic we don't want is to use a firewall rule so that's what I'll do.
>
> Cheers.
>
>
> Clive Lansink
> Email: Clive at Lansink.Co.NZ
> Phone: +64 9 520-4242
> Mobile: +64 21 663-999
> Fax: +64 21 789-150
>
> -----Original message-----
> From: Alex Lake <alex at digitalmail.com>
> To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> Subject: Re: [Freeswitch-users] Blocking incoming calls
> Reply-to: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> Date: Wed, 13 Mar 2013 12:43:29 +0000
>
> Ah! A different IP address. That's handy.
> Now I'll go away (OK, Avi? ;-P)
> > mod_sofia supports having different sip 'profiles'. Each one can be
> > bound to a different IP address or port, and they can have different
> > options, like different ACL settings, different codec settings,
> > different NAT settings, etc.
> >
> > On 13 March 2013 12:20, Alex Lake <alex at digitalmail.com
> > <mailto:alex at digitalmail.com>> wrote:
> >
> >     When you say "to a different profile" - you're talking about on
> >     the same box, but a different port?
> >>     They could still be registering, but to a different profile.
> >>     Possibly on an internal network.
> >>
> >>     On 13 March 2013 11:43, Alex Lake <alex at digitalmail.com
> >>     <mailto:alex at digitalmail.com>> wrote:
> >>
> >>         Ah, so presumably the OP doesn't have (for example) SIP
> >>         handsets registered to his box (presumably that's done on
> >>         port 5060, too)
> >>>         Only if you don't know what IP addresses calls are going to
> >>>         be coming from. In this case, we can probably ask the
> >>>         provider what their IP addresses are and just explicitly
> >>>         allow them.
> >>>
> >>>         All fail2ban does is check the log files then set up
> >>>         relevant firewall blacklist rules, so for the same job you
> >>>         get slightly more CPU load too.
> >>>
> >>>         On 13 March 2013 10:28, Alex Lake <alex at digitalmail.com
> >>>         <mailto:alex at digitalmail.com>> wrote:
> >>>
> >>>             Isn't fail2ban the usual solution here?
> >>>             > Hello. I hope someone can quickly see what I want to
> >>>             do and steer me in the right direction.
> >>>             >
> >>>             > I've looked at the documentation for acl.conf.xml and
> >>>             the SIP profile config file external.xml. I want to
> >>>             block incoming calls from all but a single external IP
> >>>             address and I'm sorry I just can't figure out how to do
> >>>             it or even if it can be done.
> >>>             >
> >>>             > We have a SIP trunk service with our VOIP provider.
> >>>             That means we have a static IP address which they use
> >>>             when they forward calls to us. They don't need to
> >>>             register, we just accept their calls but of course they
> >>>             have to be to our destination phone number. That all
> >>>             works and we have been very happy with Freeswitch for I
> >>>             don't know well over a year.
> >>>             >
> >>>             > Recently I became aware that someone is hammering our
> >>>             system trying to make calls. Our provider will only use
> >>>             port 5060 so that does mean our system is sitting on the
> >>>             internet with port 5060 open. Our dial plan works
> >>>             correctly and I can see in the log these calls are going
> >>>             nowhere. But they can be every few seconds and I suspect
> >>>             they might be using a lot of bandwidth just hammering
> >>>             the system.
> >>>             >
> >>>             > We will never receive calls from any other address
> >>>             than the one our VOIP provider will use to call us. So I
> >>>             just want to block SIP traffic from all addresses except
> >>>             theirs. I just want Freeswitch to stay silent when a
> >>>             call comes in on any other address, so there is no
> >>>             evidence that it is there to be attacked.
> >>>             >
> >>>             > I know I can do this with a firewall but I hope I can
> >>>             do it in Freeswitch itself. I am confused about the
> >>>             parameters auth-calls and auth-call and how to apply an
> >>>             access list that would restrict all calls to just one IP
> >>>             address. I did read somewhere in the docs that if you
> >>>             want to block calls you need to use a firewall and maybe
> >>>             that's the answer and so be it. Still I hope I can do it
> >>>             with Freeswitch so I can just apply the right ACL and
> >>>             sort the problem without creating new problems by
> >>>             introducing a firewall.
> >>>             >
> >>>             > Hope you can help.
> >>>             >
> >>>             >
> >>>             > Clive Lansink
> >>>             > Email: Clive at Lansink.Co.NZ <mailto:Clive at Lansink.Co.NZ>
> >>>             > Phone: +64 9 520-4242 <tel:%2B64%209%20520-4242>
> >>>             > Mobile: +64 21 663-999 <tel:%2B64%2021%20663-999>
> >>>             > Fax: +64 21 789-150 <tel:%2B64%2021%20789-150>
> >>>             >
> >>>             >
> >>>
> _________________________________________________________________________
> >>>             > Professional FreeSWITCH Consulting Services:
> >>>             > consulting at freeswitch.org
> >>>             <mailto:consulting at freeswitch.org>
> >>>             > http://www.freeswitchsolutions.com
> >>>             >
> >>>             > FreeSWITCH-powered IP PBX: The CudaTel Communication
> >>>             Server
> >>>             > 
> >>>             >
> >>>             > Official FreeSWITCH Sites
> >>>             > http://www.freeswitch.org
> >>>             > http://wiki.freeswitch.org
> >>>             > http://www.cluecon.com
> >>>             >
> >>>             > FreeSWITCH-users mailing list
> >>>             > FreeSWITCH-users at lists.freeswitch.org
> >>>             <mailto:FreeSWITCH-users at lists.freeswitch.org>
> >>>             >
> >>>
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> >>>             >
> >>>             UNSUBSCRIBE:
> http://lists.freeswitch.org/mailman/options/freeswitch-users
> >>>             > http://www.freeswitch.org
> >>>             >
> >>>             >
> >>>             > -----
> >>>             > No virus found in this message.
> >>>             > Checked by AVG - www.avg.com <http://www.avg.com>
> >>>             > Version: 2012.0.2240 / Virus Database: 2641/5668 -
> >>>             Release Date: 03/12/13
> >>>             >
> >>>             >
> >>>
> >>>
> >>>
> _________________________________________________________________________
> >>>             Professional FreeSWITCH Consulting Services:
> >>>             consulting at freeswitch.org <mailto:
> consulting at freeswitch.org>
> >>>             http://www.freeswitchsolutions.com
> >>>
> >>>             
> >>>             
> >>>
> >>>             Official FreeSWITCH Sites
> >>>             http://www.freeswitch.org
> >>>             http://wiki.freeswitch.org
> >>>             http://www.cluecon.com
> >>>
> >>>             FreeSWITCH-users mailing list
> >>>             FreeSWITCH-users at lists.freeswitch.org
> >>>             <mailto:FreeSWITCH-users at lists.freeswitch.org>
> >>>
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> >>>             UNSUBSCRIBE:
> http://lists.freeswitch.org/mailman/options/freeswitch-users
> >>>             http://www.freeswitch.org
> >>>
> >>>
> >>>
> >>>
> >>>         --
> >>>         *Andrew Cassidy BSc (Hons) MBCS SSCA*
> >>>         Managing Director
> >>>
> >>>
> >>>         *T <mailto:info at cassidywebservices.co.uk> *03300 100 960
> >>>         <tel:03300%20100%20960> *F
> >>>         <mailto:info at cassidywebservices.co.uk> *03300 100 961
> >>>         <tel:03300%20100%20961>
> >>>         *E <mailto:info at cassidywebservices.co.uk>
> >>>         *andrew at cassidywebservices.co.uk
> >>>         <mailto:andrew at cassidywebservices.co.uk>
> >>>         *W <mailto:info at cassidywebservices.co.uk>
> >>>         *www.cassidywebservices.co.uk
> >>>         <http://www.cassidywebservices.co.uk>
> >>>
> >>>
> >>>
> _________________________________________________________________________
> >>>         Professional FreeSWITCH Consulting Services:
> >>>         consulting at freeswitch.org  <mailto:consulting at freeswitch.org>
> >>>         http://www.freeswitchsolutions.com
> >>>
> >>>         
> >>>         
> >>>
> >>>         Official FreeSWITCH Sites
> >>>         http://www.freeswitch.org
> >>>         http://wiki.freeswitch.org
> >>>         http://www.cluecon.com
> >>>
> >>>         FreeSWITCH-users mailing list
> >>>         FreeSWITCH-users at lists.freeswitch.org  <mailto:
> FreeSWITCH-users at lists.freeswitch.org>
> >>>         http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> >>>         UNSUBSCRIBE:
> http://lists.freeswitch.org/mailman/options/freeswitch-users
> >>>         http://www.freeswitch.org
> >>>
> >>>
> >>>         No virus found in this message.
> >>>         Checked by AVG - www.avg.com <http://www.avg.com>
> >>>         Version: 2012.0.2240 / Virus Database: 2641/5668 - Release
> >>>         Date: 03/12/13
> >>>
> >>
> >>
> >>
> _________________________________________________________________________
> >>         Professional FreeSWITCH Consulting Services:
> >>         consulting at freeswitch.org <mailto:consulting at freeswitch.org>
> >>         http://www.freeswitchsolutions.com
> >>
> >>         
> >>         
> >>
> >>         Official FreeSWITCH Sites
> >>         http://www.freeswitch.org
> >>         http://wiki.freeswitch.org
> >>         http://www.cluecon.com
> >>
> >>         FreeSWITCH-users mailing list
> >>         FreeSWITCH-users at lists.freeswitch.org
> >>         <mailto:FreeSWITCH-users at lists.freeswitch.org>
> >>         http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> >>         UNSUBSCRIBE:
> http://lists.freeswitch.org/mailman/options/freeswitch-users
> >>         http://www.freeswitch.org
> >>
> >>
> >>
> >>
> >>     --
> >>     *Andrew Cassidy BSc (Hons) MBCS SSCA*
> >>     Managing Director
> >>
> >>
> >>     *T <mailto:info at cassidywebservices.co.uk> *03300 100 960
> >>     <tel:03300%20100%20960> *F <mailto:info at cassidywebservices.co.uk>
> >>     *03300 100 961 <tel:03300%20100%20961>
> >>     *E <mailto:info at cassidywebservices.co.uk>
> >>     *andrew at cassidywebservices.co.uk
> >>     <mailto:andrew at cassidywebservices.co.uk>
> >>     *W <mailto:info at cassidywebservices.co.uk>
> >>     *www.cassidywebservices.co.uk <http://www.cassidywebservices.co.uk>
> >>
> >>
> >>
> _________________________________________________________________________
> >>     Professional FreeSWITCH Consulting Services:
> >>     consulting at freeswitch.org  <mailto:consulting at freeswitch.org>
> >>     http://www.freeswitchsolutions.com
> >>
> >>     
> >>     
> >>
> >>     Official FreeSWITCH Sites
> >>     http://www.freeswitch.org
> >>     http://wiki.freeswitch.org
> >>     http://www.cluecon.com
> >>
> >>     FreeSWITCH-users mailing list
> >>     FreeSWITCH-users at lists.freeswitch.org  <mailto:
> FreeSWITCH-users at lists.freeswitch.org>
> >>     http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> >>     UNSUBSCRIBE:
> http://lists.freeswitch.org/mailman/options/freeswitch-users
> >>     http://www.freeswitch.org
> >>
> >>
> >>     No virus found in this message.
> >>     Checked by AVG - www.avg.com <http://www.avg.com>
> >>     Version: 2012.0.2240 / Virus Database: 2641/5668 - Release Date:
> >>     03/12/13
> >>
> >
> >
> >
> _________________________________________________________________________
> >     Professional FreeSWITCH Consulting Services:
> >     consulting at freeswitch.org <mailto:consulting at freeswitch.org>
> >     http://www.freeswitchsolutions.com
> >
> >     
> >     
> >
> >     Official FreeSWITCH Sites
> >     http://www.freeswitch.org
> >     http://wiki.freeswitch.org
> >     http://www.cluecon.com
> >
> >     FreeSWITCH-users mailing list
> >     FreeSWITCH-users at lists.freeswitch.org
> >     <mailto:FreeSWITCH-users at lists.freeswitch.org>
> >     http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> >     UNSUBSCRIBE:
> http://lists.freeswitch.org/mailman/options/freeswitch-users
> >     http://www.freeswitch.org
> >
> >
> >
> >
> > --
> > *Andrew Cassidy BSc (Hons) MBCS SSCA*
> > Managing Director
> >
> >
> > *T <mailto:info at cassidywebservices.co.uk> *03300 100 960 *F
> > <mailto:info at cassidywebservices.co.uk> *03300 100 961
> > *E <mailto:info at cassidywebservices.co.uk>
> > *andrew at cassidywebservices.co.uk <mailto:andrew at cassidywebservices.co.uk
> >
> > *W <mailto:info at cassidywebservices.co.uk>
> > *www.cassidywebservices.co.uk <http://www.cassidywebservices.co.uk>
> >
> >
> > _________________________________________________________________________
> > Professional FreeSWITCH Consulting Services:
> > consulting at freeswitch.org
> > http://www.freeswitchsolutions.com
> >
> > 
> > 
> >
> > Official FreeSWITCH Sites
> > http://www.freeswitch.org
> > http://wiki.freeswitch.org
> > http://www.cluecon.com
> >
> > FreeSWITCH-users mailing list
> > FreeSWITCH-users at lists.freeswitch.org
> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> > http://www.freeswitch.org
> >
> >
> > No virus found in this message.
> > Checked by AVG - www.avg.com <http://www.avg.com>
> > Version: 2012.0.2240 / Virus Database: 2641/5668 - Release Date: 03/12/13
> >
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> 
> 
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> 
> 
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20130313/a01da6ce/attachment-0001.html 


Join us at ClueCon 2011 Aug 9-11, 2011
More information about the FreeSWITCH-users mailing list