[Freeswitch-users] how to ban this spammer?

Michael Jerris mike at jerris.com
Wed Jun 4 22:20:49 MSD 2014


Yes, if you blocked everything that was challenged you would probably block legitimate traffic.  There is no "regex" that can tell you the difference between good and bad traffic like this; perhaps something that looks more specifically at traffic patterns could help, but that would be significant logic to find the right mix.  You could do something with iptables for rate limiting that can minimize the effectiveness of attacks like this.

Mike

On Jun 4, 2014, at 5:59 PM, Neo Haux <neo.haux at gmx.com> wrote:

> Hi all,
> 
> I am receiving hundreds of INVITE/minute and in the log I can see:
> 
> 2014-06-04 13:52:30.189371 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [340 at MyExternalIP] from ip 62.210.142.39
> 2014-06-04 13:52:42.789530 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [341 at MyExternalIP] from ip 62.210.142.39
> 2014-06-04 13:52:55.479999 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [341 at MyExternalIP] from ip 62.210.142.39
> 2014-06-04 13:53:08.289660 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [342 at MyExternalIP] from ip 62.210.142.39
> 2014-06-04 13:53:21.679512 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [342 at MyExternalIP] from ip 62.210.142.39
> 
> 
> In the /etc/fail2ban/filter.d/freeswitch.conf file I have these lines:
> 
> failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
>             \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
> 
> 
> You can see clearly that my logs contain failure word not "auth challenge".
> 
> My question is: If I put "auth challenge" in my /etc/fail2ban/filter.d/freeswitch.conf, will I block regular known and authenticated SIP clients? If yes, could you help find the right regex to stop this kind of spammers?
> 
> Thank you very much in advance.
> 
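
One way to look at traffic patterns rather than single log lines, as the reply suggests (an added example, not code from either poster or from FreeSWITCH): count how many distinct users each source IP is challenged for inside a time window, since a phone re-registering is challenged for one user while the scan in the log walks 340, 341, 342. The function name, the 5-minute window, the threshold of 2 users and the `192.0.2.10` lines are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "SIP auth challenge" warning format quoted above; the list archive
# renders "@" as " at ", so both spellings are accepted.
CHALLENGE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \[WARNING\] sofia_reg\.c:\d+ "
    r"SIP auth challenge \((?:REGISTER|INVITE)\) on sofia profile '\w+' "
    r"for \[(?P<user>[^\]@ ]+)(?: at |@)[^\]]*\] from ip (?P<ip>\S+)$"
)

def suspicious_ips(lines, window=timedelta(minutes=5), max_users=2):
    """Return IPs challenged for more than max_users distinct users within window."""
    events = defaultdict(list)              # ip -> [(timestamp, user), ...]
    for line in lines:
        m = CHALLENGE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events[m["ip"]].append((ts, m["user"]))
    flagged = set()
    for ip, seen in events.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Advance the window start until the span fits inside `window`.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            if len({user for _, user in seen[start:end + 1]}) > max_users:
                flagged.add(ip)
                break
    return sorted(flagged)

_FMT = ("2014-06-04 {} [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) "
        "on sofia profile 'internal' for [{} at MyExternalIP] from ip {}")
SAMPLE = [_FMT.format(t, user, ip) for t, user, ip in [
    ("13:52:30.189371", "340", "62.210.142.39"),   # the five lines from the post
    ("13:52:42.789530", "341", "62.210.142.39"),
    ("13:52:55.479999", "341", "62.210.142.39"),
    ("13:53:08.289660", "342", "62.210.142.39"),
    ("13:53:21.679512", "342", "62.210.142.39"),
    ("13:50:00.000000", "1001", "192.0.2.10"),     # constructed: one phone,
    ("13:55:00.000000", "1001", "192.0.2.10"),     # same user each time
]]

if __name__ == "__main__":
    print(suspicious_ips(SAMPLE))
```

The threshold has to sit above the number of accounts that legitimately share one address, such as several phones behind the same NAT gateway.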
