[Freeswitch-users] how to ban this spammer?

Neo Haux neo.haux at gmx.com
Wed Jun 4 22:32:16 MSD 2014


Thanks Michael,

Maybe it's related to SIP, not FreeSWITCH, but how can a SIP client ask 
FS to make an external call without authentication? Shouldn't it be 
banned from making any request by FS if it doesn't find this user 
already registered?


Here is my list_users:

freeswitch@internal> list_users
userid|context|domain|group|contact|callgroup|effective_caller_id_name|effective_caller_id_number
100|default|192.168.1.1|default|sofia/internal/sip:100@192.168.1.1:5060|||
101|default|192.168.1.1|default|sofia/internal/sip:101@192.168.1.1:5061|||
102|default|192.168.1.1|default|error/user_not_registered|||
103|default|192.168.1.1|default|error/user_not_registered|||
104|default|192.168.1.1|default|error/user_not_registered|||




Subject: Re: [Freeswitch-users] how to ban this spammer?
From: Michael Jerris <mike at jerris.com>
Date: 14-06-04 02:20 PM
To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>


Yes, if you blocked everything that was challenged you would probably 
block legitimate traffic.  There is no "regex" that can tell you the 
difference between good and bad traffic like this; perhaps something 
that looks more specifically at traffic patterns could help, but that 
would be significant logic to find the right mix.  You could do 
something with iptables for rate limiting that can minimize the 
effectiveness of attacks like this.

Mike

On Jun 4, 2014, at 5:59 PM, Neo Haux <neo.haux at gmx.com> wrote:

Hi all,

I am receiving hundreds of INVITE/minute and in the log I can see:

2014-06-04 13:52:30.189371 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [340@MyExternalIP] from ip 62.210.142.39
2014-06-04 13:52:42.789530 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [341@MyExternalIP] from ip 62.210.142.39
2014-06-04 13:52:55.479999 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [341@MyExternalIP] from ip 62.210.142.39
2014-06-04 13:53:08.289660 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [342@MyExternalIP] from ip 62.210.142.39
2014-06-04 13:53:21.679512 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [342@MyExternalIP] from ip 62.210.142.39


In the /etc/fail2ban/filter.d/freeswitch.conf file I have these lines:

failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
            \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>


You can see clearly that my logs contain failure word not "auth challenge".

My question is: If I put "auth challenge" in my 
/etc/fail2ban/filter.d/freeswitch.conf, will I block regular known and 
authenticated SIP clients? If yes, could you help find the right regex 
to stop this kind of spammers?

Thank you very much in advance.
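
An added example, not part of the original thread or of FreeSWITCH/fail2ban: one way to look at the traffic pattern rather than at single "auth challenge" lines, flagging a source IP only when it is challenged for many different user IDs in a short time. The log format is the one quoted above with the user written as user@host; the threshold max_users, the window length and the sample lines (documentation IP ranges, pbx.example) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "SIP auth challenge" warning format quoted in this thread.
CHALLENGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \[WARNING\] sofia_reg\.c:\d+ "
    r"SIP auth challenge \((?:REGISTER|INVITE)\) on sofia profile '\w+' "
    r"for \[(?P<user>[^@\]]+)@[^\]]*\] from ip (?P<ip>\S+)$"
)

def enumerating_ips(lines, max_users=3, window=timedelta(minutes=5)):
    """Return IPs challenged for more than max_users distinct user IDs within window."""
    events = defaultdict(list)   # ip -> [(timestamp, user), ...] in arrival order
    flagged = set()
    for line in lines:
        m = CHALLENGE.match(line.strip())
        if not m:
            continue             # not an auth-challenge line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        seen = events[m["ip"]]
        seen.append((ts, m["user"]))
        # Drop events that have aged out of the sliding window.
        while seen and ts - seen[0][0] > window:
            seen.pop(0)
        if len({user for _, user in seen}) > max_users:
            flagged.add(m["ip"])
    return flagged

def sample_log():
    """Constructed sample: one scanner walking extensions, one phone re-registering."""
    fmt = ("2014-06-04 13:{:02d}:{:02d}.000000 [WARNING] sofia_reg.c:1532 SIP auth "
           "challenge (REGISTER) on sofia profile 'internal' for [{}@pbx.example] from ip {}")
    scanner = [fmt.format(52, 5 * i, 340 + i, "203.0.113.50") for i in range(6)]
    phone = [fmt.format(50 + i, 0, 100, "198.51.100.7") for i in range(6)]
    return sorted(scanner + phone)   # timestamp prefix sorts chronologically

if __name__ == "__main__":
    for ip in sorted(enumerating_ips(sample_log())):
        print("enumeration pattern from", ip)
```

The phone at 198.51.100.7 is challenged six times for its own extension and is never flagged, which is the legitimate traffic a plain "auth challenge" failregex would ban.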