[Freeswitch-users] how to ban this spammer?
Victor Chukalovskiy
victor.chukalovskiy at gmail.com
Wed Jun 4 22:32:52 MSD 2014
You can create and tweak another fail2ban rule specifically for this:
https://wiki.freeswitch.org/wiki/Fail2ban#SIP_DOS_Attack
On 14-06-04 01:59 PM, Neo Haux wrote:
> Hi all,
>
> I am receiving hundreds of INVITE/minute and in the log I can see:
>
> /2014-06-04 13:52:30.189371 [WARNING] sofia_reg.c:1532 SIP auth
> challenge (REGISTER) on sofia profile 'internal' for
> [340 at MyExternalIP] from ip 62.210.142.39//
> //2014-06-04 13:52:42.789530 [WARNING] sofia_reg.c:1532 SIP auth
> challenge (REGISTER) on sofia profile 'internal' for
> [341 at MyExternalIP] from ip 62.210.142.39//
> //2014-06-04 13:52:55.479999 [WARNING] sofia_reg.c:1532 SIP auth
> challenge (REGISTER) on sofia profile 'internal' for
> [341 at MyExternalIP] from ip 62.210.142.39//
> //2014-06-04 13:53:08.289660 [WARNING] sofia_reg.c:1532 SIP auth
> challenge (REGISTER) on sofia profile 'internal' for
> [342 at MyExternalIP] from ip 62.210.142.39//
> //2014-06-04 13:53:21.679512 [WARNING] sofia_reg.c:1532 SIP auth
> challenge (REGISTER) on sofia profile 'internal' for
> [342 at MyExternalIP] from ip 62.210.142.39/
>
>
> In the /etc/fail2ban/filter.d/freeswitch.conf file I have these lines:
>
> /failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\)
> on sofia profile \'\w+\' for \[.*\] from ip <HOST>
> \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on
> sofia profile \'\w+\' for \[.*\] from ip <HOST>/
>
>
> You can see clearly that my logs contain failure word not "auth
> challange".
>
> My question is : If I put "auth challange" in my
> /etc/fail2ban/filter.d/freeswitch.conf will I block regular known and
> authenticated SIP clients ? If yes, could you help find the right
> regex to stop this kind of spammers ?
>
> Thank you very much in advance.
>
>
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
>
>
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20140604/0a9f6e80/attachment.html
Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users
mailing list