[Freeswitch-users] Fail to ban rule for detecting INVITES with no challenge

Steven Ayre steveayre at gmail.com
Thu Mar 12 20:36:37 MSK 2015


Check <param name="log-auth-failures" value="true"/> is on your sofia
profiles. There should be a message when the challenge is sent and when the
call is abandoned. It's not the 'Abandoned' switch_core_state_machine.c one
but one coming from sofia_reg.c.

On 12 March 2015 at 16:28, Peter Steinbach <lists at telefaks.de> wrote:

> Hello,
>
> we receive a number of INVITEs from certain IPs who want to break into
> our system and call external premium rate numbers.
> Unwanted REGISTERs we can block already, but we still have the issue of
> blocking specific INVITEs from fraudulent IPs inside the iptables firewall.
>
> In the Freeswitch log we see:
> 2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New Channel
> sofia/internal/149 at 10.11.12.13 [167bb9ee-c8d0-11e4-9f31-b39e581405c5]
> 2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send signal
> sofia/internal/149 at 10.11.12.13 [BREAK]
> 2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send signal
> sofia/internal/149 at 10.11.12.13 [BREAK]
> 2015-03-12 16:54:38.381552 [DEBUG] switch_core_state_machine.c:472 (
> sofia/internal/149 at 10.11.12.13) Running State Change CS_NEW
> 2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841
> sofia/internal/149 at 10.11.12.13 receiving invite from 155.94.64.26:5076
> version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
> 2015-03-12 16:54:38.381552 [DEBUG] sofia.c:9008 IP 15.194.164.26 Rejected
> by acl "domains". Falling back to Digest auth.
> 2015-03-12 16:54:38.441582 [DEBUG] switch_core_state_machine.c:491 (
> sofia/internal/149 at 10.11.12.13) State NEW
> 2015-03-12 16:54:38.441582 [DEBUG] switch_core_session.c:1061 Send signal
> sofia/internal/149 at 10.11.12.13 [BREAK]
> 2015-03-12 16:54:38.441582 [DEBUG] sofia.c:2067 detaching session
> 167bb9ee-c8d0-11e4-9f31-b39e581405c5
> 2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572
> 167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149 at 10.11.12.13
> Abandoned
>
> The fraudulent IP here is 15.194.164.26 (anonymized of course). The IP
> 10.11.12.13 is the (anonymized) IP of our server.
>
> The point here is: 15.194.164.26 is sending an INVITE, Freeswitch then
> sends "authentication required". Freeswitch then logs this entry with
> "Abandoned" (see last line above) and that's it.
>
> So is there any way to make Freeswitch show a log line with the
> fraudulent IP 15.194.164.26 and some text like "abandoned"?
> Example of extending a current log line:
>     2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572
> 167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149 at 10.11.12.13
> Abandoned for IP 15.194.164.26
> This would enable us to process this entry with fail2ban and block this IP
> in the Firewall.
>
> Any other hint is welcome.
>
> --
> With kind regards
> Marvin Keil
>
> Telefaks Services GmbH, lists at telefaks.de
> Internet: www.telefaks.de
>
>
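The correlation the original poster is asking for, as an added example that is not from this thread and not FreeSWITCH or fail2ban code: a small Python log post-processor that ties the "receiving invite from <ip>" line to the later "Abandoned" line for the same channel UUID and emits one line that a fail2ban filter can match on. The regexes and the sample log are constructed from the excerpt quoted above (mailman's " at " restored to "@"); the exact wording of a real installation's log may differ, so the patterns are an assumption.

```python
import re

# Patterns assumed from the log excerpt quoted in this thread, not from FreeSWITCH source.
TS = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)")
NEW_CHANNEL = re.compile(r"New Channel (?P<chan>\S+) \[(?P<uuid>[0-9a-f-]{36})\]")
INVITE_FROM = re.compile(
    r"(?P<chan>sofia/\S+) receiving invite from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+")
ABANDONED = re.compile(
    r"switch_core_state_machine\.c:\d+ (?P<uuid>[0-9a-f-]{36}) \S+ Abandoned$")


def abandoned_invites(lines):
    """Return (timestamp, uuid, source_ip) for every INVITE whose channel was later
    logged as Abandoned, i.e. the sender never answered the Digest challenge."""
    uuid_by_chan = {}   # channel name -> uuid from its most recent "New Channel" line
    ip_by_uuid = {}     # uuid -> remote IP seen in "receiving invite from"
    hits = []
    for line in lines:
        line = line.rstrip()
        if m := NEW_CHANNEL.search(line):
            uuid_by_chan[m["chan"]] = m["uuid"]
        elif m := INVITE_FROM.search(line):
            if uuid := uuid_by_chan.get(m["chan"]):
                ip_by_uuid[uuid] = m["ip"]
        elif m := ABANDONED.search(line):
            ip = ip_by_uuid.pop(m["uuid"], None)   # unknown uuid: not an INVITE we tracked
            if ip:
                ts = TS.match(line)
                hits.append((ts["ts"] if ts else "", m["uuid"], ip))
    return hits


def fail2ban_lines(lines):
    r"""One line per abandoned INVITE; a matching fail2ban filter would be e.g.
    failregex = ^\S+ \S+ \[WARNING\] abandoned-invite \S+ Abandoned INVITE from <HOST>$"""
    return [f"{ts} [WARNING] abandoned-invite {uuid} Abandoned INVITE from {ip}"
            for ts, uuid, ip in abandoned_invites(lines)]


# Constructed sample: the thread's excerpt (with '@' restored) plus a second call
# that is never logged as Abandoned and therefore must not produce a hit.
SAMPLE_LOG = """\
2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/149@10.11.12.13 [167bb9ee-c8d0-11e4-9f31-b39e581405c5]
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841 sofia/internal/149@10.11.12.13 receiving invite from 15.194.164.26:5076 version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
2015-03-12 16:55:01.000000 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/1001@10.11.12.13 [00000000-0000-4000-8000-000000000001]
2015-03-12 16:55:01.000000 [DEBUG] sofia.c:8841 sofia/internal/1001@10.11.12.13 receiving invite from 192.0.2.10:5060 version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572 167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149@10.11.12.13 Abandoned
"""
```

Feed the output to a separate log file that fail2ban watches; a channel that is Abandoned after a normal, authenticated call would also be flagged, so this should complement the sofia_reg.c auth-failure messages rather than replace them.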