[Freeswitch-users] Fail to ban rule for detecting INVITES with no challenge
Ken Rice
krice at freeswitch.org
Thu Mar 12 23:46:00 MSK 2015
Is there a pull request on that?
On 3/12/15, 1:27 PM, "Ítalo Rossi" <italorossib at gmail.com> wrote:
> I set the JIRA status as Needs Review, hope it gets merged soon.
>
> On Thu, Mar 12, 2015 at 4:03 PM, Sergey Safarov <s.safarov at gmail.com> wrote:
>> Ítalo, I have not rewritten the patch set to use network_addr in caller profile, and the patch
>> is not merged to master.
>>
>> Sergey
>>
>> On Thu, Mar 12, 2015 at 7:51 PM, Ítalo Rossi <italorossib at gmail.com> wrote:
>>>
>>> Version?
>>>
>>> I'm almost sure this is already implemented in master.
>>>
>>> On 12/03/2015 13:43, "Kyle King" <kyle.king at quentustech.com> wrote:
>>>> Have you tried mod_fail2ban?
>>>>
>>>> On March 12, 2015 12:28:16 PM EDT, Peter Steinbach <lists at telefaks.de>
>>>> wrote:
>>>>> Hello,
>>>>>
>>>>> we receive a number of Invites from certain IPs, who want to break into
>>>>> our system and call external premium rate numbers.
>>>>> Unwanted registers we can block already, but we still have the issue to
>>>>> block specific invites from fraudulent IPs inside the iptables firewall.
>>>>>
>>>>> In the Freeswitch log we see:
>>>>> 2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New Channel
>>>>> sofia/internal/149 at 10.11.12.13 [167bb9ee-c8d0-11e4-9f31-b39e581405c5]
>>>>> 2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send signal
>>>>> sofia/internal/149 at 10.11.12.13 [BREAK]
>>>>> 2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send signal
>>>>> sofia/internal/149 at 10.11.12.13 [BREAK]
>>>>> 2015-03-12 16:54:38.381552 [DEBUG] switch_core_state_machine.c:472
>>>>> (sofia/internal/149 at 10.11.12.13) Running State Change CS_NEW
>>>>> 2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841
>>>>> sofia/internal/149 at 10.11.12.13 receiving invite from 155.94.64.26:5076
>>>>> version: 1.5.15b git 82f267a 2015-02-16
>>>>> 22:59:55Z 64bit
>>>>> 2015-03-12 16:54:38.381552 [DEBUG] sofia.c:9008 IP 15.194.164.26 Rejected
>>>>> by acl "domains". Falling back to Digest auth.
>>>>> 2015-03-12 16:54:38.441582 [DEBUG] switch_core_state_machine.c:491
>>>>> (sofia/internal/149 at 10.11.12.13) State NEW
>>>>> 2015-03-12 16:54:38.441582 [DEBUG] switch_core_session.c:1061 Send signal
>>>>> sofia/internal/149 at 10.11.12.13 [BREAK]
>>>>> 2015-03-12 16:54:38.441582 [DEBUG] sofia.c:2067 detaching session
>>>>> 167bb9ee-c8d0-11e4-9f31-b39e581405c5
>>>>> 2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572
>>>>> 167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149 at 10.11.12.13
>>>>> Abandoned
>>>>>
>>>>> The fraudulent IP here is 15.194.164.26 (anonymized of course). The IP
>>>>> 10.11.12.13 is the (anonymized) IP of our server.
>>>>>
>>>>> The point here is: 15.194.164.26 is sending an INVITE, Freeswitch then
>>>>> sends "authentication required". Freeswitch then logs this entry with
>>>>> "Abandoned" (see last line above) and that's it.
>>>>>
>>>>> So is there any way to make Freeswitch show up a log line with the
>>>>> fraudulent IP 15.194.164.26 and some text like "abandoned"?
>>>>> Example for extending a current log line:
>>>>> 2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572
>>>>> 167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149 at 10.11.12.13
>>>>> Abandoned for IP 15.194.164.26
>>>>> This would enable us to process this entry with fail2ban and block this
>>>>> IP in the Firewall.
>>>>>
>>>>> Any other hint is welcome.
>>>>>
--
Ken
http://www.FreeSWITCH.org
http://www.ClueCon.com
http://www.OSTAG.org
irc.freenode.net #freeswitch
Twitter: @FreeSWITCH
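
Added example (not part of the thread and not FreeSWITCH code): the "Abandoned" line quoted above carries only the session UUID, so this sketch joins it to the earlier "New Channel" and "receiving invite from" lines and emits one line per abandoned INVITE with the source IP. The sample log lines are constructed, unwrapped to one line each, and assume the archive's "149 at 10.11.12.13" is `149@10.11.12.13` in the real log; the output wording is hypothetical.

```python
import re

# Patterns follow the log lines quoted in the thread (one log entry per line).
NEW_CHANNEL = re.compile(r"New Channel (\S+) \[([0-9a-f-]{36})\]")
INVITE_FROM = re.compile(
    r"sofia\.c:\d+ (\S+) receiving invite from (\d{1,3}(?:\.\d{1,3}){3}):\d+")
ABANDONED = re.compile(r"\[WARNING\] \S+ ([0-9a-f-]{36}) \S+ Abandoned\s*$")


def abandoned_invite_sources(lines):
    """Yield (timestamp, source_ip) for each session logged as Abandoned."""
    uuid_by_channel = {}  # channel name -> UUID of its newest session
    ip_by_uuid = {}       # session UUID -> source IP of its INVITE
    for line in lines:
        if m := NEW_CHANNEL.search(line):
            uuid_by_channel[m.group(1)] = m.group(2)
        elif m := INVITE_FROM.search(line):
            uuid = uuid_by_channel.pop(m.group(1), None)
            if uuid:
                ip_by_uuid[uuid] = m.group(2)
        elif m := ABANDONED.search(line):
            ip = ip_by_uuid.pop(m.group(1), None)
            if ip:  # skip sessions whose INVITE line was never seen
                yield line[:26], ip
    # Note: sessions that are never abandoned stay in ip_by_uuid; a
    # long-running tailer should expire old entries.


def ban_lines(lines):
    """Render one line per abandoned INVITE, source IP last."""
    return [f"{ts} [WARNING] Abandoned INVITE for IP {ip}"
            for ts, ip in abandoned_invite_sources(lines)]


# Constructed sample: two interleaved sessions, only the first is abandoned.
U1 = "11111111-aaaa-4bbb-8ccc-000000000001"
U2 = "22222222-aaaa-4bbb-8ccc-000000000002"
SAMPLE = [
    f"2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/149@10.11.12.13 [{U1}]",
    "2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841 sofia/internal/149@10.11.12.13 receiving invite from 203.0.113.26:5076 version: 1.5.15b",
    f"2015-03-12 16:54:39.100000 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/1001@10.11.12.13 [{U2}]",
    "2015-03-12 16:54:39.100000 [DEBUG] sofia.c:8841 sofia/internal/1001@10.11.12.13 receiving invite from 198.51.100.7:5060 version: 1.5.15b",
    f"2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572 {U1} sofia/internal/149@10.11.12.13 Abandoned",
]

if __name__ == "__main__":
    print("\n".join(ban_lines(SAMPLE)))
```

Written to a separate file, these lines can be matched by a fail2ban `failregex` ending in `Abandoned INVITE for IP <HOST>$`.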