[Freeswitch-users] Fail to ban rule for detecting INVITES with no challenge

Michael Jerris mike at jerris.com
Thu Mar 12 23:16:36 MSK 2015


I want to understand why that variable is not populated and see if it can be instead of adding a new channel variable, correct.

> On Mar 12, 2015, at 4:02 PM, Sergey Safarov <s.safarov at gmail.com> wrote:
> 
> Ken, a pull request has been created: https://freeswitch.org/stash/projects/FS/repos/freeswitch/pull-requests/159/overview
> Mike rightly said that it is necessary to use a variable network_addr in caller profile
> 
> 
> On Thu, Mar 12, 2015 at 11:46 PM, Ken Rice <krice at freeswitch.org> wrote:
> Is there a pull request on that?
> 
> 
> On 3/12/15, 1:27 PM, "Ítalo Rossi" <italorossib at gmail.com> wrote:
> 
> I set the JIRA status as Needs Review, hope it gets merged soon.
> 
> On Thu, Mar 12, 2015 at 4:03 PM, Sergey Safarov <s.safarov at gmail.com> wrote:
> Ítalo, I have not rewritten the patch set to use network_addr in the caller profile, and the patch is not merged to master.
> 
> Sergey
> 
> On Thu, Mar 12, 2015 at 7:51 PM, Ítalo Rossi <italorossib at gmail.com> wrote:
> 
> Version?
> 
> I'm almost sure this is already implemented in master. 
> 
> On 12/03/2015 13:43, "Kyle King" <kyle.king at quentustech.com> wrote:
> Have you tried mod_fail2ban? 
> 
> On March 12, 2015 12:28:16 PM EDT, Peter Steinbach <lists at telefaks.de> wrote:
>     Hello,
>  
>  We receive a number of INVITEs from certain IPs, who want to break into our system and call external premium rate numbers.
>  Unwanted registers we can block already, but we still have the issue to block specific invites from fraudulent IPs inside the iptables firewall.
>  
>  In the Freeswitch log we see:
>  2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/149@10.11.12.13 [167bb9ee-c8d0-11e4-9f31-b39e581405c5]
>  2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send signal sofia/internal/149@10.11.12.13 [BREAK]
>  2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send signal sofia/internal/149@10.11.12.13 [BREAK]
>  2015-03-12 16:54:38.381552 [DEBUG] switch_core_state_machine.c:472 (sofia/internal/149@10.11.12.13) Running State Change CS_NEW
>  2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841 sofia/internal/149@10.11.12.13 receiving invite from 155.94.64.26:5076 version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
>  2015-03-12 16:54:38.381552 [DEBUG] sofia.c:9008 IP 15.194.164.26 Rejected by acl "domains". Falling back to Digest auth.
>  2015-03-12 16:54:38.441582 [DEBUG] switch_core_state_machine.c:491 (sofia/internal/149@10.11.12.13) State NEW
>  2015-03-12 16:54:38.441582 [DEBUG] switch_core_session.c:1061 Send signal sofia/internal/149@10.11.12.13 [BREAK]
>  2015-03-12 16:54:38.441582 [DEBUG] sofia.c:2067 detaching session 167bb9ee-c8d0-11e4-9f31-b39e581405c5
>  2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572 167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149@10.11.12.13 Abandoned
>  
>  The fraudulent IP here is 15.194.164.26 (anonymized of course). The IP 10.11.12.13 is the (anonymized) IP of our server.
>  
>  The point here is: 15.194.164.26 is sending an INVITE, Freeswitch then sends "authentication required". Freeswitch then logs this entry with "Abandoned" (see last line above) and that's it. 
>  
>  So is there any way to make Freeswitch show a log line with the fraudulent IP 15.194.164.26 and some text like "abandoned"?
>  Example for extending a current log line:
>      2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572 167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149@10.11.12.13 Abandoned for IP 15.194.164.26
>  This would enable us to process this entry with fail2ban and block this IP in the Firewall.
>  
>  Any other hint is welcome.
>  
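
Added example (not part of the original thread, and not FreeSWITCH or fail2ban code): the "Abandoned" line carries the session UUID and channel name but no source address, so this Python script joins it to the earlier "New Channel" and "receiving invite from" lines to recover the IP that fail2ban would need. The sample log is constructed in the format quoted above, with documentation address ranges and made-up UUIDs; the function names and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format of the log quoted in the thread
# (documentation IP ranges, made-up UUIDs; not real traffic).
SAMPLE_LOG = """\
2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/149@192.0.2.10 [167bb9ee-c8d0-11e4-9f31-b39e58140001]
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841 sofia/internal/149@192.0.2.10 receiving invite from 203.0.113.26:5076 version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
2015-03-12 16:54:39.100000 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/1001@192.0.2.10 [167bb9ee-c8d0-11e4-9f31-b39e58140002]
2015-03-12 16:54:39.100000 [DEBUG] sofia.c:8841 sofia/internal/1001@192.0.2.10 receiving invite from 198.51.100.7:5060 version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572 167bb9ee-c8d0-11e4-9f31-b39e58140001 sofia/internal/149@192.0.2.10 Abandoned
2015-03-12 16:55:02.000000 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/149@192.0.2.10 [167bb9ee-c8d0-11e4-9f31-b39e58140003]
2015-03-12 16:55:02.000000 [DEBUG] sofia.c:8841 sofia/internal/149@192.0.2.10 receiving invite from 203.0.113.26:5076 version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
2015-03-12 16:55:12.000000 [WARNING] switch_core_state_machine.c:572 167bb9ee-c8d0-11e4-9f31-b39e58140003 sofia/internal/149@192.0.2.10 Abandoned
"""

NEW_RE = re.compile(r"New Channel (\S+) \[([0-9a-f-]{36})\]")
INVITE_RE = re.compile(r"(sofia/\S+) receiving invite from (\d{1,3}(?:\.\d{1,3}){3}):\d+")
ABANDON_RE = re.compile(r"([0-9a-f-]{36}) sofia/\S+ Abandoned")

def abandoned_sources(lines):
    """Return (uuid, source_ip) for every session that ended as Abandoned."""
    uuid_by_channel = {}  # channel name -> UUID of the newest session using it
    ip_by_uuid = {}       # session UUID -> source IP of its INVITE
    hits = []
    for line in lines:
        if m := NEW_RE.search(line):
            uuid_by_channel[m.group(1)] = m.group(2)
        elif m := INVITE_RE.search(line):
            uuid = uuid_by_channel.get(m.group(1))
            if uuid:
                ip_by_uuid[uuid] = m.group(2)
        elif m := ABANDON_RE.search(line):
            ip = ip_by_uuid.pop(m.group(1), None)  # pop so state does not grow
            if ip:
                hits.append((m.group(1), ip))
    return hits

def ips_to_ban(lines, threshold=2):
    """Source IPs with at least `threshold` abandoned INVITEs."""
    counts = Counter(ip for _, ip in abandoned_sources(lines))
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for uuid, ip in abandoned_sources(SAMPLE_LOG.splitlines()):
        print(f"{uuid} Abandoned for IP {ip}")  # one line per hit, easy to match
    print("ban candidates:", ips_to_ban(SAMPLE_LOG.splitlines()))
```

Sessions that never reach "Abandoned" are left untouched, and the "receiving invite from" line is logged at DEBUG level in the quoted output, so the correlation only works when that level is being written to the log.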
