[Freeswitch-users] Fail to ban rule for detecting INVITES with no challenge

Peter Steinbach lists at telefaks.de
Fri Mar 13 00:25:53 MSK 2015


Thanks Sergey

I've installed it. That was rather simple.

I will look at the output in the next few hours.


On 03/12/15 19:44, Sergey Safarov wrote:
> Marvin, you can use the solution published
> at https://freeswitch.org/jira/browse/FS-7125
> https://freeswitch.org/stash/projects/FS/repos/freeswitch/commits/63a622decc0994d69a8e4ec223cb5359430f03d9
>
> Currently I successfully block those calls.
>
> On Thu, Mar 12, 2015 at 7:28 PM, Peter Steinbach <lists at telefaks.de
> <mailto:lists at telefaks.de>> wrote:
>
>     Hello,
>
>     we receive a number of INVITEs from certain IPs that want to break
>     into our system and call external premium-rate numbers.
>     Unwanted REGISTERs we can block already, but we still have the
>     issue of blocking specific INVITEs from fraudulent IPs in the
>     iptables firewall.
>
>     In the Freeswitch log we see:
>     2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/149@10.11.12.13 [167bb9ee-c8d0-11e4-9f31-b39e581405c5]
>     2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send signal sofia/internal/149@10.11.12.13 [BREAK]
>     2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send signal sofia/internal/149@10.11.12.13 [BREAK]
>     2015-03-12 16:54:38.381552 [DEBUG] switch_core_state_machine.c:472 (sofia/internal/149@10.11.12.13) Running State Change CS_NEW
>     2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841 sofia/internal/149@10.11.12.13 receiving invite from 155.94.64.26:5076 version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
>     2015-03-12 16:54:38.381552 [DEBUG] sofia.c:9008 IP 15.194.164.26 Rejected by acl "domains". Falling back to Digest auth.
>     2015-03-12 16:54:38.441582 [DEBUG] switch_core_state_machine.c:491 (sofia/internal/149@10.11.12.13) State NEW
>     2015-03-12 16:54:38.441582 [DEBUG] switch_core_session.c:1061 Send signal sofia/internal/149@10.11.12.13 [BREAK]
>     2015-03-12 16:54:38.441582 [DEBUG] sofia.c:2067 detaching session 167bb9ee-c8d0-11e4-9f31-b39e581405c5
>     2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572 167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149@10.11.12.13 Abandoned
>
>     The fraudulent IP here is 15.194.164.26 (anonymized of course).
>     The IP 10.11.12.13 is the (anonymized) IP of our server.
>
>     The point here is: 15.194.164.26 is sending an INVITE, Freeswitch
>     then sends "authentication required". Freeswitch then logs this
>     entry with "Abandoned" (see last line above) and that's it.
>
>     So is there any way to make Freeswitch show a log line with the
>     fraudulent IP 15.194.164.26 and some text like "abandoned"?
>     Example for extending a current log line:
>     2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572 167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149@10.11.12.13 Abandoned for IP 15.194.164.26
>     This would enable us to process this entry with fail2ban and block
>     this IP in the Firewall.
>
>     Any other hint is welcome.
>
>     -- 
>     With kind regards
>     Marvin Keil
>
>     Telefaks Services GmbH
>     mailto:lists (att) telefaks.de
>     Internet: www.telefaks.de
>
>
>     _________________________________________________________________________
>     Professional FreeSWITCH Consulting Services:
>     consulting at freeswitch.org
>     http://www.freeswitchsolutions.com
>
>     Official FreeSWITCH Sites
>     http://www.freeswitch.org
>     http://confluence.freeswitch.org
>     http://www.cluecon.com
>
>     FreeSWITCH-users mailing list
>     FreeSWITCH-users at lists.freeswitch.org
>     http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>     UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>     http://www.freeswitch.org
>


-- 
With kind regards
Peter Steinbach 

Telefaks Services GmbH
mailto:lists (att) telefaks.de
Internet: www.telefaks.de
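The correlation Marvin asks for, written here as an added Python example (not FreeSWITCH code and not the FS-7125 patch): it joins the "New Channel", "receiving invite from" and "Abandoned" lines by channel name and session UUID, so every Digest-challenged INVITE whose session is later abandoned is reported with its source IP in the "Abandoned for IP x.x.x.x" form proposed above, which a fail2ban failregex could then match. The log lines are constructed in the format of the excerpt (IPs as anonymised in the thread, plus a legitimate phone at 192.0.2.10 that answers its challenge), and the `offenders()` threshold mirrors fail2ban's maxretry.

```python
import re
from collections import Counter

# Constructed sample in the thread's log format (IPs as anonymised there); 192.0.2.10 is a legitimate phone that answers its challenge and is therefore never "Abandoned".
SAMPLE_LOG = """\
2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/149@10.11.12.13 [167bb9ee-c8d0-11e4-9f31-b39e581405c5]
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841 sofia/internal/149@10.11.12.13 receiving invite from 15.194.164.26:5076 version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:9008 IP 15.194.164.26 Rejected by acl "domains". Falling back to Digest auth.
2015-03-12 16:54:40.100000 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/1001@10.11.12.13 [aaaaaaaa-0000-0000-0000-000000000001]
2015-03-12 16:54:40.100000 [DEBUG] sofia.c:8841 sofia/internal/1001@10.11.12.13 receiving invite from 192.0.2.10:5060 version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
2015-03-12 16:54:40.100000 [DEBUG] sofia.c:9008 IP 192.0.2.10 Rejected by acl "domains". Falling back to Digest auth.
2015-03-12 16:54:41.200000 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/149@10.11.12.13 [bbbbbbbb-0000-0000-0000-000000000002]
2015-03-12 16:54:41.200000 [DEBUG] sofia.c:8841 sofia/internal/149@10.11.12.13 receiving invite from 15.194.164.26:5077 version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
2015-03-12 16:54:41.200000 [DEBUG] sofia.c:9008 IP 15.194.164.26 Rejected by acl "domains". Falling back to Digest auth.
2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572 167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149@10.11.12.13 Abandoned
2015-03-12 16:54:51.300000 [WARNING] switch_core_state_machine.c:572 bbbbbbbb-0000-0000-0000-000000000002 sofia/internal/149@10.11.12.13 Abandoned
"""

UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
RE_NEW = re.compile(rf"New Channel (?P<chan>sofia/\S+) \[(?P<uuid>{UUID})\]")
RE_INVITE = re.compile(rf"(?P<chan>sofia/\S+) receiving invite from (?P<ip>{IPV4}):\d+")
RE_CHALLENGE = re.compile(rf"IP (?P<ip>{IPV4}) Rejected by acl .*Falling back to Digest auth")
RE_ABANDON = re.compile(rf"(?P<uuid>{UUID}) (?P<chan>sofia/\S+) Abandoned\s*$")

def correlate(lines):
    """Return (report_lines, per_ip_counts); one report per Digest-challenged INVITE whose session was later Abandoned."""
    chan_uuid, uuid_ip, challenged = {}, {}, set()
    reports, counts = [], Counter()
    for line in lines:
        if m := RE_NEW.search(line):          # channel name -> newest session uuid on that channel
            chan_uuid[m["chan"]] = m["uuid"]
        elif m := RE_INVITE.search(line):     # the INVITE's source IP belongs to that newest session
            if uuid := chan_uuid.get(m["chan"]):
                uuid_ip[uuid] = m["ip"]
        elif m := RE_CHALLENGE.search(line):  # a Digest challenge was sent back to this IP
            challenged.add(m["ip"])
        elif m := RE_ABANDON.search(line):    # nobody answered the challenge for this session
            ip = uuid_ip.get(m["uuid"])
            if ip in challenged:
                counts[ip] += 1
                reports.append(f"{line.rstrip()} for IP {ip}")
    return reports, counts

def offenders(counts, maxretry=3):  # IPs at or above the fail2ban-style threshold
    return sorted(ip for ip, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    reports, counts = correlate(SAMPLE_LOG.splitlines())
    print(*reports, f"ban: {offenders(counts, maxretry=2)}", sep="\n")
```

The legitimate phone is challenged but never abandoned, so it is not counted; only the two abandoned sessions from the fraudulent IP produce reports.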
