[Freeswitch-users] Fail to ban rule for detecting INVITES with no challenge
Peter Steinbach
lists at telefaks.de
Fri Mar 13 00:25:53 MSK 2015
Thanks Sergey
i've installed it. That was rather simple.
I will look at the output in some next hours.
On 03/12/15 19:44, Sergey Safarov wrote:
> Marvin you can use solution published
> at https://freeswitch.org/jira/browse/FS-7125
> https://freeswitch.org/stash/projects/FS/repos/freeswitch/commits/63a622decc0994d69a8e4ec223cb5359430f03d9
>
> Currently I successfully block that calls
>
> On Thu, Mar 12, 2015 at 7:28 PM, Peter Steinbach <lists at telefaks.de
> <mailto:lists at telefaks.de>> wrote:
>
> Hello,
>
> we receive a number of Invites from certain IPs, who want to break
> into our system and call external premium rate numbers
> Unwanted registers we can block already, but we still have the
> issue to block specific invites from fraudulent IPs inside the
> iptables firewall.
>
> In the Freeswitch log we see:
> 2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New
> Channel sofia/internal/149 at 10.11.12.13
> <mailto:sofia/internal/149 at 10.11.12.13>
> [167bb9ee-c8d0-11e4-9f31-b39e581405c5]
> 2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send
> signal sofia/internal/149 at 10.11.12.13
> <mailto:sofia/internal/149 at 10.11.12.13> [BREAK]
> 2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send
> signal sofia/internal/149 at 10.11.12.13
> <mailto:sofia/internal/149 at 10.11.12.13> [BREAK]
> 2015-03-12 16:54:38.381552 [DEBUG] switch_core_state_machine.c:472
> (sofia/internal/149 at 10.11.12.13
> <mailto:sofia/internal/149 at 10.11.12.13>) Running State Change CS_NEW
> 2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841
> sofia/internal/149 at 10.11.12.13
> <mailto:sofia/internal/149 at 10.11.12.13> receiving invite from
> 155.94.64.26:5076 <http://155.94.64.26:5076> version: 1.5.15b git
> 82f267a 2015-02-16 22:59:55Z 64bit
> 2015-03-12 16:54:38.381552 [DEBUG] sofia.c:9008 IP 15.194.164.26
> Rejected by acl "domains". Falling back to Digest auth.
> 2015-03-12 16:54:38.441582 [DEBUG] switch_core_state_machine.c:491
> (sofia/internal/149 at 10.11.12.13
> <mailto:sofia/internal/149 at 10.11.12.13>) State NEW
> 2015-03-12 16:54:38.441582 [DEBUG] switch_core_session.c:1061 Send
> signal sofia/internal/149 at 10.11.12.13
> <mailto:sofia/internal/149 at 10.11.12.13> [BREAK]
> 2015-03-12 16:54:38.441582 [DEBUG] sofia.c:2067 detaching session
> 167bb9ee-c8d0-11e4-9f31-b39e581405c5
> 2015-03-12 16:54:48.461568 [WARNING]
> switch_core_state_machine.c:572
> 167bb9ee-c8d0-11e4-9f31-b39e581405c5
> sofia/internal/149 at 10.11.12.13
> <mailto:sofia/internal/149 at 10.11.12.13> Abandoned
>
> The fraudulent IP here is 15.194.164.26 (anonymized of course).
> The IP 10.11.12.13 is the (anonymized) IP of our server.
>
> The point here is: 15.194.164.26 is sending an INVITE, Freeswitch
> then sends "authentication required". Freeswitch then logs this
> entry with "Abandoned" (see last line above) and that's it.
>
> So Is there any way to make Freeswitch show up a log line with the
> fraudulent IP 15.194.164.26 and some text like "abandonned"?
> Example for extending a current log line
> 2015-03-12 16:54:48.461568 [WARNING]
> switch_core_state_machine.c:572
> 167bb9ee-c8d0-11e4-9f31-b39e581405c5
> sofia/internal/149 at 10.11.12.13
> <mailto:sofia/internal/149 at 10.11.12.13> Abandoned for IP
> 15.194.164.26
> This would enable us to process this entry with fail2ban and block
> this IP in the Firewall.
>
> Any other hint is welcome.
>
> --
> With kind regards
> Marvin Keil
>
> Telefaks Services GmbH
> mailto:lists (att) telefaks.de <http://telefaks.de>
> Internet: www.telefaks.de <http://www.telefaks.de>
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> <mailto:FreeSWITCH-users at lists.freeswitch.org>
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
--
With kind regards
Peter Steinbach
Telefaks Services GmbH
mailto:lists (att) telefaks.de
Internet: www.telefaks.de
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20150312/4bf0e60b/attachment.html
Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users
mailing list