[Freeswitch-users] event based sipVicious blocker
Michael Giagnocavo
mgg at giagnocavo.net
Fri Nov 13 19:23:37 MSK 2015
Of perhaps some interest if you’re blocking a large amount of IP addresses (or whitelisting client IPs) is ipset.
http://ipset.netfilter.org/
Allows you to create a set then just have one rule in iptables. Plus has an atomic swap feature so you can build up new sets “offline” then flip them in.
-Michael
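The ipset approach described above, as an added example that is not part of the original post: the function emits an `ipset restore` script that fills a temporary set and swaps it into the live one, so iptables needs only one `--match-set` rule. The set names, the block/allow file layout and the sample addresses are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Set names and sample addresses are constructed assumptions.
LIVE_SET="sip-block"       # set referenced by the single iptables rule
TEMP_SET="sip-block-new"   # set built "offline", then swapped in

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# build_restore BLOCKFILE ALLOWFILE: print an `ipset restore` script.
# Invalid lines and allowlisted client IPs are skipped; duplicates collapse.
build_restore() {
    echo "create $LIVE_SET hash:ip family inet"
    echo "create $TEMP_SET hash:ip family inet"
    echo "flush $TEMP_SET"
    sort -u "$1" | while read -r ip; do
        is_ipv4 "$ip" || continue
        grep -qxF "$ip" "$2" && continue
        echo "add $TEMP_SET $ip"
    done
    echo "swap $TEMP_SET $LIVE_SET"   # atomic: the rule never sees a half-built set
    echo "destroy $TEMP_SET"          # after the swap this holds the old entries
}

# Constructed sample input (documentation address ranges).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 203.0.113.7 198.51.100.23 203.0.113.7 not-an-ip \
        192.0.2.10 999.1.1.1 > "$dir/block"
    printf '%s\n' 192.0.2.10 > "$dir/allow"
    build_restore "$dir/block" "$dir/allow"
    rm -rf "$dir"
}
demo
# To apply as root:  build_restore block.txt allow.txt | ipset -exist restore
# One rule then covers every entry:
#   iptables -I INPUT -p udp --dport 5060 -m set --match-set sip-block src -j DROP
```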
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Sergey Safarov
Sent: Friday, November 13, 2015 2:13 AM
To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
Subject: Re: [Freeswitch-users] event based sipVicious blocker
I think a solution where the DROP/REJECT action for INVITE messages is implemented in mod_fail2ban would have high performance.
Iptables is a good solution, but it cannot help for TLS connections.
Here is my iptables status where fail2ban is configured. At present, 99% of scans are made via UDP transport and 1% via TCP.
Sergey.
On Fri, Nov 13, 2015 at 9:38 AM, jay binks <jaybinks at gmail.com> wrote:
Doing it like you want is fine for education, however it's not the best way, because it won't scale efficiently.
mod_sofia takes significant resources to consume a SIP Invite and generate events.
iptables will stop Freeswitch having to process these INVITES, thus saving CPU.
BUT you may not really care, if this is just for a home PBX.
Jay
On 13 November 2015 at 14:18, Russell Treleaven <rtreleaven at bunnykick.ca> wrote:
figured out how to use events without a socket and thought I would share.
my $con = new freeswitch::EventConsumer("CHANNEL_CREATE");
$con->bind(
    "CUSTOM",
    "sofia::pre_register"
);
while (my $e = $con->pop(1)) {
    freeswitch::consoleLog(
        "INFO",
        $e->serialize . "\n"
    );
}
On Wed, Nov 11, 2015 at 11:33 AM, Ken Rice <krice at freeswitch.org> wrote:
Why not just block it with iptables?
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "VaxSIPUserAgent" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "friendly-scanner" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "sipcli" --algo bm
These will get 99% of it because the script kiddies doing the scanning aren’t really that bright… there may be some additional strings you want to block, but these work great when combined with fail2ban's log parser.
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Russell Treleaven
Sent: Wednesday, November 11, 2015 10:29 AM
To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
Subject: [Freeswitch-users] event based sipVicious blocker
I am working on a freeswitch sipVicious blocker.
I would like to run it from within freeswitch.
Is there a way to get events while running within freeswitch without running a socket via ESL::ESLconnection?
#!/usr/bin/perl
use strict;
use warnings;
use ESL;
my $c = new ESL::ESLconnection(
    "localhost",
    "8021",
    "ClueCon"
);
$c->events(
    "plain",
    "CHANNEL_CREATE CUSTOM sofia::pre_register"
);
while ($c->connected()) {
    my $event = $c->recvEvent();
    #do some stuff
}
_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
consulting at freeswitch.org<mailto:consulting at freeswitch.org>
http://www.freeswitchsolutions.com
Official FreeSWITCH Sites
http://www.freeswitch.org
http://confluence.freeswitch.org
http://www.cluecon.com
FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org<mailto:FreeSWITCH-users at lists.freeswitch.org>
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
--
Sincerely
Jay