[Freeswitch-users] Is there a way for FS not to send back any response to INVITE

Oleg Stolyar olegstolyar at gmail.com
Thu Jun 2 01:08:22 MSD 2016


Yep, thanks for the context Ken!

On Wed, Jun 1, 2016 at 1:52 PM, Ken Rice <krice at freeswitch.org> wrote:

> Keep in mind that with SIP if the server is listening you are supposed to
> respond. Not responding is a violation of the RFC… now that being said…
> using DPI via IPTables is a perfect way to dissuade the scanners… and btw,
> if you are using TLS, they don’t even need to see SIP to know you have
> something listening on TCP on the SIP port now, your SYN-ACK in reply to
> their SYN already told them that….
>
>
>
> *From:* freeswitch-users-bounces at lists.freeswitch.org [mailto:
> freeswitch-users-bounces at lists.freeswitch.org] *On Behalf Of *Oleg Stolyar
> *Sent:* Wednesday, June 1, 2016 3:39 PM
> *To:* FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> *Subject:* Re: [Freeswitch-users] Is there a way for FS not to send back
> any response to INVITE
>
>
>
> Thanks Jurijs!
>
>
>
> Unfortunately we do need to use TLS.
>
>
>
> On Wed, Jun 1, 2016 at 1:26 PM, Jurijs Ivolga <jurijs.ivolga at gmail.com>
> wrote:
>
> Hi Oleg,
>
> With iptables you can block based on what is inside the SIP packet (of course,
> if you are not using TLS), take a look at the link below:
>
>
> http://www.bertera.it/index.php/2014/01/22/sip-facket-filtering-with-iptables/
>
> It is not the best way to achieve what you need, because as far as I know it is
> a resource-consuming operation. The best way would be to use Kamailio as a SIP
> proxy in front.
>
> With kind regards,
>
>
> Jurijs
>
>
>
> On Wed, Jun 1, 2016 at 11:05 PM, Oleg Stolyar <olegstolyar at gmail.com>
> wrote:
>
> Thanks guys!  IP tables is how we block most traffic but we can only block
> traffic by port.  In this case it's about invalid INVITES coming in on a
> valid port.
>
>
>
> Do you think this functionality would be useful?
>
> Is it worth opening a feature request and perhaps putting a bounty on it?
>
> Any idea of the effort?
>
>
>
> On Wed, Jun 1, 2016 at 1:00 PM, Michael Jerris <mike at jerris.com> wrote:
>
> The only way with our current sip module to accomplish either of these
> would be to put a sip proxy out front to handle that behavior, or to
> somehow use iptables to block the traffic
>
>
>
> On Jun 1, 2016, at 3:40 PM, Oleg Stolyar <olegstolyar at gmail.com> wrote:
>
>
>
> Hi,
>
>
>
> In order to protect against scanning attacks I'd like for FS to not
> respond to INVITES unless they match certain conditions.
>
>
>
> I understand that currently FS always responds with 100 Trying right away
> before processing the call and then, if the call does not match anything in
> the dialplan, responds with a 302 Moved Temporarily.
>
>
>
> The 302 can be replaced with another response code (for example 403
> Forbidden which is what I am doing now) using the *respond* dialplan app.
>   However, that might encourage the scanner to keep trying.
>
>
>
> So I guess there are two questions:
>
>
>
> 1. Is there a way not to send back 100 Trying at all?
>
>
>
> 2. Is there a way to not send any final response?
>
>
>
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
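
The payload-matching approach discussed in the thread, as an added example (not code from the thread or from the linked article): a generator for an iptables-restore fragment that silently drops cleartext SIP INVITEs over UDP unless they name the expected domain, plus a small emulator of the chain's decision for checking patterns against sample request lines. The domain `pbx.example.com`, the chain name `SIPFILTER` and the 200-byte search bound are assumptions; as the thread notes, none of this can see inside TLS.

```shell
#!/bin/sh
# Added example. Domain, port, chain name and WINDOW are placeholders.
WINDOW=200   # value for --to: bounds how far into each packet the search
             # runs, which keeps the per-packet cost of string matching low

# Emit an iptables-restore fragment for cleartext SIP over UDP.
#   rule 1: anything that is not an INVITE goes back to the normal ruleset
#   rule 2: an INVITE naming our domain goes back to the normal ruleset
#   rule 3: every other INVITE is dropped with no reply of any kind
sip_filter_rules() {
    domain="${1:-pbx.example.com}"
    port="${2:-5060}"
    cat <<EOF
*filter
:SIPFILTER - [0:0]
-A INPUT -p udp --dport ${port} -j SIPFILTER
-A SIPFILTER -m string ! --string "INVITE sip:" --algo bm --to ${WINDOW} -j RETURN
-A SIPFILTER -m string --string "@${domain}" --algo bm --to ${WINDOW} -j RETURN
-A SIPFILTER -j DROP
COMMIT
EOF
}

# Emulate the chain's verdict for a sample payload (ignores the --to bound).
# Lets the patterns be checked against captured request lines before loading.
sip_verdict() {
    payload="$1"
    domain="${2:-pbx.example.com}"
    case "$payload" in
        *"INVITE sip:"*) ;;                 # an INVITE: keep evaluating
        *) echo RETURN; return 0 ;;         # rule 1
    esac
    case "$payload" in
        *"@${domain}"*) echo RETURN ;;      # rule 2
        *) echo DROP ;;                     # rule 3
    esac
}

# Syntax-check without committing (as root):
#   sip_filter_rules pbx.example.com 5060 | iptables-restore --noflush --test
```

The jump into `SIPFILTER` must be evaluated before any rule that accepts the SIP port, otherwise the chain is never reached.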