[Freeswitch-users] how to block requests with From Ip equal to server interface IP?
Sergey Safarov
s.safarov at gmail.com
Sat Dec 16 05:38:20 UTC 2017
if you use domain names, then you can place FreeSwitch behind Kamailio and
implement filter on Kamailio side.
Filter logic:
1) if To header like \d+\.\d+\.\d+\.\d+ then drop packet;
2) if From header like \d+\.\d+\.\d+\.\d+ then drop packet;
Example of such filter logic you can find here
https://github.com/2600hz/kazoo-configs-kamailio/blob/master/kamailio/traffic-filter-role.cfg
пт, 15 дек. 2017 г. в 20:46, Peter Steinbach <lists at telefaks.de>:
> Hello Miguel,
>
> see here
>
> http://lists.freeswitch.org/pipermail/freeswitch-users/2011-April/071796.html
> You will need to change the line
> search="friendly-scanner"
> to
> search="Z 3.14.38765 rv2.8.3"
>
> This worked for me.
> Best regards Peter
>
>
>
> On 12/15/17 18:32, Miguel Jesús López Valverde wrote:
>
> Good afternoon everyone
>
>
>
> I get a new query regarding a type of attack that our freeswitch servers
> receive constantly in case someone knows how to block them.
>
>
>
> These are INVITE or REGISTER requests in which the FROM: field arrives
> with the ip and port equal to the public interface of the server, so the
> different protection options that I have tried have not blocked these
> requests:
>
>
>
> - IpTables can not filter by the information From the INVITE message.
>
> - Fail2Ban is equally limited than IpTables.
>
> - ACLs have not resolved to filter these requests.
>
>
>
> Does anyone know any way to block these requests?
>
>
>
> I send here a trace with an INVITE message where you can see a request of
> this type.
>
>
>
> Thanks and best regards.
>
>
>
> U 2017/12/14 18:32:55.156886 185.107.94.121:11120 -> 182.30.1.194:5060
>
> INVITE sip:390239297988@ 182.30.1.194:5060;transport=UDP SIP/2.0.
>
> Via: SIP/2.0/UDP 122.221.117.131:5060
> ;branch=z9hG4bK-524287-1---xi3qy2kz737ni404.
>
> Max-Forwards: 70.
>
> Contact: <sip:15714000000 at 122.221.117.131:5060;transport=UDP>
> <sip:15714000000 at 122.221.117.131:5060;transport=UDP>.
>
> To: <sip:390239297988@ 182.30.1.194;transport=UDP>.
>
> From: <sip:15714000000@ 182.30.1.194;transport=UDP>
> <sip:15714000000 at 182.30.1.194;transport=UDP>;tag=hlzg2jcv.
>
> Call-ID: KaQqH51mAcFv34qN8cGyv3...
>
> CSeq: 1 INVITE.
>
> Content-Type: application/sdp.
>
> User-Agent: Z 3.14.38765 rv2.8.3.
>
> Allow-Events: presence, kpml, talk.
>
> Content-Length: 0.
>
> .
>
>
>
>
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient> Libre
> de virus. www.avast.com
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>
> <#m_-1760520282224978735_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:consulting at freeswitch.orghttp://www.freeswitchsolutions.com
>
> Official FreeSWITCH Siteshttp://www.freeswitch.orghttp://confluence.freeswitch.orghttp://www.cluecon.com
>
> FreeSWITCH-users mailing listFreeSWITCH-users at lists.freeswitch.orghttp://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-usershttp://www.freeswitch.org
>
>
>
> --
> With kind regards
> Peter Steinbach
>
> Telefaks Services GmbHmailto:lists <lists> (att) telefaks.de
> Internet: www.telefaks.de
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20171216/3dee809a/attachment.html>
More information about the FreeSWITCH-users
mailing list