[Freeswitch-users] how to block requests with From Ip equal to server interface IP?

Steven Ayre steveayre at gmail.com
Sun Dec 17 22:21:25 UTC 2017


Having your server IP in the From header is not necessarily incorrect. They
aren't necessarily saying that they are sending from that IP; it could be
them saying they are a user registered on your server. I'd block it based
on something else such as user-agent or fail2ban.


On 15 December 2017 at 17:32, Miguel Jesús López Valverde <
mjlopez at smartic.es> wrote:

> Good afternoon everyone,
>
> I have a new query regarding a type of attack that our FreeSWITCH servers
> receive constantly, in case someone knows how to block them.
>
> These are INVITE or REGISTER requests in which the From: field arrives
> with the IP and port equal to the public interface of the server, so the
> different protection options that I have tried have not blocked these
> requests:
>
> - IpTables cannot filter by the information From the INVITE message.
> - Fail2Ban is just as limited as IpTables.
> - ACLs have not managed to filter these requests.
>
> Does anyone know any way to block these requests?
>
> I am sending here a trace with an INVITE message where you can see a
> request of this type.
>
> Thanks and best regards.
>
> U 2017/12/14 18:32:55.156886 185.107.94.121:11120 -> 182.30.1.194:5060
> INVITE sip:390239297988@ 182.30.1.194:5060;transport=UDP SIP/2.0.
> Via: SIP/2.0/UDP 122.221.117.131:5060;branch=z9hG4bK-524287-1---xi3qy2kz737ni404.
> Max-Forwards: 70.
> Contact: <sip:15714000000@122.221.117.131:5060;transport=UDP>.
> To: <sip:390239297988@ 182.30.1.194;transport=UDP>.
> From: <sip:15714000000@ 182.30.1.194;transport=UDP>;tag=hlzg2jcv.
> Call-ID: KaQqH51mAcFv34qN8cGyv3...
> CSeq: 1 INVITE.
> Content-Type: application/sdp.
> User-Agent: Z 3.14.38765 rv2.8.3.
> Allow-Events: presence, kpml, talk.
> Content-Length: 0.
> .
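Added example, not part of the thread and not FreeSWITCH code: a triage script for ngrep-style captures like the one quoted above. It bans on User-Agent once a source passes a fail2ban-style threshold, and treats a From host equal to the server IP only as a reason to review. SERVER_IP, the UA_DENY list, known_sources, maxretry and the sample packets are assumptions constructed for illustration.

```python
import re
from collections import Counter

SERVER_IP = "203.0.113.10"   # constructed; stands in for the server's public IP
UA_DENY = re.compile(r"friendly-scanner|sipvicious|sipcli", re.I)  # assumed site policy
PKT = re.compile(r"^U \S+ \S+ (\d+(?:\.\d+){3}):\d+ -> ")
HEADER = re.compile(r"^([A-Za-z-]+):\s*(.*)$")
FROM_HOST = re.compile(r"sips?:[^@>]*@\s*([^;>:\s]+)")

def parse_ngrep(text):
    """Yield (source_ip, headers) per packet from ngrep-style text output."""
    src, headers = None, {}
    for line in text.splitlines():
        pkt = PKT.match(line)
        if pkt:
            if src:
                yield src, headers
            src, headers = pkt.group(1), {}
            continue
        hdr = HEADER.match(line.rstrip("."))   # ngrep prints CR as a trailing "."
        if hdr and src:
            headers.setdefault(hdr.group(1).lower(), hdr.group(2).strip())
    if src:
        yield src, headers

def classify(src, headers, known_sources):
    """'ban' on a denied User-Agent; 'review' when From claims the server's
    own IP but the packet came from an address with no known endpoint."""
    if UA_DENY.search(headers.get("user-agent", "")):
        return "ban"
    host = FROM_HOST.search(headers.get("from", ""))
    if host and host.group(1) == SERVER_IP and src not in known_sources:
        return "review"
    return "ok"

def ban_candidates(text, known_sources, maxretry=3):
    """Source IPs with at least maxretry 'ban' verdicts (fail2ban-style threshold)."""
    hits = Counter(src for src, h in parse_ngrep(text)
                   if classify(src, h, known_sources) == "ban")
    return sorted(ip for ip, n in hits.items() if n >= maxretry)

def _pkt(src, ua):   # constructed packet in the layout of the quoted trace
    return (f"U 2017/12/14 18:32:55.156886 {src}:11120 -> {SERVER_IP}:5060\n"
            f"INVITE sip:100@{SERVER_IP}:5060;transport=UDP SIP/2.0.\n"
            f"From: <sip:1000@ {SERVER_IP};transport=UDP>;tag=abc.\n"
            f"User-Agent: {ua}.\n.\n")

SAMPLE = (_pkt("198.51.100.7", "friendly-scanner") * 3
          + _pkt("192.0.2.20", "ExamplePhone 1.0")
          + _pkt("198.51.100.9", "ExamplePhone 1.0"))
```

The "review" verdict is deliberately not a ban: a registered user behind a new address produces the same From host, so it only marks the source for a closer look.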