[Freeswitch-users] Open and closing channels continously

Jose David Jurado Alonso josedavid at zennio.com
Thu Aug 23 05:37:46 UTC 2018 

Thanks to all.

Effectively, in this case I had not detected it since the previous scans
were much clearer and more abusive. I already had fail2ban in mind for that
purpose.

I also use a database for the users so I do not rule out applying any
specific functionality like Don's.

Thanks again.

José David Jurado Alonso

El mié., 22 ago. 2018 a las 21:57, Don Hawkins (<hawkins at hawkinsegroup.com>)
escribió:

> Yea, just to backup Michael and provide a little more detail - this is
> totally normal. We've been dealing with SIP scanners since day one and 1001
> is for sure their favorite username.
>
> fail2ban has it's benefits in this area but at least in my case tends to
> ban valid ip's/sip endpoints that register too often regardless of what
> settings/rules we provide.
>
> Since your using a database for SIP users I'd recommend creating a custom
> solution as we've been forced to do. Basically authentication attempts
> using unrecognized usernanes have their IP blocked after 10 or so attempts.
> Also any registration attempted via IP and not a authorized domain
> (1001 at myip vs 1001 at thesipdomain) is automatically blocked using iptables.
>
> Hope this helps!
>
> Sent from my NationPCS Galaxy Note 5
>
> On Tue, Aug 21, 2018, 5:51 PM Jose David Jurado Alonso <
> josedavid at zennio.com> wrote:
>
>> Hi,
>>
>>
>> I'm just observing in the log that user 1001 (and other random users like
>> '55340115419480247') is continuously creating and closing channels.
>>
>> That users doesn't exist (I delete the folder "directory" since I use
>> database with different user names, no numbers).
>>
>> I've done a search some reference to user 1001 in all the configuration
>> and haven't found anything (using "grep -r '1001' /etc/freeswitch/*")
>>
>> Any idea why this happens? A bot or spider maybe?
>>
>>
>>
>> Log trace example:
>>
>> 2018-08-21 09:34:50.448541 [WARNING] switch_core_state_machine.c:687
>> 1f89de01-b82f-44fa-9b91-9d111c44e220 sofia/internal/1001 at 192.168.1.120
>> Abandoned
>> 2018-08-21 09:34:50.448541 [NOTICE] switch_core_state_machine.c:690
>> Hangup sofia/internal/1001 at 192.168.1.120 [CS_NEW] [WRONG_CALL_STATE]
>> 2018-08-21 09:34:50.448541 [NOTICE] switch_core_session.c:1731 Session
>> 291 (sofia/internal/1001 at 192.168.1.120) Ended
>> 2018-08-21 09:34:50.448541 [NOTICE] switch_core_session.c:1735 Close
>> Channel sofia/internal/1001 at 192.168.1.120 [CS_DESTROY]
>> 2018-08-21 09:34:51.288542 [NOTICE] switch_channel.c:1104 New Channel
>> sofia/internal/1001 at 192.168.1.120 [f8be20e3-1244-48bb-a89b-7b49382726af]
>> 2018-08-21 09:34:52.568543 [WARNING] switch_core_state_machine.c:687
>> bae7044c-4915-4a9a-9265-6e48e969ffec sofia/internal/
>> 55340115419480247 at 192.168.1.120 Abandoned
>> 2018-08-21 09:34:52.568543 [NOTICE] switch_core_state_machine.c:690
>> Hangup sofia/internal/55340115419480247 at 192.168.1.120 [CS_NEW]
>> [WRONG_CALL_STATE]
>> 2018-08-21 09:34:52.568543 [NOTICE] switch_core_session.c:1731 Session
>> 292 (sofia/internal/55340115419480247 at 192.168.1.120) Ended
>> 2018-08-21 09:34:52.568543 [NOTICE] switch_core_session.c:1735 Close
>> Channel sofia/internal/55340115419480247 at 192.168.1.120 [CS_DESTROY]
>> 2018-08-21 09:34:52.848563 [WARNING] switch_core_state_machine.c:687
>> a0a39ab8-f109-468b-8136-3ebf044c2ffd sofia/internal/1001 at 192.168.1.120
>> Abandoned
>> 2018-08-21 09:34:52.848563 [NOTICE] switch_core_state_machine.c:690
>> Hangup sofia/internal/1001 at 192.168.1.120 [CS_NEW] [WRONG_CALL_STATE]
>> 2018-08-21 09:34:52.848563 [NOTICE] switch_core_session.c:1731 Session
>> 293 (sofia/internal/1001 at 192.168.1.120) Ended
>> 2018-08-21 09:34:52.848563 [NOTICE] switch_core_session.c:1735 Close
>> Channel sofia/internal/1001 at 192.168.1.120 [CS_DESTROY]
>> 2018-08-21 09:34:54.248541 [NOTICE] switch_channel.c:1104 New Channel
>> sofia/internal/1001 at 192.168.1.120 [ef2d84f4-89e5-453d-89df-8280b129b42b]
>> 2018-08-21 09:34:55.148543 [WARNING] switch_core_state_machine.c:687
>> 9f1804f2-80d0-4fad-8e43-40f0cf2777e9 sofia/internal/1001 at 192.168.1.120
>> Abandoned
>>
>>
>> José D. Jurado Alonso
>> _________________________________________________________________________
>> Professional FreeSWITCH Services
>> sales at freeswitch.com
>> https://freeswitch.com
>>
>> Official FreeSWITCH Sites
>> https://freeswitch.com/oss
>> https://freeswitch.org/confluence
>> https://cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> https://freeswitch.com
>
> _________________________________________________________________________
> Professional FreeSWITCH Services
> sales at freeswitch.com
> https://freeswitch.com
>
> Official FreeSWITCH Sites
> https://freeswitch.com/oss
> https://freeswitch.org/confluence
> https://cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> https://freeswitch.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20180823/d57e0c4a/attachment-0001.html>

More information about the FreeSWITCH-users mailing list