[Freeswitch-users] Scanners and botnet vulnerability

Raúl Alexis Betancor Santana rbetancor at gmail.com
Mon Jan 25 22:24:01 UTC 2021


You could tell the name, SAS on France and OVH, they are both nests of bots.

On Mon, Jan 25, 2021 at 9:31 PM Ken Rice <krice at freeswitch.org> wrote:

> This is super common. This is more likely a recon attack than an actual
> brute force attempt. Either that or they are looking for something with auth
> turned off. We see tons of these things regularly. Fail2ban helps some,
> but using a SIP RBL and dropping traffic via prefixes associated with
> regions and bad actor hosts seems to be the best course of action these
> days.
>
> I won't name the company, but a major European hosting company, I drop their
> entire AS as it's not worth the hassle.
>
> Sent from my iPhone
>
> > On Jan 25, 2021, at 14:49, Marc Bernard <marcb at voicemeup.com> wrote:
> >
> > Hello All,
> >
> > Is anyone else noticing that there are more and more scanners attempting
> > brute force with no reply to auth request resulting in logging a lot of
> > abandoned calls?
> >
> > Scenario:
> >
> > - A scanner sends an INVITE|REGISTER with no credentials
> > - Freeswitch responds with authentication request and a challenge is sent to
> > logs;
> > "
> > 2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge
> > (REGISTER) on sofia profile 'public' for [1730 at 1.2.3.4] from ip 5.6.7.8"
> > - Scanner does not respond
> > - After a while, Freeswitch logs the following:
> > 2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078 [WARNING]
> > switch_core_state_machine.c:687 2ae23e93-c929-4089-a594-8e7af633ca88
> > sofia/public/1730 at 1.2.3.4 Abandoned
> >
> > --
> >
> > In our case, we made fail2ban more sensitive to auth failure logs, which
> > does not get triggered because of the scanner not even trying to send
> > credentials.
> >
> > Wouldn't it make more sense for this log to include the IP of the SIP client
> > that abandoned the call (5.6.7.8) instead of only the IP of the SIP profile
> > (1.2.3.4)?
> >
> > This would allow us to have Fail2ban block this scenario more aggressively.
> >
> > Thoughts?
> >
> >
> >
> >
> > _________________________________________________________________________
> >
> > The FreeSWITCH project is sponsored by SignalWire https://signalwire.com
> > Enhance your FreeSWITCH install with disruptive priced SMS and PSTN
> services.
> > Build your next product on our scalable cloud platform.
> >
> > Join our online community to chat in real time
> https://signalwire.community
> >
> > Professional FreeSWITCH Services
> > sales at freeswitch.com
> > https://freeswitch.com
> >
> > Official FreeSWITCH Sites
> > https://freeswitch.com/oss
> > https://freeswitch.org/confluence
> > https://cluecon.com
> >
> > FreeSWITCH-users mailing list
> > FreeSWITCH-users at lists.freeswitch.org
> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> > https://freeswitch.com
>
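Added example (not part of the thread and not FreeSWITCH project code): since the "Abandoned" line lacks the client IP, this joins it to the earlier "SIP auth challenge" line for the same profile and user@host, which does carry "from ip", and counts abandoned challenges per source address. The join key, the 120-second window, the threshold and the sample lines with documentation-range addresses are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Patterns follow the two log lines quoted in the thread. "@" is also accepted
# as " at " because the list archive obfuscates addresses that way.
TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)"
CHALLENGE = re.compile(
    TS + r" \[WARNING\] sofia_reg\.c:\d+ SIP auth challenge \(\w+\) "
    r"on sofia profile '(?P<profile>[^']+)' for \[(?P<user>[^\]@ ]+)(?:@| at )"
    r"(?P<host>[^\]]+)\] from ip (?P<ip>[0-9A-Fa-f.:]+)")
ABANDONED = re.compile(
    TS + r" \[WARNING\] switch_core_state_machine\.c:\d+ \S+ "
    r"sofia/(?P<profile>[^/]+)/(?P<user>[^@ ]+)(?:@| at )(?P<host>\S+) Abandoned")

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")

def attribute_abandoned(lines, window=timedelta(seconds=120)):
    """Count Abandoned channels per source IP via the preceding challenge line."""
    last_challenge = {}  # (profile, user, host) -> (time, source ip)
    hits = Counter()
    for line in lines:
        m = CHALLENGE.search(line)
        if m:
            # Caveat: if two sources probe the same user@host, the latest one wins.
            key = (m["profile"], m["user"], m["host"])
            last_challenge[key] = (parse_ts(m["ts"]), m["ip"])
            continue
        m = ABANDONED.search(line)
        if m:
            seen = last_challenge.pop((m["profile"], m["user"], m["host"]), None)
            if seen and parse_ts(m["ts"]) - seen[0] <= window:
                hits[seen[1]] += 1
    return hits

def offenders(hits, threshold=2):
    """Source IPs with at least `threshold` abandoned challenges, sorted."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)

# Constructed sample lines modelled on the log format quoted in the thread.
C = "[WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'public' for"
A = "[WARNING] switch_core_state_machine.c:687"
SAMPLE = [
    f"2021-01-25 12:27:39.306075 {C} [1730@192.0.2.10] from ip 198.51.100.7",
    f"2021-01-25 12:27:40.100000 {C} [1731@192.0.2.10] from ip 198.51.100.7",
    f"2021-01-25 12:27:41.000000 {C} [2000@192.0.2.10] from ip 203.0.113.9",
    f"aaaa 2021-01-25 12:28:37.506078 {A} aaaa sofia/public/1730@192.0.2.10 Abandoned",
    f"bbbb 2021-01-25 12:28:38.000000 {A} bbbb sofia/public/1731@192.0.2.10 Abandoned",
]

if __name__ == "__main__":
    print(offenders(attribute_abandoned(SAMPLE)))
```

The list returned by offenders() can be written to a log that a Fail2ban filter watches, or fed to whatever blocklist mechanism is already in use.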