[Freeswitch-users] Scanners and botnet vulnerability

Marc Bernard marcb at voicemeup.com
Fri Jan 29 15:34:39 UTC 2021


Hi Ken,

>> Wouldn't it make more sense for this log to include the IP of sip client that abandoned the call (5.6.7.8) instead of only the IP of the sip profile (1.2.3.4)?

What about my suggestion though, which would allow us to block IPs when there are a lot of abandoned calls?

This could also be added to fail2ban by default with a more aggressive ban.

Cheers,


-----Original Message-----

This is super common. This is more likely a recon attack than an actual brute force attempt. Either that or they are looking for something with auth turned off. We see tons of these things regularly. Fail2ban helps some, but using a SIP RBL and dropping traffic via prefixes associated with regions and bad actor hosts seems to be the best course of action these days.

I won't name the company, but a major European hosting company, I drop their entire AS as it's not worth the hassle.



