[Freeswitch-users] Will fail2ban work for this?

Sergey Safarov s.safarov at gmail.com
Wed Mar 17 05:30:01 UTC 2021 

mod_failban designed to log auth failure.
So not need to parse all FreeSwitch logs by failban daemon.

Sergey

On Wed, Mar 17, 2021 at 5:48 AM mayamatakeshi <mayamatakeshi at gmail.com>
wrote:

>
>
> On Wed, Mar 17, 2021 at 8:37 AM Steven Schoch <
> schoch+freeswitch.org at xwin32.com> wrote:
>
>> I just set up a new FreeSWITCH system on my home network, and set a
>> forward for port 5080 to connect to Flowroute. While I'm debugging some
>> call routing stuff, my logs are getting overrun with stuff like this:
>>
>> 2021-03-16 15:52:02.267501 [NOTICE] switch_channel.c:1118 New Channel
>> sofia/external/7750@<my IP> [2de89b87-cd07-4c0f-b9fb-3da8e5a68d37]
>>
>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:585
>> (sofia/external/7750@<my IP>) Running State Change CS_NEW (Cur 1 Tot
>> 7822)
>>
>> 2021-03-16 15:52:02.267501 [DEBUG] sofia.c:10280 sofia/external/7750@<my
>> IP> receiving invite from 80.94.93.12:62635 version: 1.10.5
>> -release-17-25569c1631 64bit
>>
>> 2021-03-16 15:52:02.267501 [DEBUG] sofia.c:7326 Channel
>> sofia/external/7750@<my IP> entering state [received][100]
>>
>> 2021-03-16 15:52:02.267501 [DEBUG] sofia.c:7336 Remote SDP:
>>
>> v=0
>>
>> o=- 81921704 81921704 IN IP4 0.0.0.0
>>
>> s=pplsip
>>
>> c=IN IP4 0.0.0.0
>>
>> t=0 0
>>
>> m=audio 7628 RTP/AVP 100 6 0 8 3 18 5 101
>>
>> a=rtpmap:100 speex/16000
>>
>> a=rtpmap:101 telephone-event/8000
>>
>> a=fmtp:101 0-11
>>
>> a=alt:1 1 : DF50DC48 0000001F 0.0.0.0 7628
>>
>>
>> 2021-03-16 15:52:02.267501 [DEBUG] sofia.c:7739 (sofia/external/7750@<my
>> IP>) State Change CS_NEW -> CS_INIT
>>
>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:604
>> (sofia/external/7750@<my IP>) State NEW
>>
>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:585
>> (sofia/external/7750@<my IP>) Running State Change CS_INIT (Cur 1 Tot
>> 7822)
>>
>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:628
>> (sofia/external/7750@<my IP>) State INIT
>>
>> 2021-03-16 15:52:02.267501 [DEBUG] mod_sofia.c:93 sofia/external/7750@<my
>> IP> SOFIA INIT
>>
>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:40
>> sofia/external/7750@<my IP> Standard INIT
>>
>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:48
>> (sofia/external/7750@<my IP>) State Change CS_INIT -> CS_ROUTING
>>
>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:628
>> (sofia/external/7750@<my IP>) State INIT going to sleep
>>
>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:585
>> (sofia/external/7750@<my IP>) Running State Change CS_ROUTING (Cur 1 Tot
>> 7822)
>>
>> 2021-03-16 15:52:02.267501 [DEBUG] switch_channel.c:2332
>> (sofia/external/7750@<my IP>) Callstate Change DOWN -> RINGING
>>
>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:644
>> (sofia/external/7750@<my IP>) State ROUTING
>>
>> 2021-03-16 15:52:02.267501 [DEBUG] mod_sofia.c:154 sofia/external/7750@<my
>> IP> SOFIA ROUTING
>>
>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:236
>> sofia/external/7750@<my IP> Standard ROUTING
>>
>> 2021-03-16 15:52:02.267501 [INFO] mod_dialplan_xml.c:637 Processing 7750
>> <7750>->900442037697855 in context public
>>
>>
>> I thought fail2ban was designed for stuff like this, but I don't see any
>> auth attempts here (I set "log-auth-failures" to "true"). These are coming
>> in a bit faster than 1 per second. It appears they are dialing random
>> extensions. How can I make them stop?
>>
>
> I suppose:
>   "in context public"
> in the above log indicates the call entered your FS without need for
> authentication.
> So you should switch to a context/profile that requires authentication.,
> then log-auth-failures should work.
>
>
>
> _________________________________________________________________________
>
> The FreeSWITCH project is sponsored by SignalWire https://signalwire.com
> Enhance your FreeSWITCH install with disruptive priced SMS and PSTN
> services.
> Build your next product on our scalable cloud platform.
>
> Join our online community to chat in real time
> https://signalwire.community
>
> Professional FreeSWITCH Services
> sales at freeswitch.com
> https://freeswitch.com
>
> Official FreeSWITCH Sites
> https://freeswitch.com/oss
> https://freeswitch.org/confluence
> https://cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> https://freeswitch.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20210317/e0f36390/attachment-0001.html>

More information about the FreeSWITCH-users mailing list