It's pretty normal to see a crawler every so often that tries to brute-force the username/password combo on SIP servers. Most of them are kiddie scripts online and shouldn't last long. If you want to make sure they don't even talk to the FS, iptables is a good way, but you can only do so much by banning one IP address. fail2ban is a much better solution for future Denial of Service (DoS) attacks.<div>
<br></div><div>Regardless of any preventative you go with, make sure you don't have any SIP accounts with easy-to-guess passwords. Depending on their script, it wouldn't take too long to brute-force dictionary-based passwords.</div>
<div><br></div><div>Frank</div><div><br></div><div><br><br><div class="gmail_quote">On Sat, Jan 29, 2011 at 7:45 PM, Madovsky <span dir="ltr"><<a href="mailto:infos@madovsky.org">infos@madovsky.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="#ffffff">
<div><font size="2">fail2ban on wiki</font></div>
<blockquote style="border-left:#000000 2px solid;padding-left:5px;padding-right:0px;margin-left:5px;margin-right:0px"><div><div></div><div class="h5">
<div style="font:10pt arial">----- Original Message ----- </div>
<div style="font:10pt arial;background:#e4e4e4"><b>From:</b>
<a title="joaocarlosleme@gmail.com" href="mailto:joaocarlosleme@gmail.com" target="_blank">Joao
Leme</a> </div>
<div style="font:10pt arial"><b>To:</b> <a title="freeswitch-users@lists.freeswitch.org" href="mailto:freeswitch-users@lists.freeswitch.org" target="_blank">FreeSWITCH Users Help</a>
</div>
<div style="font:10pt arial"><b>Sent:</b> Saturday, January 29, 2011 7:20
PM</div>
<div style="font:10pt arial"><b>Subject:</b> Re: [Freeswitch-users] Hacker
Attack?</div>
<div><br></div>How do I do that?
<div>Thanks!</div>
<div><br>
<div class="gmail_quote">On Sat, Jan 29, 2011 at 4:12 PM, curriegrad2004 <span dir="ltr"><<a href="mailto:curriegrad2004@gmail.com" target="_blank">curriegrad2004@gmail.com</a>></span>
wrote:<br>
<blockquote style="border-left:#ccc 1px solid;margin:0px 0px 0px 0.8ex;padding-left:1ex" class="gmail_quote">Try using iptables and block all incoming traffic from
this specific host?<br>
<div>
<div></div>
<div><br>On Sat, Jan 29, 2011 at 3:39 PM, Joao Leme <<a href="mailto:joaocarlosleme@gmail.com" target="_blank">joaocarlosleme@gmail.com</a>>
wrote:<br>> I just downloaded and compiled the latest Git and a little
after starting<br>> freeswitch I'm getting non stop the
following:<br>> [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER)
on sofia profile<br>> ‘internal’ for [140@76.XXX.XX.XXX] from ip
212.224.71.236<br>> [WARNING] sofia_reg.c:1247 SIP auth challenge
(REGISTER) on sofia profile<br>> ‘internal’ for [140@76.XXX.XX.XXX] from
ip 212.224.71.236<br>> [WARNING] sofia_reg.c:1247 SIP auth challenge
(REGISTER) on sofia profile<br>> ‘internal’ for [thomas@76.XXX.XX.XXX]
from ip 212.224.71.236<br>> [WARNING] sofia_reg.c:1247 SIP auth challenge
(REGISTER) on sofia profile<br>> ‘internal’ for [thomas@76.XXX.XX.XXX]
from ip 212.224.71.236<br>> [WARNING] sofia_reg.c:1247 SIP auth challenge
(REGISTER) on sofia profile<br>> ‘internal’ for [140@76.XXX.XX.XXX] from
ip 212.224.71.236<br>> [WARNING] sofia_reg.c:1247 SIP auth challenge
(REGISTER) on sofia profile<br>> ‘internal’ for [140@76.XXX.XX.XXX] from
ip 212.224.71.236<br>> [WARNING] sofia_reg.c:1247 SIP auth challenge
(REGISTER) on sofia profile<br>> ‘internal’ for [thomas@76.XXX.XX.XXX]
from ip 212.224.71.236<br>> [WARNING] sofia_reg.c:1247 SIP auth challenge
(REGISTER) on sofia profile<br>> ‘internal’ for [thomas@76.XXX.XX.XXX]
from ip 212.224.71.236<br>> [WARNING] sofia_reg.c:1247 SIP auth challenge
(REGISTER) on sofia profile<br>> ‘internal’ for [140@76.XXX.XX.XXX] from
ip 212.224.71.236<br>> [WARNING] sofia_reg.c:1247 SIP auth challenge
(REGISTER) on sofia profile<br>> ‘internal’ for [140@76.XXX.XX.XXX] from
ip 212.224.71.236<br>> [WARNING] sofia_reg.c:1247 SIP auth challenge
(REGISTER) on sofia profile<br>> ‘internal’ for [thomas@76.XXX.XX.XXX]
from ip 212.224.71.236<br>> [WARNING] sofia_reg.c:1247 SIP auth challenge
(REGISTER) on sofia profile<br>> ‘internal’ for [thomas@76.XXX.XX.XXX]
from ip 212.224.71.236<br>> It's non-stop and doesn't let me do anything
else. After the first time I<br>> went on to vars and changed the 1234
password... restarted and the same thing<br>> happened. I also tried denying
the IP in acl.conf (not sure if it has something<br>> to do with it but gave
it a try):<br>><br>> <configuration name="acl.conf"
description="Network Lists"><br>>
<network-lists><br>> <list
name="test2" default="allow"><br>>
<node type="deny" host="212.224.71.236"
mask="255.255.255.0"/><br>>
</list><br>>
</network-lists><br>>
</configuration><br>><br>> Restarted the computer but nothing,
he (thomas I guess) was back on my<br>> console.<br>><br>> Any
ideas??? p.s. My computer is on DMZ (I know DMZ is not ideal but is
the<br>> only way I got to be able to connect to the internal profile
from out of the<br>> office etc).<br></div></div>>
_______________________________________________<br>> FreeSWITCH-users
mailing list<br>> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>><br>><br><br>
</blockquote></div><br></div>
</div></div><p>
</p><hr><div class="im">
<p></p>
</div><p></p></blockquote></div>
<br></blockquote></div><br><br clear="all"><br>-- <br><div><br></div><div>----=======================----</div><div>Frank Park</div><div>Telonium Communications, LLC</div><div><a href="mailto:frank@telonium.com" target="_blank">frank@telonium.com</a></div>
<div><a href="http://www.telonium.com" target="_blank">http://www.telonium.com</a></div><div>Follow Us on Twitter: @GetTelonium</div><div>404-566-8888 x1001 Office</div><div>404-939-4242 Cell</div><div>----=======================----</div>
<div><br></div><br>
</div>
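The per-source counting that a fail2ban-style filter performs on the warnings quoted in this thread, as an added example that is not part of the original messages or of fail2ban itself. The timestamp prefix, the sample lines and the function names are assumptions made for illustration; the thresholds mirror fail2ban's maxretry and findtime settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Message text follows the warning quoted in this thread; the leading
# timestamp layout is an assumption about the log file format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? \[WARNING\] "
    r"sofia_reg\.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile \S+ "
    r"for \[(?P<user>[^@\]]+)@[^\]]+\] from ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def parse_line(line):
    """Return (timestamp, user, source_ip), or None for unrelated lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]

def find_offenders(lines, max_retry=5, find_time=60):
    """Map each IP with >= max_retry challenges inside find_time seconds
    to the sorted usernames it tried within that window."""
    window = timedelta(seconds=find_time)
    recent = defaultdict(deque)   # ip -> (timestamp, user) still in window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        hits = recent[ip]
        hits.append((ts, user))
        while ts - hits[0][0] > window:   # drop hits older than the window
            hits.popleft()
        if len(hits) >= max_retry and ip not in offenders:
            offenders[ip] = sorted({u for _, u in hits})
    return offenders

def _line(sec, user, ip):
    # Constructed sample line; all addresses are documentation ranges.
    return (f"2011-01-29 15:39:{sec:02d}.000000 [WARNING] sofia_reg.c:1247 "
            f"SIP auth challenge (REGISTER) on sofia profile 'internal' "
            f"for [{user}@198.51.100.10] from ip {ip}")

SAMPLE_LOG = [_line(s, u, "203.0.113.50") for s, u in
              enumerate(["140", "140", "thomas", "thomas", "140", "140"])]
SAMPLE_LOG.append(_line(10, "1001", "192.0.2.7"))   # one normal registration
SAMPLE_LOG.append("2011-01-29 15:39:11.000000 [NOTICE] unrelated line")

if __name__ == "__main__":
    for ip, users in find_offenders(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: tried {users}")
```

A digest challenge is also sent to legitimate phones when they register, so the threshold has to sit above the normal re-registration rate of your own endpoints.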