then setup and run Fail2Ban <div><meta http-equiv="content-type" content="text/html; charset=utf-8"><a href="http://wiki.freeswitch.org/wiki/Fail2ban">http://wiki.freeswitch.org/wiki/Fail2ban</a></div><div><br></div><div>and to help with the register flood you should look at using kristian's </div>
<div>SIP Dos script to put packet per sec limits on registers.</div><div><br></div><div><meta http-equiv="content-type" content="text/html; charset=utf-8"><a href="http://etel.wiki.oreilly.com/wiki/index.php/SIP_DoS/DDoS_Mitigation">http://etel.wiki.oreilly.com/wiki/index.php/SIP_DoS/DDoS_Mitigation</a></div>
<div><br></div><div>Jay</div><div><br></div><div><br><div class="gmail_quote">On Thu, Mar 31, 2011 at 8:46 AM, Michael Collins <span dir="ltr"><<a href="mailto:msc@freeswitch.org">msc@freeswitch.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Sounds like the friend-scanner. Check this out:<div><a href="http://wiki.freeswitch.org/wiki/FS_weekly_2011_02_23#Featured_Presentation" target="_blank">http://wiki.freeswitch.org/wiki/FS_weekly_2011_02_23#Featured_Presentation</a></div>
<div>
<br></div><div>Of course, you should look into those packets to see what, exactly they are. Also, if you can block that IP address outright on your firewall that would be good, too.</div><div><br></div><div><font color="#888888">-MC</font><div>
<div></div><div class="h5"><br><br><div class="gmail_quote">
On Wed, Mar 30, 2011 at 3:39 PM, Brian May <span dir="ltr"><<a href="mailto:brian@microcomaustralia.com.au" target="_blank">brian@microcomaustralia.com.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello,<br>
<br>
This morning, I got the following message:<br>
<br>
[241824.279299] Out of memory: kill process 20570 (freeswitch) score<br>
17388 or a child<br>
<br>
Since then I have plenty of memory.<br>
<br>
Since then I have noticed that I am receiving almost 400 packets a<br>
second along the lines of:<br>
<br>
2011-03-31 06:57:25.541284 [WARNING] sofia_reg.c:1246 SIP auth<br>
challenge (REGISTER) on sofia profile 'internal' for<br>
[<a href="mailto:224586792@59.167.180.194" target="_blank">224586792@59.167.180.194</a>] from ip <a href="tel:95.154.248.17" target="_blank">95.154.248.17</a><br>
2011-03-31 06:57:25.543256 [WARNING] sofia_reg.c:1246 SIP auth<br>
challenge (REGISTER) on sofia profile 'internal' for<br>
[<a href="mailto:3728015026@59.167.180.194" target="_blank">3728015026@59.167.180.194</a>] from ip <a href="tel:95.154.248.17" target="_blank">95.154.248.17</a><br>
2011-03-31 06:57:25.547261 [WARNING] sofia_reg.c:1246 SIP auth<br>
challenge (REGISTER) on sofia profile 'internal' for<br>
[<a href="mailto:224586792@59.167.180.194" target="_blank">224586792@59.167.180.194</a>] from ip <a href="tel:95.154.248.17" target="_blank">95.154.248.17</a><br>
2011-03-31 06:57:25.559259 [WARNING] sofia_reg.c:1246 SIP auth<br>
challenge (REGISTER) on sofia profile 'internal' for<br>
[<a href="mailto:3728015026@59.167.180.194" target="_blank">3728015026@59.167.180.194</a>] from ip <a href="tel:95.154.248.17" target="_blank">95.154.248.17</a><br>
2011-03-31 06:57:25.564311 [WARNING] sofia_reg.c:1246 SIP auth<br>
challenge (REGISTER) on sofia profile 'internal' for<br>
[<a href="mailto:224586792@59.167.180.194" target="_blank">224586792@59.167.180.194</a>] from ip <a href="tel:95.154.248.17" target="_blank">95.154.248.17</a><br>
2011-03-31 06:57:25.574287 [WARNING] sofia_reg.c:1246 SIP auth<br>
challenge (REGISTER) on sofia profile 'internal' for<br>
[<a href="mailto:3728015026@59.167.180.194" target="_blank">3728015026@59.167.180.194</a>] from ip <a href="tel:95.154.248.17" target="_blank">95.154.248.17</a><br>
2011-03-31 06:57:25.578259 [WARNING] sofia_reg.c:1246 SIP auth<br>
challenge (REGISTER) on sofia profile 'internal' for<br>
[<a href="mailto:3728015026@59.167.180.194" target="_blank">3728015026@59.167.180.194</a>] from ip <a href="tel:95.154.248.17" target="_blank">95.154.248.17</a><br>
2011-03-31 06:57:25.587276 [WARNING] sofia_reg.c:1246 SIP auth<br>
challenge (REGISTER) on sofia profile 'internal' for<br>
[<a href="mailto:224586792@59.167.180.194" target="_blank">224586792@59.167.180.194</a>] from ip <a href="tel:95.154.248.17" target="_blank">95.154.248.17</a><br>
2011-03-31 06:57:25.593266 [WARNING] sofia_reg.c:1246 SIP auth<br>
challenge (REGISTER) on sofia profile 'internal' for<br>
[<a href="mailto:3728015026@59.167.180.194" target="_blank">3728015026@59.167.180.194</a>] from ip <a href="tel:95.154.248.17" target="_blank">95.154.248.17</a><br>
2011-03-31 06:57:25.595256 [WARNING] sofia_reg.c:1246 SIP auth<br>
challenge (REGISTER) on sofia profile 'internal' for<br>
[<a href="mailto:3728015026@59.167.180.194" target="_blank">3728015026@59.167.180.194</a>] from ip <a href="tel:95.154.248.17" target="_blank">95.154.248.17</a><br>
<br>
These packets continue even though I stoped freeswitch:<br>
<br>
09:38:30.132408 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length: 362<br>
09:38:30.132915 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length: 366<br>
09:38:30.137077 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length: 362<br>
09:38:30.138790 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length: 364<br>
09:38:30.142020 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length: 361<br>
09:38:30.144696 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length: 366<br>
09:38:30.147442 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length: 362<br>
09:38:30.150147 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length: 366<br>
09:38:30.153407 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length: 362<br>
09:38:30.155827 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length: 367<br>
09:38:30.159236 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length: 363<br>
09:38:30.161730 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length: 366<br>
09:38:30.165435 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length: 363<br>
09:38:30.168153 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length: 366<br>
<br>
I don't recognise this IP address - <a href="tel:95.154.248.17" target="_blank">95.154.248.17</a>.<br>
<br>
Could this be related to the out of memory issue? If so, does this<br>
indicate some sort of memory leak inside freeswitch? Or is this normal<br>
expected behaviour when receiving so many connection attempts?<br>
<br>
Thanks<br>
--<br>
Brian May <<a href="mailto:brian@microcomaustralia.com.au" target="_blank">brian@microcomaustralia.com.au</a>><br>
<br>
_______________________________________________<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
</blockquote></div><br></div></div></div>
<br>_______________________________________________<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Sincerely<br><br>Jay<br>
</div>