<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">You can create and tweak another
fail2ban rule specifically for this:<br>
<a class="moz-txt-link-freetext" href="https://wiki.freeswitch.org/wiki/Fail2ban#SIP_DOS_Attack">https://wiki.freeswitch.org/wiki/Fail2ban#SIP_DOS_Attack</a><br>
On 14-06-04 01:59 PM, Neo Haux wrote:<br>
</div>
<blockquote cite="mid:538F5E6A.1040507@gmx.com" type="cite">
Hi all,<br>
<br>
I am receiving hundreds of INVITE/minute and in the log I can see:<br>
<br>
<small><i>2014-06-04 13:52:30.189371 [WARNING] sofia_reg.c:1532
SIP auth challenge (REGISTER) on sofia profile 'internal' for
[340@MyExternalIP] from ip 62.210.142.39</i><i><br>
</i><i>2014-06-04 13:52:42.789530 [WARNING] sofia_reg.c:1532 SIP
auth challenge (REGISTER) on sofia profile 'internal' for
[341@MyExternalIP] from ip 62.210.142.39</i><i><br>
</i><i>2014-06-04 13:52:55.479999 [WARNING] sofia_reg.c:1532 SIP
auth challenge (REGISTER) on sofia profile 'internal' for
[341@MyExternalIP] from ip 62.210.142.39</i><i><br>
</i><i>2014-06-04 13:53:08.289660 [WARNING] sofia_reg.c:1532 SIP
auth challenge (REGISTER) on sofia profile 'internal' for
[342@MyExternalIP] from ip 62.210.142.39</i><i><br>
</i><i>2014-06-04 13:53:21.679512 [WARNING] sofia_reg.c:1532 SIP
auth challenge (REGISTER) on sofia profile 'internal' for
[342@MyExternalIP] from ip 62.210.142.39</i></small><br>
<br>
<br>
In the /etc/fail2ban/filter.d/freeswitch.conf file I have these
lines:<br>
<br>
<i><small>failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure
\(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip
&lt;HOST&gt;<br>
\[WARNING\] sofia_reg.c:\d+ SIP auth failure
\(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip
&lt;HOST&gt;</small></i><br>
<br>
<br>
You can see clearly that my logs contain failure word not "auth
challenge".<br>
<br>
My question is: If I put "auth challenge" in my
/etc/fail2ban/filter.d/freeswitch.conf will I block regular known
and authenticated SIP clients? If yes, could you help find the
right regex to stop this kind of spammers?<br>
<br>
Thank you very much in advance.<br>
</blockquote>
<br>
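<p>Added example (not part of the thread, and not FreeSWITCH or fail2ban code): a Python sketch of the question above, replaying constructed log lines through the "auth failure" and "auth challenge" patterns with a fail2ban-style maxretry/findtime window. It assumes a legitimate phone is challenged once per REGISTER before it authenticates; the addresses, user names and both threshold pairs are constructed for illustration.</p>

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Same shape as the filter quoted in the thread; only the keyword differs.
# (fail2ban would use its host token where this sketch captures an IPv4 address.)
LINE = (r"^(\S+ \S+) \[WARNING\] sofia_reg\.c:\d+ SIP auth %s "
        r"\((?:REGISTER|INVITE)\) on sofia profile '\w+' for \[.*\] from ip "
        r"(\d+\.\d+\.\d+\.\d+)$")
FAILURE = re.compile(LINE % "failure")
CHALLENGE = re.compile(LINE % "challenge")

def make_line(ts, kind, user, ip):
    """Build one constructed log line in the format shown in the thread."""
    return ("%s [WARNING] sofia_reg.c:1532 SIP auth %s (REGISTER) on sofia "
            "profile 'internal' for [%s@pbx.example] from ip %s"
            % (ts.strftime("%Y-%m-%d %H:%M:%S.%f"), kind, user, ip))

def sample_log():
    """Constructed traffic: one phone re-registering, one source flooding."""
    t0 = datetime(2014, 6, 4, 13, 52, 0)
    lines = []
    # Assumed legitimate phone: challenged once per REGISTER, once a minute.
    for i in range(10):
        lines.append(make_line(t0 + timedelta(seconds=60 * i),
                               "challenge", "1001", "198.51.100.10"))
    # Flooding source: 5 challenged requests per second for 20 seconds.
    for i in range(100):
        lines.append(make_line(t0 + timedelta(seconds=0.2 * i),
                               "challenge", str(340 + i), "203.0.113.7"))
    return sorted(lines)  # fixed-width timestamps sort chronologically

def banned(lines, pattern, maxretry, findtime):
    """IPs with at least maxretry matches inside any findtime-second window."""
    recent, out = defaultdict(deque), set()
    for line in lines:
        m = pattern.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        window = recent[m.group(2)]
        window.append(ts)
        # Drop matches that have aged out of the sliding window.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            out.add(m.group(2))
    return out
```

<p>With a low count over a long window the challenge pattern also bans the re-registering phone; a rate-style threshold (many matches in a short window) separates the two sources.</p>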
</body>
</html>