<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi all,<br>
<br>
I am receiving hundreds of INVITE/minute and in the log I can see:<br>
<br>
<small><i>2014-06-04 13:52:30.189371 [WARNING] sofia_reg.c:1532 SIP
auth challenge (REGISTER) on sofia profile 'internal' for
[340@MyExternalIP] from ip 62.210.142.39</i><i><br>
</i><i>2014-06-04 13:52:42.789530 [WARNING] sofia_reg.c:1532 SIP
auth challenge (REGISTER) on sofia profile 'internal' for
[341@MyExternalIP] from ip 62.210.142.39</i><i><br>
</i><i>2014-06-04 13:52:55.479999 [WARNING] sofia_reg.c:1532 SIP
auth challenge (REGISTER) on sofia profile 'internal' for
[341@MyExternalIP] from ip 62.210.142.39</i><i><br>
</i><i>2014-06-04 13:53:08.289660 [WARNING] sofia_reg.c:1532 SIP
auth challenge (REGISTER) on sofia profile 'internal' for
[342@MyExternalIP] from ip 62.210.142.39</i><i><br>
</i><i>2014-06-04 13:53:21.679512 [WARNING] sofia_reg.c:1532 SIP
auth challenge (REGISTER) on sofia profile 'internal' for
[342@MyExternalIP] from ip 62.210.142.39</i></small><br>
<br>
<br>
In the /etc/fail2ban/filter.d/freeswitch.conf file I have these
lines:<br>
<br>
<i><small>failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure
\(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip
<HOST><br>
\[WARNING\] sofia_reg.c:\d+ SIP auth failure
\(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip
<HOST></small></i><br>
<br>
<br>
You can see clearly that my logs contain failure word not "auth
challange".<br>
<br>
My question is : If I put "auth challange" in my
/etc/fail2ban/filter.d/freeswitch.conf will I block regular known
and authenticated SIP clients ? If yes, could you help find the
right regex to stop this kind of spammers ?<br>
<br>
Thank you very much in advance.<br>
<br>
<br>
</body>
</html>