<html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Yes, if you blocked everything that was challenged you would probably block legitimate traffic. There is no "regex" that can tell you the difference between good and bad traffic like this; perhaps something that looks more specifically at traffic patterns could help, but that would be significant logic to find the right mix. You could do something with iptables for rate limiting that can minimize the effectiveness of attacks like this.<div><br></div><div>Mike</div><div><br><div><div>On Jun 4, 2014, at 5:59 PM, Neo Haux &lt;<a href="mailto:neo.haux@gmx.com">neo.haux@gmx.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<div bgcolor="#FFFFFF" text="#000000">
Hi all,<br>
<br>
I am receiving hundreds of INVITE/minute and in the log I can see:<br>
<br>
<small><i>2014-06-04 13:52:30.189371 [WARNING] sofia_reg.c:1532 SIP
auth challenge (REGISTER) on sofia profile 'internal' for
[340@MyExternalIP] from ip 62.210.142.39</i><i><br>
</i><i>2014-06-04 13:52:42.789530 [WARNING] sofia_reg.c:1532 SIP
auth challenge (REGISTER) on sofia profile 'internal' for
[341@MyExternalIP] from ip 62.210.142.39</i><i><br>
</i><i>2014-06-04 13:52:55.479999 [WARNING] sofia_reg.c:1532 SIP
auth challenge (REGISTER) on sofia profile 'internal' for
[341@MyExternalIP] from ip 62.210.142.39</i><i><br>
</i><i>2014-06-04 13:53:08.289660 [WARNING] sofia_reg.c:1532 SIP
auth challenge (REGISTER) on sofia profile 'internal' for
[342@MyExternalIP] from ip 62.210.142.39</i><i><br>
</i><i>2014-06-04 13:53:21.679512 [WARNING] sofia_reg.c:1532 SIP
auth challenge (REGISTER) on sofia profile 'internal' for
[342@MyExternalIP] from ip 62.210.142.39</i></small><br>
<br>
<br>
In the /etc/fail2ban/filter.d/freeswitch.conf file I have these
lines:<br>
<br>
<i><small>failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure
\(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip
&lt;HOST&gt;<br>
\[WARNING\] sofia_reg.c:\d+ SIP auth failure
\(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip
&lt;HOST&gt;</small></i><br>
<br>
<br>
You can see clearly that my logs contain the word "failure", not "auth
challenge".<br>
<br>
My question is: if I put "auth challenge" in my
/etc/fail2ban/filter.d/freeswitch.conf, will I block regular known
and authenticated SIP clients? If yes, could you help me find the
right regex to stop this kind of spammer?<br>
<br>
Thank you very much in advance.<br>
<br></div></blockquote></div><br></div></body></html>
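As an added example (not code from this thread or from fail2ban itself), here is the posted failregex and a challenge-based variant run over the log lines from the question, followed by a maxretry/findtime count like the one a fail2ban jail applies, which is what separates a phone that is challenged once from a source that is challenged hundreds of times. Assumptions: fail2ban's <HOST> placeholder is reduced to an IPv4 capture group, and the 192.168.1.20 line is constructed to stand for a legitimate client.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban's <HOST> placeholder, reduced to an IPv4 capture group (assumption;
# the real <HOST> also matches IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TAIL = r" \((?:REGISTER|INVITE)\) on sofia profile '\w+' for \[.*\] from ip " + HOST
# The posted failregex (REGISTER and INVITE variants folded into one pattern).
FAILURE_RE = re.compile(r"\[WARNING\] sofia_reg\.c:\d+ SIP auth failure" + TAIL)
# The variant the question asks about: matching the challenge line instead.
CHALLENGE_RE = re.compile(r"\[WARNING\] sofia_reg\.c:\d+ SIP auth challenge" + TAIL)
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ ")

# The five lines from the question, plus one constructed line for a legitimate
# phone (192.168.1.20) that is challenged once while re-registering.
LOG = """\
2014-06-04 13:52:30.189371 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [340@MyExternalIP] from ip 62.210.142.39
2014-06-04 13:52:42.789530 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [341@MyExternalIP] from ip 62.210.142.39
2014-06-04 13:52:50.000000 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1001@MyExternalIP] from ip 192.168.1.20
2014-06-04 13:52:55.479999 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [341@MyExternalIP] from ip 62.210.142.39
2014-06-04 13:53:08.289660 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [342@MyExternalIP] from ip 62.210.142.39
2014-06-04 13:53:21.679512 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [342@MyExternalIP] from ip 62.210.142.39
"""

def matching_hosts(regex, log=LOG):
    """Source IP of every log line the regex matches."""
    return [m.group("host") for line in log.splitlines() if (m := regex.search(line))]

def hosts_to_ban(regex, maxretry, findtime, log=LOG):
    """Mimic a jail's maxretry/findtime: an IP is banned once it has maxretry
    or more matching lines inside any findtime-second window."""
    events = defaultdict(list)
    for line in log.splitlines():
        m, ts = regex.search(line), TS_RE.match(line)
        if m and ts:
            events[m.group("host")].append(datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"))
    banned = set()
    for host, times in events.items():
        times.sort()
        for i, start in enumerate(times):
            if len([t for t in times[i:] if t - start <= timedelta(seconds=findtime)]) >= maxretry:
                banned.add(host)
    return banned

if __name__ == "__main__":
    print("failure regex matches:  ", matching_hosts(FAILURE_RE))    # [] -> the posted filter never fires here
    print("challenge regex matches:", matching_hosts(CHALLENGE_RE))  # every challenged client, legitimate or not
    print("banned at 5 in 60s:     ", hosts_to_ban(CHALLENGE_RE, 5, 60))
```

Switching the filter to "auth challenge" alone matches the legitimate phone too; only the per-IP count inside the window singles out 62.210.142.39.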