<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">its using a challenge based authentication, so it makes a request, the server challenges, then it makes the request again with auth headers.<div><br><div><div>On Jun 4, 2014, at 6:32 PM, Neo Haux <<a href="mailto:neo.haux@gmx.com">neo.haux@gmx.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<div bgcolor="#FFFFFF" text="#000000">
<fieldset class="mimeAttachmentHeader"><legend class="mimeAttachmentHeaderName">Thanks Michael,<br>
<br>
May be it's related to SIP not freeswitch, but how can a sip
client ask a FS to make an external call without authentication.
Shouldn't be banned from making any request by FS if it doesn't
find this user already registred ?<br>
<br>
<br>
Here is my list_users:<br>
<br>
freeswitch@internal> list_users <br>
userid|context|domain|group|contact|callgroup|effective_caller_id_name|effective_caller_id_number<br>
100|default|192.168.1.1|default|<a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/sip:100@192.168.1.1:5060">sofia/internal/sip:100@192.168.1.1:5060</a>|||<br>
101|default|192.168.1.1|default|<a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/sip:101@192.168.1.1:5061">sofia/internal/sip:101@192.168.1.1:5061</a>|||<br>
102|default|192.168.1.1|default|error/user_not_registered|||<br>
103|default|192.168.1.1|default|error/user_not_registered|||<br>
104|default|192.168.1.1|default|error/user_not_registered|||<br>
<br>
<br>
<br>
<br>
<small></small></legend></fieldset>
<table class="header-part1" border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody>
<tr>
<td>
<div class="headerdisplayname" style="display:inline;"><small>Subject:
</small></div>
<small>Re: [Freeswitch-users] how to ban this spammer?</small></td>
</tr>
<tr>
<td>
<div class="headerdisplayname" style="display:inline;"><small>From:
</small></div>
<small>Michael Jerris <a class="moz-txt-link-rfc2396E" href="mailto:mike@jerris.com"><mike@jerris.com></a></small></td>
</tr>
<tr>
<td>
<div class="headerdisplayname" style="display:inline;"><small>Date:
</small></div>
<small>14-06-04 02:20 PM</small></td>
</tr>
</tbody>
</table>
<table class="header-part2" border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody>
<tr>
<td>
<div class="headerdisplayname" style="display:inline;"><small>To:
</small></div>
<small>FreeSWITCH Users Help
<a class="moz-txt-link-rfc2396E" href="mailto:freeswitch-users@lists.freeswitch.org"><freeswitch-users@lists.freeswitch.org></a></small></td>
</tr>
</tbody>
</table>
<small><br>
yes, if you blocked everything that was challenged you would
probably block legitimate traffic. There is no "regex" that can
tell you the difference between good and bad traffic like this,
perhaps something that looks more specifically at traffic patterns
could help, but that would be significant logic to find the right
mix. you could do something with iptables for rate limiting that
can minimize the effectiveness of attacks like this.</small>
<div><small><br>
</small></div>
<div><small>Mike</small></div>
<small><br>
</small>
<div><small>On Jun 4, 2014, at 5:59 PM, Neo Haux <<a href="mailto:neo.haux@gmx.com">neo.haux@gmx.com</a>> wrote:</small></div>
<small><br class="Apple-interchange-newline">
Hi all,<br>
<br>
I am receiving hundreds of INVITE/minute and in the log I can see:<br>
<br>
<small><i>2014-06-04 13:52:30.189371 [WARNING] sofia_reg.c:1532
SIP auth challenge (REGISTER) on sofia profile 'internal' for
[340@MyExternalIP] from ip 62.210.142.39</i><i><br>
</i><i>2014-06-04 13:52:42.789530 [WARNING] sofia_reg.c:1532 SIP
auth challenge (REGISTER) on sofia profile 'internal' for
[341@MyExternalIP] from ip 62.210.142.39</i><i><br>
</i><i>2014-06-04 13:52:55.479999 [WARNING] sofia_reg.c:1532 SIP
auth challenge (REGISTER) on sofia profile 'internal' for
[341@MyExternalIP] from ip 62.210.142.39</i><i><br>
</i><i>2014-06-04 13:53:08.289660 [WARNING] sofia_reg.c:1532 SIP
auth challenge (REGISTER) on sofia profile 'internal' for
[342@MyExternalIP] from ip 62.210.142.39</i><i><br>
</i><i>2014-06-04 13:53:21.679512 [WARNING] sofia_reg.c:1532 SIP
auth challenge (REGISTER) on sofia profile 'internal' for
[342@MyExternalIP] from ip 62.210.142.39</i></small><br>
<br>
<br>
In the /etc/fail2ban/filter.d/freeswitch.conf file I have these
lines:<br>
<br>
<i><small>failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure
\(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip
<HOST><br>
\[WARNING\] sofia_reg.c:\d+ SIP auth failure
\(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip
<HOST></small></i><br>
<br>
<br>
You can see clearly that my logs contain failure word not "auth
challange".<br>
<br>
My question is : If I put "auth challange" in my
/etc/fail2ban/filter.d/freeswitch.conf will I block regular known
and authenticated SIP clients ? If yes, could you help find the
right regex to stop this kind of spammers ?<br>
<br>
Thank you very much in advance.</small><br>
</div>
_________________________________________________________________________<br></blockquote></div><br></div></body></html>