<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Thanks Sergey<br>
<br>
i've installed it. That was rather simple.<br>
<br>
I will look at the output in some next hours.<br>
<br>
<br>
On 03/12/15 19:44, Sergey Safarov wrote:<br>
</div>
<blockquote
cite="mid:CAHtxdDejv19mdR2iozv3ciYPNX3OLGYwZXuW0njxtvKpspgYAg@mail.gmail.com"
type="cite">
<div dir="ltr">Marvin you can use solution published at <a
moz-do-not-send="true"
href="https://freeswitch.org/jira/browse/FS-7125">https://freeswitch.org/jira/browse/FS-7125</a>
<div><a moz-do-not-send="true"
href="https://freeswitch.org/stash/projects/FS/repos/freeswitch/commits/63a622decc0994d69a8e4ec223cb5359430f03d9">https://freeswitch.org/stash/projects/FS/repos/freeswitch/commits/63a622decc0994d69a8e4ec223cb5359430f03d9</a><br>
</div>
<div><br>
</div>
<div>Currently I successfully block that calls</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Mar 12, 2015 at 7:28 PM, Peter
Steinbach <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:lists@telefaks.de" target="_blank">lists@telefaks.de</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hello,<br>
<br>
we receive a number of Invites from certain IPs, who want
to break into our system and call external premium rate
numbers<br>
Unwanted registers we can block already, but we still have
the issue to block specific invites from fraudulent IPs
inside the iptables firewall.<br>
<br>
In the Freeswitch log we see:<br>
2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055
New Channel <a moz-do-not-send="true"
href="mailto:sofia/internal/149@10.11.12.13"
target="_blank">sofia/internal/149@10.11.12.13</a>
[167bb9ee-c8d0-11e4-9f31-b39e581405c5]<br>
2015-03-12 16:54:38.381552 [DEBUG]
switch_core_session.c:1061 Send signal <a
moz-do-not-send="true"
href="mailto:sofia/internal/149@10.11.12.13"
target="_blank">sofia/internal/149@10.11.12.13</a>
[BREAK]<br>
2015-03-12 16:54:38.381552 [DEBUG]
switch_core_session.c:1061 Send signal <a
moz-do-not-send="true"
href="mailto:sofia/internal/149@10.11.12.13"
target="_blank">sofia/internal/149@10.11.12.13</a>
[BREAK]<br>
2015-03-12 16:54:38.381552 [DEBUG]
switch_core_state_machine.c:472 (<a moz-do-not-send="true"
href="mailto:sofia/internal/149@10.11.12.13"
target="_blank">sofia/internal/149@10.11.12.13</a>)
Running State Change CS_NEW<br>
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841 <a
moz-do-not-send="true"
href="mailto:sofia/internal/149@10.11.12.13"
target="_blank">sofia/internal/149@10.11.12.13</a>
receiving invite from <a moz-do-not-send="true"
href="http://155.94.64.26:5076" target="_blank">155.94.64.26:5076</a>
version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit<br>
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:9008 IP <big>15.194.164.26</big>
Rejected by acl "domains". Falling back to Digest auth.<br>
2015-03-12 16:54:38.441582 [DEBUG]
switch_core_state_machine.c:491 (<a moz-do-not-send="true"
href="mailto:sofia/internal/149@10.11.12.13"
target="_blank">sofia/internal/149@10.11.12.13</a>)
State NEW<br>
2015-03-12 16:54:38.441582 [DEBUG]
switch_core_session.c:1061 Send signal <a
moz-do-not-send="true"
href="mailto:sofia/internal/149@10.11.12.13"
target="_blank">sofia/internal/149@10.11.12.13</a>
[BREAK]<br>
2015-03-12 16:54:38.441582 [DEBUG] sofia.c:2067 detaching
session 167bb9ee-c8d0-11e4-9f31-b39e581405c5<br>
2015-03-12 16:54:48.461568 [WARNING]
switch_core_state_machine.c:572
167bb9ee-c8d0-11e4-9f31-b39e581405c5 <a
moz-do-not-send="true"
href="mailto:sofia/internal/149@10.11.12.13"
target="_blank">sofia/internal/149@10.11.12.13</a>
Abandoned <br>
<br>
The fraudulent IP here is 15.194.164.26 (anonymized of
course). The IP 10.11.12.13 is the (anonymized) IP of our
server.<br>
<br>
The point here is: 15.194.164.26 is sending an INVITE,
Freeswitch then sends "authentication required".
Freeswitch then logs this entry with "Abandoned" (see last
line above) and that's it. <br>
<br>
So Is there any way to make Freeswitch show up a log line
with the fraudulent IP 15.194.164.26 and some text like
"abandonned"?<br>
Example for extending a current log line<br>
2015-03-12 16:54:48.461568 [WARNING]
switch_core_state_machine.c:572
167bb9ee-c8d0-11e4-9f31-b39e581405c5 <a
moz-do-not-send="true"
href="mailto:sofia/internal/149@10.11.12.13"
target="_blank">sofia/internal/149@10.11.12.13</a>
Abandoned <big>for IP 15.194.164.26</big> <br>
This would enable us to process this entry with fail2ban
and block this IP in the Firewall.<br>
<br>
Any other hint is welcome.<span class="HOEnZb"><font
color="#888888"><br>
<pre cols="72">--
With kind regards
Marvin Keil
Telefaks Services GmbH
<a moz-do-not-send="true" href="mailto:lists" target="_blank">mailto:lists</a> (att) <a moz-do-not-send="true" href="http://telefaks.de" target="_blank">telefaks.de</a>
Internet: <a moz-do-not-send="true" href="http://www.telefaks.de" target="_blank">www.telefaks.de</a>
</pre>
</font></span></div>
<br>
_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a moz-do-not-send="true"
href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a moz-do-not-send="true"
href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a moz-do-not-send="true" href="http://www.freeswitch.org"
target="_blank">http://www.freeswitch.org</a><br>
<a moz-do-not-send="true"
href="http://confluence.freeswitch.org" target="_blank">http://confluence.freeswitch.org</a><br>
<a moz-do-not-send="true" href="http://www.cluecon.com"
target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a moz-do-not-send="true"
href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a moz-do-not-send="true"
href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users"
target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a moz-do-not-send="true"
href="http://lists.freeswitch.org/mailman/options/freeswitch-users"
target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a moz-do-not-send="true" href="http://www.freeswitch.org"
target="_blank">http://www.freeswitch.org</a><br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
<a class="moz-txt-link-abbreviated" href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a>
<a class="moz-txt-link-freetext" href="http://www.freeswitchsolutions.com">http://www.freeswitchsolutions.com</a>
Official FreeSWITCH Sites
<a class="moz-txt-link-freetext" href="http://www.freeswitch.org">http://www.freeswitch.org</a>
<a class="moz-txt-link-freetext" href="http://confluence.freeswitch.org">http://confluence.freeswitch.org</a>
<a class="moz-txt-link-freetext" href="http://www.cluecon.com">http://www.cluecon.com</a>
FreeSWITCH-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a>
<a class="moz-txt-link-freetext" href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a>
UNSUBSCRIBE:<a class="moz-txt-link-freetext" href="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</a>
<a class="moz-txt-link-freetext" href="http://www.freeswitch.org">http://www.freeswitch.org</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
With kind regards
Peter Steinbach
Telefaks Services GmbH
<a class="moz-txt-link-freetext" href="mailto:lists">mailto:lists</a> (att) telefaks.de
Internet: <a class="moz-txt-link-abbreviated" href="http://www.telefaks.de">www.telefaks.de</a>
</pre>
</body>
</html>