<HTML>
<HEAD>
<TITLE>Re: [Freeswitch-users] Fail to ban rule for detecting INVITES with no challenge</TITLE>
</HEAD>
<BODY>
<FONT FACE="Monaco, Courier New"><SPAN STYLE='font-size:11pt'>Is there a pull request on that?<BR>
<BR>
<BR>
On 3/12/15, 1:27 PM, "Ítalo Rossi" <<a href="italorossib@gmail.com">italorossib@gmail.com</a>> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Monaco, Courier New"><SPAN STYLE='font-size:11pt'>I set the JIRA status as Needs Review, hope it gets merged soon.<BR>
<BR>
On Thu, Mar 12, 2015 at 4:03 PM, Sergey Safarov <<a href="s.safarov@gmail.com">s.safarov@gmail.com</a>> wrote:<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Monaco, Courier New"><SPAN STYLE='font-size:11pt'>Ítalo, I have not rewritten the patch set to use network_addr in the caller profile, and the patch is not merged to master.<BR>
<FONT COLOR="#888888"><BR>
Sergey<BR>
</FONT><BR>
On Thu, Mar 12, 2015 at 7:51 PM, Ítalo Rossi <<a href="italorossib@gmail.com">italorossib@gmail.com</a>> wrote:<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Monaco, Courier New"><SPAN STYLE='font-size:11pt'><BR>
Version?<BR>
<BR>
I'm almost sure this is already implemented in master. <BR>
<BR>
On 12/03/2015 13:43, "Kyle King" <<a href="kyle.king@quentustech.com">kyle.king@quentustech.com</a>> wrote:<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Monaco, Courier New"><SPAN STYLE='font-size:11pt'>Have you tried mod_fail2ban? <BR>
<BR>
On March 12, 2015 12:28:16 PM EDT, Peter Steinbach <<a href="lists@telefaks.de">lists@telefaks.de</a>> wrote:<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Monaco, Courier New"><SPAN STYLE='font-size:11pt'> Hello,<BR>
<BR>
we receive a number of Invites from certain IPs, who want to break into our system and call external premium rate numbers.<BR>
Unwanted registers we can block already, but we still have the issue to block specific invites from fraudulent IPs inside the iptables firewall.<BR>
<BR>
In the Freeswitch log we see:<BR>
2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New Channel <a href="sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a> [167bb9ee-c8d0-11e4-9f31-b39e581405c5]<BR>
2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send signal <a href="sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a> [BREAK]<BR>
2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send signal <a href="sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a> [BREAK]<BR>
2015-03-12 16:54:38.381552 [DEBUG] switch_core_state_machine.c:472 (<a href="sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a>) Running State Change CS_NEW<BR>
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841 <a href="sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a> receiving invite from 155.94.64.26:5076 <<a href="http://155.94.64.26:5076">http://155.94.64.26:5076</a>> version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit<BR>
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:9008 IP 15.194.164.26 Rejected by acl "domains". Falling back to Digest auth.<BR>
2015-03-12 16:54:38.441582 [DEBUG] switch_core_state_machine.c:491 (<a href="sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a>) State NEW<BR>
2015-03-12 16:54:38.441582 [DEBUG] switch_core_session.c:1061 Send signal <a href="sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a> [BREAK]<BR>
2015-03-12 16:54:38.441582 [DEBUG] sofia.c:2067 detaching session 167bb9ee-c8d0-11e4-9f31-b39e581405c5<BR>
2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572 167bb9ee-c8d0-11e4-9f31-b39e581405c5 <a href="sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a> Abandoned <BR>
<BR>
The fraudulent IP here is 15.194.164.26 (anonymized of course). The IP 10.11.12.13 is the (anonymized) IP of our server.<BR>
<BR>
The point here is: 15.194.164.26 is sending an INVITE, Freeswitch then sends "authentication required". Freeswitch then logs this entry with "Abandoned" (see last line above) and that's it. <BR>
<BR>
So is there any way to make Freeswitch show a log line with the fraudulent IP 15.194.164.26 and some text like "abandoned"?<BR>
Example for extending a current log line:<BR>
2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572 167bb9ee-c8d0-11e4-9f31-b39e581405c5 <a href="sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a> Abandoned for IP 15.194.164.26 <BR>
This would enable us to process this entry with fail2ban and block this IP in the Firewall.<BR>
<BR>
Any other hint is welcome.<BR>
<BR>
</SPAN></FONT></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE><FONT FACE="Monaco, Courier New"><SPAN STYLE='font-size:11pt'><BR>
-- <BR>
Ken<BR>
<FONT COLOR="#0000FF"><U><a href="http://www.FreeSWITCH.org">http://www.FreeSWITCH.org</a><BR>
<a href="http://www.ClueCon.com">http://www.ClueCon.com</a><BR>
<a href="http://www.OSTAG.org">http://www.OSTAG.org</a><BR>
</U></FONT>irc.freenode.net #freeswitch<BR>
Twitter: @FreeSWITCH<BR>
<BR>
</SPAN></FONT>
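<FONT FACE="Monaco, Courier New"><SPAN STYLE='font-size:11pt'><BR>
In the quoted log the source IP appears only on the "receiving invite" line and the session UUID only on the "New Channel" and "Abandoned" lines, so a small correlator can join them and emit the "Abandoned for IP" line the original poster asked for. This is an added example, not code from the thread or from FreeSWITCH; the name correlate, the MAX_PENDING bound and the sample lines are assumptions constructed here.<BR>
</SPAN></FONT>

```python
import re

# Constructed sample, modelled on the log lines quoted in the thread
# (documentation-range IPs, made-up UUIDs). Both calls reuse one channel name.
SAMPLE_LOG = """\
2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/149@10.11.12.13 [aaaaaaaa-0000-4000-8000-000000000001]
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841 sofia/internal/149@10.11.12.13 receiving invite from 203.0.113.26:5076 version: 1.5.15b
2015-03-12 16:54:39.101552 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/149@10.11.12.13 [aaaaaaaa-0000-4000-8000-000000000002]
2015-03-12 16:54:39.101552 [DEBUG] sofia.c:8841 sofia/internal/149@10.11.12.13 receiving invite from 198.51.100.7:5060 version: 1.5.15b
2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572 aaaaaaaa-0000-4000-8000-000000000001 sofia/internal/149@10.11.12.13 Abandoned
"""

UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
NEW_CHANNEL = re.compile(r"New Channel (\S+) \[(" + UUID + r")\]")
INVITE_FROM = re.compile(r"sofia\.c:\d+ (\S+) receiving invite from (\d{1,3}(?:\.\d{1,3}){3}):\d+")
ABANDONED = re.compile(r"^(\S+ \S+) \[WARNING\] \S+ (" + UUID + r") \S+ Abandoned\s*$")
MAX_PENDING = 10000  # assumed bound so sessions that never abandon cannot grow the map forever


def correlate(lines):
    """Return one 'Abandoned for IP' line per abandoned session whose INVITE source is known."""
    uuid_by_channel = {}  # channel name -> UUID of the newest session using that name
    ip_by_uuid = {}       # session UUID -> source IP taken from its INVITE line
    out = []
    for line in lines:
        m = NEW_CHANNEL.search(line)
        if m:
            uuid_by_channel[m.group(1)] = m.group(2)
            continue
        m = INVITE_FROM.search(line)
        if m:
            uuid = uuid_by_channel.pop(m.group(1), None)
            if uuid:
                ip_by_uuid[uuid] = m.group(2)
                if len(ip_by_uuid) > MAX_PENDING:
                    ip_by_uuid.pop(next(iter(ip_by_uuid)))  # drop the oldest pending entry
            continue
        m = ABANDONED.search(line)
        if m:
            ip = ip_by_uuid.pop(m.group(2), None)
            if ip:  # unknown UUID: no INVITE was seen, so there is nothing to attribute
                out.append(f"{m.group(1)} [WARNING] {m.group(2)} Abandoned for IP {ip}")
    return out


if __name__ == "__main__":
    print("\n".join(correlate(SAMPLE_LOG.splitlines())))
```

<FONT FACE="Monaco, Courier New"><SPAN STYLE='font-size:11pt'>A fail2ban filter can then match the emitted lines with a failregex containing "Abandoned for IP &lt;HOST&gt;".<BR>
</SPAN></FONT>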
</BODY>
</HTML>