<html><head><meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" /></head><body bgcolor="#FFFFFF" text="#000000">Have you tried mod_fail2ban? <br><br><div class="gmail_quote">On March 12, 2015 12:28:16 PM EDT, Peter Steinbach <lists@telefaks.de> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Hello,<br />
<br />
we receive a number of Invites from certain IPs, who want to break
into our system and call external premium rate numbers<br />
Unwanted registers we can block already, but we still have the issue
to block specific invites from fraudulent IPs inside the iptables
firewall.<br />
<br />
In the Freeswitch log we see:<br />
2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New
Channel <a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a>
[167bb9ee-c8d0-11e4-9f31-b39e581405c5]<br />
2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send
signal <a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a> [BREAK]<br />
2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send
signal <a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a> [BREAK]<br />
2015-03-12 16:54:38.381552 [DEBUG] switch_core_state_machine.c:472
(<a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a>) Running State Change CS_NEW<br />
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841
<a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a> receiving invite from
155.94.64.26:5076 version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z
64bit<br />
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:9008 IP <big>15.194.164.26</big>
Rejected by acl "domains". Falling back to Digest auth.<br />
2015-03-12 16:54:38.441582 [DEBUG] switch_core_state_machine.c:491
(<a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a>) State NEW<br />
2015-03-12 16:54:38.441582 [DEBUG] switch_core_session.c:1061 Send
signal <a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a> [BREAK]<br />
2015-03-12 16:54:38.441582 [DEBUG] sofia.c:2067 detaching session
167bb9ee-c8d0-11e4-9f31-b39e581405c5<br />
2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572
167bb9ee-c8d0-11e4-9f31-b39e581405c5 <a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a>
Abandoned <br />
<br />
The fraudulent IP here is 15.194.164.26 (anonymized of course). The
IP 10.11.12.13 is the (anonymized) IP of our server.<br />
<br />
The point here is: 15.194.164.26 is sending an INVITE, Freeswitch
then sends "authentication required". Freeswitch then logs this
entry with "Abandoned" (see last line above) and that's it. <br />
<br />
So Is there any way to make Freeswitch show up a log line with the
fraudulent IP 15.194.164.26 and some text like "abandonned"?<br />
Example for extending a current log line<br />
2015-03-12 16:54:48.461568 [WARNING]
switch_core_state_machine.c:572 167bb9ee-c8d0-11e4-9f31-b39e581405c5
<a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a> Abandoned <big>for IP 15.194.164.26</big>
<br />
This would enable us to process this entry with fail2ban and block
this IP in the Firewall.<br />
<br />
Any other hint is welcome.<br />
<pre class="moz-signature" cols="72">--
With kind regards
Marvin Keil
Telefaks Services GmbH
<a class="moz-txt-link-freetext" href="mailto:lists">mailto:lists</a> (att) telefaks.de
Internet: <a class="moz-txt-link-abbreviated" href="http://www.telefaks.de">www.telefaks.de</a>
</pre>
<p style="margin-top: 2.5em; margin-bottom: 1em; border-bottom: 1px solid #000"></p><pre class="k9mail"><hr /><br />Professional FreeSWITCH Consulting Services: <br />consulting@freeswitch.org<br /><a href="http://www.freeswitchsolutions.com">http://www.freeswitchsolutions.com</a><br /><br />Official FreeSWITCH Sites<br /><a href="http://www.freeswitch.org">http://www.freeswitch.org</a><br /><a href="http://confluence.freeswitch.org">http://confluence.freeswitch.org</a><br /><a href="http://www.cluecon.com">http://www.cluecon.com</a><br /><br />FreeSWITCH-users mailing list<br />FreeSWITCH-users@lists.freeswitch.org<br /><a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br />UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br /><a
href="http://www.freeswitch.org">http://www.freeswitch.org</a></pre></blockquote></div><br>
-- <br>
Sent from my Android device with K-9 Mail. Please excuse my brevity.</body></html>