<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello,<br>
<br>
we receive a number of Invites from certain IPs, who want to break
into our system and call external premium rate numbers<br>
Unwanted registers we can block already, but we still have the issue
to block specific invites from fraudulent IPs inside the iptables
firewall.<br>
<br>
In the Freeswitch log we see:<br>
2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New
Channel <a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a>
[167bb9ee-c8d0-11e4-9f31-b39e581405c5]<br>
2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send
signal <a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a> [BREAK]<br>
2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send
signal <a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a> [BREAK]<br>
2015-03-12 16:54:38.381552 [DEBUG] switch_core_state_machine.c:472
(<a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a>) Running State Change CS_NEW<br>
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841
<a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a> receiving invite from
155.94.64.26:5076 version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z
64bit<br>
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:9008 IP <big>15.194.164.26</big>
Rejected by acl "domains". Falling back to Digest auth.<br>
2015-03-12 16:54:38.441582 [DEBUG] switch_core_state_machine.c:491
(<a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a>) State NEW<br>
2015-03-12 16:54:38.441582 [DEBUG] switch_core_session.c:1061 Send
signal <a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a> [BREAK]<br>
2015-03-12 16:54:38.441582 [DEBUG] sofia.c:2067 detaching session
167bb9ee-c8d0-11e4-9f31-b39e581405c5<br>
2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572
167bb9ee-c8d0-11e4-9f31-b39e581405c5 <a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a>
Abandoned <br>
<br>
The fraudulent IP here is 15.194.164.26 (anonymized of course). The
IP 10.11.12.13 is the (anonymized) IP of our server.<br>
<br>
The point here is: 15.194.164.26 is sending an INVITE, Freeswitch
then sends "authentication required". Freeswitch then logs this
entry with "Abandoned" (see last line above) and that's it. <br>
<br>
So Is there any way to make Freeswitch show up a log line with the
fraudulent IP 15.194.164.26 and some text like "abandonned"?<br>
Example for extending a current log line<br>
2015-03-12 16:54:48.461568 [WARNING]
switch_core_state_machine.c:572 167bb9ee-c8d0-11e4-9f31-b39e581405c5
<a class="moz-txt-link-abbreviated" href="mailto:sofia/internal/149@10.11.12.13">sofia/internal/149@10.11.12.13</a> Abandoned <big>for IP 15.194.164.26</big>
<br>
This would enable us to process this entry with fail2ban and block
this IP in the Firewall.<br>
<br>
Any other hint is welcome.<br>
<pre class="moz-signature" cols="72">--
With kind regards
Marvin Keil
Telefaks Services GmbH
<a class="moz-txt-link-freetext" href="mailto:lists">mailto:lists</a> (att) telefaks.de
Internet: <a class="moz-txt-link-abbreviated" href="http://www.telefaks.de">www.telefaks.de</a>
</pre>
</body>
</html>