<div dir="ltr"><div><div><div><div><div><div><div><div>Hi,<br><br></div>There are several options:<br><br></div>1) Close your server to the outside world with iptables, so only you from a secure location can register.<br></div>2) Fail2ban<br></div>3) You can put a Kamailio SIP proxy in front, which will handle security (like allowing registration from a specific User-Agent, the pike module, etc.)<br></div>4) You can use iptables to block unwanted traffic from a specific user-agent:<br><a href="http://ithelpblog.com/voice/prevent-or-deny-sip-dos-attack-sip-scanner-by-iptables-firewall/">http://ithelpblog.com/voice/prevent-or-deny-sip-dos-attack-sip-scanner-by-iptables-firewall/</a><br></div>5) You can use iptables hashlimit to stop floods:<br><a href="https://wiki.freeswitch.org/wiki/QoS#DoS_REGISTER_Attack_Prevention">https://wiki.freeswitch.org/wiki/QoS#DoS_REGISTER_Attack_Prevention</a><br><br></div>Maybe there are some other options; this is what I remember right now.<br><br></div>With kind regards,<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Jurijs<br></div></div></div>
<br><div class="gmail_quote">On Wed, Aug 3, 2016 at 7:57 AM, Jungle Boogie <span dir="ltr">&lt;<a href="mailto:jungleboogie0@gmail.com" target="_blank">jungleboogie0@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi All,<br>
<br>
How do people stop bad registration attempts to freeswitch? Is it pretty<br>
much impossible so don&#39;t worry about it as long as you have fail2ban?<br>
<br>
Using sngrep, I see lots of registration attempts like this:<br>
<br>
My actual IP has been replaced with 1.2.3.4.<br>
<br>
2016/08/02 21:35:33.397073 195.154.48.130:5080 -&gt; 192.168.0.137:5060<br>
REGISTER sip:1.2.3.4:5060 SIP/2.0<br>
Via: SIP/2.0/UDP 195.154.48.130:5080;branch=z9hG4bK23552ce85a146013577b3912;rport<br>
From: &quot;7612&quot; &lt;sip:7612@1.2.3.4:5060&gt;;tag=23552ce8ba27<br>
To: &quot;7612&quot; &lt;sip:7612@1.2.3.4:5060&gt;<br>
Call-ID: ce85a14-4c0e6013-577b3912@1.2.3.4<br>
CSeq: 1 REGISTER<br>
Contact: &quot;7612&quot; &lt;sip:7612@195.154.48.130:5080&gt;<br>
User-Agent: VaxSIPUserAgent/3.1<br>
Expires: 1800<br>
Max-Forwards: 70<br>
Content-Length: 0<br>
<br>
I have these iptables rules:<br>
-P INPUT ACCEPT<br>
-P FORWARD ACCEPT<br>
-P OUTPUT ACCEPT<br>
-N f2b-freeswitch<br>
-A INPUT -j f2b-freeswitch<br>
-A INPUT -p tcp -m string --string &quot;VaxSIPUserAgent/3.1&quot; --algo bm --to 65535 -j DROP<br>
-A INPUT -p udp -m string --string &quot;VaxSIPUserAgent/3.1&quot; --algo bm --to 65535 -j DROP<br>
-A INPUT -p udp -m udp --dport 5080 -m string --string &quot;sipcli&quot; --algo bm --to 65535 -j DROP<br>
-A INPUT -p udp -m udp --dport 5080 -m string --string &quot;friendly-scanner&quot; --algo bm --to 65535 -j DROP<br>
-A INPUT -p udp -m udp --dport 5080 -m string --string &quot;VaxSIPUserAgent&quot; --algo bm --to 65535 -j DROP<br>
-A INPUT -p udp -m udp --dport 5060 -m string --string &quot;sipcli&quot; --algo bm --to 65535 -j DROP<br>
-A INPUT -p udp -m udp --dport 5060 -m string --string &quot;friendly-scanner&quot; --algo bm --to 65535 -j DROP<br>
-A INPUT -p udp -m udp --dport 5060 -m string --string &quot;VaxSIPUserAgent&quot; --algo bm --to 65535 -j DROP<br>
-A INPUT -j f2b-freeswitch<br>
-A f2b-freeswitch -j RETURN<br>
<br>
Are my rules not stopping this registration because it&#39;s not being<br>
recorded in any logs?<br>
<br>
How do you stop (or prevent) unwanted registration attempts, even if<br>
it&#39;s a sip scanner?<br>
<br>
Thanks!<br>
<br>
</blockquote></div><br></div>
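<div>Added example, not part of either message: sngrep reads packets through libpcap, which on Linux taps inbound traffic before the netfilter INPUT chain, so a REGISTER can appear in sngrep even when an iptables DROP rule discards it. The Python sketch below parses a constructed capture in the sngrep layout quoted above and reports, per source, whether any SIP response went back and whether the User-Agent matches the strings in the quoted rules; the <code>summarize</code> and <code>classify</code> names, the 203.0.113.9 peer and its 401 reply are assumptions made for illustration.</div>

```python
import re
from collections import defaultdict

# User-Agent substrings taken from the iptables string-match rules quoted above.
BLOCKED_AGENTS = ("VaxSIPUserAgent", "sipcli", "friendly-scanner")

# Constructed sample in the sngrep text layout shown in the post.
# 203.0.113.9 and the 401 reply are made up; 1.2.3.4 is the poster's placeholder.
CAPTURE = """\
2016/08/02 21:35:33.397073 195.154.48.130:5080 -> 192.168.0.137:5060
REGISTER sip:1.2.3.4:5060 SIP/2.0
User-Agent: VaxSIPUserAgent/3.1

2016/08/02 21:35:40.100000 203.0.113.9:5062 -> 192.168.0.137:5060
REGISTER sip:1.2.3.4:5060 SIP/2.0
User-Agent: ExamplePhone/1.0

2016/08/02 21:35:40.101000 192.168.0.137:5060 -> 203.0.113.9:5062
SIP/2.0 401 Unauthorized
"""

HEADER = re.compile(r"^\S+ \S+ (\S+) -> (\S+)$")  # date time src -> dst

def summarize(capture):
    """Per remote endpoint: REGISTER count, User-Agents seen, replies sent back."""
    stats = defaultdict(lambda: {"registers": 0, "agents": set(), "replies": 0})
    for block in capture.strip().split("\n\n"):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if not m or len(lines) < 2:
            continue
        src, dst = m.groups()
        if lines[1].startswith("REGISTER "):
            entry = stats[src]
            entry["registers"] += 1
            for line in lines[2:]:
                name, _, value = line.partition(":")
                if name.strip().lower() == "user-agent":
                    entry["agents"].add(value.strip())
        elif lines[1].startswith("SIP/2.0 "):
            stats[dst]["replies"] += 1  # a response travelling back to that peer
    return stats

def classify(entry):
    """Return (state, listed): state is 'answered' or 'unanswered'."""
    # Case-sensitive substring test, like iptables -m string without --icase.
    listed = any(b in a for a in entry["agents"] for b in BLOCKED_AGENTS)
    return ("answered" if entry["replies"] else "unanswered"), listed
```

A source that is listed and unanswered is consistent with the DROP rule having matched; a listed source that does receive replies means the request reached FreeSWITCH and the rules are worth rechecking.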