<div dir="ltr">if you use domain names, then you can place FreeSwitch behind Kamailio and implement filter on Kamailio side.<div>Filter logic:</div><div>1) if To header like \d+\.\d+\.\d+\.\d+ then drop packet;</div><div><div>2) if From header like \d+\.\d+\.\d+\.\d+ then drop packet;</div><div><br></div></div><div>Example of such filter logic you can find here</div><div><a href="https://github.com/2600hz/kazoo-configs-kamailio/blob/master/kamailio/traffic-filter-role.cfg">https://github.com/2600hz/kazoo-configs-kamailio/blob/master/kamailio/traffic-filter-role.cfg</a><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">пт, 15 дек. 2017 г. в 20:46, Peter Steinbach <<a href="mailto:lists@telefaks.de">lists@telefaks.de</a>>:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="m_-1760520282224978735moz-cite-prefix">Hello Miguel,<br>
<br>
see here<br>
<a class="m_-1760520282224978735moz-txt-link-freetext" href="http://lists.freeswitch.org/pipermail/freeswitch-users/2011-April/071796.html" target="_blank">http://lists.freeswitch.org/pipermail/freeswitch-users/2011-April/071796.html</a><br>
You will need to change the line <br>
search="friendly-scanner"<br>
to<br>
search="<span lang="EN-US">Z 3.14.38765 rv2.8.3</span>"<br>
<br>
This worked for me.<br>
Best regards Peter</div></div><div bgcolor="#FFFFFF" text="#000000"><div class="m_-1760520282224978735moz-cite-prefix"><br>
<br>
<br>
On 12/15/17 18:32, Miguel Jesús López Valverde wrote:<br>
</div></div><div bgcolor="#FFFFFF" text="#000000">
<blockquote type="cite">
<div class="m_-1760520282224978735WordSection1">
<p class="MsoNormal"><span lang="EN-US">Good afternoon everyone<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">I get a new query
regarding a type of attack that our freeswitch servers
receive constantly in case someone knows how to block them.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">These are INVITE or
REGISTER requests in which the FROM: field arrives with the
ip and port equal to the public interface of the server, so
the different protection options that I have tried have not
blocked these requests:<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">- IpTables can not
filter by the information From the INVITE message.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">- Fail2Ban is equally
limited than IpTables.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">- ACLs have not resolved
to filter these requests.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Does anyone know any way
to block these requests?<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">I send here a trace with
an INVITE message where you can see a request of this type.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal">Thanks and best regards.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">U 2017/12/14 18:32:55.156886
<a href="http://185.107.94.121:11120" target="_blank">185.107.94.121:11120</a> -> <a href="http://182.30.1.194:5060" target="_blank">182.30.1.194:5060</a><u></u><u></u></p>
<p class="MsoNormal">INVITE sip:390239297988@
182.30.1.194:5060;transport=UDP SIP/2.0.<u></u><u></u></p>
<p class="MsoNormal">Via: SIP/2.0/UDP
122.221.117.131:5060;branch=z9hG4bK-524287-1---xi3qy2kz737ni404.<u></u><u></u></p>
<p class="MsoNormal"><span lang="EN-US">Max-Forwards: 70.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Contact:
<a class="m_-1760520282224978735moz-txt-link-rfc2396E" href="mailto:sip:15714000000@122.221.117.131:5060;transport=UDP" target="_blank"><sip:15714000000@122.221.117.131:5060;transport=UDP></a>.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">To:
<sip:390239297988@ 182.30.1.194;transport=UDP>.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">From:
<a class="m_-1760520282224978735moz-txt-link-rfc2396E" href="mailto:sip:15714000000@182.30.1.194;transport=UDP" target="_blank"><sip:15714000000@
182.30.1.194;transport=UDP></a>;tag=hlzg2jcv.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Call-ID:
KaQqH51mAcFv34qN8cGyv3...<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">CSeq: 1 INVITE.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Content-Type:
application/sdp.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">User-Agent: Z 3.14.38765
rv2.8.3.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Allow-Events: presence,
kpml, talk.<u></u><u></u></span></p>
<p class="MsoNormal">Content-Length: 0.<u></u><u></u></p>
<p class="MsoNormal">.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div id="m_-1760520282224978735DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2"><br>
<table style="border-top:1px solid #d3d4de">
<tbody>
<tr>
<td style="width:55px;padding-top:18px"><a href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient" target="_blank"><img src="https://ipmcdn.avast.com/images/icons/icon-envelope-tick-round-orange-animated-no-repeat-v1.gif" alt="" style="width:46px;height:29px" height="29" width="46"></a></td>
<td style="width:470px;padding-top:17px;color:#41424e;font-size:13px;font-family:Arial,Helvetica,sans-serif;line-height:18px">Libre de virus. <a href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient" style="color:#4453ea" target="_blank">www.avast.com</a>
</td>
</tr>
</tbody>
</table>
<a href="#m_-1760520282224978735_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2" width="1" height="1"> </a></div>
<br>
<fieldset class="m_-1760520282224978735mimeAttachmentHeader"></fieldset>
<br>
<pre>_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
<a class="m_-1760520282224978735moz-txt-link-abbreviated" href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a>
<a class="m_-1760520282224978735moz-txt-link-freetext" href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a>
Official FreeSWITCH Sites
<a class="m_-1760520282224978735moz-txt-link-freetext" href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a>
<a class="m_-1760520282224978735moz-txt-link-freetext" href="http://confluence.freeswitch.org" target="_blank">http://confluence.freeswitch.org</a>
<a class="m_-1760520282224978735moz-txt-link-freetext" href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a>
FreeSWITCH-users mailing list
<a class="m_-1760520282224978735moz-txt-link-abbreviated" href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a>
<a class="m_-1760520282224978735moz-txt-link-freetext" href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a>
UNSUBSCRIBE:<a class="m_-1760520282224978735moz-txt-link-freetext" href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a>
<a class="m_-1760520282224978735moz-txt-link-freetext" href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a></pre>
</blockquote>
<br>
<br>
</div><div bgcolor="#FFFFFF" text="#000000"><pre class="m_-1760520282224978735moz-signature" cols="72">--
With kind regards
Peter Steinbach
Telefaks Services GmbH
<a class="m_-1760520282224978735moz-txt-link-freetext" href="mailto:lists" target="_blank">mailto:lists</a> (att) <a href="http://telefaks.de" target="_blank">telefaks.de</a>
Internet: <a class="m_-1760520282224978735moz-txt-link-abbreviated" href="http://www.telefaks.de" target="_blank">www.telefaks.de</a>
</pre>
</div>
_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.org</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a></blockquote></div>