<div dir="ltr"><div>Having your server IP in the From header is not necessarily incorrect. They aren't necessarily saying that they are sending from that IP; it could be them saying they are a user registered on your server. I'd block it based on something else such as user-agent or fail2ban. </div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 15 December 2017 at 17:32, Miguel Jesús López Valverde <span dir="ltr">&lt;<a href="mailto:mjlopez@smartic.es" target="_blank">mjlopez@smartic.es</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="ES" link="#0563C1" vlink="#954F72"><div class="m_-8919491363007729199WordSection1"><p class="MsoNormal"><span lang="EN-US">Good afternoon everyone<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-US">I have a new query regarding a type of attack that our freeswitch servers receive constantly, in case someone knows how to block them.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-US">These are INVITE or REGISTER requests in which the FROM: field arrives with the IP and port equal to the public interface of the server, so the different protection options that I have tried have not blocked these requests:<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-US">- IpTables cannot filter by the information From the INVITE message.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US">- Fail2Ban is as limited as IpTables.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US">- ACLs have not managed to filter these requests.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-US">Does anyone know any way 
to block these requests?<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-US">I send here a trace with an INVITE message where you can see a request of this type.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal">Thanks and best regards.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">U 2017/12/14 18:32:55.156886 185.107.94.121:11120 -&gt; 182.30.1.194:5060<u></u><u></u></p><p class="MsoNormal">INVITE sip:390239297988@ 182.30.1.194:5060;transport=UDP SIP/2.0.<u></u><u></u></p><p class="MsoNormal">Via: SIP/2.0/UDP 122.221.117.131:5060;branch=z9hG4bK-524287-1---xi3qy2kz737ni404.<u></u><u></u></p><p class="MsoNormal"><span lang="EN-US">Max-Forwards: 70.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US">Contact: &lt;sip:15714000000@122.221.117.131:5060;transport=UDP&gt;.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US">To: &lt;sip:390239297988@ 182.30.1.194;transport=UDP&gt;.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US">From: &lt;sip:15714000000@ 182.30.1.194;transport=UDP&gt;;tag=hlzg2jcv.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US">Call-ID: KaQqH51mAcFv34qN8cGyv3...<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US">CSeq: 1 INVITE.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US">Content-Type: application/sdp.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US">User-Agent: Z 3.14.38765 rv2.8.3.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US">Allow-Events: presence, kpml, 
talk.<u></u><u></u></span></p><p class="MsoNormal">Content-Length: 0.<u></u><u></u></p><p class="MsoNormal">.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p></div></div><br>______________________________<wbr>______________________________<wbr>_____________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.<wbr>freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.<wbr>org</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.<wbr>freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>mailman/listinfo/freeswitch-<wbr>users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.<wbr>freeswitch.org/mailman/<wbr>options/freeswitch-users</a><br>
</blockquote></div><br></div>
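<p>The reply's suggestion, as an added example that is not part of the original thread: parse an ngrep-style capture, treat a From host equal to the server IP as context only, and select source IPs to ban on User-Agent. The capture is constructed from the trace in the post; <code>KNOWN_PEERS</code>, the <code>UA_DENY</code> pattern and all function names are assumptions.</p>

```python
import re
from collections import Counter

SERVER_IP = "182.30.1.194"             # server address as it appears in the trace
KNOWN_PEERS = {"198.51.100.10"}        # assumption: source IPs of your own endpoints
UA_DENY = [re.compile(r"^Z 3\.14\.")]  # assumption: a User-Agent your phones never send
PACKET = re.compile(r"^U \S+ \S+ (\d+\.\d+\.\d+\.\d+):\d+ -> ")  # ngrep packet line
FROM_HOST = re.compile(r"sips?:(?:[^@>;]*@)?([^:;>\s]+)")        # host part of From URI

# Constructed capture in ngrep layout, modelled on the trace in the post.
SAMPLE = """\
U 2017/12/14 18:32:55.156886 185.107.94.121:11120 -> 182.30.1.194:5060
INVITE sip:390239297988@182.30.1.194:5060;transport=UDP SIP/2.0.
From: <sip:15714000000@182.30.1.194;transport=UDP>;tag=hlzg2jcv.
User-Agent: Z 3.14.38765 rv2.8.3.
.
U 2017/12/14 18:33:01.000000 198.51.100.10:5060 -> 182.30.1.194:5060
REGISTER sip:182.30.1.194 SIP/2.0.
From: <sip:1001@182.30.1.194>;tag=a1.
User-Agent: ExamplePhone 1.0.
"""

def parse_capture(text):
    msgs = []
    for raw in text.splitlines():
        m = PACKET.match(raw)
        line = raw[:-1] if raw.endswith(".") else raw  # ngrep prints CR as "."
        if m:
            msgs.append({"src": m.group(1), "method": None, "headers": {}})
        elif not msgs or not line.strip():
            continue
        elif msgs[-1]["method"] is None:
            msgs[-1]["method"] = line.split(" ", 1)[0]   # request line
        elif ":" in line:
            name, value = line.split(":", 1)
            msgs[-1]["headers"][name.strip().lower()] = value.strip()
    return msgs

def classify(msg):
    # From == server IP is context only (registered users send it too); the ban
    # decision rests on the User-Agent and on the source not being a known peer.
    host = FROM_HOST.search(msg["headers"].get("from", ""))
    ua = msg["headers"].get("user-agent", "")
    denied = any(p.search(ua) for p in UA_DENY) and msg["src"] not in KNOWN_PEERS
    return {"from_is_server": bool(host) and host.group(1) == SERVER_IP, "ban": denied}

def ban_candidates(msgs, threshold=1):
    hits = Counter(m["src"] for m in msgs if classify(m)["ban"])
    return sorted(ip for ip, n in hits.items() if n >= threshold)  # IPs to hand to fail2ban
```

<p>Both sample requests carry the server IP in From, but only the one with the denied User-Agent from an unknown source is selected, and the ban is keyed on the packet's source address, which is what fail2ban and iptables act on.</p>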