<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML con formato previo Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.EstiloCorreo17
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.HTMLconformatoprevioCar
{mso-style-name:"HTML con formato previo Car";
mso-style-priority:99;
mso-style-link:"HTML con formato previo";
font-family:Consolas;
color:black;
mso-fareast-language:EN-US;}
span.EstiloCorreo20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=ES link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Thank you very much, Peter!<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='color:windowtext;mso-fareast-language:ES'>From:</span></b><span lang=EN-US style='color:windowtext;mso-fareast-language:ES'> FreeSWITCH-users [mailto:freeswitch-users-bounces@lists.freeswitch.org] <b>On behalf of </b>Peter Steinbach<br><b>Sent:</b> Friday, December 15, 2017 18:46<br><b>To:</b> FreeSWITCH Users Help &lt;freeswitch-users@lists.freeswitch.org&gt;<br><b>Subject:</b> Re: [Freeswitch-users] how to block requests with From Ip equal to server interface IP?<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><div><p class=MsoNormal>Hello Miguel,<br><br>see here<br><a href="http://lists.freeswitch.org/pipermail/freeswitch-users/2011-April/071796.html">http://lists.freeswitch.org/pipermail/freeswitch-users/2011-April/071796.html</a><br>You will need to change the line <br>search="friendly-scanner"<br>to<br>search="<span lang=EN-US>Z 3.14.38765 rv2.8.3</span>"<br><br>This worked for me.<br>Best regards Peter<br><br><br>On 12/15/17 18:32, Miguel Jesús López Valverde wrote:<span style='font-size:12.0pt;mso-fareast-language:ES'><o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US>Good afternoon everyone</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>I get a new query regarding a type of attack that our freeswitch servers receive constantly in case someone knows how 
to block them.</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>These are INVITE or REGISTER requests in which the FROM: field arrives with the IP and port equal to the public interface of the server, so the different protection options that I have tried have not blocked these requests:</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>- IpTables cannot filter by the information From the INVITE message.</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>- Fail2Ban is as limited as IpTables.</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>- ACLs have not managed to filter these requests.</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>Does anyone know any way to block these requests?</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>I send here a trace with an INVITE message where you can see a request of this type.</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal>Thanks and best regards.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>U 2017/12/14 18:32:55.156886 185.107.94.121:11120 -> 182.30.1.194:5060<o:p></o:p></p><p class=MsoNormal>INVITE <a href="sip:390239297988@">sip:390239297988@</a> 182.30.1.194:5060;transport=UDP SIP/2.0.<o:p></o:p></p><p class=MsoNormal>Via: SIP/2.0/UDP 122.221.117.131:5060;branch=z9hG4bK-524287-1---xi3qy2kz737ni404.<o:p></o:p></p><p class=MsoNormal><span lang=EN-US>Max-Forwards: 70.</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>Contact: <a href="mailto:sip:15714000000@122.221.117.131:5060;transport=UDP"><sip:15714000000@122.221.117.131:5060;transport=UDP></a>.</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>To: <<a 
href="sip:390239297988@%20182.30.1.194;transport=UDP">sip:390239297988@ 182.30.1.194;transport=UDP</a>>.</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>From: <a href="mailto:sip:15714000000@182.30.1.194;transport=UDP"><sip:15714000000@ 182.30.1.194;transport=UDP></a>;tag=hlzg2jcv.</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>Call-ID: KaQqH51mAcFv34qN8cGyv3...</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>CSeq: 1 INVITE.</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>Content-Type: application/sdp.</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>User-Agent: Z 3.14.38765 rv2.8.3.</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>Allow-Events: presence, kpml, talk.</span><o:p></o:p></p><p class=MsoNormal>Content-Length: 0.<o:p></o:p></p><p class=MsoNormal>.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p>
</blockquote><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:ES'><br><br><br><o:p></o:p></span></p><pre>-- <o:p></o:p></pre><pre>With kind regards<o:p></o:p></pre><pre>Peter Steinbach <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Telefaks Services 
GmbH<o:p></o:p></pre><pre><a href="mailto:lists">mailto:lists</a> (att) telefaks.de<o:p></o:p></pre><pre>Internet: <a href="http://www.telefaks.de">www.telefaks.de</a><o:p></o:p></pre><pre><o:p> </o:p></pre></div></body></html>