<div dir="ltr">Thanks to all.<br><br>Effectively, in this case I had not detected it since the previous scans were much clearer and more abusive. I already had fail2ban in mind for that purpose.<br><br>I also use a database for the users so I do not rule out applying any specific functionality like Don's.<br><br>Thanks again.<div><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><p style="font-size:12.8px"><span style="font-size:12.8px">José David Jurado Alonso</span></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Aug 22, 2018 at 21:57, Don Hawkins (&lt;<a href="mailto:hawkins@hawkinsegroup.com">hawkins@hawkinsegroup.com</a>&gt;) wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">Yeah, just to back up Michael and provide a little more detail - this is totally normal. We've been dealing with SIP scanners since day one and 1001 is for sure their favorite username.<div dir="auto"><br></div><div dir="auto">fail2ban has its benefits in this area but at least in my case tends to ban valid IPs/SIP endpoints that register too often regardless of what settings/rules we provide.</div><div dir="auto"><br></div><div dir="auto">Since you're using a database for SIP users I'd recommend creating a custom solution as we've been forced to do. Basically authentication attempts using unrecognized usernames have their IP blocked after 10 or so attempts. 
Also any registration attempted via IP and not an authorized domain (1001@myip vs 1001@thesipdomain) is automatically blocked using iptables.</div><div dir="auto"><br></div><div dir="auto">Hope this helps!<br><br><div data-smartmail="gmail_signature" dir="auto">Sent from my NationPCS Galaxy Note 5</div></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Aug 21, 2018, 5:51 PM Jose David Jurado Alonso &lt;<a href="mailto:josedavid@zennio.com" target="_blank">josedavid@zennio.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<br><br><br>I'm just observing in the log that user 1001 (and other random users like '55340115419480247') is continuously creating and closing channels.<br><br>Those users don't exist (I deleted the folder "directory" since I use a database with different user names, no numbers).<br><br>I've searched for any reference to user 1001 in all the configuration and haven't found anything (using "grep -r '1001' /etc/freeswitch/*")<br><br>Any idea why this happens? 
A bot or spider maybe?<div><br></div><div><br><br>Log trace example:<br><br></div><div><div>2018-08-21 09:34:50.448541 [WARNING] switch_core_state_machine.c:687 1f89de01-b82f-44fa-9b91-9d111c44e220 sofia/internal/1001@192.168.1.120 Abandoned</div>
<div>2018-08-21 09:34:50.448541 [NOTICE] switch_core_state_machine.c:690 Hangup sofia/internal/1001@192.168.1.120 [CS_NEW] [WRONG_CALL_STATE]</div>
<div>2018-08-21 09:34:50.448541 [NOTICE] switch_core_session.c:1731 Session 291 (sofia/internal/1001@192.168.1.120) Ended</div>
<div>2018-08-21 09:34:50.448541 [NOTICE] switch_core_session.c:1735 Close Channel sofia/internal/1001@192.168.1.120 [CS_DESTROY]</div>
<div>2018-08-21 09:34:51.288542 [NOTICE] switch_channel.c:1104 New Channel sofia/internal/1001@192.168.1.120 [f8be20e3-1244-48bb-a89b-7b49382726af]</div>
<div>2018-08-21 09:34:52.568543 [WARNING] switch_core_state_machine.c:687 bae7044c-4915-4a9a-9265-6e48e969ffec sofia/internal/55340115419480247@192.168.1.120 Abandoned</div>
<div>2018-08-21 09:34:52.568543 [NOTICE] switch_core_state_machine.c:690 Hangup sofia/internal/55340115419480247@192.168.1.120 [CS_NEW] [WRONG_CALL_STATE]</div>
<div>2018-08-21 09:34:52.568543 [NOTICE] switch_core_session.c:1731 Session 292 (sofia/internal/55340115419480247@192.168.1.120) Ended</div>
<div>2018-08-21 09:34:52.568543 [NOTICE] switch_core_session.c:1735 Close Channel sofia/internal/55340115419480247@192.168.1.120 [CS_DESTROY]</div>
<div>2018-08-21 09:34:52.848563 [WARNING] switch_core_state_machine.c:687 a0a39ab8-f109-468b-8136-3ebf044c2ffd sofia/internal/1001@192.168.1.120 Abandoned</div>
<div>2018-08-21 09:34:52.848563 [NOTICE] switch_core_state_machine.c:690 Hangup sofia/internal/1001@192.168.1.120 [CS_NEW] [WRONG_CALL_STATE]</div>
<div>2018-08-21 09:34:52.848563 [NOTICE] switch_core_session.c:1731 Session 293 (sofia/internal/1001@192.168.1.120) Ended</div>
<div>2018-08-21 09:34:52.848563 [NOTICE] switch_core_session.c:1735 Close Channel sofia/internal/1001@192.168.1.120 [CS_DESTROY]</div>
<div>2018-08-21 09:34:54.248541 [NOTICE] switch_channel.c:1104 New Channel sofia/internal/1001@192.168.1.120 [ef2d84f4-89e5-453d-89df-8280b129b42b]</div>
<div>2018-08-21 09:34:55.148543 [WARNING] switch_core_state_machine.c:687 9f1804f2-80d0-4fad-8e43-40f0cf2777e9 sofia/internal/1001@192.168.1.120 Abandoned</div></div><div><br></div><div><br></div><div>José D. Jurado Alonso</div></div>
_________________________________________________________________________<br>
Professional FreeSWITCH Services<br>
<a href="mailto:sales@freeswitch.com" rel="noreferrer" target="_blank">sales@freeswitch.com</a><br>
<a href="https://freeswitch.com" rel="noreferrer noreferrer" target="_blank">https://freeswitch.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="https://freeswitch.com/oss" rel="noreferrer noreferrer" target="_blank">https://freeswitch.com/oss</a><br>
<a href="https://freeswitch.org/confluence" rel="noreferrer noreferrer" target="_blank">https://freeswitch.org/confluence</a><br>
<a href="https://cluecon.com" rel="noreferrer noreferrer" target="_blank">https://cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" rel="noreferrer" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer noreferrer" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="https://freeswitch.com" rel="noreferrer noreferrer" target="_blank">https://freeswitch.com</a></blockquote></div>
</blockquote></div>
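<p>Added example, not code from the thread or from FreeSWITCH: the two blocking rules Don describes (immediate block for requests addressed to a bare IP or other unauthorized domain, block after 10 attempts with unrecognized usernames), applied to (source IP, SIP URI) pairs. The user set, domain, allowlist, class and function names and the sample events are all assumptions constructed for illustration; how the pairs are extracted from FreeSWITCH is left to the caller.</p>

```python
import ipaddress
from collections import Counter

# All values below are constructed for illustration; none come from the thread.
KNOWN_USERS = {"alice", "bob"}  # stands in for the SIP user database
AUTHORIZED_DOMAINS = {"sip.example.com"}  # the "thesipdomain" side of the check
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8")]  # trusted endpoints, never banned
MAX_UNKNOWN = 10  # "10 or so attempts"

class ScannerFilter:
    def __init__(self):
        self.unknown = Counter()  # source IP -> attempts with unknown usernames
        self.blocked = {}         # source IP -> reason it was blocked

    def observe(self, src, sip_uri):
        """Return a firewall argv list if this attempt triggers a block, else None."""
        ip = ipaddress.ip_address(src)  # ValueError on junk: raw log text never reaches a command
        key = str(ip)
        if key in self.blocked or any(ip in net for net in NEVER_BLOCK):
            return None
        user, _, host = sip_uri.rpartition("@")
        if host.lower() not in AUTHORIZED_DOMAINS:
            return self._block(ip, "addressed to %r, not an authorized domain" % host)
        if user not in KNOWN_USERS:
            self.unknown[key] += 1
            if self.unknown[key] >= MAX_UNKNOWN:
                return self._block(ip, "%d attempts with unknown usernames" % MAX_UNKNOWN)
        return None  # known user on an authorized domain: never counted, however often

    def _block(self, ip, reason):
        self.blocked[str(ip)] = reason
        tool = "ip6tables" if ip.version == 6 else "iptables"
        return [tool, "-I", "INPUT", "-s", str(ip), "-j", "DROP"]

def replay(events):
    """Feed (source_ip, sip_uri) pairs through a fresh filter; return (filter, commands)."""
    flt = ScannerFilter()
    cmds = [c for c in (flt.observe(s, u) for s, u in events) if c]
    return flt, cmds

# Constructed sample events using documentation address ranges.
SAMPLE = (
    [("203.0.113.7", "1001@192.0.2.10")]                        # addressed to a bare IP
    + [("198.51.100.23", "1001@sip.example.com")] * 9
    + [("198.51.100.23", "55340115419480247@sip.example.com")]  # 10th unknown username
    + [("198.51.100.50", "alice@sip.example.com")] * 20         # valid user re-registering
    + [("10.0.0.5", "1001@10.0.0.1")]                           # allowlisted source
)
```

<p>Because only unknown usernames are counted, a valid endpoint that re-registers frequently never reaches the threshold, which is the false-positive case mentioned for fail2ban above.</p>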