<div dir="ltr">You could tell the name, SAS on France and OVH, they are both nest of bots.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jan 25, 2021 at 9:31 PM Ken Rice <<a href="mailto:krice@freeswitch.org">krice@freeswitch.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">this is super common. this is more likely a recon attack than an actual brute force attempt. Eother that they are looking for something with auth turned off. we see tons of these things regularly. Fail to ban helps some but using a SIP RBL and dropping traffic via prefixes associated with regions and bad actor hosts seems to be the best course of action these days.<br>
<br>
I wont name the company, but a mjor european hosting company i drop their entire AS as its not worth the hassle.<br>
<br>
Sent from my iPhone<br>
<br>
> On Jan 25, 2021, at 14:49, Marc Bernard <<a href="mailto:marcb@voicemeup.com" target="_blank">marcb@voicemeup.com</a>> wrote:<br>
> <br>
> Hello All,<br>
> <br>
> Is anyone else noticing that there is more and more scanners attempting<br>
> brute force with no reply to auth request resulting in logging a lot of<br>
> abandoned calls ?<br>
> <br>
> Scenario:<br>
> <br>
> - A scanner send an INVITE|REGISTER with no credentials<br>
> - Freeswitch responds with authentication request and a challenge is send to<br>
> logs;<br>
> "<br>
> 2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge<br>
> (REGISTER) on sofia profile 'public' for [<a href="mailto:1730@1.2.3.4" target="_blank">1730@1.2.3.4</a>] from ip 5.6.7.8"<br>
> - Scanner does not respond<br>
> - After a while, Freeswitch logs the following:<br>
> 2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078 [WARNING]<br>
> switch_core_state_machine.c:687 2ae23e93-c929-4089-a594-8e7af633ca88<br>
> sofia/public/<a href="mailto:1730@1.2.3.4" target="_blank">1730@1.2.3.4</a> Abandoned<br>
> <br>
> --<br>
> <br>
> In our case, we made fail2ban more sensitive to auth failures logs which<br>
> does not get triggered because of the scanner not even trying to send<br>
> credentials.<br>
> <br>
> Wouldn't it make more sense for this log to include the IP of sip client<br>
> that abandoned the call (5.6.7.8) instead of only the IP of the sip profile<br>
> (1.2.3.4) ?<br>
> <br>
> This would allow us to have Fail2ban block this scenario more aggressively.<br>
> <br>
> Thoughts ?<br>
> <br>
> <br>
> <br>
> <br>
> _________________________________________________________________________<br>
> <br>
> The FreeSWITCH project is sponsored by SignalWire <a href="https://signalwire.com" rel="noreferrer" target="_blank">https://signalwire.com</a><br>
> Enhance your FreeSWITCH install with disruptive priced SMS and PSTN services.<br>
> Build your next product on our scalable cloud platform.<br>
> <br>
> Join our online community to chat in real time <a href="https://signalwire.community" rel="noreferrer" target="_blank">https://signalwire.community</a><br>
> <br>
> Professional FreeSWITCH Services<br>
> <a href="mailto:sales@freeswitch.com" target="_blank">sales@freeswitch.com</a><br>
> <a href="https://freeswitch.com" rel="noreferrer" target="_blank">https://freeswitch.com</a><br>
> <br>
> Official FreeSWITCH Sites<br>
> <a href="https://freeswitch.com/oss" rel="noreferrer" target="_blank">https://freeswitch.com/oss</a><br>
> <a href="https://freeswitch.org/confluence" rel="noreferrer" target="_blank">https://freeswitch.org/confluence</a><br>
> <a href="https://cluecon.com" rel="noreferrer" target="_blank">https://cluecon.com</a><br>
> <br>
> FreeSWITCH-users mailing list<br>
> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
> <a href="https://freeswitch.com" rel="noreferrer" target="_blank">https://freeswitch.com</a><br>
<br>
_________________________________________________________________________<br>
<br>
The FreeSWITCH project is sponsored by SignalWire <a href="https://signalwire.com" rel="noreferrer" target="_blank">https://signalwire.com</a><br>
Enhance your FreeSWITCH install with disruptive priced SMS and PSTN services.<br>
Build your next product on our scalable cloud platform.<br>
<br>
Join our online community to chat in real time <a href="https://signalwire.community" rel="noreferrer" target="_blank">https://signalwire.community</a><br>
<br>
Professional FreeSWITCH Services<br>
<a href="mailto:sales@freeswitch.com" target="_blank">sales@freeswitch.com</a><br>
<a href="https://freeswitch.com" rel="noreferrer" target="_blank">https://freeswitch.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="https://freeswitch.com/oss" rel="noreferrer" target="_blank">https://freeswitch.com/oss</a><br>
<a href="https://freeswitch.org/confluence" rel="noreferrer" target="_blank">https://freeswitch.org/confluence</a><br>
<a href="https://cluecon.com" rel="noreferrer" target="_blank">https://cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="https://freeswitch.com" rel="noreferrer" target="_blank">https://freeswitch.com</a></blockquote></div>