[Freeswitch-users] how to ban this spammer?
Neo Haux
neo.haux at gmx.com
Wed Jun 4 21:59:06 MSD 2014
Hi all,
I am receiving hundreds of INVITE/minute and in the log I can see:
/2014-06-04 13:52:30.189371 [WARNING] sofia_reg.c:1532 SIP auth
challenge (REGISTER) on sofia profile 'internal' for [340 at MyExternalIP]
from ip 62.210.142.39//
//2014-06-04 13:52:42.789530 [WARNING] sofia_reg.c:1532 SIP auth
challenge (REGISTER) on sofia profile 'internal' for [341 at MyExternalIP]
from ip 62.210.142.39//
//2014-06-04 13:52:55.479999 [WARNING] sofia_reg.c:1532 SIP auth
challenge (REGISTER) on sofia profile 'internal' for [341 at MyExternalIP]
from ip 62.210.142.39//
//2014-06-04 13:53:08.289660 [WARNING] sofia_reg.c:1532 SIP auth
challenge (REGISTER) on sofia profile 'internal' for [342 at MyExternalIP]
from ip 62.210.142.39//
//2014-06-04 13:53:21.679512 [WARNING] sofia_reg.c:1532 SIP auth
challenge (REGISTER) on sofia profile 'internal' for [342 at MyExternalIP]
from ip 62.210.142.39/
In the /etc/fail2ban/filter.d/freeswitch.conf file I have these lines:
/failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\)
on sofia profile \'\w+\' for \[.*\] from ip <HOST>
\[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on
sofia profile \'\w+\' for \[.*\] from ip <HOST>/
You can see clearly that my logs contain failure word not "auth challange".
My question is : If I put "auth challange" in my
/etc/fail2ban/filter.d/freeswitch.conf will I block regular known and
authenticated SIP clients ? If yes, could you help find the right regex
to stop this kind of spammers ?
Thank you very much in advance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20140604/51ffbe97/attachment.html
Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users
mailing list