[Freeswitch-users] how to ban this spammer?

Michael Jerris mike at jerris.com
Wed Jun 4 22:41:38 MSD 2014


It's using challenge-based authentication, so it makes a request, the server challenges, then it makes the request again with auth headers.

On Jun 4, 2014, at 6:32 PM, Neo Haux <neo.haux at gmx.com> wrote:

> Thanks Michael,
> 
> Maybe it's related to SIP, not FreeSWITCH, but how can a SIP client ask FS to make an external call without authentication? Shouldn't it be banned from making any request by FS if it doesn't find this user already registered?
> 
> 
> Here is my list_users:
> 
> freeswitch at internal> list_users 
> userid|context|domain|group|contact|callgroup|effective_caller_id_name|effective_caller_id_number
> 100|default|192.168.1.1|default|sofia/internal/sip:100 at 192.168.1.1:5060|||
> 101|default|192.168.1.1|default|sofia/internal/sip:101 at 192.168.1.1:5061|||
> 102|default|192.168.1.1|default|error/user_not_registered|||
> 103|default|192.168.1.1|default|error/user_not_registered|||
> 104|default|192.168.1.1|default|error/user_not_registered|||
> 
> 
> 
> 
> Subject: Re: [Freeswitch-users] how to ban this spammer?
> From: Michael Jerris <mike at jerris.com>
> Date: 14-06-04 02:20 PM
> To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> Yes, if you blocked everything that was challenged you would probably block legitimate traffic. There is no "regex" that can tell you the difference between good and bad traffic like this; perhaps something that looks more specifically at traffic patterns could help, but that would be significant logic to find the right mix. You could do something with iptables for rate limiting that can minimize the effectiveness of attacks like this.
> 
> Mike
> 
> On Jun 4, 2014, at 5:59 PM, Neo Haux <neo.haux at gmx.com> wrote:
> 
> Hi all,
> 
> I am receiving hundreds of INVITE/minute and in the log I can see:
> 
> 2014-06-04 13:52:30.189371 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [340 at MyExternalIP] from ip 62.210.142.39
> 2014-06-04 13:52:42.789530 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [341 at MyExternalIP] from ip 62.210.142.39
> 2014-06-04 13:52:55.479999 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [341 at MyExternalIP] from ip 62.210.142.39
> 2014-06-04 13:53:08.289660 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [342 at MyExternalIP] from ip 62.210.142.39
> 2014-06-04 13:53:21.679512 [WARNING] sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'internal' for [342 at MyExternalIP] from ip 62.210.142.39
> 
> 
> In the /etc/fail2ban/filter.d/freeswitch.conf file I have these lines:
> 
> failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
>             \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
> 
> 
> You can see clearly that my logs contain the word "failure", not "auth challenge".
> 
> My question is: if I put "auth challenge" in my /etc/fail2ban/filter.d/freeswitch.conf, will I block regular known and authenticated SIP clients? If yes, could you help me find the right regex to stop this kind of spammer?
> 
> Thank you very much in advance.
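As an added example (not code from the thread or from FreeSWITCH or fail2ban), the Python below tests the thread's failregex against sample log lines and implements the kind of per-IP pattern check Mike alludes to: a phone that is challenged once and then authenticates is normal, while one address drawing challenges for many distinct user IDs inside a short window is the scanner. It assumes the sofia_reg.c warning format shown above; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# The thread's failregex, with fail2ban's <HOST> expanded to a named group.
FAILREGEX = [re.compile(p) for p in (
    r"\[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile '\w+' for \[.*\] from ip (?P<host>\S+)",
    r"\[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile '\w+' for \[.*\] from ip (?P<host>\S+)",
)]
# Matches both the "auth challenge" and "auth failure" warnings sofia_reg.c emits.
SOFIA_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[WARNING\] sofia_reg\.c:\d+ SIP auth (?P<kind>challenge|failure) "
    r"\(\w+\) on sofia profile '\w+' for \[(?P<user>[^@\]]+)@[^\]]+\] from ip (?P<ip>\S+)$")

def fail2ban_matches(line):
    """True if the thread's failregex (auth *failure* only) would fire on this line."""
    return any(p.search(line) for p in FAILREGEX)

def suspicious_ips(lines, window_s=60, max_challenges=10, max_users=3):
    """Flag an IP by the pattern of its challenges inside window_s: too many of them,
    or challenges for too many distinct user IDs (extension enumeration).
    A real phone that is challenged once and then authenticates never trips."""
    by_ip = defaultdict(list)
    for line in lines:
        m = SOFIA_RE.match(line)
        if m and m["kind"] == "challenge":
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            by_ip[m["ip"]].append((ts, m["user"]))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # sliding window starting at each challenge
            users = [u for t, u in evs[i:] if (t - t0).total_seconds() <= window_s]
            if len(users) > max_challenges or len(set(users)) > max_users:
                flagged[ip] = (len(users), len(set(users)))  # (challenges, distinct users)
                break
    return flagged

def _line(ts, kind, method, user, ip):  # builds one constructed log line
    return (f"2014-06-04 {ts} [WARNING] sofia_reg.c:1532 SIP auth {kind} ({method}) "
            f"on sofia profile 'internal' for [{user}@203.0.113.99] from ip {ip}")

# Constructed sample using RFC 5737 documentation addresses, not captured traffic.
CONSTRUCTED_LOG = [
    _line("13:52:30.189371", "challenge", "REGISTER", 340, "203.0.113.5"),   # scanner
    _line("13:52:42.789530", "challenge", "REGISTER", 341, "203.0.113.5"),
    _line("13:52:55.479999", "challenge", "REGISTER", 341, "203.0.113.5"),
    _line("13:53:08.289660", "challenge", "REGISTER", 342, "203.0.113.5"),
    _line("13:53:21.679512", "challenge", "REGISTER", 343, "203.0.113.5"),
    _line("13:52:31.000000", "failure", "INVITE", 1000, "198.51.100.8"),    # failregex fires
    _line("13:52:40.000000", "challenge", "REGISTER", 100, "198.51.100.7"),  # one normal phone
]
```

Run as `suspicious_ips(CONSTRUCTED_LOG)`: only the scanner address is returned, with 5 challenges for 4 different user IDs inside the window, while the single challenge from the normal phone is ignored.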


