[Freeswitch-users] Fail to ban rule for detecting INVITES with no challenge

Peter Steinbach lists at telefaks.de
Thu Mar 12 19:28:16 MSK 2015


Hello,

We receive a number of INVITEs from certain IPs who want to break into
our system and call external premium-rate numbers.
Unwanted REGISTERs we can block already, but we still have the issue of
blocking specific INVITEs from fraudulent IPs inside the iptables firewall.

In the Freeswitch log we see:
2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New Channel
sofia/internal/149 at 10.11.12.13 [167bb9ee-c8d0-11e4-9f31-b39e581405c5]
2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send
signal sofia/internal/149 at 10.11.12.13 [BREAK]
2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send
signal sofia/internal/149 at 10.11.12.13 [BREAK]
2015-03-12 16:54:38.381552 [DEBUG] switch_core_state_machine.c:472
(sofia/internal/149 at 10.11.12.13) Running State Change CS_NEW
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841
sofia/internal/149 at 10.11.12.13 receiving invite from 155.94.64.26:5076
version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:9008 IP 15.194.164.26
Rejected by acl "domains". Falling back to Digest auth.
2015-03-12 16:54:38.441582 [DEBUG] switch_core_state_machine.c:491
(sofia/internal/149 at 10.11.12.13) State NEW
2015-03-12 16:54:38.441582 [DEBUG] switch_core_session.c:1061 Send
signal sofia/internal/149 at 10.11.12.13 [BREAK]
2015-03-12 16:54:38.441582 [DEBUG] sofia.c:2067 detaching session
167bb9ee-c8d0-11e4-9f31-b39e581405c5
2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572
167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149 at 10.11.12.13
Abandoned   

The fraudulent IP here is 15.194.164.26 (anonymized of course). The IP
10.11.12.13 is the (anonymized) IP of our server.

The point here is: 15.194.164.26 is sending an INVITE, Freeswitch then
sends "authentication required". Freeswitch then logs this entry with
"Abandoned" (see last line above) and that's it.

So is there any way to make Freeswitch show a log line with the
fraudulent IP 15.194.164.26 and some text like "abandoned"?
Example for extending a current log line:
    2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572
167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149 at 10.11.12.13
Abandoned for IP 15.194.164.26
This would enable us to process this entry with fail2ban and block this
IP in the Firewall.

Any other hint is welcome.

-- 
With kind regards
Marvin Keil 

Telefaks Services GmbH
mailto:lists (att) telefaks.de
Internet: www.telefaks.de
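
As an added example (not part of this post and not FreeSWITCH's own code), a small Python script that does on the log side what the post asks for: it ties the "receiving invite from <ip>" line to the later "Abandoned" line through the channel name and UUID, and synthesizes a line of the form "Abandoned for IP x.x.x.x" that a fail2ban failregex can match. The log lines it parses are constructed from the excerpt above, with "@" restored where the list archive shows " at " and RFC 5737 documentation addresses in place of the real ones.

```python
import re
from collections import Counter

# Constructed sample modelled on the post's excerpt: one challenged INVITE that
# ends in "Abandoned", followed by an unrelated call that proceeds normally.
SAMPLE_LOG = """\
2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/149@10.11.12.13 [167bb9ee-c8d0-11e4-9f31-b39e581405c5]
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841 sofia/internal/149@10.11.12.13 receiving invite from 203.0.113.26:5076 version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:9008 IP 203.0.113.26 Rejected by acl "domains". Falling back to Digest auth.
2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572 167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149@10.11.12.13 Abandoned
2015-03-12 16:55:02.100000 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/1001@10.11.12.13 [0d4c1c6e-0000-4000-8000-000000000001]
2015-03-12 16:55:02.100000 [DEBUG] sofia.c:8841 sofia/internal/1001@10.11.12.13 receiving invite from 192.0.2.10:5060 version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
2015-03-12 16:55:02.300000 [DEBUG] switch_core_state_machine.c:491 (sofia/internal/1001@10.11.12.13) State ROUTING
"""

NEW_CHANNEL = re.compile(r"New Channel (?P<chan>\S+) \[(?P<uuid>[0-9a-f-]{36})\]")
INVITE_FROM = re.compile(r"(?P<chan>\S+) receiving invite from (?P<ip>[\d.]+):\d+")
ABANDONED = re.compile(r"(?P<uuid>[0-9a-f-]{36}) (?P<chan>\S+) Abandoned\b")


def correlate(lines):
    """Yield (timestamp, ip, uuid) for each channel whose INVITE came from `ip`
    and was later logged as Abandoned; the facts sit on three separate lines."""
    chan_by_uuid, ip_by_chan = {}, {}
    for line in lines:
        if m := NEW_CHANNEL.search(line):
            chan_by_uuid[m["uuid"]] = m["chan"]        # uuid -> channel name
        elif m := INVITE_FROM.search(line):
            ip_by_chan[m["chan"]] = m["ip"]            # channel name -> source IP
        elif m := ABANDONED.search(line):
            chan = chan_by_uuid.pop(m["uuid"], m["chan"])
            if ip := ip_by_chan.pop(chan, None):
                yield line[:26], ip, m["uuid"]         # first 26 chars = timestamp


def abandoned_lines(text):
    """The synthesized lines the post asks for; a fail2ban failregex of
    'Abandoned for IP <HOST>' would match them."""
    return [f"{ts} [WARNING] {uuid} Abandoned for IP {ip}"
            for ts, ip, uuid in correlate(text.splitlines())]


def ban_candidates(text, maxretry=3):
    """Source IPs with at least `maxretry` abandoned INVITEs. A legitimate phone
    is also challenged before it re-sends the INVITE with credentials, so keep a
    threshold here and list your own networks in fail2ban's ignoreip."""
    hits = Counter(ip for _, ip, _ in correlate(text.splitlines()))
    return sorted(ip for ip, n in hits.items() if n >= maxretry)
```

Run the synthesized lines into a file that a fail2ban jail watches, or feed `ban_candidates` straight to your own iptables wrapper.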


