[Freeswitch-users] Fail to ban rule for detecting INVITES with no challenge

Kyle King kyle.king at quentustech.com
Thu Mar 12 19:43:30 MSK 2015


Have you tried mod_fail2ban? 

On March 12, 2015 12:28:16 PM EDT, Peter Steinbach <lists at telefaks.de> wrote:
>Hello,
>
>we receive a number of Invites from certain IPs that want to break into
>our system and call external premium rate numbers.
>Unwanted registers we can block already, but we still have the issue of
>blocking specific invites from fraudulent IPs in the iptables
>firewall.
>
>In the Freeswitch log we see:
>2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New Channel
>sofia/internal/149 at 10.11.12.13 [167bb9ee-c8d0-11e4-9f31-b39e581405c5]
>2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send
>signal sofia/internal/149 at 10.11.12.13 [BREAK]
>2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send
>signal sofia/internal/149 at 10.11.12.13 [BREAK]
>2015-03-12 16:54:38.381552 [DEBUG] switch_core_state_machine.c:472
>(sofia/internal/149 at 10.11.12.13) Running State Change CS_NEW
>2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841
>sofia/internal/149 at 10.11.12.13 receiving invite from 155.94.64.26:5076
>version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
>2015-03-12 16:54:38.381552 [DEBUG] sofia.c:9008 IP 15.194.164.26
>Rejected by acl "domains". Falling back to Digest auth.
>2015-03-12 16:54:38.441582 [DEBUG] switch_core_state_machine.c:491
>(sofia/internal/149 at 10.11.12.13) State NEW
>2015-03-12 16:54:38.441582 [DEBUG] switch_core_session.c:1061 Send
>signal sofia/internal/149 at 10.11.12.13 [BREAK]
>2015-03-12 16:54:38.441582 [DEBUG] sofia.c:2067 detaching session
>167bb9ee-c8d0-11e4-9f31-b39e581405c5
>2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572
>167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149 at 10.11.12.13
>Abandoned   
>
>The fraudulent IP here is 15.194.164.26 (anonymized of course). The IP
>10.11.12.13 is the (anonymized) IP of our server.
>
>The point here is: 15.194.164.26 is sending an INVITE, Freeswitch then
>sends "authentication required". Freeswitch then logs this entry with
>"Abandoned" (see last line above) and that's it.
>
>So is there any way to make Freeswitch show a log line with the
>fraudulent IP 15.194.164.26 and some text like "abandoned"?
>Example of extending a current log line:
>   2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572
>167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149 at 10.11.12.13
>Abandoned for IP 15.194.164.26
>This would enable us to process this entry with fail2ban and block this
>IP in the Firewall.
>
>Any other hint is welcome.
>
>-- 
>With kind regards
>Marvin Keil 
>
>Telefaks Services GmbH
>mailto:lists (att) telefaks.de
>Internet: www.telefaks.de

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
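Since fail2ban evaluates one log line at a time, one way to get the single line the poster asks for is a small correlator that joins the "receiving invite from", "Rejected by acl" and "Abandoned" events per channel and emits an "Abandoned for IP ..." line. This is an added example, not code from the thread or from mod_fail2ban; it assumes the log formats quoted above, and the sample log, its addresses and the second UUID are constructed.

```python
import re

# Constructed sample log, modelled on the lines quoted in the thread. The addresses
# are documentation-range placeholders, not the poster's (anonymized) ones.
SAMPLE_LOG = """\
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841 sofia/internal/149@10.11.12.13 receiving invite from 192.0.2.10:5076 version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:9008 IP 192.0.2.10 Rejected by acl "domains". Falling back to Digest auth.
2015-03-12 16:54:40.000001 [DEBUG] sofia.c:8841 sofia/internal/1001@10.11.12.13 receiving invite from 198.51.100.7:5060 version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
2015-03-12 16:54:40.000002 [DEBUG] sofia.c:9008 IP 198.51.100.7 Rejected by acl "domains". Falling back to Digest auth.
2015-03-12 16:54:41.000001 [DEBUG] sofia.c:8841 sofia/internal/2002@10.11.12.13 receiving invite from 203.0.113.5:5060 version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
2015-03-12 16:54:46.000001 [WARNING] switch_core_state_machine.c:572 7c1b2e40-0000-4000-8000-000000000002 sofia/internal/2002@10.11.12.13 Abandoned
2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572 167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149@10.11.12.13 Abandoned
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)"
INVITE_RE = re.compile(rf"(?P<chan>sofia/\S+) receiving invite from (?P<ip>{IPV4}):\d+")
ACL_RE = re.compile(rf'IP (?P<ip>{IPV4}) Rejected by acl "[^"]*"\. Falling back to Digest auth')
ABANDONED_RE = re.compile(rf"^{TS} \[WARNING\] \S+ (?P<uuid>[0-9a-f-]{{36}}) (?P<chan>sofia/\S+) Abandoned\s*$")


def abandoned_unauthenticated_invites(log_text):
    """Return (timestamp, source_ip, uuid) for every INVITE whose sender failed
    the ACL (so it was challenged with Digest auth) and then never answered,
    leaving the channel Abandoned. The channel name is the join key: the invite
    line carries channel + IP, the Abandoned line carries channel + UUID."""
    invite_ip = {}      # channel name -> source IP of its most recent INVITE
    challenged = set()  # IPs that failed the ACL and were sent a Digest challenge
    hits = []
    for line in log_text.splitlines():
        if m := INVITE_RE.search(line):
            invite_ip[m.group("chan")] = m.group("ip")
        elif m := ACL_RE.search(line):
            challenged.add(m.group("ip"))
        elif m := ABANDONED_RE.match(line):
            ip = invite_ip.pop(m.group("chan"), None)  # channel names get reused
            if ip is not None and ip in challenged:    # ACL-trusted peers are not flagged
                hits.append((m.group("ts"), ip, m.group("uuid")))
    return hits


def fail2ban_lines(log_text):
    """Render each hit as one line in the shape the poster asked for, so a
    single-line fail2ban failregex such as 'Abandoned for IP <HOST>$' can match it."""
    return [f"{ts} [WARNING] {uuid} Abandoned for IP {ip}"
            for ts, ip, uuid in abandoned_unauthenticated_invites(log_text)]


if __name__ == "__main__":
    print("\n".join(fail2ban_lines(SAMPLE_LOG)))
```

The channel from 203.0.113.5 is abandoned too but never appears in a "Rejected by acl" line, so it is treated as an ACL-trusted peer and not reported.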