[Freeswitch-users] Fail to ban rule for detecting INVITES with no challenge

Ítalo Rossi italorossib at gmail.com
Thu Mar 12 22:27:27 MSK 2015


I set the JIRA status as Needs Review, hope it gets merged soon.

On Thu, Mar 12, 2015 at 4:03 PM, Sergey Safarov <s.safarov at gmail.com> wrote:

> Ítalo, I have not rewritten the patch set to use network_addr in the caller
> profile, and the patch is not merged to master.
>
> Sergey
>
> On Thu, Mar 12, 2015 at 7:51 PM, Ítalo Rossi <italorossib at gmail.com>
> wrote:
>
>> Version?
>>
>> I'm almost sure this is already implemented in master.
>> On 12/03/2015 13:43, "Kyle King" <kyle.king at quentustech.com> wrote:
>>
>>> Have you tried mod_fail2ban?
>>>
>>> On March 12, 2015 12:28:16 PM EDT, Peter Steinbach <lists at telefaks.de>
>>> wrote:
>>>>
>>>> Hello,
>>>>
>>>> we receive a number of Invites from certain IPs, who want to break into
>>>> our system and call external premium rate numbers.
>>>> Unwanted registers we can block already, but we still have the issue to
>>>> block specific invites from fraudulent IPs inside the iptables firewall.
>>>>
>>>> In the Freeswitch log we see:
>>>> 2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New Channel
>>>> sofia/internal/149 at 10.11.12.13 [167bb9ee-c8d0-11e4-9f31-b39e581405c5]
>>>> 2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send
>>>> signal sofia/internal/149 at 10.11.12.13 [BREAK]
>>>> 2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send
>>>> signal sofia/internal/149 at 10.11.12.13 [BREAK]
>>>> 2015-03-12 16:54:38.381552 [DEBUG] switch_core_state_machine.c:472 (
>>>> sofia/internal/149 at 10.11.12.13) Running State Change CS_NEW
>>>> 2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841
>>>> sofia/internal/149 at 10.11.12.13 receiving invite from 155.94.64.26:5076
>>>> version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
>>>> 2015-03-12 16:54:38.381552 [DEBUG] sofia.c:9008 IP 15.194.164.26
>>>> Rejected by acl "domains". Falling back to Digest auth.
>>>> 2015-03-12 16:54:38.441582 [DEBUG] switch_core_state_machine.c:491 (
>>>> sofia/internal/149 at 10.11.12.13) State NEW
>>>> 2015-03-12 16:54:38.441582 [DEBUG] switch_core_session.c:1061 Send
>>>> signal sofia/internal/149 at 10.11.12.13 [BREAK]
>>>> 2015-03-12 16:54:38.441582 [DEBUG] sofia.c:2067 detaching session
>>>> 167bb9ee-c8d0-11e4-9f31-b39e581405c5
>>>> 2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572
>>>> 167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149 at 10.11.12.13
>>>> Abandoned
>>>>
>>>> The fraudulent IP here is 15.194.164.26 (anonymized of course). The IP
>>>> 10.11.12.13 is the (anonymized) IP of our server.
>>>>
>>>> The point here is: 15.194.164.26 is sending an INVITE, Freeswitch then
>>>> sends "authentication required". Freeswitch then logs this entry with
>>>> "Abandoned" (see last line above) and that's it.
>>>>
>>>> So is there any way to make Freeswitch show a log line with the
>>>> fraudulent IP 15.194.164.26 and some text like "abandoned"?
>>>> Example for extending a current log line:
>>>>     2015-03-12 16:54:48.461568 [WARNING]
>>>> switch_core_state_machine.c:572 167bb9ee-c8d0-11e4-9f31-b39e581405c5
>>>> sofia/internal/149 at 10.11.12.13 Abandoned for IP 15.194.164.26
>>>> This would enable us to process this entry with fail2ban and block this
>>>> IP in the Firewall.
>>>>
>>>> Any other hint is welcome.
>>>>
>>>> --
>>>> With kind regards
>>>> Marvin Keil
>>>>
>>>> Telefaks Services GmbH
>>>> mailto: lists (att) telefaks.de
>>>> Internet: www.telefaks.de
>>>>
>>>> ------------------------------
>>>>
>>>> Professional FreeSWITCH Consulting Services:
>>>> consulting at freeswitch.org
>>>> http://www.freeswitchsolutions.com
>>>>
>>>> Official FreeSWITCH Sites
>>>> http://www.freeswitch.org
>>>> http://confluence.freeswitch.org
>>>> http://www.cluecon.com
>>>>
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>
>>>>
>>> --
>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>>
>>
>
>



-- 
Ítalo Rossi
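
Added example (not from any poster in this thread and not FreeSWITCH code): the correlation asked for in the original question, done outside FreeSWITCH by joining the "receiving invite from" line to the later "Abandoned" line through the channel name and session UUID, then emitting one line that carries the source IP. The sample log is constructed from the format quoted above, with "@" restored and lines unwrapped; the 192.0.2.10 peer and the aaaaaaaa-... UUIDs are made up.

```python
import re
from collections import Counter

# Patterns follow the log format quoted in the thread (assumed unwrapped, "@" restored).
NEW_CHANNEL = re.compile(r"New Channel (\S+) \[([0-9a-f-]{36})\]")
INVITE_FROM = re.compile(r"sofia\.c:\d+ (\S+) receiving invite from (\d{1,3}(?:\.\d{1,3}){3}):\d+")
ABANDONED = re.compile(r"\[WARNING\] \S+ ([0-9a-f-]{36}) (\S+) Abandoned")


def abandoned_invite_sources(lines):
    """Return (timestamp, uuid, ip) for every session that ended as Abandoned."""
    uuid_by_channel = {}  # channel name -> UUID of its most recent session
    ip_by_uuid = {}       # session UUID -> source IP of the INVITE
    hits = []
    for line in lines:
        if m := NEW_CHANNEL.search(line):
            # Channel names repeat across calls, so always track the newest UUID.
            uuid_by_channel[m.group(1)] = m.group(2)
        elif m := INVITE_FROM.search(line):
            uuid = uuid_by_channel.get(m.group(1))
            if uuid:
                ip_by_uuid[uuid] = m.group(2)
        elif m := ABANDONED.search(line):
            ip = ip_by_uuid.pop(m.group(1), None)
            if ip:
                hits.append((line[:26], m.group(1), ip))  # first 26 chars = timestamp
    return hits


def fail2ban_lines(lines, threshold=1):
    """Single-line entries for IPs with at least `threshold` abandoned INVITEs."""
    hits = abandoned_invite_sources(lines)
    counts = Counter(ip for _, _, ip in hits)
    return [f"{ts} [WARNING] {uuid} Abandoned for IP {ip}"
            for ts, uuid, ip in hits if counts[ip] >= threshold]


# Constructed sample: two abandoned INVITEs from one source, one unrelated call.
SAMPLE = """\
2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/149@10.11.12.13 [167bb9ee-c8d0-11e4-9f31-b39e581405c5]
2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841 sofia/internal/149@10.11.12.13 receiving invite from 15.194.164.26:5076
2015-03-12 16:54:40.101000 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/200@10.11.12.13 [aaaaaaaa-0000-0000-0000-000000000001]
2015-03-12 16:54:40.101000 [DEBUG] sofia.c:8841 sofia/internal/200@10.11.12.13 receiving invite from 192.0.2.10:5060
2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572 167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149@10.11.12.13 Abandoned
2015-03-12 16:55:00.000000 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/149@10.11.12.13 [aaaaaaaa-0000-0000-0000-000000000002]
2015-03-12 16:55:00.000000 [DEBUG] sofia.c:8841 sofia/internal/149@10.11.12.13 receiving invite from 15.194.164.26:5076
2015-03-12 16:55:10.000000 [WARNING] switch_core_state_machine.c:572 aaaaaaaa-0000-0000-0000-000000000002 sofia/internal/149@10.11.12.13 Abandoned
""".splitlines()
```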