[Freeswitch-users] Fail to ban rule for detecting INVITES with no challenge

Ken Rice krice at freeswitch.org
Thu Mar 12 23:46:00 MSK 2015


Is there a pull request on that?


On 3/12/15, 1:27 PM, "Ítalo Rossi" <italorossib at gmail.com> wrote:

> I set the JIRA status as Needs Review, hope it gets merged soon.
> 
> On Thu, Mar 12, 2015 at 4:03 PM, Sergey Safarov <s.safarov at gmail.com> wrote:
>> Ítalo, I have not rewritten the patch set to use network_addr in the caller
>> profile, and the patch is not merged to master.
>> 
>> Sergey
>> 
>> On Thu, Mar 12, 2015 at 7:51 PM, Ítalo Rossi <italorossib at gmail.com> wrote:
>>> 
>>> Version?
>>> 
>>> I'm almost sure this is already implemented in master.
>>> 
>>> On 12/03/2015 13:43, "Kyle King" <kyle.king at quentustech.com> wrote:
>>>> Have you tried mod_fail2ban?
>>>> 
>>>> On March 12, 2015 12:28:16 PM EDT, Peter Steinbach <lists at telefaks.de>
>>>> wrote:
>>>>>  Hello,
>>>>>  
>>>>>  we receive a number of Invites from certain IPs, who want to break into
>>>>> our system and call external premium rate numbers.
>>>>>  Unwanted registers we can block already, but we still have the issue to
>>>>> block specific invites from fraudulent IPs inside the iptables firewall.
>>>>>  
>>>>>  In the Freeswitch log we see:
>>>>>  2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New Channel
>>>>> sofia/internal/149@10.11.12.13 [167bb9ee-c8d0-11e4-9f31-b39e581405c5]
>>>>>  2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send signal
>>>>> sofia/internal/149@10.11.12.13 [BREAK]
>>>>>  2015-03-12 16:54:38.381552 [DEBUG] switch_core_session.c:1061 Send signal
>>>>> sofia/internal/149@10.11.12.13 [BREAK]
>>>>>  2015-03-12 16:54:38.381552 [DEBUG] switch_core_state_machine.c:472
>>>>> (sofia/internal/149@10.11.12.13) Running State Change CS_NEW
>>>>>  2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841
>>>>> sofia/internal/149@10.11.12.13 receiving invite from 155.94.64.26:5076
>>>>> version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit
>>>>>  2015-03-12 16:54:38.381552 [DEBUG] sofia.c:9008 IP 15.194.164.26 Rejected
>>>>> by acl "domains". Falling back to Digest auth.
>>>>>  2015-03-12 16:54:38.441582 [DEBUG] switch_core_state_machine.c:491
>>>>> (sofia/internal/149@10.11.12.13) State NEW
>>>>>  2015-03-12 16:54:38.441582 [DEBUG] switch_core_session.c:1061 Send signal
>>>>> sofia/internal/149@10.11.12.13 [BREAK]
>>>>>  2015-03-12 16:54:38.441582 [DEBUG] sofia.c:2067 detaching session
>>>>> 167bb9ee-c8d0-11e4-9f31-b39e581405c5
>>>>>  2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572
>>>>> 167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149@10.11.12.13
>>>>> Abandoned
>>>>>  
>>>>>  The fraudulent IP here is 15.194.164.26 (anonymized of course). The IP
>>>>> 10.11.12.13 is the (anonymized) IP of our server.
>>>>>  
>>>>>  The point here is: 15.194.164.26 is sending an INVITE, Freeswitch then
>>>>> sends "authentication required". Freeswitch then logs this entry with
>>>>> "Abandoned" (see last line above) and that's it.
>>>>>  
>>>>>  So is there any way to make Freeswitch show up a log line with the
>>>>> fraudulent IP 15.194.164.26 and some text like "abandoned"?
>>>>>  Example for extending a current log line:
>>>>>      2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572
>>>>> 167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149@10.11.12.13
>>>>> Abandoned for IP 15.194.164.26
>>>>>  This would enable us to process this entry with fail2ban and block this
>>>>> IP in the Firewall.
>>>>>  
>>>>>  Any other hint is welcome.
>>>>>  

-- 
Ken
http://www.FreeSWITCH.org
http://www.ClueCon.com
http://www.OSTAG.org
irc.freenode.net #freeswitch
Twitter: @FreeSWITCH
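
Added example (not part of the thread, and not FreeSWITCH or fail2ban code): the "Abandoned" line carries only the session UUID, so the source IP has to be joined in from the earlier "New Channel" and "receiving invite from" lines. The sketch below does that join outside FreeSWITCH and emits one line per abandoned INVITE in the "Abandoned for IP" form asked for above. It assumes one log entry per line in the quoted format; the function names, addresses and second UUID are constructed.

```python
import re

# Patterns follow the FreeSWITCH log lines quoted in the thread, one entry per
# line (unwrapped), with "@" in the channel name.
NEW_RE = re.compile(r"New Channel (?P<chan>sofia/\S+) \[(?P<uuid>[0-9a-f-]{36})\]")
INVITE_RE = re.compile(r"sofia\.c:\d+ (?P<chan>sofia/\S+) receiving invite from "
                       r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+")
ABANDONED_RE = re.compile(r"^(?P<ts>\S+ \S+) \[WARNING\] \S+ "
                          r"(?P<uuid>[0-9a-f-]{36}) (?P<chan>sofia/\S+) Abandoned")

def abandoned_invites(lines, max_pending=10000):
    """Return (timestamp, channel, source_ip) for every abandoned INVITE."""
    latest_uuid = {}  # channel name -> UUID from its most recent "New Channel"
    ip_by_uuid = {}   # session UUID -> source IP of the INVITE that opened it
    hits = []
    for line in lines:
        if m := NEW_RE.search(line):
            latest_uuid[m["chan"]] = m["uuid"]
        elif m := INVITE_RE.search(line):
            # Channel names repeat across callers, so key on the UUID instead.
            uuid = latest_uuid.pop(m["chan"], None)
            if uuid is not None:
                if len(ip_by_uuid) >= max_pending:  # bound memory in a flood
                    ip_by_uuid.pop(next(iter(ip_by_uuid)))
                ip_by_uuid[uuid] = m["ip"]
        elif m := ABANDONED_RE.search(line):
            ip = ip_by_uuid.pop(m["uuid"], None)
            if ip is not None:
                hits.append((m["ts"], m["chan"], ip))
    return hits

def to_log_lines(hits):
    """Format hits as single lines that carry the source IP."""
    return [f"{ts} [WARNING] {chan} Abandoned for IP {ip}" for ts, chan, ip in hits]

# Constructed sample: two sessions share a channel name; only the first is abandoned.
SAMPLE = [
    "2015-03-12 16:54:38.381552 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/149@192.0.2.10 [167bb9ee-c8d0-11e4-9f31-b39e581405c5]",
    "2015-03-12 16:54:38.381552 [DEBUG] sofia.c:8841 sofia/internal/149@192.0.2.10 receiving invite from 203.0.113.7:5076 version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit",
    "2015-03-12 16:54:39.000000 [NOTICE] switch_channel.c:1055 New Channel sofia/internal/149@192.0.2.10 [2a0c4f10-c8d0-11e4-9f31-b39e581405c5]",
    "2015-03-12 16:54:39.000000 [DEBUG] sofia.c:8841 sofia/internal/149@192.0.2.10 receiving invite from 198.51.100.9:5060 version: 1.5.15b git 82f267a 2015-02-16 22:59:55Z 64bit",
    "2015-03-12 16:54:48.461568 [WARNING] switch_core_state_machine.c:572 167bb9ee-c8d0-11e4-9f31-b39e581405c5 sofia/internal/149@192.0.2.10 Abandoned",
]

if __name__ == "__main__":
    print("\n".join(to_log_lines(abandoned_invites(SAMPLE))))
```

Keying on the UUID rather than the channel name is what keeps the second caller (198.51.100.9 in the sample) from being blamed for the first caller's abandoned session.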

