[Freeswitch-users] event based sipVicious blocker
Sergey Safarov
s.safarov at gmail.com
Fri Nov 13 10:12:55 MSK 2015
I think a solution where the DROP/REJECT action for INVITE messages is
implemented in mod_fail2ban would have high performance.
Iptables is a good solution, but cannot help for TLS connections.
Here is my iptables status where fail2ban is configured. At present 99%
of scans are made via UDP transport and 1% via TCP.
Sergey.
On Fri, Nov 13, 2015 at 9:38 AM, jay binks <jaybinks at gmail.com> wrote:
> Doing it like you want is fine for education, however it's not the best
> way, because it won't scale efficiently.
> mod_sofia takes significant resources to consume a SIP Invite and generate
> events.
>
> iptables will stop Freeswitch having to process these INVITES, thus saving
> CPU.
> BUT you may not really care, if this is just for a home PBX.
>
> Jay
>
> On 13 November 2015 at 14:18, Russell Treleaven <rtreleaven at bunnykick.ca>
> wrote:
>
>> figured out how to use events without a socket and thought I would share.
>>
>> my $con = new freeswitch::EventConsumer("CHANNEL_CREATE");
>> $con->bind(
>>     "CUSTOM",
>>     "sofia::pre_register"
>> );
>> while (my $e = $con->pop(1)) {
>>     freeswitch::consoleLog(
>>         "INFO",
>>         $e->serialize . "\n"
>>     );
>> }
>>
>> On Wed, Nov 11, 2015 at 11:33 AM, Ken Rice <krice at freeswitch.org> wrote:
>>
>>> Why not just block it with iptables?
>>>
>>> iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
>>> iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
>>> iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
>>> iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "VaxSIPUserAgent" --algo bm
>>> iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "friendly-scanner" --algo bm
>>> iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "sipcli" --algo bm
>>>
>>> these will get 99% of it because the script kiddies doing the scanning
>>> aren’t really that bright… there may be some additional strings you want to
>>> block, but these work great when combined with fail2ban's log parser
>>>
>>>
>>>
>>> *From:* freeswitch-users-bounces at lists.freeswitch.org [mailto:
>>> freeswitch-users-bounces at lists.freeswitch.org] *On Behalf Of *Russell
>>> Treleaven
>>> *Sent:* Wednesday, November 11, 2015 10:29 AM
>>> *To:* FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
>>> *Subject:* [Freeswitch-users] event based sipVicious blocker
>>>
>>>
>>>
>>> I am working on a freeswitch sipVicious blocker.
>>>
>>> I would like to run it from within freeswitch.
>>>
>>> Is there a way to get events while running within freeswitch without
>>> running a socket via ESL::ESLconnection?
>>>
>>> #!/usr/bin/perl
>>> use strict;
>>> use warnings;
>>> use ESL;
>>>
>>> my $c = new ESL::ESLconnection(
>>>     "localhost",
>>>     "8021",
>>>     "ClueCon"
>>> );
>>> $c->events(
>>>     "plain",
>>>     "CHANNEL_CREATE CUSTOM sofia::pre_register"
>>> );
>>> while ($c->connected()) {
>>>     my $event = $c->recvEvent();
>>>     #do some stuff
>>> }
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://confluence.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>
> --
> Sincerely
>
> Jay
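
The trade-off discussed in this thread, as an added example that is not code from any of the posters or from FreeSWITCH: matching the scanner strings at the application layer, on the parsed User-Agent header, works for every transport (TLS included) and ignores the same string appearing in a message body, which a packet-level `-m string` rule cannot distinguish. The event tuples, the `make_msg` helper, the threshold and the sample addresses are assumptions constructed for the example.

```python
import re
from collections import Counter

# Scanner User-Agent substrings from the iptables rules quoted in the thread.
SCANNER_UAS = ("VaxSIPUserAgent", "friendly-scanner", "sipcli")

def user_agent(sip_message):
    """Return the User-Agent header value of a SIP message ('' if absent)."""
    head = sip_message.replace("\r\n", "\n").split("\n\n", 1)[0]
    head = re.sub(r"\n[ \t]+", " ", head)      # unfold continuation lines
    for line in head.split("\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":  # names are case-insensitive
            return value.strip()
    return ""

def is_scanner(sip_message):
    """True only if a listed string occurs in the User-Agent header itself."""
    ua = user_agent(sip_message).lower()
    return any(s.lower() in ua for s in SCANNER_UAS)

def ban_candidates(events, threshold=3):
    """events: (source_ip, transport, sip_message) tuples, as the application sees
    them after any TLS decryption. Returns IPs with >= threshold scanner hits."""
    hits = Counter(ip for ip, _transport, msg in events if is_scanner(msg))
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def make_msg(method, ua_header, body=""):
    """Build a constructed SIP request for the sample data (hypothetical helper)."""
    return (f"{method} sip:100@pbx.example.test SIP/2.0\r\n"
            "Max-Forwards: 70\r\n"
            f"{ua_header}\r\nContent-Length: {len(body)}\r\n\r\n{body}")

# Constructed sample events; addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = (
    [("198.51.100.7", "udp", make_msg("REGISTER", "User-Agent: friendly-scanner"))] * 3
    + [("203.0.113.9", "tls", make_msg("INVITE", "user-agent: sipcli/v1.8"))] * 3
    # Legitimate phone whose body merely contains a listed string.
    + [("192.0.2.50", "udp", make_msg("MESSAGE", "User-Agent: ExamplePhone 1.0",
                                      "try the sipcli tool"))] * 3
    + [("203.0.113.20", "udp", make_msg("INVITE", "User-Agent: VaxSIPUserAgent/3.1"))]
)

if __name__ == "__main__":
    print(ban_candidates(SAMPLE_EVENTS))
```

The returned addresses are what a fail2ban-style action would then hand to the firewall, so later packets from those sources are rejected before the SIP stack has to parse them.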