[Freeswitch-users] event based sipVicious blocker
Russell Treleaven
rtreleaven at bunnykick.ca
Fri Nov 13 19:51:11 MSK 2015
That is already under the hood. :)
On Fri, Nov 13, 2015 at 11:23 AM, Michael Giagnocavo <mgg at giagnocavo.net>
wrote:
> Of perhaps some interest if you’re blocking a large amount of IP addresses
> (or whitelisting client IPs) is ipset.
>
> http://ipset.netfilter.org/
>
>
>
> Allows you to create a set then just have one rule in iptables. Plus has an
> atomic swap feature so you can build up new sets “offline” then flip them
> in.
>
>
>
> -Michael
>
>
>
> *From:* freeswitch-users-bounces at lists.freeswitch.org [mailto:
> freeswitch-users-bounces at lists.freeswitch.org] *On Behalf Of *Sergey
> Safarov
> *Sent:* Friday, November 13, 2015 2:13 AM
> *To:* FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> *Subject:* Re: [Freeswitch-users] event based sipVicious blocker
>
>
>
> I think a solution where the INVITE messages DROP/REJECT action is implemented
> in mod_fail2ban will have high performance.
>
>
>
> Iptables is a good solution, but cannot help for TLS connections.
>
>
>
> Here is my iptables status where fail2ban is configured. At the present time 99%
> of scans are made via UDP transport and 1% via TCP.
>
>
>
> Sergey.
>
>
>
> On Fri, Nov 13, 2015 at 9:38 AM, jay binks <jaybinks at gmail.com> wrote:
>
> Doing it like you want is fine for education, however it's not the best
> way, because it won't scale efficiently.
>
> mod_sofia takes significant resources to consume a SIP Invite and generate
> events.
>
>
>
> iptables will stop Freeswitch having to process these INVITES, thus saving
> CPU.
>
> BUT you may not really care, if this is just for a home PBX.
>
>
>
> Jay
>
>
>
> On 13 November 2015 at 14:18, Russell Treleaven <rtreleaven at bunnykick.ca>
> wrote:
>
> figured out how to use events without a socket and thought I would share.
>
>
>
> my $con = new freeswitch::EventConsumer("CHANNEL_CREATE");
> $con->bind(
>     "CUSTOM",
>     "sofia::pre_register"
> );
> while (my $e = $con->pop(1)) {
>     freeswitch::consoleLog(
>         "INFO",
>         $e->serialize . "\n"
>     );
> }
>
>
>
> On Wed, Nov 11, 2015 at 11:33 AM, Ken Rice <krice at freeswitch.org> wrote:
>
> Why not just block it with iptables?
>
>
>
>
>
> iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
> iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
> iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
> iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "VaxSIPUserAgent" --algo bm
> iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "friendly-scanner" --algo bm
> iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "sipcli" --algo bm
>
>
>
>
>
> these will get 99% of it because the script kiddies doing the scanning
> aren’t really that bright… there may be some additional strings you want to
> block, but these work great when combined with fail2ban's log parser
>
>
>
> *From:* freeswitch-users-bounces at lists.freeswitch.org [mailto:
> freeswitch-users-bounces at lists.freeswitch.org] *On Behalf Of *Russell
> Treleaven
> *Sent:* Wednesday, November 11, 2015 10:29 AM
> *To:* FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> *Subject:* [Freeswitch-users] event based sipVicious blocker
>
>
>
> I am working on a freeswitch sipVicious blocker.
>
> I would like to run it from within freeswitch.
>
> Is there a way to get events while running within freeswitch without
> running a socket via ESL::ESLconnection?
>
>
>
> #!/usr/bin/perl
> use strict;
> use warnings;
> use ESL;
>
> my $c = new ESL::ESLconnection(
>     "localhost",
>     "8021",
>     "ClueCon"
> );
> $c->events(
>     "plain",
>     "CHANNEL_CREATE CUSTOM sofia::pre_register"
> );
> while ($c->connected()) {
>     my $event = $c->recvEvent();
>     #do some stuff
> }
>
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
>
>
>
>
>
>
>
> --
>
> Sincerely
>
> Jay
>
>
>
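
The ipset approach Michael describes above (one set, one iptables rule, new sets built "offline" and swapped in atomically), as an added example that is not part of the original thread. The set names `sip_block` / `sip_block_new` and the sample addresses are assumptions made for illustration; the addresses are constructed from documentation ranges.

```shell
#!/bin/sh
# Added example. Set names are assumptions; addresses are constructed
# (RFC 5737 documentation ranges), not taken from the thread.
LIVE_SET=sip_block
STAGE_SET=sip_block_new

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255,
# so nothing but an address can reach the restore script.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Read addresses on stdin (one per line, '#' comments allowed) and print an
# `ipset restore` script: fill a staging set, then swap it with the live set.
build_restore() {
    printf 'create %s hash:ip family inet -exist\n' "$LIVE_SET" "$STAGE_SET"
    printf 'flush %s\n' "$STAGE_SET"
    while IFS= read -r line || [ -n "$line" ]; do
        addr=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$addr" ] || continue
        if is_ipv4 "$addr"; then
            printf 'add %s %s -exist\n' "$STAGE_SET" "$addr"
        else
            printf 'skipped invalid entry: %s\n' "$addr" >&2
        fi
    done
    printf 'swap %s %s\n' "$STAGE_SET" "$LIVE_SET"
    printf 'destroy %s\n' "$STAGE_SET"
}

# On a real host (root, ipset installed): restore stops at the first bad
# line, so a failed load never reaches the swap and the live set is untouched.
apply_blocklist() { build_restore < "$1" | ipset restore; }

# The single rule that references the set, per SIP port, would be e.g.:
#   iptables -I INPUT -p udp --dport 5060 -m set --match-set sip_block src -j DROP

# Demo on constructed input: print the generated restore script.
printf '%s\n' '192.0.2.10' '198.51.100.7  # scanner' 'not-an-ip' \
    '203.0.113.256' '203.0.113.5' | build_restore
```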