[Freeswitch-users] how to block requests with From Ip equal to server interface IP?

Miguel Jesús López Valverde mjlopez at smartic.es
Mon Dec 18 13:03:49 UTC 2017


Thank you very much, Peter!.

 

 

De: FreeSWITCH-users [mailto:freeswitch-users-bounces at lists.freeswitch.org] En nombre de Peter Steinbach
Enviado el: viernes, 15 de diciembre de 2017 18:46
Para: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
Asunto: Re: [Freeswitch-users] how to block requests with From Ip equal to server interface IP?

 

Hello Miguel,

see here
http://lists.freeswitch.org/pipermail/freeswitch-users/2011-April/071796.html
You will need to change the line 
search="friendly-scanner"
to
search="Z 3.14.38765 rv2.8.3"

This worked for me.
Best regards Peter


On 12/15/17 18:32, Miguel Jesús López Valverde wrote:

Good afternoon everyone

 

I get a new query regarding a type of attack that our freeswitch servers receive constantly in case someone knows how to block them.

 

These are INVITE or REGISTER requests in which the FROM: field arrives with the ip and port equal to the public interface of the server, so the different protection options that I have tried have not blocked these requests:

 

- IpTables can not filter by the information From the INVITE message.

- Fail2Ban is equally limited than IpTables.

- ACLs have not resolved to filter these requests.

 

Does anyone know any way to block these requests?

 

I send here a trace with an INVITE message where you can see a request of this type.

 

Thanks and best regards.

 

U 2017/12/14 18:32:55.156886 185.107.94.121:11120 -> 182.30.1.194:5060

INVITE sip:390239297988@ 182.30.1.194:5060;transport=UDP SIP/2.0.

Via: SIP/2.0/UDP 122.221.117.131:5060;branch=z9hG4bK-524287-1---xi3qy2kz737ni404.

Max-Forwards: 70.

Contact:  <mailto:sip:15714000000 at 122.221.117.131:5060;transport=UDP> <sip:15714000000 at 122.221.117.131:5060;transport=UDP>.

To: <sip:390239297988@ 182.30.1.194;transport=UDP <sip:390239297988@%20182.30.1.194;transport=UDP> >.

From:  <mailto:sip:15714000000 at 182.30.1.194;transport=UDP> <sip:15714000000@ 182.30.1.194;transport=UDP>;tag=hlzg2jcv.

Call-ID: KaQqH51mAcFv34qN8cGyv3...

CSeq: 1 INVITE.

Content-Type: application/sdp.

User-Agent: Z 3.14.38765 rv2.8.3.

Allow-Events: presence, kpml, talk.

Content-Length: 0.

.

 

 


 <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient> 

Libre de virus.  <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient> www.avast.com 






_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
consulting at freeswitch.org <mailto:consulting at freeswitch.org> 
http://www.freeswitchsolutions.com
 
Official FreeSWITCH Sites
http://www.freeswitch.org
http://confluence.freeswitch.org
http://www.cluecon.com
 
FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org <mailto:FreeSWITCH-users at lists.freeswitch.org> 
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org






-- 
With kind regards
Peter Steinbach 
 
Telefaks Services GmbH
mailto:lists (att) telefaks.de
Internet: www.telefaks.de <http://www.telefaks.de> 
 


---
El software de antivirus Avast ha analizado este correo electrónico en busca de virus.
https://www.avast.com/antivirus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20171218/4d9379b6/attachment.html>


More information about the FreeSWITCH-users mailing list