[Freeswitch-users] Scanners and botnet vulnerability

Marc Bernard marcb at voicemeup.com
Mon Jan 25 17:42:14 UTC 2021

Hello All,

Is anyone else noticing that there is more and more scanners attempting
brute force with no reply to auth request resulting in logging a lot of
abandoned calls ?


- A scanner send an INVITE|REGISTER with no credentials
- Freeswitch responds with authentication request and a challenge is send to
2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge
(REGISTER) on sofia profile 'public' for [1730 at] from ip"
- Scanner does not respond
- After a while, Freeswitch logs the following:
2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078 [WARNING]
switch_core_state_machine.c:687 2ae23e93-c929-4089-a594-8e7af633ca88
sofia/public/1730 at Abandoned


In our case, we made fail2ban more sensitive to auth failures logs which
does not get triggered because of the scanner not even trying to send

Wouldn't it make more sense for this log to include the IP of sip client
that abandoned the call ( instead of only the IP of the sip profile
( ?

This would allow us to have Fail2ban block this scenario more aggressively.

Thoughts ?

More information about the FreeSWITCH-users mailing list