[Freeswitch-users] Scanners and botnet vulnerability

Marc Bernard marcb at voicemeup.com
Mon Jan 25 17:42:14 UTC 2021


Hello All,

Is anyone else noticing that there are more and more scanners attempting
brute force with no reply to the auth request, resulting in logging a lot of
abandoned calls?

Scenario:

- A scanner sends an INVITE|REGISTER with no credentials
- Freeswitch responds with an authentication request and a challenge is sent
  to the logs:
  "2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [1730@1.2.3.4] from ip 5.6.7.8"
- Scanner does not respond
- After a while, Freeswitch logs the following:
  2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078 [WARNING] switch_core_state_machine.c:687 2ae23e93-c929-4089-a594-8e7af633ca88 sofia/public/1730@1.2.3.4 Abandoned

--

In our case, we made fail2ban more sensitive to auth failure logs, which
does not get triggered because of the scanner not even trying to send
credentials.

Wouldn't it make more sense for this log to include the IP of the SIP client
that abandoned the call (5.6.7.8) instead of only the IP of the SIP profile
(1.2.3.4)?

This would allow us to have Fail2ban block this scenario more aggressively.

Thoughts ?
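
Added example, not part of the original post and not FreeSWITCH or fail2ban code: since the "Abandoned" line carries only user@profile-IP, one way to recover the client IP is to correlate it with the earlier "SIP auth challenge" line for the same profile and user. The function names, the 120-second window, the threshold and the sample lines (including the shortened channel ids) are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the two log formats quoted in the post (not real traffic).
SAMPLE_LOG = """\
2021-01-25 12:00:00.000000 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'public' for [1002@1.2.3.4] from ip 10.0.0.7
2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [1730@1.2.3.4] from ip 5.6.7.8
2021-01-25 12:27:40.000000 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [1001@1.2.3.4] from ip 9.9.9.9
2021-01-25 12:27:45.000000 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'public' for [1731@1.2.3.4] from ip 5.6.7.8
aaaa0001 2021-01-25 12:28:37.506078 [WARNING] switch_core_state_machine.c:687 aaaa0001 sofia/public/1730@1.2.3.4 Abandoned
aaaa0002 2021-01-25 12:28:43.500000 [WARNING] switch_core_state_machine.c:687 aaaa0002 sofia/public/1731@1.2.3.4 Abandoned
aaaa0003 2021-01-25 12:30:00.000000 [WARNING] switch_core_state_machine.c:687 aaaa0003 sofia/public/1002@1.2.3.4 Abandoned
"""

TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}")
CHALLENGE = re.compile(r"SIP auth challenge \(\w+\) on sofia profile "
                       r"'(?P<profile>[^']+)' for \[(?P<aor>[^\]]+)\] from ip (?P<ip>\S+)")
ABANDONED = re.compile(r"sofia/(?P<profile>[^/\s]+)/(?P<aor>\S+) Abandoned")

def abandoned_by_source(log_text, window=timedelta(seconds=120)):
    """Count abandoned challenges per client IP by pairing each Abandoned line
    with the oldest unexpired challenge for the same (profile, user@host)."""
    pending = defaultdict(deque)   # (profile, aor) -> FIFO of (timestamp, client ip)
    hits = Counter()
    for line in log_text.splitlines():
        ts_match = TS.search(line)
        if not ts_match:
            continue
        ts = datetime.strptime(ts_match.group(), "%Y-%m-%d %H:%M:%S.%f")
        if m := CHALLENGE.search(line):
            pending[(m["profile"], m["aor"])].append((ts, m["ip"]))
        elif m := ABANDONED.search(line):
            queue = pending[(m["profile"], m["aor"])]
            # Drop challenges too old to explain this abandonment, e.g. a
            # client that went on to authenticate normally.
            while queue and ts - queue[0][0] > window:
                queue.popleft()
            if queue:
                hits[queue.popleft()[1]] += 1
    return hits

def ban_candidates(log_text, threshold=2):
    """Client IPs with at least `threshold` challenged-then-abandoned attempts."""
    return sorted(ip for ip, n in abandoned_by_source(log_text).items() if n >= threshold)

if __name__ == "__main__":
    print(ban_candidates(SAMPLE_LOG))
```

The pairing is heuristic: two sources probing the same user@host within the window are attributed in arrival order, so the threshold should be more than one event per IP.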





