[Freeswitch-users] Scanners and botnet vulnerability
marcb at voicemeup.com
Mon Jan 25 17:42:14 UTC 2021
Is anyone else noticing that there are more and more scanners attempting
brute force with no reply to the auth request, resulting in logging a lot of
abandoned calls?
- A scanner sends an INVITE|REGISTER with no credentials
- Freeswitch responds with an authentication request and a challenge is sent to
2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge
(REGISTER) on sofia profile 'public' for [1730 at 22.214.171.124] from ip 126.96.36.199"
- Scanner does not respond
- After a while, Freeswitch logs the following:
2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078 [WARNING]
sofia/public/1730 at 188.8.131.52 Abandoned
In our case, we made fail2ban more sensitive to auth failure logs, which
does not get triggered because of the scanner not even trying to send
Wouldn't it make more sense for this log to include the IP of the SIP client
that abandoned the call (184.108.40.206) instead of only the IP of the SIP profile
This would allow us to have Fail2ban block this scenario more aggressively.
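
One way to recover the client IP from the logs as they are today, added here as an example that is not part of the original post or of FreeSWITCH: join each "Abandoned" line to the most recent "SIP auth challenge" line for the same profile and user, and count abandoned channels per source IP. The 120-second window, the function names, and the sample lines (documentation addresses) are assumptions, as is the premise that the user part of the channel name matches the user in the challenge line.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)"
SEP = r"(?:@| at )"  # the list archive rewrites "@" as " at "; accept both
CHALLENGE = re.compile(
    TS + r" \[WARNING\] sofia_reg\.c:\d+ SIP auth challenge \(\w+\) on sofia "
    r"profile '(?P<profile>[^']+)' for \[(?P<user>[^\]@ ]+)" + SEP +
    r"[^\]]*\] from ip (?P<ip>[0-9A-Fa-f:.]+)")
ABANDONED = re.compile(
    TS + r" \[WARNING\] (?:\S+:\d+ )?sofia/(?P<profile>[^/]+)/(?P<user>[^@ ]+)"
    + SEP + r"\S+ Abandoned")

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")

def abandoned_by_source(lines, window=timedelta(seconds=120)):
    """Count Abandoned channels per client IP via the preceding challenge."""
    last_challenge = {}  # (profile, user) -> (timestamp, client ip)
    counts = Counter()
    for line in lines:
        m = CHALLENGE.search(line)
        if m:
            last_challenge[(m["profile"], m["user"])] = (parse_ts(m["ts"]), m["ip"])
            continue
        m = ABANDONED.search(line)
        if not m:
            continue
        seen = last_challenge.get((m["profile"], m["user"]))
        # Attribute only when the same user was challenged recently enough.
        if seen and timedelta(0) <= parse_ts(m["ts"]) - seen[0] <= window:
            counts[seen[1]] += 1
        else:
            counts["unattributed"] += 1
    return counts

# Constructed sample lines, shaped like the log excerpts in the post above.
SAMPLE = [
    "2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [1730@198.51.100.10] from ip 203.0.113.7",
    "2021-01-25 12:27:40.100000 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'public' for [1001@198.51.100.10] from ip 203.0.113.7",
    "2021-01-25 12:27:41.200000 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [2000@198.51.100.10] from ip 192.0.2.44",
    "2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078 [WARNING] sofia/public/1730@198.51.100.10 Abandoned",
    "11111111-2222-3333-4444-555555555555 2021-01-25 12:28:38.000000 [WARNING] sofia/public/1001@198.51.100.10 Abandoned",
    "66666666-7777-8888-9999-000000000000 2021-01-25 12:28:39.000000 [WARNING] sofia/public/9999@198.51.100.10 Abandoned",
]

if __name__ == "__main__":
    print(abandoned_by_source(SAMPLE))
```

A user name challenged from several sources inside the window is attributed to the most recent challenger, so the counts are a signal to feed into review or a custom ban list rather than a definitive attribution.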