[Freeswitch-users] Scanners and botnet vulnerability
Raúl Alexis Betancor Santana
rbetancor at gmail.com
Mon Jan 25 22:24:01 UTC 2021
You could tell the name: SAS in France and OVH, they are both nests of bots.
On Mon, Jan 25, 2021 at 9:31 PM Ken Rice <krice at freeswitch.org> wrote:
> This is super common. This is more likely a recon attack than an actual
> brute force attempt. Either that, or they are looking for something with auth
> turned off. We see tons of these things regularly. Fail2ban helps some,
> but using a SIP RBL and dropping traffic via prefixes associated with
> regions and bad actor hosts seems to be the best course of action these
> I won't name the company, but a major European hosting company, I drop their
> entire AS as it's not worth the hassle.
> Sent from my iPhone
> > On Jan 25, 2021, at 14:49, Marc Bernard <marcb at voicemeup.com> wrote:
> > Hello All,
> > Is anyone else noticing that there are more and more scanners attempting
> > brute force with no reply to the auth request, resulting in logging a lot of
> > abandoned calls?
> > Scenario:
> > - A scanner sends an INVITE|REGISTER with no credentials
> > - FreeSWITCH responds with an authentication request and a challenge is
> > sent to the logs:
> > "2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [1730 at 188.8.131.52] from ip 184.108.40.206"
> > - Scanner does not respond
> > - After a while, FreeSWITCH logs the following:
> > 2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078 [WARNING] switch_core_state_machine.c:687 2ae23e93-c929-4089-a594-8e7af633ca88 sofia/public/1730 at 220.127.116.11 Abandoned
> > --
> > In our case, we made fail2ban more sensitive to auth failure logs, which
> > does not get triggered because of the scanner not even trying to send
> > credentials.
> > Wouldn't it make more sense for this log to include the IP of the SIP client
> > that abandoned the call (18.104.22.168) instead of only the IP of the sip
> > (22.214.171.124)?
> > This would allow us to have Fail2ban block this scenario more
> > Thoughts?
> > _________________________________________________________________________
> > The FreeSWITCH project is sponsored by SignalWire https://signalwire.com
> > Enhance your FreeSWITCH install with disruptive priced SMS and PSTN
> > Build your next product on our scalable cloud platform.
> > Join our online community to chat in real time
> > Professional FreeSWITCH Services
> > sales at freeswitch.com
> > https://freeswitch.com
> > Official FreeSWITCH Sites
> > https://freeswitch.com/oss
> > https://freeswitch.org/confluence
> > https://cluecon.com
> > FreeSWITCH-users mailing list
> > FreeSWITCH-users at lists.freeswitch.org
> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
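The gap Marc describes is that the "Abandoned" line carries only the channel name, not the client address, so a single-line fail2ban regex cannot act on it. The following is an added example, not code from the thread or from the FreeSWITCH project: it correlates each "Abandoned" event back to the earlier "SIP auth challenge ... from ip" line for the same profile and user@host, and counts abandoned challenges per client IP so a threshold can be applied. It assumes the two WARNING formats quoted above (with the list archive's " at " restored to "@"), that the user@host in the challenge matches the one in the channel name, and a 120-second window; the log lines are constructed samples using documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Patterns modelled on the two WARNING lines quoted in the thread (assumed format).
CHALLENGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \[WARNING\] sofia_reg\.c:\d+ "
    r"SIP auth challenge \((?P<method>\w+)\) on sofia profile '(?P<profile>[^']+)' "
    r"for \[(?P<aor>[^\]]+)\] from ip (?P<ip>[0-9a-fA-F.:]+)$"
)
ABANDONED_RE = re.compile(
    r"^(?:[0-9a-f-]{36} )?(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \[WARNING\] "
    r"switch_core_state_machine\.c:\d+ (?:[0-9a-f-]{36} )?"
    r"sofia/(?P<profile>[^/]+)/(?P<aor>\S+) Abandoned$"
)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def correlate(lines, window=timedelta(seconds=120)):
    """Return {client_ip: number of auth challenges that ended in 'Abandoned'}."""
    pending = defaultdict(deque)   # (profile, user@host) -> deque of (ts, client ip)
    abandoned_by_ip = defaultdict(int)
    for line in lines:
        m = CHALLENGE_RE.match(line)
        if m:
            pending[(m["profile"], m["aor"])].append((parse_ts(m["ts"]), m["ip"]))
            continue
        m = ABANDONED_RE.match(line)
        if not m:
            continue
        ts, q = parse_ts(m["ts"]), pending.get((m["profile"], m["aor"]))
        while q and ts - q[0][0] > window:   # expire challenges too old to match
            q.popleft()
        if q:                                 # oldest in-window challenge is the one that timed out
            abandoned_by_ip[q.popleft()[1]] += 1
    return dict(abandoned_by_ip)

def ban_candidates(counts, threshold=2):
    """IPs with at least `threshold` abandoned challenges, e.g. to feed a fail2ban action."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

# Constructed sample: one scanner (203.0.113.7) abandons two challenges, one
# legitimate client (192.0.2.44) is challenged but never produces an 'Abandoned' line.
SAMPLE_LOG = """\
2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [1730@198.51.100.10] from ip 203.0.113.7
2021-01-25 12:27:41.001000 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'public' for [1001@198.51.100.10] from ip 203.0.113.7
2021-01-25 12:27:45.000000 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [2000@198.51.100.10] from ip 192.0.2.44
2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078 [WARNING] switch_core_state_machine.c:687 2ae23e93-c929-4089-a594-8e7af633ca88 sofia/public/1730@198.51.100.10 Abandoned
5b0f1c2d-0000-4000-8000-000000000001 2021-01-25 12:28:39.000000 [WARNING] switch_core_state_machine.c:687 5b0f1c2d-0000-4000-8000-000000000001 sofia/public/1001@198.51.100.10 Abandoned
"""

if __name__ == "__main__":
    counts = correlate(SAMPLE_LOG.splitlines())
    print(counts, ban_candidates(counts))
```

Run it over a tail of freeswitch.log and pass the returned addresses to whatever blocking mechanism is already in place; the window should match the profile's actual challenge timeout.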