[Freeswitch-users] Scanners and botnet vulnerability

Gregor Nanger gregor at infomedia.si
Tue Jan 26 04:05:05 UTC 2021


😁

On Tue, Jan 26, 2021, 04:05 Ken Rice <krice at freeswitch.org> wrote:

> exactly those 2 lol
>
> Sent from my iPhone
>
> On Jan 25, 2021, at 16:24, Raúl Alexis Betancor Santana <
> rbetancor at gmail.com> wrote:
>
> 
> You could tell the name, SAS on France and OVH, they are both nests of bots.
>
> On Mon, Jan 25, 2021 at 9:31 PM Ken Rice <krice at freeswitch.org> wrote:
>
>> this is super common. this is more likely a recon attack than an actual
>> brute force attempt. Either that or they are looking for something with auth
>> turned off. we see tons of these things regularly. Fail2ban helps some
>> but using a SIP RBL and dropping traffic via prefixes associated with
>> regions and bad actor hosts seems to be the best course of action these
>> days.
>>
>> I won't name the company, but a major European hosting company I drop their
>> entire AS as it's not worth the hassle.
>>
>> Sent from my iPhone
>>
>> > On Jan 25, 2021, at 14:49, Marc Bernard <marcb at voicemeup.com> wrote:
>> >
>> > Hello All,
>> >
>> > Is anyone else noticing that there are more and more scanners attempting
>> > brute force with no reply to auth request, resulting in logging a lot of
>> > abandoned calls?
>> >
>> > Scenario:
>> >
>> > - A scanner sends an INVITE|REGISTER with no credentials
>> > - Freeswitch responds with authentication request and a challenge is
>> > sent to logs;
>> > "
>> > 2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge
>> > (REGISTER) on sofia profile 'public' for [1730 at 1.2.3.4] from ip
>> > 5.6.7.8"
>> > - Scanner does not respond
>> > - After a while, Freeswitch logs the following:
>> > 2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078
>> > [WARNING]
>> > switch_core_state_machine.c:687 2ae23e93-c929-4089-a594-8e7af633ca88
>> > sofia/public/1730 at 1.2.3.4 Abandoned
>> >
>> > --
>> >
>> > In our case, we made fail2ban more sensitive to auth failures logs which
>> > does not get triggered because of the scanner not even trying to send
>> > credentials.
>> >
>> > Wouldn't it make more sense for this log to include the IP of sip client
>> > that abandoned the call (5.6.7.8) instead of only the IP of the sip
>> > profile (1.2.3.4) ?
>> >
>> > This would allow us to have Fail2ban block this scenario more
>> > aggressively.
>> >
>> > Thoughts ?
>> >
>> >
>> >
>> >
>> >
>> _________________________________________________________________________
>> >
>> > The FreeSWITCH project is sponsored by SignalWire
>> https://signalwire.com
>> > Enhance your FreeSWITCH install with disruptive priced SMS and PSTN
>> services.
>> > Build your next product on our scalable cloud platform.
>> >
>> > Join our online community to chat in real time
>> https://signalwire.community
>> >
>> > Professional FreeSWITCH Services
>> > sales at freeswitch.com
>> > https://freeswitch.com
>> >
>> > Official FreeSWITCH Sites
>> > https://freeswitch.com/oss
>> > https://freeswitch.org/confluence
>> > https://cluecon.com
>> >
>> > FreeSWITCH-users mailing list
>> > FreeSWITCH-users at lists.freeswitch.org
>> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> > UNSUBSCRIBE:
>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>> > https://freeswitch.com
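The scenario in the original post can be correlated outside FreeSWITCH: the auth challenge line carries the source IP, the Abandoned line carries only the profile and user@host, and the two can be joined on that pair within a time window. The following is an added example, not code from the thread or from the FreeSWITCH project; the 120-second window, the function names and the sample lines (modelled on the two quoted log lines, with "@" restored) are assumptions.

```python
import re
from datetime import datetime, timedelta

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)"
AOR = r"(?P<user>[^@\s\]]+)(?:@| at )(?P<host>[^\s\]]+)"  # list archive shows "@" as " at "
CHALLENGE = re.compile(TS + r" \[WARNING\] sofia_reg\.c:\d+ SIP auth challenge \(\w+\)"
                       r" on sofia profile '(?P<profile>[^']+)' for \[" + AOR +
                       r"\] from ip (?P<ip>\S+)")
ABANDONED = re.compile(TS + r" \[WARNING\] switch_core_state_machine\.c:\d+ \S+"
                       r" sofia/(?P<profile>[^/\s]+)/" + AOR + r" Abandoned")

# Constructed sample input: the second challenge is never followed by an
# Abandoned line, so its source must not be reported.
SAMPLE_LOG = """\
2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [1730@1.2.3.4] from ip 5.6.7.8
2021-01-25 12:27:41.100000 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'public' for [1000@1.2.3.4] from ip 192.0.2.10
2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078 [WARNING] switch_core_state_machine.c:687 2ae23e93-c929-4089-a594-8e7af633ca88 sofia/public/1730@1.2.3.4 Abandoned
"""

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")

def attribute_abandoned(lines, window=timedelta(seconds=120)):
    """For each Abandoned line, list the source IPs that were challenged for
    the same profile and user@host within `window` before it."""
    challenges = {}  # (profile, user, host) -> [(time, ip), ...]
    hits = []
    for line in lines:
        m = CHALLENGE.search(line)
        if m:
            key = (m["profile"], m["user"], m["host"])
            challenges.setdefault(key, []).append((parse_ts(m["ts"]), m["ip"]))
            continue
        m = ABANDONED.search(line)
        if not m:
            continue
        when = parse_ts(m["ts"])
        seen = challenges.get((m["profile"], m["user"], m["host"]), [])
        # More than one IP in the result means the attribution is ambiguous.
        ips = sorted({ip for t, ip in seen if timedelta(0) <= when - t <= window})
        if ips:
            hits.append((m["ts"], f'{m["user"]}@{m["host"]}', ips))
    return hits

for hit in attribute_abandoned(SAMPLE_LOG.splitlines()):
    print(hit)
```

Each result can be written to a separate log file as one line per source IP, which gives a log-based blocker such as fail2ban an address to match on.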