[Freeswitch-users] Scanners and botnet vulnerability

Raúl Alexis Betancor Santana rbetancor at gmail.com
Tue Jan 26 07:48:17 UTC 2021


You could not block an AS from iptables; you should get the IP ranges that
belong to that AS and block them.

There are scripts/extensions for Shorewall (a Linux firewalling suite) that
allow you to do geoip/AS-based rules.

On Tue, Jan 26, 2021 at 4:47 AM Lloyd Aloysius <lloyd.aloysius at gmail.com>
wrote:

> Ken, thank you for the information. Can you please let me know how to
> block AS numbers from IPTables?
>
>
> On Mon, Jan 25, 2021 at 10:06 PM Ken Rice <krice at freeswitch.org> wrote:
>
>> exactly those 2 lol
>>
>> Sent from my iPhone
>>
>> On Jan 25, 2021, at 16:24, Raúl Alexis Betancor Santana <
>> rbetancor at gmail.com> wrote:
>>
>> 
>> You could tell the name, SAS in France and OVH; they are both nests of
>> bots.
>>
>> On Mon, Jan 25, 2021 at 9:31 PM Ken Rice <krice at freeswitch.org> wrote:
>>
>>> This is super common. This is more likely a recon attack than an actual
>>> brute force attempt. Either that or they are looking for something with auth
>>> turned off. We see tons of these things regularly. Fail2ban helps some,
>>> but using a SIP RBL and dropping traffic via prefixes associated with
>>> regions and bad actor hosts seems to be the best course of action these
>>> days.
>>>
>>> I won't name the company, but a major European hosting company, I drop
>>> their entire AS as it's not worth the hassle.
>>>
>>> Sent from my iPhone
>>>
>>> > On Jan 25, 2021, at 14:49, Marc Bernard <marcb at voicemeup.com> wrote:
>>> >
>>> > Hello All,
>>> >
>>> > Is anyone else noticing that there are more and more scanners attempting
>>> > brute force with no reply to auth request, resulting in logging a lot of
>>> > abandoned calls?
>>> >
>>> > Scenario:
>>> >
>>> > - A scanner sends an INVITE|REGISTER with no credentials
>>> > - Freeswitch responds with authentication request and a challenge is sent to
>>> > logs;
>>> > "2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [1730 at 1.2.3.4] from ip 5.6.7.8"
>>> > - Scanner does not respond
>>> > - After a while, Freeswitch logs the following:
>>> > 2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078 [WARNING] switch_core_state_machine.c:687 2ae23e93-c929-4089-a594-8e7af633ca88 sofia/public/1730 at 1.2.3.4 Abandoned
>>> > --
>>> >
>>> > In our case, we made fail2ban more sensitive to auth failure logs, which
>>> > does not get triggered because of the scanner not even trying to send
>>> > credentials.
>>> >
>>> > Wouldn't it make more sense for this log to include the IP of the sip client
>>> > that abandoned the call (5.6.7.8) instead of only the IP of the sip profile
>>> > (1.2.3.4)?
>>> >
>>> > This would allow us to have Fail2ban block this scenario more aggressively.
>>> >
>>> > Thoughts?
>>> >
>>> >
>>> >
>>> >
>>> >
>>> _________________________________________________________________________
>>> >
>>> > The FreeSWITCH project is sponsored by SignalWire
>>> https://signalwire.com
>>> > Enhance your FreeSWITCH install with disruptive priced SMS and PSTN
>>> services.
>>> > Build your next product on our scalable cloud platform.
>>> >
>>> > Join our online community to chat in real time
>>> https://signalwire.community
>>> >
>>> > Professional FreeSWITCH Services
>>> > sales at freeswitch.com
>>> > https://freeswitch.com
>>> >
>>> > Official FreeSWITCH Sites
>>> > https://freeswitch.com/oss
>>> > https://freeswitch.org/confluence
>>> > https://cluecon.com
>>> >
>>> > FreeSWITCH-users mailing list
>>> > FreeSWITCH-users at lists.freeswitch.org
>>> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> > UNSUBSCRIBE:
>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> > https://freeswitch.com
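
Added example, not part of the original thread: one way to do what the reply above describes, turning the prefix list of an AS into an ipset that a single iptables rule can match. The set name `blocked_as`, the placeholder AS64496 and the sample prefixes are assumptions; the sketch is IPv4 only and does not cover how the prefix list is obtained.

```shell
#!/bin/sh
# Added example: build `ipset restore` input from the prefixes of one AS.
# Names (blocked_as, AS64496) and the sample prefixes are assumptions.

# as_to_ipset SETNAME < prefixes   (one IPv4 CIDR per line, '#' comments ok)
as_to_ipset() {
    set_name=$1
    adds=$(awk -v set="$set_name" '{
        sub(/#.*/, ""); gsub(/[ \t\r]/, "")
        if (split($0, p, "/") != 2 || p[2] !~ /^[0-9]+$/) next
        # Refuse anything shorter than /8 so a bad feed cannot block the world.
        if (p[2] + 0 < 8 || p[2] + 0 > 32) next
        if (split(p[1], o, ".") != 4) next
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
        if (!seen[$0]++) print "add " set "_new " $0
    }')
    # An empty list usually means the lookup failed; do not wipe the live set.
    if [ -z "$adds" ]; then
        echo "no valid prefixes, leaving $set_name untouched" >&2
        return 1
    fi
    # Fill a scratch set, then swap it in so the live set is never half-loaded.
    printf 'create %s hash:net family inet\n' "$set_name"
    printf 'create %s_new hash:net family inet\n' "$set_name"
    printf 'flush %s_new\n' "$set_name"
    printf '%s\n' "$adds"
    printf 'swap %s_new %s\n' "$set_name" "$set_name"
    printf 'destroy %s_new\n' "$set_name"
}

# Constructed sample for placeholder AS64496 (documentation ranges).
sample_prefixes() {
    cat <<'EOF'
192.0.2.0/24
198.51.100.0/24
198.51.100.0/24    # duplicate, collapsed
203.0.113.0/24
0.0.0.0/0          # rejected: too broad
203.0.113.999/24   # rejected: malformed
EOF
}

sample_prefixes | as_to_ipset blocked_as
# Apply as root (not run here):
#   sample_prefixes | as_to_ipset blocked_as | ipset -exist restore
#   iptables -I INPUT -m set --match-set blocked_as src -j DROP
```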
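
Added example, not part of the original thread: because the Abandoned line quoted above carries no source address, this counts the auth-challenge lines, which do, per source IP and minute. Legitimate clients are challenged as well, so it applies a threshold and an allowlist; the threshold, the allowlisted peers and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example: per-source rate of SIP auth challenges from a FreeSWITCH log.
# Sample log lines and addresses are constructed (documentation ranges).

# challenge_bursts THRESHOLD [ALLOWED_IP...] < log
# Prints "IP COUNT MINUTE" for every source whose busiest minute >= THRESHOLD.
challenge_bursts() {
    threshold=$1; shift
    awk -v threshold="$threshold" -v allow=" $* " '
    / SIP auth challenge \(/ && $(NF-2) == "from" && $(NF-1) == "ip" {
        ip = $NF
        if (index(allow, " " ip " ")) next        # known peer or trunk
        # The date is not always field 1: session lines start with a UUID.
        d = 0
        for (i = 1; i < NF; i++)
            if ($i ~ /^[0-9]+-[0-9]+-[0-9]+$/) { d = i; break }
        if (!d) next
        minute = $d " " substr($(d + 1), 1, 5)    # YYYY-MM-DD HH:MM
        n = ++hits[ip, minute]
        if (n > best[ip]) { best[ip] = n; when[ip] = minute }
    }
    END {
        for (ip in best)
            if (best[ip] >= threshold) print ip, best[ip], when[ip]
    }' | sort
}

# Constructed log: 203.0.113.50 never answers, 198.51.100.7 is a normal phone.
sample_log() {
    cat <<'EOF'
2021-01-25 12:27:01.100000 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [1730@192.0.2.10] from ip 203.0.113.50
2021-01-25 12:27:09.200000 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [1731@192.0.2.10] from ip 203.0.113.50
2021-01-25 12:27:20.300000 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [1732@192.0.2.10] from ip 203.0.113.50
2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [1733@192.0.2.10] from ip 203.0.113.50
2021-01-25 12:27:45.000000 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [1001@192.0.2.10] from ip 198.51.100.7
2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078 [WARNING] switch_core_state_machine.c:687 2ae23e93-c929-4089-a594-8e7af633ca88 sofia/public/1730@192.0.2.10 Abandoned
2021-01-25 12:57:45.000000 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [1001@192.0.2.10] from ip 198.51.100.7
EOF
}

sample_log | challenge_bursts 3
```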