[Freeswitch-users] Scanners and botnet vulnerability

Raúl Alexis Betancor Santana rbetancor at gmail.com
Tue Jan 26 07:51:07 UTC 2021


And the worst thing is that they fully ignore all the abuse claims. We
also ended up blacklisting their full ASes, and when some of their customers
or ours claim they are not able to access some service/company that is under
their umbrella or ours, we just raise the flag of "they are just a nest of
bots and crackers, we do not talk to them".

On Tue, Jan 26, 2021 at 3:15 AM Ken Rice <krice at freeswitch.org> wrote:

> exactly those 2 lol
>
> Sent from my iPhone
>
> On Jan 25, 2021, at 16:24, Raúl Alexis Betancor Santana <
> rbetancor at gmail.com> wrote:
>
> 
> You could tell the name, SAS in France and OVH, they are both nests of bots.
>
> On Mon, Jan 25, 2021 at 9:31 PM Ken Rice <krice at freeswitch.org> wrote:
>
>> This is super common. This is more likely a recon attack than an actual
>> brute force attempt. Either that or they are looking for something with auth
>> turned off. We see tons of these things regularly. Fail2ban helps some,
>> but using a SIP RBL and dropping traffic via prefixes associated with
>> regions and bad actor hosts seems to be the best course of action these
>> days.
>>
>> I won't name the company, but a major European hosting company, I drop their
>> entire AS as it's not worth the hassle.
>>
>> Sent from my iPhone
>>
>> > On Jan 25, 2021, at 14:49, Marc Bernard <marcb at voicemeup.com> wrote:
>> >
>> > Hello All,
>> >
>> > Is anyone else noticing that there are more and more scanners attempting
>> > brute force with no reply to the auth request, resulting in logging a lot of
>> > abandoned calls?
>> >
>> > Scenario:
>> >
>> > - A scanner sends an INVITE|REGISTER with no credentials
>> > - Freeswitch responds with authentication request and a challenge is sent to logs;
>> > "
>> > 2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [1730 at 1.2.3.4] from ip 5.6.7.8"
>> > - Scanner does not respond
>> > - After a while, Freeswitch logs the following:
>> > 2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078 [WARNING] switch_core_state_machine.c:687 2ae23e93-c929-4089-a594-8e7af633ca88 sofia/public/1730 at 1.2.3.4 Abandoned
>> >
>> > --
>> >
>> > In our case, we made fail2ban more sensitive to auth failure logs, which
>> > does not get triggered because of the scanner not even trying to send
>> > credentials.
>> >
>> > Wouldn't it make more sense for this log to include the IP of the SIP client
>> > that abandoned the call (5.6.7.8) instead of only the IP of the SIP profile
>> > (1.2.3.4)?
>> >
>> > This would allow us to have Fail2ban block this scenario more aggressively.
>> >
>> > Thoughts ?
>> >
>> >
>> >
>> >
>> >
>> _________________________________________________________________________
>> >
>> > The FreeSWITCH project is sponsored by SignalWire
>> https://signalwire.com
>> > Enhance your FreeSWITCH install with disruptive priced SMS and PSTN
>> services.
>> > Build your next product on our scalable cloud platform.
>> >
>> > Join our online community to chat in real time
>> https://signalwire.community
>> >
>> > Professional FreeSWITCH Services
>> > sales at freeswitch.com
>> > https://freeswitch.com
>> >
>> > Official FreeSWITCH Sites
>> > https://freeswitch.com/oss
>> > https://freeswitch.org/confluence
>> > https://cluecon.com
>> >
>> > FreeSWITCH-users mailing list
>> > FreeSWITCH-users at lists.freeswitch.org
>> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> > UNSUBSCRIBE:
>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>> > https://freeswitch.com
More information about the FreeSWITCH-users mailing list
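
Added example, not part of the original thread and not FreeSWITCH or fail2ban code: the "Abandoned" line carries no client address, but the earlier auth challenge line for the same profile and user does ("from ip"), so the two can be joined to count abandoned challenges per source. The sample log, the 120-second window and the threshold are assumptions; the patterns accept "@" as well as the " at " form the list archive shows.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

AT = r"(?:@| at )"  # "@" in real logs, " at " as rewritten by the list archive
TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)"
CHALLENGE = re.compile(
    TS + r" \[WARNING\] sofia_reg\.c:\d+ SIP auth challenge \(\w+\) on sofia "
    r"profile '([^']+)' for \[([^\]@ ]+)" + AT + r"([^\]]+)\] from ip (\S+)")
ABANDONED = re.compile(
    TS + r" \[WARNING\] switch_core_state_machine\.c:\d+ \S+ "
    r"sofia/([^/]+)/([^@ ]+)" + AT + r"(\S+) Abandoned")

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")

def abandoned_sources(lines, window=timedelta(seconds=120), threshold=2):
    """Return {source_ip: count} for IPs with >= threshold abandoned challenges."""
    last_challenge = {}  # (profile, user, host) -> (challenge time, source IP)
    hits = Counter()
    for line in lines:
        m = CHALLENGE.search(line)
        if m:
            ts, profile, user, host, ip = m.groups()
            last_challenge[(profile, user, host)] = (parse_ts(ts), ip)
            continue
        m = ABANDONED.search(line)
        if m:
            ts, profile, user, host = m.groups()
            seen = last_challenge.get((profile, user, host))
            # Attribute the abandon to the most recent challenge for the same
            # user; ambiguous if two sources probe one user inside the window.
            if seen and timedelta(0) <= parse_ts(ts) - seen[0] <= window:
                hits[seen[1]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample log using documentation addresses, not data from the thread.
C = ("2021-01-25 12:27:%s.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge "
     "(REGISTER) on sofia profile 'public' for [%s@192.0.2.10] from ip %s")
A = ("uuid-%s 2021-01-25 12:28:%s.506078 [WARNING] "
     "switch_core_state_machine.c:687 uuid-%s sofia/public/%s@192.0.2.10 Abandoned")
SAMPLE = [C % ("39", "1730", "198.51.100.7"), C % ("40", "1731", "198.51.100.7"),
          C % ("41", "2000", "203.0.113.9"), A % ("a", "37", "a", "1730"),
          A % ("b", "38", "b", "1731"), A % ("c", "39", "c", "2000")]

if __name__ == "__main__":
    print(abandoned_sources(SAMPLE))
```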