VoIP Mailing List Archives
Mailing list archives for the VoIP community

[Freeswitch-users] Scanners and botnet vulnerability


 
marcb at voicemeup.com
Guest





Posted: Mon Jan 25, 2021 4:10 pm    Post subject: [Freeswitch-users] Scanners and botnet vulnerability

Hello All,

Is anyone else noticing that there are more and more scanners attempting
brute force with no reply to the auth request, resulting in logging a lot of
abandoned calls?

Scenario:

- A scanner sends an INVITE|REGISTER with no credentials
- Freeswitch responds with an authentication request and a challenge is sent to
the logs:
"
2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge
(REGISTER) on sofia profile 'public' for [1730@1.2.3.4] from ip 5.6.7.8"
- Scanner does not respond
- After a while, Freeswitch logs the following:
2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078 [WARNING]
switch_core_state_machine.c:687 2ae23e93-c929-4089-a594-8e7af633ca88
sofia/public/1730@1.2.3.4 Abandoned

--

In our case, we made fail2ban more sensitive to auth failure logs, which
does not get triggered because of the scanner not even trying to send
credentials.

Wouldn't it make more sense for this log to include the IP of the SIP client
that abandoned the call (5.6.7.8) instead of only the IP of the SIP profile
(1.2.3.4)?

This would allow us to have Fail2ban block this scenario more aggressively.

Thoughts ?




_________________________________________________________________________

The FreeSWITCH project is sponsored by SignalWire https://signalwire.com
Enhance your FreeSWITCH install with disruptive priced SMS and PSTN services.
Build your next product on our scalable cloud platform.

Join our online community to chat in real time https://signalwire.community

Professional FreeSWITCH Services
sales@freeswitch.com
https://freeswitch.com

Official FreeSWITCH Sites
https://freeswitch.com/oss
https://freeswitch.org/confluence
https://cluecon.com

FreeSWITCH-users mailing list
FreeSWITCH-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
https://freeswitch.com
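
An added example, not part of the original post and not FreeSWITCH or fail2ban code: one way to attach a source IP to each "Abandoned" line by pairing it with the earlier auth challenge for the same profile and user@host, which is the only line that carries the client IP. It assumes, as in the sample above, that the same user@host string appears in both lines; the sample log, the 120-second window and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6})"
# Challenge line: the only one of the two that carries the client IP.
CHALLENGE_RE = re.compile(
    TS + r" \[WARNING\] sofia_reg\.c:\d+ SIP auth challenge \((?P<method>[A-Z]+)\) "
    r"on sofia profile '(?P<profile>[^']+)' for \[(?P<target>[^\]]+)\] "
    r"from ip (?P<ip>[0-9A-Fa-f.:]+)"
)
# Abandoned line: profile and user@host only, no client IP.
ABANDONED_RE = re.compile(
    TS + r" \[WARNING\] switch_core_state_machine\.c:\d+ (?:[0-9a-f-]{36} )?"
    r"sofia/(?P<profile>[^/\s]+)/(?P<target>\S+) Abandoned"
)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def attribute_abandoned(lines, window_s=120):
    """Pair each Abandoned line with a prior challenge for the same target.

    Returns (attributed, unresolved). An Abandoned line is attributed only
    when every challenge still pending for that target inside the window came
    from one IP; zero or several candidate IPs leave it unresolved, so an
    ambiguous match never produces a ban.
    """
    window = timedelta(seconds=window_s)
    pending = defaultdict(list)  # (profile, target) -> [(timestamp, ip), ...]
    attributed, unresolved = [], []
    for line in lines:
        m = CHALLENGE_RE.search(line)
        if m:
            pending[(m["profile"], m["target"])].append((_ts(m["ts"]), m["ip"]))
            continue
        m = ABANDONED_RE.search(line)
        if not m:
            continue
        when, key = _ts(m["ts"]), (m["profile"], m["target"])
        live = [(t, ip) for t, ip in pending[key]
                if timedelta(0) <= when - t <= window]
        ips = {ip for _, ip in live}
        if len(ips) == 1:
            live.pop(0)  # consume the oldest pending challenge
            attributed.append((ips.pop(), m["target"], when))
        else:
            unresolved.append((m["target"], when, sorted(ips)))
        pending[key] = live  # expired challenges are dropped here
    return attributed, unresolved


def offenders(lines, threshold=3, window_s=120):
    """IPs with at least `threshold` abandoned, never-authenticated attempts."""
    attributed, _ = attribute_abandoned(lines, window_s)
    counts = Counter(ip for ip, _, _ in attributed)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample in the format quoted in the post. 1.2.3.4 and 5.6.7.8 are
# the post's placeholders; the other addresses and the UUIDs are made up.
_CH = ("{} [WARNING] sofia_reg.c:1792 SIP auth challenge ({}) on sofia "
       "profile 'public' for [{}@1.2.3.4] from ip {}")
_AB = ("{u} {t} [WARNING] switch_core_state_machine.c:687 {u} "
       "sofia/public/{x}@1.2.3.4 Abandoned")


def _uuid(n):
    return "00000000-0000-4000-8000-{:012d}".format(n)


SAMPLE_LOG = [
    _CH.format("2021-01-25 12:27:39.306075", "REGISTER", "1730", "5.6.7.8"),
    # A client that is challenged and then authenticates: no Abandoned line.
    _CH.format("2021-01-25 12:27:40.100000", "REGISTER", "1001", "198.51.100.20"),
    _CH.format("2021-01-25 12:27:41.000000", "INVITE", "1731", "5.6.7.8"),
    _CH.format("2021-01-25 12:27:42.000000", "INVITE", "1732", "5.6.7.8"),
    # Two different sources probing the same target: ambiguous on purpose.
    _CH.format("2021-01-25 12:27:50.000000", "INVITE", "9000", "203.0.113.5"),
    _CH.format("2021-01-25 12:27:51.000000", "INVITE", "9000", "203.0.113.9"),
    _AB.format(u="2ae23e93-c929-4089-a594-8e7af633ca88",
               t="2021-01-25 12:28:37.506078", x="1730"),
    _AB.format(u=_uuid(2), t="2021-01-25 12:28:39.000000", x="1731"),
    _AB.format(u=_uuid(3), t="2021-01-25 12:28:40.000000", x="1732"),
    _AB.format(u=_uuid(4), t="2021-01-25 12:28:48.000000", x="9000"),
]

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print("abandoned-after-challenge source {} count {}".format(ip, n))
```

Counting challenge lines alone would also count every legitimate client, since digest authentication challenges the first request of each one; pairing with the Abandoned line keeps only the sources that never answered.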
krice at freeswitch.org
Guest





Posted: Mon Jan 25, 2021 4:36 pm    Post subject: [Freeswitch-users] Scanners and botnet vulnerability

this is super common. this is more likely a recon attack than an actual brute force attempt. Either that or they are looking for something with auth turned off. we see tons of these things regularly. Fail2ban helps some but using a SIP RBL and dropping traffic via prefixes associated with regions and bad actor hosts seems to be the best course of action these days.

I won't name the company, but a major European hosting company I drop their entire AS as it's not worth the hassle.

Sent from my iPhone

Quote:
On Jan 25, 2021, at 14:49, Marc Bernard <marcb@voicemeup.com> wrote:

Hello All,

Is anyone else noticing that there are more and more scanners attempting
brute force with no reply to the auth request, resulting in logging a lot of
abandoned calls?

Scenario:

- A scanner sends an INVITE|REGISTER with no credentials
- Freeswitch responds with an authentication request and a challenge is sent to
the logs:
"
2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge
(REGISTER) on sofia profile 'public' for [1730@1.2.3.4] from ip 5.6.7.8"
- Scanner does not respond
- After a while, Freeswitch logs the following:
2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078 [WARNING]
switch_core_state_machine.c:687 2ae23e93-c929-4089-a594-8e7af633ca88
sofia/public/1730@1.2.3.4 Abandoned

--

In our case, we made fail2ban more sensitive to auth failure logs, which
does not get triggered because of the scanner not even trying to send
credentials.

Wouldn't it make more sense for this log to include the IP of the SIP client
that abandoned the call (5.6.7.8) instead of only the IP of the SIP profile
(1.2.3.4)?

This would allow us to have Fail2ban block this scenario more aggressively.

Thoughts ?




rbetancor at gmail.com
Guest





Posted: Mon Jan 25, 2021 5:44 pm    Post subject: [Freeswitch-users] Scanners and botnet vulnerability

You could tell the name, SAS on France and OVH, they are both nests of bots.

On Mon, Jan 25, 2021 at 9:31 PM Ken Rice <krice@freeswitch.org> wrote:

Quote:
this is super common. this is more likely a recon attack than an actual brute force attempt. Either that or they are looking for something with auth turned off. we see tons of these things regularly. Fail2ban helps some but using a SIP RBL and dropping traffic via prefixes associated with regions and bad actor hosts seems to be the best course of action these days.

I won't name the company, but a major European hosting company I drop their entire AS as it's not worth the hassle.

Sent from my iPhone

krice at freeswitch.org
Guest





Posted: Mon Jan 25, 2021 10:08 pm    Post subject: [Freeswitch-users] Scanners and botnet vulnerability

exactly those 2 lol

Sent from my iPhone

Quote:
On Jan 25, 2021, at 16:24, Raúl Alexis Betancor Santana <rbetancor@gmail.com> wrote:

You could tell the name, SAS on France and OVH, they are both nests of bots.

gregor at infomedia.si
Guest





Posted: Mon Jan 25, 2021 11:15 pm    Post subject: [Freeswitch-users] Scanners and botnet vulnerability

😁

On Tue, Jan 26, 2021, 04:05 Ken Rice <krice@freeswitch.org> wrote:

Quote:
exactly those 2 lol

Sent from my iPhone

lloyd.aloysius at gmai...
Guest





Posted: Mon Jan 25, 2021 11:36 pm    Post subject: [Freeswitch-users] Scanners and botnet vulnerability

Ken, thank you for the information. Can you please let me know how to block AS numbers from IPTables?




On Mon, Jan 25, 2021 at 10:06 PM Ken Rice <krice@freeswitch.org> wrote:

Quote:
exactly those 2 lol

Sent from my iPhone

rbetancor at gmail.com
Guest





Posted: Tue Jan 26, 2021 3:11 am    Post subject: [Freeswitch-users] Scanners and botnet vulnerability

And the worst thing is that they fully ignore all the abuse claims. We also ended up blacklisting their full ASs, and when some of their customers or ours claim they are not able to access some service/company that is under their umbrella or ours, we just raise the flag of "they are just a nest of bots and crackers, we do not talk to them".

On Tue, Jan 26, 2021 at 3:15 AM Ken Rice <krice@freeswitch.org> wrote:

Quote:
exactly those 2 lol

Sent from my iPhone

rbetancor at gmail.com
Guest





PostPosted: Tue Jan 26, 2021 3:24 am    Post subject: [Freeswitch-users] Scanners and botnet vulnerability Reply with quote

You cannot block an AS from iptables; you should get the IP ranges that belong to that AS and block them.

There are scripts/extensions for Shorewall (a Linux firewalling suite) that allow you to do GeoIP/AS-based rules.


On Tue, Jan 26, 2021 at 4:47 AM Lloyd Aloysius <lloyd.aloysius@gmail.com> wrote:

Quote:
Ken, thank you for the information. Can you please let me know how to block AS numbers from IPTables?




On Mon, Jan 25, 2021 at 10:06 PM Ken Rice <krice@freeswitch.org> wrote:

Quote:
exactly those 2 lol

Sent from my iPhone

Quote:
On Jan 25, 2021, at 16:24, Raúl Alexis Betancor Santana <rbetancor@gmail.com> wrote:

You could tell the name: SAS in France and OVH, they are both nests of bots.

On Mon, Jan 25, 2021 at 9:31 PM Ken Rice <krice@freeswitch.org> wrote:

Quote:
This is super common. This is more likely a recon attack than an actual brute force attempt. Either that or they are looking for something with auth turned off. We see tons of these things regularly. Fail2ban helps some, but using a SIP RBL and dropping traffic via prefixes associated with regions and bad actor hosts seems to be the best course of action these days.

I won't name the company, but a major European hosting company, I drop their entire AS as it's not worth the hassle.

Sent from my iPhone

Quote:
On Jan 25, 2021, at 14:49, Marc Bernard <marcb@voicemeup.com> wrote:

Hello All,

Is anyone else noticing that there are more and more scanners attempting
brute force with no reply to auth request, resulting in logging a lot of
abandoned calls ?

Scenario:

- A scanner sends an INVITE|REGISTER with no credentials
- Freeswitch responds with an authentication request and a challenge is sent to
logs;
"
2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge
(REGISTER) on sofia profile 'public' for [1730@1.2.3.4] from ip 5.6.7.8"
- Scanner does not respond
- After a while, Freeswitch logs the following:
2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078 [WARNING]
switch_core_state_machine.c:687 2ae23e93-c929-4089-a594-8e7af633ca88
sofia/public/1730@1.2.3.4 Abandoned

--

In our case, we made fail2ban more sensitive to auth failure logs, which
does not get triggered because of the scanner not even trying to send
credentials.

Wouldn't it make more sense for this log to include the IP of the SIP client
that abandoned the call (5.6.7.8) instead of only the IP of the SIP profile
(1.2.3.4) ?

This would allow us to have Fail2ban block this scenario more aggressively.

Thoughts ?




krice at freeswitch.org
Guest





PostPosted: Tue Jan 26, 2021 1:18 pm    Post subject: [Freeswitch-users] Scanners and botnet vulnerability Reply with quote

There are various tools like https://www.countryipblocks.net/acl.php (and more) that will create the datasets you need to feed iptables. There are also things like https://www.apiban.org/ that you might want to look at for proactively blocking bad actors. APIBAN is like a good old RBL you’d use to combat spam but collects data on SIP bad actors.

K


From: FreeSWITCH-users <freeswitch-users-bounces@lists.freeswitch.org> on behalf of Lloyd Aloysius <lloyd.aloysius@gmail.com>
Reply-To: FreeSWITCH Users Help <freeswitch-users@lists.freeswitch.org>
Date: Monday, January 25, 2021 at 10:21 PM
To: FreeSWITCH Users Help <freeswitch-users@lists.freeswitch.org>
Subject: Re: [Freeswitch-users] Scanners and botnet vulnerability



Ken, thank you for the information. Can you please let me know how to block AS numbers from IPTables?





On Mon, Jan 25, 2021 at 10:06 PM Ken Rice <krice@freeswitch.org> wrote:
Quote:

exactly those 2 lol
Sent from my iPhone



Quote:

On Jan 25, 2021, at 16:24, Raúl Alexis Betancor Santana <rbetancor@gmail.com> wrote:

You could tell the name: SAS in France and OVH, they are both nests of bots.


On Mon, Jan 25, 2021 at 9:31 PM Ken Rice <krice@freeswitch.org> wrote:
Quote:

This is super common. This is more likely a recon attack than an actual brute force attempt. Either that or they are looking for something with auth turned off. We see tons of these things regularly. Fail2ban helps some, but using a SIP RBL and dropping traffic via prefixes associated with regions and bad actor hosts seems to be the best course of action these days.

I won't name the company, but a major European hosting company, I drop their entire AS as it's not worth the hassle.

Sent from my iPhone

Quote:
On Jan 25, 2021, at 14:49, Marc Bernard <marcb@voicemeup.com> wrote:

Hello All,

Is anyone else noticing that there are more and more scanners attempting
brute force with no reply to auth request, resulting in logging a lot of
abandoned calls ?

Scenario:

- A scanner sends an INVITE|REGISTER with no credentials
- Freeswitch responds with an authentication request and a challenge is sent to
logs;
"
2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge
(REGISTER) on sofia profile 'public' for [1730@1.2.3.4] from ip 5.6.7.8"
- Scanner does not respond
- After a while, Freeswitch logs the following:
2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078 [WARNING]
switch_core_state_machine.c:687 2ae23e93-c929-4089-a594-8e7af633ca88
sofia/public/1730@1.2.3.4 Abandoned

--

In our case, we made fail2ban more sensitive to auth failure logs, which
does not get triggered because of the scanner not even trying to send
credentials.

Wouldn't it make more sense for this log to include the IP of the SIP client
that abandoned the call (5.6.7.8) instead of only the IP of the SIP profile
(1.2.3.4) ?

This would allow us to have Fail2ban block this scenario more aggressively.

Thoughts ?




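The "get the IP ranges that belong to that AS and block them" step from the replies above, as an added example that is not part of the original posts: it merges a prefix list into the smallest equivalent set, checks it against an allowlist, and emits `ipset restore` input that a single iptables rule can match. The prefixes, set name and allowlisted addresses are constructed; where the prefix list comes from is left to the tools named in the thread.

```python
import ipaddress

# Constructed sample: prefixes as a per-AS or per-country list might provide
# them, using documentation ranges only.
SAMPLE_PREFIXES = """\
# hypothetical hosting provider
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26      # already covered by the /24 above
2001:db8::/32        # IPv6 belongs in a separate 'family inet6' set
""".splitlines()


def collapse_ipv4(prefix_lines):
    """Parse one CIDR per line ('#' comments allowed) and merge overlaps."""
    nets = []
    for raw in prefix_lines:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        net = ipaddress.ip_network(text, strict=False)
        if net.version == 4:              # a 'family inet' set holds IPv4 only
            nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def allowlist_conflicts(nets, allowlist):
    """Return allowlisted addresses (carriers, customers) the set would drop."""
    return [a for a in allowlist
            if any(ipaddress.ip_address(a) in n for n in nets)]


def ipset_restore_lines(nets, set_name="sip_blocked_prefixes"):
    """Build input for `ipset restore`; set_name is a made-up example name."""
    lines = [f"create {set_name} hash:net family inet"]
    lines += [f"add {set_name} {n}" for n in nets]
    return lines


if __name__ == "__main__":
    merged = collapse_ipv4(SAMPLE_PREFIXES)
    clash = allowlist_conflicts(merged, ["192.0.2.10"])   # constructed carrier IP
    if clash:
        raise SystemExit(f"refusing to block allowlisted hosts: {clash}")
    print("\n".join(ipset_restore_lines(merged)))
    # Load with:   ipset restore < prefixes.ipset
    # Match with:  iptables -I INPUT -m set --match-set sip_blocked_prefixes src -j DROP
```

Checking the allowlist before loading matters because a dropped prefix also silences any legitimate peer hosted inside it.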
marcb at voicemeup.com
Guest





PostPosted: Mon Feb 01, 2021 11:07 am    Post subject: [Freeswitch-users] Scanners and botnet vulnerability Reply with quote

Hi Ken,

Quote:
Quote:
Wouldn't it make more sense for this log to include the IP of the SIP client that abandoned the call (5.6.7.8) instead of only the IP of the SIP profile
(1.2.3.4) ?

What about my suggestion though, which would allow us to block IPs when there are a lot of abandoned calls ?

This could also be added to fail2ban by default with a more aggressive ban.

Cheers,


-----Original Message-----

This is super common. This is more likely a recon attack than an actual brute force attempt. Either that or they are looking for something with auth turned off. We see tons of these things regularly. Fail2ban helps some, but using a SIP RBL and dropping traffic via prefixes associated with regions and bad actor hosts seems to be the best course of action these days.

I won't name the company, but a major European hosting company, I drop their entire AS as it's not worth the hassle.


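One way to get per-IP counts of abandoned calls from the two log lines quoted in this thread is to join them on profile and user@host, since the challenge line carries the source address and the Abandoned line carries the same user@host. This is an added example, not part of the original posts or of FreeSWITCH or fail2ban; the sample lines and addresses are constructed, and the 120-second pairing window and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the two formats quoted in the thread (documentation IPs).
SAMPLE_LOG = """\
2021-01-25 12:27:39.306075 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'public' for [1730@198.51.100.10] from ip 203.0.113.50
2021-01-25 12:27:40.100000 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'public' for [1001@198.51.100.10] from ip 192.0.2.77
2021-01-25 12:27:41.000000 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'public' for [1731@198.51.100.10] from ip 203.0.113.50
2021-01-25 12:27:42.000000 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'public' for [1732@198.51.100.10] from ip 203.0.113.50
2ae23e93-c929-4089-a594-8e7af633ca88 2021-01-25 12:28:37.506078 [WARNING] switch_core_state_machine.c:687 2ae23e93-c929-4089-a594-8e7af633ca88 sofia/public/1730@198.51.100.10 Abandoned
00000000-0000-4000-8000-000000000002 2021-01-25 12:28:39.000000 [WARNING] switch_core_state_machine.c:687 00000000-0000-4000-8000-000000000002 sofia/public/1731@198.51.100.10 Abandoned
00000000-0000-4000-8000-000000000003 2021-01-25 12:28:40.000000 [WARNING] switch_core_state_machine.c:687 00000000-0000-4000-8000-000000000003 sofia/public/1732@198.51.100.10 Abandoned
00000000-0000-4000-8000-000000000004 2021-01-25 12:30:00.000000 [WARNING] switch_core_state_machine.c:687 00000000-0000-4000-8000-000000000004 sofia/public/1999@198.51.100.10 Abandoned
""".splitlines()

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)"
CHALLENGE = re.compile(
    TS + r" \[WARNING\] sofia_reg\.c:\d+ SIP auth challenge \(\w+\) on sofia "
    r"profile '(?P<profile>[^']+)' for \[(?P<target>[^\]]+)\] "
    r"from ip (?P<ip>[0-9A-Fa-f:.]+)")
ABANDONED = re.compile(
    TS + r" \[WARNING\] switch_core_state_machine\.c:\d+ \S+ "
    r"sofia/(?P<profile>[^/\s]+)/(?P<target>\S+) Abandoned")


def _when(m):
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")


def abandoned_by_source(lines, window=timedelta(seconds=120)):
    """Count Abandoned channels per source IP by pairing each one with the
    auth challenge logged earlier for the same profile and user@host."""
    pending = defaultdict(deque)          # (profile, target) -> (time, ip) entries
    counts, skipped = Counter(), 0
    for line in lines:
        m = CHALLENGE.search(line)
        if m:
            pending[m["profile"], m["target"]].append((_when(m), m["ip"]))
            continue
        m = ABANDONED.search(line)
        if not m:
            continue
        queue, now = pending[m["profile"], m["target"]], _when(m)
        while queue and now - queue[0][0] > window:
            queue.popleft()               # challenge too old to explain this event
        sources = {ip for _, ip in queue}
        if len(sources) == 1:
            counts[queue.popleft()[1]] += 1
        else:
            skipped += 1                  # no candidate, or several: do not guess
    return counts, skipped


def offenders(lines, threshold=3):
    """Source IPs with at least `threshold` attributed abandoned channels."""
    counts, _ = abandoned_by_source(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

The client at 192.0.2.77 is challenged but never abandoned, so it is not counted; an Abandoned line with zero or several candidate sources is skipped rather than attributed.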
brian at freeswitch.com
Guest





PostPosted: Mon Feb 01, 2021 2:27 pm    Post subject: [Freeswitch-users] Scanners and botnet vulnerability Reply with quote

It would log it, unless you have it misconfigured.

On Mon, Feb 1, 2021 at 11:02 AM Marc Bernard <marcb@voicemeup.com> wrote:

Quote:
Hi Ken,

Quote:
Quote:
Wouldn't it make more sense for this log to include the IP of the SIP client that abandoned the call (5.6.7.8) instead of only the IP of the SIP profile
(1.2.3.4) ?

What about my suggestion though, which would allow us to block IPs when there are a lot of abandoned calls ?

This could also be added to fail2ban by default with a more aggressive ban.

Cheers,


-----Original Message-----

This is super common. This is more likely a recon attack than an actual brute force attempt. Either that or they are looking for something with auth turned off. We see tons of these things regularly. Fail2ban helps some, but using a SIP RBL and dropping traffic via prefixes associated with regions and bad actor hosts seems to be the best course of action these days.

I won't name the company, but a major European hosting company, I drop their entire AS as it's not worth the hassle.





--



Brian West | Co-founder and Developer
Need Commercial support? email sales@freeswitch.com
FreeSWITCH Solutions | 17345 Civic Drive #2531 Brookfield, WI 53045
Email: brian@freeswitch.com
Mobile: 918-424-9378
Website: https://www.FreeSWITCH.com
All times are GMT - 5 Hours