VoIP Mailing List Archives
Mailing list archives for the VoIP community
schoch+freeswitch.org ... Guest
Posted: Tue Mar 16, 2021 6:45 pm Post subject: [Freeswitch-users] Will fail2ban work for this?
I just set up a new FreeSWITCH system on my home network, and set a forward for port 5080 to connect to Flowroute. While I'm debugging some call routing stuff, my logs are getting overrun with stuff like this:
2021-03-16 15:52:02.267501 [NOTICE] switch_channel.c:1118 New Channel sofia/external/7750@<my IP> [2de89b87-cd07-4c0f-b9fb-3da8e5a68d37]
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:585 (sofia/external/7750@<my IP>) Running State Change CS_NEW (Cur 1 Tot 7822)
2021-03-16 15:52:02.267501 [DEBUG] sofia.c:10280 sofia/external/7750@<my IP> receiving invite from 80.94.93.12:62635 version: 1.10.5 -release-17-25569c1631 64bit
2021-03-16 15:52:02.267501 [DEBUG] sofia.c:7326 Channel sofia/external/7750@<my IP> entering state [received][100]
2021-03-16 15:52:02.267501 [DEBUG] sofia.c:7336 Remote SDP:
v=0
o=- 81921704 81921704 IN IP4 0.0.0.0
s=pplsip
c=IN IP4 0.0.0.0
t=0 0
m=audio 7628 RTP/AVP 100 6 0 8 3 18 5 101
a=rtpmap:100 speex/16000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-11
a=alt:1 1 : DF50DC48 0000001F 0.0.0.0 7628
2021-03-16 15:52:02.267501 [DEBUG] sofia.c:7739 (sofia/external/7750@<my IP>) State Change CS_NEW -> CS_INIT
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:604 (sofia/external/7750@<my IP>) State NEW
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:585 (sofia/external/7750@<my IP>) Running State Change CS_INIT (Cur 1 Tot 7822)
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:628 (sofia/external/7750@<my IP>) State INIT
2021-03-16 15:52:02.267501 [DEBUG] mod_sofia.c:93 sofia/external/7750@<my IP> SOFIA INIT
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:40 sofia/external/7750@<my IP> Standard INIT
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:48 (sofia/external/7750@<my IP>) State Change CS_INIT -> CS_ROUTING
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:628 (sofia/external/7750@<my IP>) State INIT going to sleep
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:585 (sofia/external/7750@<my IP>) Running State Change CS_ROUTING (Cur 1 Tot 7822)
2021-03-16 15:52:02.267501 [DEBUG] switch_channel.c:2332 (sofia/external/7750@<my IP>) Callstate Change DOWN -> RINGING
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:644 (sofia/external/7750@<my IP>) State ROUTING
2021-03-16 15:52:02.267501 [DEBUG] mod_sofia.c:154 sofia/external/7750@<my IP> SOFIA ROUTING
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:236 sofia/external/7750@<my IP> Standard ROUTING
2021-03-16 15:52:02.267501 [INFO] mod_dialplan_xml.c:637 Processing 7750 <7750>->900442037697855 in context public
I thought fail2ban was designed for stuff like this, but I don't see any auth attempts here (I set "log-auth-failures" to "true"). These are coming in a bit faster than 1 per second. It appears they are dialing random extensions. How can I make them stop?
--
Steve
david.villasmil.work a... Guest
Posted: Tue Mar 16, 2021 8:42 pm Post subject: [Freeswitch-users] Will fail2ban work for this?
It works, sure. But needs to be configured.
https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban should help you, especially the configuration part.
For fail2ban to work, it needs to see a line in the logfile with the originating IP address. For that to work on failed call attempts, you need to add a specific failure log. Something like adding a catch-all extension at the very end of the dialplan and logging the originating IP. Then grab that with fail2ban.
Something like:
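<extension name="catch-all">
  <!-- Matches any destination number, so keep this extension last in the dialplan -->
  <condition field="destination_number" expression="^.*$">
    <condition field="${sip_authorized}" expression="^false$">
      <!-- Dialplan references omit the "variable_" prefix that channel dumps and events show -->
      <action application="log" data="CRIT caught ${sip_received_ip} trying to call."/>
      <action application="hangup" data=""/>
    </condition>
  </condition>
</extension>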
Then a regexp on filter.d/freeswitch.local
[Definition]
# The logged message ends with a period, so match it before the end-of-line anchor
failregex = ^.* caught <HOST> trying to call\.$
NOTE: I didn't test any of this, you'll need to test yourself, but it should be a starting point.
Another option, which I like on top of the already mentioned, is to _not_ use a default port 5080, use something like 9909 (security by obscurity)
Regards,
David Villasmil
email: david.villasmil.work@gmail.com
phone: +34669448337
_________________________________________________________________________
The FreeSWITCH project is sponsored by SignalWire https://signalwire.com
Enhance your FreeSWITCH install with disruptive priced SMS and PSTN services.
Build your next product on our scalable cloud platform.
Join our online community to chat in real time https://signalwire.community
Professional FreeSWITCH Services
sales@freeswitch.com (sales@freeswitch.com)
https://freeswitch.com
Official FreeSWITCH Sites
https://freeswitch.com/oss
https://freeswitch.org/confluence
https://cluecon.com
FreeSWITCH-users mailing list
FreeSWITCH-users@lists.freeswitch.org (FreeSWITCH-users@lists.freeswitch.org)
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
https://freeswitch.com |
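The approach suggested in the reply above (log the source IP from a catch-all extension, then match that line with a failregex) can be checked offline before touching a jail. The following is an added example, not code from the thread or from fail2ban: it approximates fail2ban's behaviour with an IPv4-only stand-in for `<HOST>` and a simple maxretry/findtime window, and all log lines except the first are constructed (the `mod_dptools.c:1879` source location and the addresses are placeholders).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; the real tag
# also accepts IPv6 addresses and hostnames).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# FreeSWITCH log timestamp, in the format shown in the thread's log excerpt.
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) ")

# The catch-all extension logs "caught <ip> trying to call." (with a period).
FAILREGEX = r"^.* caught <HOST> trying to call\.$"
# Variant that omits the period the logged message ends with.
NO_PERIOD_FAILREGEX = r"^.* caught <HOST> trying to call$"

# First line is taken from the thread; every other line is constructed.
SAMPLE_LOG = """\
2021-03-16 15:52:02.267501 [INFO] mod_dialplan_xml.c:637 Processing 7750 <7750>->900442037697855 in context public
2021-03-16 15:52:02.267501 [CRIT] mod_dptools.c:1879 caught 203.0.113.7 trying to call.
v=0
2021-03-16 15:52:03.101220 [CRIT] mod_dptools.c:1879 caught 203.0.113.7 trying to call.
2021-03-16 15:52:04.055731 [CRIT] mod_dptools.c:1879 caught 203.0.113.7 trying to call.
2021-03-16 15:58:10.000000 [CRIT] mod_dptools.c:1879 caught 198.51.100.23 trying to call.
2021-03-16 16:20:00.000000 [CRIT] mod_dptools.c:1879 caught 198.51.100.23 trying to call.
""".splitlines()


def find_hits(lines, failregex):
    """Return (timestamp, ip) for every log line the failregex matches."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    hits = []
    for line in lines:
        ts = TIMESTAMP.match(line)
        if not ts:
            continue  # continuation lines such as SDP bodies carry no timestamp
        # Like fail2ban, apply the failregex to the line with its timestamp removed.
        match = pattern.search(line[ts.end():])
        if match:
            when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S.%f")
            hits.append((when, match.group("host")))
    return hits


def find_bans(hits, maxretry=3, findtime=600):
    """Return IPs with at least maxretry hits inside any findtime-second window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = []
    for when, ip in sorted(hits):
        times = recent[ip]
        times.append(when)
        while when - times[0] > window:
            times.popleft()  # forget hits that fell out of the window
        if len(times) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned


if __name__ == "__main__":
    print("hits without the period:", len(find_hits(SAMPLE_LOG, NO_PERIOD_FAILREGEX)))
    hits = find_hits(SAMPLE_LOG, FAILREGEX)
    print("hits with the period:   ", len(hits))
    print("would ban:", find_bans(hits))
```

On a host with fail2ban installed, `fail2ban-regex <logfile> <filter file>` performs the same check against the real filter.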
schoch+freeswitch.org ... Guest
Posted: Tue Mar 16, 2021 9:13 pm Post subject: [Freeswitch-users] Will fail2ban work for this?
I like your 2nd option. I always assumed 5080 was safe because it isn't the SIP port. It is listed as the "OnScreen Data Collection Service" in the official port number database (https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?&page=89), but I guess the hackers know the SIP people like to use it. I'll try switching to another port.
--
Steve
mayamatakeshi at gmail... Guest
Posted: Tue Mar 16, 2021 9:41 pm Post subject: [Freeswitch-users] Will fail2ban work for this?
I suppose:
"in context public"
in the above log indicates the call entered your FS without need for authentication.
So you should switch to a context/profile that requires authentication, then log-auth-failures should work.
s.safarov at gmail.com Guest
Posted: Wed Mar 17, 2021 12:38 am Post subject: [Freeswitch-users] Will fail2ban work for this?
mod_failban is designed to log auth failures. So there is no need to parse all FreeSWITCH logs with the failban daemon.
Sergey
rbetancor at gmail.com Guest
Posted: Wed Mar 17, 2021 2:07 am Post subject: [Freeswitch-users] Will fail2ban work for this?
Switching the SIP port is not the solution; sooner than later, they will find you.
The best approach is to use a combination of solutions, like a blacklist of known hacker IPs such as voipbl.org, a correctly set up fail2ban, putting your FS behind a Kamailio with the pike module and other security measures, etc.