Add signature: Freeswitch

Issue #55 new
sean farrell created an issue

Hello,

I would like sshguard to block unwanted attempts. Here's a sample from my freeswitch log of an unwanted attempt:

9568ef4e-ce58-11e6-a604-736db5881309 2016-12-29 22:24:14.034837 [DEBUG] sofia.c:9851 sofia/internal/aor3=3--@68.96.222.9 receiving invite from 163.172.125.91:57347 version: 1.9.0 git eef2313 2016-12-20 22:19:30Z 32bit
2016-12-29 22:24:14.034837 [DEBUG] sofia.c:10018 IP 163.172.125.91 Rejected by acl "domains". Falling back to Digest auth.
2016-12-29 22:24:14.054870 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'internal' for [0048678887178@68.96.222.9] from ip 163.172.125.91
9568ef4e-ce58-11e6-a604-736db5881309 2016-12-29 22:24:14.294838 [DEBUG] sofia.c:9851 sofia/internal/aor3=3--@68.96.222.9 receiving invite from 163.172.125.91:57347 version: 1.9.0 git eef2313 2016-12-20 22:19:30Z 32bit
2016-12-29 22:24:14.294838 [DEBUG] sofia.c:10018 IP 163.172.125.91 Rejected by acl "domains". Falling back to Digest auth.
2016-12-29 22:24:14.294838 [WARNING] sofia_reg.c:2906 Can't find user [a'or'3=3--@192.168.0.137] from 163.172.125.91
2016-12-29 22:24:14.294838 [WARNING] sofia_reg.c:1737 SIP auth failure (INVITE) on sofia profile 'internal' for [0048678887178@68.96.222.9] from ip 163.172.125.91
e9e650b6-ce58-11e6-a606-736db5881309 2016-12-29 22:26:35.794835 [DEBUG] sofia.c:9851 sofia/internal/aor3=3--@68.96.222.9 receiving invite from 163.172.125.91:58453 version: 1.9.0 git eef2313 2016-12-20 22:19:30Z 32bit
2016-12-29 22:26:35.794835 [DEBUG] sofia.c:10018 IP 163.172.125.91 Rejected by acl "domains". Falling back to Digest auth.
2016-12-29 22:26:35.794835 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'internal' for [0048678887178@68.96.222.9] from ip 163.172.125.91
e9e650b6-ce58-11e6-a606-736db5881309 2016-12-29 22:26:36.194842 [DEBUG] sofia.c:9851 sofia/internal/aor3=3--@68.96.222.9 receiving invite from 163.172.125.91:58453 version: 1.9.0 git eef2313 2016-12-20 22:19:30Z 32bit
2016-12-29 22:26:36.194842 [DEBUG] sofia.c:10018 IP 163.172.125.91 Rejected by acl "domains". Falling back to Digest auth.
2016-12-29 22:26:36.194842 [WARNING] sofia_reg.c:2906 Can't find user [a'or'3=3--@192.168.0.137] from 163.172.125.91
2016-12-29 22:26:36.194842 [WARNING] sofia_reg.c:1737 SIP auth failure (INVITE) on sofia profile 'internal' for [0048678887178@68.96.222.9] from ip 163.172.125.91
0743ceba-d00f-11e6-93e5-c903981bcc16 2017-01-01 02:42:45.633351 [DEBUG] sofia.c:9977 sofia/internal/aor3=3--@68.96.222.9 receiving invite from 163.172.125.91:53681 version: 1.9.0 git 0248d38 2016-12-31 00:53:27Z 32bit
2017-01-01 02:42:45.633351 [DEBUG] sofia.c:10144 IP 163.172.125.91 Rejected by acl "domains". Falling back to Digest auth.
2017-01-01 02:42:45.633351 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'internal' for [0048678887178@68.96.222.9] from ip 163.172.125.91
0743ceba-d00f-11e6-93e5-c903981bcc16 2017-01-01 02:42:45.813334 [DEBUG] sofia.c:9977 sofia/internal/aor3=3--@68.96.222.9 receiving invite from 163.172.125.91:53681 version: 1.9.0 git 0248d38 2016-12-31 00:53:27Z 32bit
2017-01-01 02:42:45.813334 [DEBUG] sofia.c:10144 IP 163.172.125.91 Rejected by acl "domains". Falling back to Digest auth.
2017-01-01 02:42:45.813334 [WARNING] sofia_reg.c:2906 Can't find user [a'or'3=3--@192.168.0.137] from 163.172.125.91
2017-01-01 02:42:45.823375 [WARNING] sofia_reg.c:1737 SIP auth failure (INVITE) on sofia profile 'internal' for [0048678887178@68.96.222.9] from ip 163.172.125.91
658285de-d00f-11e6-93e7-c903981bcc16 2017-01-01 02:45:23.743340 [DEBUG] sofia.c:9977 sofia/internal/aor3=3--@68.96.222.9 receiving invite from 163.172.125.91:54790 version: 1.9.0 git 0248d38 2016-12-31 00:53:27Z 32bit
2017-01-01 02:45:23.753394 [DEBUG] sofia.c:10144 IP 163.172.125.91 Rejected by acl "domains". Falling back to Digest auth.
2017-01-01 02:45:23.753394 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'internal' for [0048678887178@68.96.222.9] from ip 163.172.125.91
658285de-d00f-11e6-93e7-c903981bcc16 2017-01-01 02:45:24.213502 [DEBUG] sofia.c:9977 sofia/internal/aor3=3--@68.96.222.9 receiving invite from 163.172.125.91:54790 version: 1.9.0 git 0248d38 2016-12-31 00:53:27Z 32bit
2017-01-01 02:45:24.213502 [DEBUG] sofia.c:10144 IP 163.172.125.91 Rejected by acl "domains". Falling back to Digest auth.
2017-01-01 02:45:24.213502 [WARNING] sofia_reg.c:2906 Can't find user [a'or'3=3--@192.168.0.137] from 163.172.125.91
2017-01-01 02:45:24.213502 [WARNING] sofia_reg.c:1737 SIP auth failure (INVITE) on sofia profile 'internal' for [0048678887178@68.96.222.9] from ip 163.172.125.91

Here's a fail2ban example of the regex: https://github.com/fail2ban/fail2ban/blob/8d9fe5d3da0147da121897821c11ddab58698ea1/config/filter.d/freeswitch.conf

Thanks for the consideration!

Comments (6)

  1. Kevin Zheng

    We'd be happy to include a filter for FreeSwitch, but it basically depends on if anyone can sit down and put together a set of rules for it.

    The parser we have isn't the easiest to work with, but I'm happy to lend a hand if you want to take a look.

  2. sean farrell reporter

    Hi Kevin, Daniel,

    Thanks for the reply!

    Sorry, I don't quite know how I would go about implementing the code for the parser.

    I also don't have ipv6 traffic enabled at the moment.

  3. Log in to comment