Add signature: Freeswitch
Issue #55
open
Hello,
I would like sshguard to block unwanted attempts. Here's a sample from my freeswitch log of an unwanted attempt:
9568ef4e-ce58-11e6-a604-736db5881309 2016-12-29 22:24:14.034837 [DEBUG] sofia.c:9851 sofia/internal/aor3=3--@68.96.222.9 receiving invite from 163.172.125.91:57347 version: 1.9.0 git eef2313 2016-12-20 22:19:30Z 32bit
2016-12-29 22:24:14.034837 [DEBUG] sofia.c:10018 IP 163.172.125.91 Rejected by acl "domains". Falling back to Digest auth.
2016-12-29 22:24:14.054870 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'internal' for [0048678887178@68.96.222.9] from ip 163.172.125.91
9568ef4e-ce58-11e6-a604-736db5881309 2016-12-29 22:24:14.294838 [DEBUG] sofia.c:9851 sofia/internal/aor3=3--@68.96.222.9 receiving invite from 163.172.125.91:57347 version: 1.9.0 git eef2313 2016-12-20 22:19:30Z 32bit
2016-12-29 22:24:14.294838 [DEBUG] sofia.c:10018 IP 163.172.125.91 Rejected by acl "domains". Falling back to Digest auth.
2016-12-29 22:24:14.294838 [WARNING] sofia_reg.c:2906 Can't find user [a'or'3=3--@192.168.0.137] from 163.172.125.91
2016-12-29 22:24:14.294838 [WARNING] sofia_reg.c:1737 SIP auth failure (INVITE) on sofia profile 'internal' for [0048678887178@68.96.222.9] from ip 163.172.125.91
e9e650b6-ce58-11e6-a606-736db5881309 2016-12-29 22:26:35.794835 [DEBUG] sofia.c:9851 sofia/internal/aor3=3--@68.96.222.9 receiving invite from 163.172.125.91:58453 version: 1.9.0 git eef2313 2016-12-20 22:19:30Z 32bit
2016-12-29 22:26:35.794835 [DEBUG] sofia.c:10018 IP 163.172.125.91 Rejected by acl "domains". Falling back to Digest auth.
2016-12-29 22:26:35.794835 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'internal' for [0048678887178@68.96.222.9] from ip 163.172.125.91
e9e650b6-ce58-11e6-a606-736db5881309 2016-12-29 22:26:36.194842 [DEBUG] sofia.c:9851 sofia/internal/aor3=3--@68.96.222.9 receiving invite from 163.172.125.91:58453 version: 1.9.0 git eef2313 2016-12-20 22:19:30Z 32bit
2016-12-29 22:26:36.194842 [DEBUG] sofia.c:10018 IP 163.172.125.91 Rejected by acl "domains". Falling back to Digest auth.
2016-12-29 22:26:36.194842 [WARNING] sofia_reg.c:2906 Can't find user [a'or'3=3--@192.168.0.137] from 163.172.125.91
2016-12-29 22:26:36.194842 [WARNING] sofia_reg.c:1737 SIP auth failure (INVITE) on sofia profile 'internal' for [0048678887178@68.96.222.9] from ip 163.172.125.91
0743ceba-d00f-11e6-93e5-c903981bcc16 2017-01-01 02:42:45.633351 [DEBUG] sofia.c:9977 sofia/internal/aor3=3--@68.96.222.9 receiving invite from 163.172.125.91:53681 version: 1.9.0 git 0248d38 2016-12-31 00:53:27Z 32bit
2017-01-01 02:42:45.633351 [DEBUG] sofia.c:10144 IP 163.172.125.91 Rejected by acl "domains". Falling back to Digest auth.
2017-01-01 02:42:45.633351 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'internal' for [0048678887178@68.96.222.9] from ip 163.172.125.91
0743ceba-d00f-11e6-93e5-c903981bcc16 2017-01-01 02:42:45.813334 [DEBUG] sofia.c:9977 sofia/internal/aor3=3--@68.96.222.9 receiving invite from 163.172.125.91:53681 version: 1.9.0 git 0248d38 2016-12-31 00:53:27Z 32bit
2017-01-01 02:42:45.813334 [DEBUG] sofia.c:10144 IP 163.172.125.91 Rejected by acl "domains". Falling back to Digest auth.
2017-01-01 02:42:45.813334 [WARNING] sofia_reg.c:2906 Can't find user [a'or'3=3--@192.168.0.137] from 163.172.125.91
2017-01-01 02:42:45.823375 [WARNING] sofia_reg.c:1737 SIP auth failure (INVITE) on sofia profile 'internal' for [0048678887178@68.96.222.9] from ip 163.172.125.91
658285de-d00f-11e6-93e7-c903981bcc16 2017-01-01 02:45:23.743340 [DEBUG] sofia.c:9977 sofia/internal/aor3=3--@68.96.222.9 receiving invite from 163.172.125.91:54790 version: 1.9.0 git 0248d38 2016-12-31 00:53:27Z 32bit
2017-01-01 02:45:23.753394 [DEBUG] sofia.c:10144 IP 163.172.125.91 Rejected by acl "domains". Falling back to Digest auth.
2017-01-01 02:45:23.753394 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'internal' for [0048678887178@68.96.222.9] from ip 163.172.125.91
658285de-d00f-11e6-93e7-c903981bcc16 2017-01-01 02:45:24.213502 [DEBUG] sofia.c:9977 sofia/internal/aor3=3--@68.96.222.9 receiving invite from 163.172.125.91:54790 version: 1.9.0 git 0248d38 2016-12-31 00:53:27Z 32bit
2017-01-01 02:45:24.213502 [DEBUG] sofia.c:10144 IP 163.172.125.91 Rejected by acl "domains". Falling back to Digest auth.
2017-01-01 02:45:24.213502 [WARNING] sofia_reg.c:2906 Can't find user [a'or'3=3--@192.168.0.137] from 163.172.125.91
2017-01-01 02:45:24.213502 [WARNING] sofia_reg.c:1737 SIP auth failure (INVITE) on sofia profile 'internal' for [0048678887178@68.96.222.9] from ip 163.172.125.91
Here's a fail2ban example of the regex: https://github.com/fail2ban/fail2ban/blob/8d9fe5d3da0147da121897821c11ddab58698ea1/config/filter.d/freeswitch.conf
Thanks for the consideration!
Comments (7)
-
reporter
-
We'd be happy to include a filter for FreeSwitch, but it basically depends on if anyone can sit down and put together a set of rules for it.
The parser we have isn't the easiest to work with, but I'm happy to lend a hand if you want to take a look.
-
Please provide some IPv6 log samples as well. I can have a look at it then.
-
reporter
Hi Kevin, Daniel,
Thanks for the reply!
Sorry, I don't quite know how I would go about implementing the code for the parser.
I also don't have ipv6 traffic enabled at the moment.
-
- changed component to parser
-
- changed title to Add signature: Freeswitch
-
- changed status to open
- Log in to comment
Hi All,
Is there anything more you'll need to create a filter for this? I know the FusionPBX group would really prefer to use sshguard instead of fail2ban. https://github.com/fusionpbx/
Thanks!