Hack attempt


Pavyolo

Dec 4, 2017, 1:26:03 AM
to ASTPP
So this morning I have the below on my console. First off, 13100000000 is not an account on my system, 185.107.83.134 is not one of my client IPs, and this attempt kept getting "wrong call state".
I have fail2ban working. How did this account get recognized by my ASTPP in the first place if it's bogus, and what can I do to stop whatever exploit this is?

2017-12-04 08:15:16.331883 [NOTICE] switch_channel.c:1104 New Channel sofia/Internet/13100...@1.1.1.1 [7ef38a5e-d8ba-11e7-9ecb-b388ec33d968]
2017-12-04 08:15:16.331883 [DEBUG] switch_core_state_machine.c:584 (sofia/Internet/13100...@1.1.1.1) Running State Change CS_NEW (Cur 1 Tot 253)
2017-12-04 08:15:16.331883 [DEBUG] sofia.c:9873 sofia/Internet/13100...@1.1.1.1 receiving invite from 185.107.83.134:15431 version: 1.6.19 git 7a77e0b 2017-07-13 12:01:45Z 64bit
2017-12-04 08:15:16.331883 [DEBUG] sofia.c:10044 IP 185.107.83.134 Rejected by acl "default". Falling back to Digest auth.
2017-12-04 08:15:16.331883 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'Internet' for [99011487...@1.1.1.1] from ip 185.107.83.134
2017-12-04 08:15:16.331883 [DEBUG] switch_core_state_machine.c:603 (sofia/Internet/13100...@1.1.1.1) State NEW
2017-12-04 08:15:16.331883 [DEBUG] sofia.c:2334 detaching session 7ef38a5e-d8ba-11e7-9ecb-b388ec33d968
2017-12-04 08:15:26.332986 [WARNING] switch_core_state_machine.c:687 7ef38a5e-d8ba-11e7-9ecb-b388ec33d968 sofia/Internet/13100...@1.1.1.1 Abandoned
2017-12-04 08:15:26.332986 [NOTICE] switch_core_state_machine.c:690 Hangup sofia/Internet/13100...@1.1.1.1 [CS_NEW] [WRONG_CALL_STATE]
2017-12-04 08:15:26.332986 [DEBUG] switch_core_state_machine.c:584 (sofia/Internet/13100...@1.1.1.1) Running State Change CS_HANGUP (Cur 1 Tot 253)
2017-12-04 08:15:26.332986 [DEBUG] switch_core_state_machine.c:850 (sofia/Internet/13100...@1.1.1.1) Callstate Change DOWN -> HANGUP
2017-12-04 08:15:26.332986 [DEBUG] switch_core_state_machine.c:852 (sofia/Internet/13100...@1.1.1.1) State HANGUP
2017-12-04 08:15:26.332986 [DEBUG] mod_sofia.c:438 Channel sofia/Internet/13100...@1.1.1.1 hanging up, cause: WRONG_CALL_STATE
2017-12-04 08:15:26.332986 [DEBUG] switch_core_state_machine.c:60 sofia/Internet/13100...@1.1.1.1 Standard HANGUP, cause: WRONG_CALL_STATE
2017-12-04 08:15:26.332986 [DEBUG] switch_core_state_machine.c:852 (sofia/Internet/13100...@1.1.1.1) State HANGUP going to sleep
2017-12-04 08:15:26.332986 [DEBUG] switch_core_state_machine.c:619 (sofia/Internet/13100...@1.1.1.1) State Change CS_HANGUP -> CS_REPORTING
2017-12-04 08:15:26.332986 [DEBUG] switch_core_state_machine.c:584 (sofia/Internet/13100...@1.1.1.1) Running State Change CS_REPORTING (Cur 1 Tot 253)
2017-12-04 08:15:26.332986 [DEBUG] switch_core_state_machine.c:938 (sofia/Internet/13100...@1.1.1.1) State REPORTING
2017-12-04 08:15:26.332986 [DEBUG] switch_core_state_machine.c:174 sofia/Internet/13100...@1.1.1.1 Standard REPORTING, cause: WRONG_CALL_STATE
2017-12-04 08:15:26.332986 [DEBUG] switch_core_state_machine.c:938 (sofia/Internet/13100...@1.1.1.1) State REPORTING going to sleep
2017-12-04 08:15:26.332986 [DEBUG] switch_core_state_machine.c:610 (sofia/Internet/13100...@1.1.1.1) State Change CS_REPORTING -> CS_DESTROY
2017-12-04 08:15:26.332986 [DEBUG] switch_core_session.c:1665 Session 253 (sofia/Internet/13100...@1.1.1.1) Locked, Waiting on external entities


Samir Doshi

Dec 4, 2017, 7:41:09 AM
to ASTPP
The system didn't recognize the account code yet. This is FreeSWITCH giving them the error "WRONG_CALL_STATE", as it's not able to authenticate the IP.

If you have fail2ban installed, then the IP should get blocked after a few attempts.




Best Regards
--
Samir Doshi
iNextrix Technologies Pvt. Ltd.
http://www.inextrix.com



pavyolo

Dec 4, 2017, 9:03:06 AM
to ASTPP
Thanks Samir. These attempts were 4 minutes apart; I'm worried that if I set the fail2ban time lower, legitimate registrations will be caught by fail2ban. Is there a way to add a regex for "wrong_call_state"?



Samir Doshi

Dec 4, 2017, 9:08:06 AM
to as...@googlegroups.com
I think it's already there to handle such cases. You can still look in the fail2ban filter folder to check the regex.


Devang Nathwani

Dec 5, 2017, 5:41:31 AM
to as...@googlegroups.com
Hello,

First of all, Fail2ban is there to add unauthorized IPs based on the configs. Check the configs: are they configured accordingly? Verify the ports, filter regex and times properly.
Fail2ban won't directly ban any attempt. Only if an attempt is unauthorized and it is filtered correctly will it be banned from accessing that port again; otherwise there won't be any effect if a particular attempt is not filtered.

Based on the above FS log, the IP is not added in the ACL, so it's not IP-based auth; the system will try to match the username/password pair. If that is not matched and Fail2ban is configured with the correct filter, only then is the system going to ban further attempts. So, please check the above-mentioned configs for Fail2ban.
--
Thanks,
Devang Nathwani

Lucky Santiago

Jan 9, 2018, 7:43:22 PM
to ASTPP
I have a fresh install of version 3.5 on Debian 8 with fail2ban included and running.

iptables confirms that fail2ban is running:

Chain INPUT (policy ACCEPT 2755 packets, 1083K bytes)
 pkts bytes target     prot opt in     out     source               destination
1038K  494M fail2ban-freeswitch-dos  all  --  *      *       0.0.0.0/0            0.0.0.0/0
1038K  494M fail2ban-freeswitch  all  --  *      *       0.0.0.0/0            0.0.0.0/0
44970 4172K fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3363 packets, 1671K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-freeswitch (1 references)
 pkts bytes target     prot opt in     out     source               destination
1038K  494M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-freeswitch-dos (1 references)
 pkts bytes target     prot opt in     out     source               destination
1038K  494M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination
30789 3244K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

I can see a lot of these attempts below, but none of the blocked IPs appeared in fail2ban:

2018-01-10 08:33:47.445041 [WARNING] switch_core_state_machine.c:687 7bce383b-c5ca-4563-99fb-c8a79992206d sofia/default/te...@MY.ASTPP.IP.ADDR Abandoned
2018-01-10 08:33:47.445041 [NOTICE] switch_core_state_machine.c:690 Hangup sofia/default/te...@MY.ASTPP.IP.ADDR [CS_NEW] [WRONG_CALL_STATE]
2018-01-10 08:33:47.445041 [DEBUG] switch_core_state_machine.c:584 (sofia/default/te...@MY.ASTPP.IP.ADDR) Running State Change CS_HANGUP (Cur 1 Tot 2527)
2018-01-10 08:33:47.445041 [DEBUG] switch_core_state_machine.c:850 (sofia/default/te...@MY.ASTPP.IP.ADDR) Callstate Change DOWN -> HANGUP
2018-01-10 08:33:47.445041 [DEBUG] switch_core_state_machine.c:852 (sofia/default/te...@MY.ASTPP.IP.ADDR) State HANGUP
2018-01-10 08:33:47.445041 [DEBUG] mod_sofia.c:438 Channel sofia/default/te...@MY.ASTPP.IP.ADDR hanging up, cause: WRONG_CALL_STATE
2018-01-10 08:33:47.445041 [DEBUG] switch_core_state_machine.c:60 sofia/default/te...@MY.ASTPP.IP.ADDR Standard HANGUP, cause: WRONG_CALL_STATE
2018-01-10 08:33:47.445041 [DEBUG] switch_core_state_machine.c:852 (sofia/default/te...@MY.ASTPP.IP.ADDR) State HANGUP going to sleep
2018-01-10 08:33:47.445041 [DEBUG] switch_core_state_machine.c:619 (sofia/default/te...@MY.ASTPP.IP.ADDR) State Change CS_HANGUP -> CS_REPORTING
2018-01-10 08:33:47.445041 [DEBUG] switch_core_state_machine.c:584 (sofia/default/te...@MY.ASTPP.IP.ADDR) Running State Change CS_REPORTING (Cur 1 Tot 2527)
2018-01-10 08:33:47.445041 [DEBUG] switch_core_state_machine.c:938 (sofia/default/te...@MY.ASTPP.IP.ADDR) State REPORTING
2018-01-10 08:33:47.445041 [DEBUG] switch_core_state_machine.c:174 sofia/default/te...@MY.ASTPP.IP.ADDR Standard REPORTING, cause: WRONG_CALL_STATE
2018-01-10 08:33:47.445041 [DEBUG] switch_core_state_machine.c:938 (sofia/default/te...@MY.ASTPP.IP.ADDR) State REPORTING going to sleep
2018-01-10 08:33:47.445041 [DEBUG] switch_core_state_machine.c:610 (sofia/default/te...@MY.ASTPP.IP.ADDR) State Change CS_REPORTING -> CS_DESTROY
2018-01-10 08:33:47.445041 [DEBUG] switch_core_session.c:1665 Session 2527 (sofia/default/te...@MY.ASTPP.IP.ADDR) Locked, Waiting on external entities
2018-01-10 08:33:47.445041 [NOTICE] switch_core_session.c:1683 Session 2527 (sofia/default/te...@MY.ASTPP.IP.ADDR) Ended
2018-01-10 08:33:47.445041 [NOTICE] switch_core_session.c:1687 Close Channel sofia/default/te...@MY.ASTPP.IP.ADDR [CS_DESTROY]
2018-01-10 08:33:47.445041 [DEBUG] switch_core_state_machine.c:741 (sofia/default/te...@MY.ASTPP.IP.ADDR) Running State Change CS_DESTROY (Cur 0 Tot 2527)
2018-01-10 08:33:47.445041 [DEBUG] switch_core_state_machine.c:751 (sofia/default/te...@MY.ASTPP.IP.ADDR) State DESTROY
2018-01-10 08:33:47.445041 [DEBUG] mod_sofia.c:343 sofia/default/te...@MY.ASTPP.IP.ADDR SOFIA DESTROY
2018-01-10 08:33:47.445041 [DEBUG] switch_core_state_machine.c:181 sofia/default/te...@MY.ASTPP.IP.ADDR Standard DESTROY
2018-01-10 08:33:47.445041 [DEBUG] switch_core_state_machine.c:751 (sofia/default/te...@MY.ASTPP.IP.ADDR) State DESTROY going to sleep
2018-01-10 08:33:52.345037 [NOTICE] switch_channel.c:1104 New Channel sofia/default/2...@MY.ASTPP.IP.ADDR [3334e48f-3db9-44ad-98cf-a6b6edcb936d]
2018-01-10 08:33:52.345037 [DEBUG] switch_core_state_machine.c:584 (sofia/default/2...@MY.ASTPP.IP.ADDR) Running State Change CS_NEW (Cur 1 Tot 2528)
2018-01-10 08:33:52.345037 [DEBUG] sofia.c:9873 sofia/default/2...@MY.ASTPP.IP.ADDR receiving invite from 62.210.157.169:35429 version: 1.6.19 git 7a77e0b 2017-07-13 12:01:45Z 64bit
2018-01-10 08:33:52.345037 [DEBUG] sofia.c:10044 IP 62.210.157.169 Rejected by acl "default". Falling back to Digest auth.
2018-01-10 08:33:52.345037 [DEBUG] sofia.c:2334 detaching session 3334e48f-3db9-44ad-98cf-a6b6edcb936d
2018-01-10 08:33:52.345037 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'default' for [004122...@MY.ASTPP.IP.ADDR] from ip 62.210.157.169

Thanks in advance.

Lucky Santiago

Jan 11, 2018, 9:01:10 PM
to ASTPP
fail2ban cannot seem to catch these:

2018-01-12 08:29:28.144255 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:32:14.904649 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:32:15.164259 [WARNING] sofia_reg.c:2906 Can't find user [1...@MY.ASTPP.IP.ADDR] from 163.172.226.196
You must define a domain called 'MY.ASTPP.IP.ADDR' in your directory and add a user with the id="170" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
2018-01-12 08:32:15.164259 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:32:18.784233 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:32:19.044253 [WARNING] sofia_reg.c:2906 Can't find user [1...@MY.ASTPP.IP.ADDR] from 163.172.226.196
You must define a domain called 'MY.ASTPP.IP.ADDR' in your directory and add a user with the id="170" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
2018-01-12 08:32:19.064231 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:32:26.084252 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:32:26.344289 [WARNING] sofia_reg.c:2906 Can't find user [1...@MY.ASTPP.IP.ADDR] from 163.172.226.196
You must define a domain called 'MY.ASTPP.IP.ADDR' in your directory and add a user with the id="171" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
2018-01-12 08:32:26.344289 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:32:27.504268 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:32:27.764276 [WARNING] sofia_reg.c:2906 Can't find user [1...@MY.ASTPP.IP.ADDR] from 163.172.226.196
You must define a domain called 'MY.ASTPP.IP.ADDR' in your directory and add a user with the id="171" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
2018-01-12 08:32:27.764276 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:32:33.064270 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:32:33.324263 [WARNING] sofia_reg.c:2906 Can't find user [1...@MY.ASTPP.IP.ADDR] from 163.172.226.196
You must define a domain called 'MY.ASTPP.IP.ADDR' in your directory and add a user with the id="172" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
2018-01-12 08:32:33.324263 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:33:12.404463 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:33:12.684243 [WARNING] sofia_reg.c:2906 Can't find user [1...@MY.ASTPP.IP.ADDR] from 163.172.226.196
You must define a domain called 'MY.ASTPP.IP.ADDR' in your directory and add a user with the id="172" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
2018-01-12 08:33:12.684243 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:33:58.184250 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:33:58.464241 [WARNING] sofia_reg.c:2906 Can't find user [1...@MY.ASTPP.IP.ADDR] from 163.172.226.196
You must define a domain called 'MY.ASTPP.IP.ADDR' in your directory and add a user with the id="173" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
2018-01-12 08:33:58.464241 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:34:05.204265 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:34:05.464243 [WARNING] sofia_reg.c:2906 Can't find user [1...@MY.ASTPP.IP.ADDR] from 163.172.226.196
You must define a domain called 'MY.ASTPP.IP.ADDR' in your directory and add a user with the id="173" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
2018-01-12 08:34:05.484226 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:34:13.444283 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:34:13.704226 [WARNING] sofia_reg.c:2906 Can't find user [1...@MY.ASTPP.IP.ADDR] from 163.172.226.196
You must define a domain called 'MY.ASTPP.IP.ADDR' in your directory and add a user with the id="174" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
2018-01-12 08:34:13.704226 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:36:56.944262 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:36:57.204229 [WARNING] sofia_reg.c:2906 Can't find user [1...@MY.ASTPP.IP.ADDR] from 163.172.226.196
You must define a domain called 'MY.ASTPP.IP.ADDR' in your directory and add a user with the id="174" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
2018-01-12 08:36:57.204229 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:37:05.204258 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:37:05.464222 [WARNING] sofia_reg.c:2906 Can't find user [1...@MY.ASTPP.IP.ADDR] from 163.172.226.196
You must define a domain called 'MY.ASTPP.IP.ADDR' in your directory and add a user with the id="176" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
2018-01-12 08:37:05.464222 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:37:06.024257 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:37:06.284243 [WARNING] sofia_reg.c:2906 Can't find user [1...@MY.ASTPP.IP.ADDR] from 163.172.226.196
You must define a domain called 'MY.ASTPP.IP.ADDR' in your directory and add a user with the id="175" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
2018-01-12 08:37:06.284243 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:37:14.744238 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:37:15.004262 [WARNING] sofia_reg.c:2906 Can't find user [1...@MY.ASTPP.IP.ADDR] from 163.172.226.196
You must define a domain called 'MY.ASTPP.IP.ADDR' in your directory and add a user with the id="175" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
2018-01-12 08:37:15.024238 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:37:18.184252 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:37:18.444252 [WARNING] sofia_reg.c:2906 Can't find user [1...@MY.ASTPP.IP.ADDR] from 163.172.226.196
You must define a domain called 'MY.ASTPP.IP.ADDR' in your directory and add a user with the id="176" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
2018-01-12 08:37:18.444252 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:37:53.024265 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196
2018-01-12 08:37:53.304272 [WARNING] sofia_reg.c:2906 Can't find user [1...@MY.ASTPP.IP.ADDR] from 163.172.226.196
You must define a domain called 'MY.ASTPP.IP.ADDR' in your directory and add a user with the id="177" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
2018-01-12 08:37:53.304272 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [1...@MY.ASTPP.IP.ADDR] from ip 163.172.226.196

Any thoughts?

Kavin Chauhan

Jan 12, 2018, 12:46:12 AM1/12/18
to ASTPP
Hi Lucky,
Please completely remove installed fail2ban and use steps mentioned at http://astpp.readthedocs.io/en/v3.5/Security/security.html
That will solve your problem.

Lucky Santiago

Jan 12, 2018, 4:01:21 AM1/12/18
to as...@googlegroups.com
Thanks Kavin, will try and let you know the result.

Sent from my iPhone
--
=====================================================================
Documentation : https://astpp.readthedocs.io/

Please contact at sa...@inextrix.com for commercial support.
---
You received this message because you are subscribed to the Google Groups "ASTPP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to astpp+un...@googlegroups.com.

To post to this group, send email to as...@googlegroups.com.
Visit this group at https://groups.google.com/group/astpp.

Lucky Santiago

Jan 12, 2018, 8:26:29 AM1/12/18
to ASTPP
Just an update, I didn't end up removing / reinstalling fail2ban - reviewed the captured logs from the bad guys, matched the regex and modified the filter, then tweaked the jail.local a bit. Thanks for the help.
[attachment: bad_guys.jpg]
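An added example, not code from this thread or from ASTPP's own fail2ban filter: a Python emulation of the filter-plus-jail logic described in the post above, run over constructed FreeSWITCH lines in the same format as the ones pasted earlier (documentation addresses 203.0.113.5 and 192.0.2.44 stand in for the probing hosts, 198.51.100.10 for the server). The two failregex patterns, the `<HOST>` substitution and the findtime/maxretry window are assumptions of this example; fail2ban's real `<HOST>` token is broader than the IPv4 group used here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban-style failregex entries constructed for this example (not ASTPP's shipped filter);
# fail2ban swaps its own host pattern in for <HOST>, an IPv4 capture group stands in for it here.
FAILREGEX = [
    r"\[WARNING\] sofia_reg\.c:\d+ SIP auth failure \((?:REGISTER|INVITE)\) on sofia profile '[^']+' for \[.*?\] from ip <HOST>",
    r"\[WARNING\] sofia_reg\.c:\d+ Can't find user \[.*?\] from <HOST>",
]
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+")

# Constructed sample in the thread's FreeSWITCH log format (documentation IPs, not real attackers).
SAMPLE_LOG = """\
2018-01-12 08:34:05.484226 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [174@198.51.100.10] from ip 203.0.113.5
2018-01-12 08:34:13.704226 [WARNING] sofia_reg.c:2906 Can't find user [174@198.51.100.10] from 203.0.113.5
2018-01-12 08:34:13.704226 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [174@198.51.100.10] from ip 203.0.113.5
2018-01-12 08:36:57.204229 [WARNING] sofia_reg.c:2906 Can't find user [175@198.51.100.10] from 203.0.113.5
2018-01-12 08:36:57.204229 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [175@198.51.100.10] from ip 203.0.113.5
2018-01-12 08:37:05.204258 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'default' for [176@198.51.100.10] from ip 203.0.113.5
2018-01-12 08:40:00.000000 [WARNING] sofia_reg.c:1737 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@198.51.100.10] from ip 192.0.2.44
"""
def parse_line(line):
    """Return (timestamp, host) when a line matches a failregex, else None."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    for pat in PATTERNS:
        if (hit := pat.search(line)):
            return ts, hit.group("host")
    return None

def find_offenders(lines, maxretry=5, findtime=600):
    """Emulate a jail: a host is banned once it has maxretry matches within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent, banned = defaultdict(deque), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] in banned:
            continue
        ts, host = parsed
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:   # drop hits that fell out of the findtime window
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts
    return banned
```

The "SIP auth challenge" line is deliberately not a failregex: every legitimate REGISTER is challenged first, so matching it would ban real customers. One failed REGISTER produces two matching lines (the "Can't find user" and the "SIP auth failure"), so set maxretry with that double count in mind.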

Kavin Chauhan

Jan 12, 2018, 8:29:28 AM1/12/18
to ASTPP
Great. Just for your information, in the updated file we have also secured against SSH attacks. So you can go with my steps if interested.

Lucky Santiago

Jan 12, 2018, 8:47:35 AM1/12/18
to ASTPP
Hi Kavin, you mean SSH is already bundled in fail2ban as part of the latest install script of 3.5?

Luis Daniel Lucio Quiroz

Mar 30, 2018, 3:17:11 PM3/30/18
to as...@googlegroups.com
You may want to read this http://inside-out.xyz/technology/taking-the-hardening-of-fusionpbx-freeswitch-further.html

You can take some concepts from it and apply them to your ASTPP.

--
Luis Daniel Lucio Quiroz
CISSP, CISM, CISA
Linux, VoIP and much more fun
www.okay.com.mx

Need LCR? Check out LCR for FusionPBX with FreeSWITCH
Need Billing? Check out Billing for FusionPBX with FreeSWITCH
