[Freeswitch-users] fail2ban does not apply ban, fail2ban-regex works

Mimiko vbvbrj at gmail.com
Wed May 11 11:29:04 MSD 2016


Hello.

I have this config for freeswitch:

jail.local:

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5

[freeswitch]
enabled  = true
port     = 5060,5061,5080,5081
ignoreip = 127.0.0.1/8 10.10.0.0/16
filter   = freeswitch
logpath  = /var/log/freeswitch/freeswitch.log
maxretry = 1
findtime = 600
bantime  = 60
action   = iptables-ban


freeswitch.conf:

[Definition]

failregex = ^[-: \.\d]+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@[^\]]+\] from <HOST>$

ignoreregex =



When running

fail2ban-regex /var/log/freeswitch/freeswitch.log /etc/fail2ban/filter.d/freeswitch.conf

There are matches with failed users:

/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is deprecated; use hashlib instead
   import md5

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/freeswitch.conf
Use log file   : /var/log/freeswitch/freeswitch.log


Results
=======

Failregex
|- Regular expressions:
|  [1] ^[-: \.\d]+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@[^\]]+\] from <HOST>$
|
`- Number of matches:
    [1] 18 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
     163.172.194.73 (Wed May 11 10:16:54 2016)
     163.172.194.73 (Wed May 11 10:18:02 2016)
     163.172.194.73 (Wed May 11 10:18:30 2016)
     163.172.194.73 (Wed May 11 10:18:40 2016)
     163.172.194.73 (Wed May 11 10:19:10 2016)
     163.172.194.73 (Wed May 11 10:19:29 2016)
     163.172.194.73 (Wed May 11 10:20:10 2016)
     163.172.194.73 (Wed May 11 10:20:30 2016)
     163.172.194.73 (Wed May 11 10:20:37 2016)
     163.172.194.73 (Wed May 11 10:21:42 2016)
     163.172.194.73 (Wed May 11 10:21:53 2016)
     163.172.194.73 (Wed May 11 10:22:00 2016)
     163.172.194.73 (Wed May 11 10:22:50 2016)
     163.172.194.73 (Wed May 11 10:23:13 2016)
     163.172.194.73 (Wed May 11 10:23:28 2016)
     163.172.194.73 (Wed May 11 10:23:30 2016)
     163.172.194.73 (Wed May 11 10:25:07 2016)
     163.172.194.73 (Wed May 11 10:25:29 2016)

Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
5196 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year at Hour:Minute:Second>

Success, the total number of match is 18

However, look at the above section 'Running tests' which could contain important
information.


However, fail2ban does not ban that IP, although when an ssh login attempt
is detected, fail2ban does ban the IP.

I've checked the time and time zone and all is OK. On the server, local time is
+3 from UTC. The sshd log, freeswitch log and fail2ban log are in the same time
zone.

What could be the culprit?
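
An added example, not part of the original post and not fail2ban's own code: fail2ban-regex only tests the failregex, while the running jail also drops hosts listed in ignoreip and failures whose timestamp is older than findtime by its own clock. The sketch below models those three gates with the values from the post; the function name classify, the IPv4-only stand-in for <HOST> and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Values copied from the jail.local and freeswitch.conf in the post.
FAILREGEX = (r"^[-: \.\d]+ \[WARNING\] sofia_reg\.c:\d+ Can't find user "
             r"\[\d+@[^\]]+\] from <HOST>$")
IGNOREIP = ["127.0.0.1/8", "10.10.0.0/16"]
FINDTIME = 600  # seconds

# Assumption: <HOST> is modelled as a plain IPv4 capture group.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))
NETS = [ipaddress.ip_network(n, strict=False) for n in IGNOREIP]

def classify(line, now_utc, log_utc_offset_hours):
    """Return (verdict, host); verdict is 'nomatch', 'ignoreip',
    'too_old' or 'counted'. log_utc_offset_hours is the UTC offset the
    reader assumes the log timestamps were written in."""
    m = PATTERN.match(line)
    if not m:
        return "nomatch", None
    host = m.group("host")
    if any(ipaddress.ip_address(host) in n for n in NETS):
        return "ignoreip", host
    # Interpret the leading "YYYY-MM-DD HH:MM:SS" in the assumed zone.
    stamp = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    tz = timezone(timedelta(hours=log_utc_offset_hours))
    age = (now_utc - stamp.replace(tzinfo=tz)).total_seconds()
    if age > FINDTIME:
        return "too_old", host  # outside the findtime window
    return "counted", host

# Constructed sample lines (documentation addresses, invented line numbers).
MSG = " [WARNING] sofia_reg.c:2852 Can't find user [1000@203.0.113.5] from "
SAMPLE = [
    "2016-05-11 10:25:29.123456" + MSG + "198.51.100.7",  # local time, UTC+3
    "2016-05-11 10:25:30.000001" + MSG + "10.10.3.4",     # inside ignoreip
    "2016-05-11 10:25:31.000002 [NOTICE] switch_channel.c:1104 New Channel",
    "2016-05-11 07:25:29.123456" + MSG + "198.51.100.7",  # written in UTC
]
NOW = datetime(2016, 5, 11, 7, 26, 0, tzinfo=timezone.utc)  # 10:26:00 at UTC+3

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry, NOW, 3), entry[:19])
```

The last sample line matches the failregex but is about three hours old when read as UTC+3, so it falls outside findtime = 600 and is not counted.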


