[Freeswitch-users] Getting fail2ban working properly

David Witham david.witham at netsip.com.au
Mon Sep 19 03:53:14 MSD 2016


Hi Don,

Yes that should do what you want.

regards,
David

On 15 September 2016 at 15:14, Don Hawkins <hawkins at hawkinsegroup.com> wrote:

> So, to only block failures does this regex look right? I basically just
> removed "failure|challenge" and replaced with "failure"
>
> failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
>
>
> On Sun, Sep 11, 2016 at 2:23 AM, Angel Elena <craem at craem.net> wrote:
>
>> Great!!!
>>
>> Thanks for sharing.
>>
>> --------------------------------
>> Ángel Elena Medina       _o)
>> craem at craem.net          / \\
>> http://blog.craem.net  _(___V
>> @craem_
>> --------------------------------
>>
>> -----Original Message-----
>> From:     Don Hawkins <hawkins at hawkinsegroup.com>
>> Sent:        Sun 11-09-2016 03:22
>> Subject: Re: [Freeswitch-users] Getting fail2ban working properly
>> To:   FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>;
>> > No problem, I need to take notes anyway. Here they are...
>> >
>> >
>> > A.  /etc/fail2ban/filter.d/freeswitch.conf needs the following text:
>> >
>> > https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf
>> >
>> > NOTE: Internal and Public sofia profiles need:
>> > <param name="log-auth-failures" value="true"/>
>> >
>> >
>> > B.  /etc/fail2ban/jail.conf and in /etc/fail2ban/jail.local (not sure
>> > which one is working, I had to create jail.local)
>> >
>> > [freeswitch]
>> > enabled  = true
>> > port     = 5060,5061,5080,5081,5076,5074,5071
>> > filter   = freeswitch
>> > logpath  = /var/log/freeswitch/freeswitch.log
>> > maxretry = 3
>> >
>> >
>> > C. Drop these rules into iptables to block the scanners on ports 5060
>> > and 5080
>> >
>> > iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
>> > iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
>> > iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
>> > iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "VaxSIPUserAgent" --algo bm
>> > iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "friendly-scanner" --algo bm
>> > iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "sipcli" --algo bm
>> >
>> >
>> > D. Change SSH port from 22 to a custom number
>> >
>> > vi /etc/ssh/sshd_config
>> >
>> >
>> > E. Update SSH jail in /etc/fail2ban/jail.conf to custom port number.
>> >
>> > [ssh]
>> >
>> > enabled  = true
>> > port     = 9898,22
>> > filter   = sshd
>> > logpath  = /var/log/auth.log
>> > maxretry = 6
>> >
>> >
>> > F. I also have additional security using CDR records (curl).  If a call
>> > comes in that does not have an 'account number' set (a custom variable we
>> > set for all incoming and outgoing calls from our customers) then we execute
>> > a shell command to block that IP without delay because they obviously
>> > aren't one of our customers. We are using mod_httapi and all calls start
>> > that way for us, so it's easy to set the variable as all calls start with
>> > <continue>.
>> >
>> >
>> > iptables -A INPUT -s 65.55.44.100 -j DROP
>> >
>> >
>> > Where 65.55.44.100 is the ip to block.
>> >
>> >
>> >
>> > Don
>> >
>> >
>> >
>> >
>> > On Sat, Sep 10, 2016 at 7:58 PM, George Assaad <gassaad at emassembly.com> wrote:
>> > Hi Don,
>> > Could you please share your final settings since it works.
>> >
>> > Thanks,
>> >
>> > George
>> >
>> > On Sep 10, 2016, at 5:49 PM, Don Hawkins <hawkins at hawkinsegroup.com> wrote:
>> >
>> > Just want to update everyone that the registration attempts have almost
>> > stopped 100% since blocking the sniffers and setting a 4 hour block time
>> > after three failed registrations.
>> >
>> > Good day!
>> >
>> > On Thu, Sep 8, 2016 at 4:21 PM, jungle Boogie <jungleboogie0 at gmail.com> wrote:
>> > On 8 September 2016 at 12:54, Don Hawkins <hawkins at hawkinsegroup.com> wrote:
>> > > Can someone share with me how to block all ports except the important
>> > > ones?
>> >
>> > I had the same question about a month ago:
>> > http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121694.html
>> >
>> >
>> > Colin gives good advice here:
>> > http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121730.html
>> >
>> >
>> > I've also had success with contacting the originating network and
>> > requesting that their customer stop the traffic to me.
>> >
>> > Here's the abuse form for online.net:
>> > https://console.online.net/en/account/abuses/search
>> >
>> > By the way, if the fail2ban page on confluence needs updating, please
>> > update it or list what's wrong with it. I do see it indicates to
>> > create the jail.local and that's what you were missing for yours to
>> > work properly.
>> >
>> >
>> > --
>> > -------
>> > inum: 883510009027723
>> > sip: jungleboogie at sip2sip.info <mailto:jungleboogie at sip2sip.info>
>> >
>> > ____________________________________________________________
>> _____________
>> > Professional FreeSWITCH Consulting Services:
>> > consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>> > http://www.freeswitchsolutions.com <http://www.freeswitchsolutions.com/
>> >
>> >
>> > Official FreeSWITCH Sites
>> > http://www.freeswitch.org <http://www.freeswitch.org/>
>> > http://confluence.freeswitch.org <http://confluence.freeswitch.org/>
>> > http://www.cluecon.com <http://www.cluecon.com/>
>> >
>> > FreeSWITCH-users mailing list
>> > FreeSWITCH-users at lists.freeswitch.org
>> > <mailto:FreeSWITCH-users at lists.freeswitch.org>
>> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> > <http://lists.freeswitch.org/mailman/listinfo/freeswitch-users>
>> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/
>> freeswitch-users
>> > <http://lists.freeswitch.org/mailman/options/freeswitch-users>
>> > http://www.freeswitch.org <http://www.freeswitch.org/>
>> >
>> >
>> >
>> > --
>> > Sincerely,
>> > Don Hawkins
>> > CEO
>> > Hawkins Enterprise Group LLC
>> > http://hawkinsegroup.com <http://hawkinsegroup.com/>
>> > Zello PTT <http://zello.com/> : push2don
>> > P: 469-214-5044
>> >
>> >
>> >
>> >
>> >
>> > --
>> > Sincerely,
>> > Don Hawkins
>> > CEO
>> > Hawkins Enterprise Group LLC
>> > http://hawkinsegroup.com <http://hawkinsegroup.com>
>> > Zello PTT <http://zello.com> : push2don
>> > P: 469-214-5044
>> >
>> >
>> >
>>
>>
>
>
>
> --
> Sincerely,
> Don Hawkins
> CEO
> Hawkins Enterprise Group LLC
> http://hawkinsegroup.com
> Zello PTT <http://zello.com>: push2don
> P: 469-214-5044
>
>



-- 
David Witham
Senior Voice/Systems Engineer

Netsip pty ltd – An Over the Wire Company
Level 1, 24 Little Edward St, Spring Hill QLD 4000

t    +61 1300 638 747
e   david.witham at netsip.com.au    www.netsip.com.au
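A quick way to check the failregex change discussed in this thread (dropping "challenge" so only real auth failures count) is to run it over a few log lines and see which hosts would reach the jail's maxretry. The script below is an added example, not code from the thread or from fail2ban: the <HOST> expansion and the date handling are simplified approximations of what fail2ban does (assumptions), and the log lines are constructed using documentation IP ranges.

```python
import re

# fail2ban replaces the <HOST> placeholder with a named group that matches an
# IPv4/IPv6 address or hostname. This is an approximation of that expansion
# (assumption: the exact pattern varies between fail2ban versions).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The upstream filter.d/freeswitch.conf failregex linked in the thread.
ORIGINAL_FAILREGEX = (
    r"^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) "
    r"\((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$"
)

# Don's variant: count only real failures, not the challenge every client
# receives on its first unauthenticated REGISTER.
FAILURE_ONLY_FAILREGEX = ORIGINAL_FAILREGEX.replace("(failure|challenge)", "(failure)")

# FreeSWITCH stamps lines "YYYY-MM-DD HH:MM:SS.uuuuuu". fail2ban's date parser
# consumes the timestamp up to the seconds, which is why the failregex begins
# with "\.\d+" (the microseconds). Simplified emulation of that (assumption).
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    "2016-09-11 03:22:15.123456 [WARNING] sofia_reg.c:1770 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@203.0.113.5] from ip 198.51.100.7",
    "2016-09-11 03:22:16.654321 [WARNING] sofia_reg.c:1770 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1002@203.0.113.5] from ip 192.0.2.44",
    "2016-09-11 03:22:17.000001 [WARNING] sofia_reg.c:1770 SIP auth failure (INVITE) on sofia profile 'external' for [1001@203.0.113.5] from ip 198.51.100.7",
    "2016-09-11 03:22:18.000002 [WARNING] sofia_reg.c:1770 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@203.0.113.5] from ip 198.51.100.7",
    "2016-09-11 03:22:19.000003 [NOTICE] sofia_reg.c:1700 Registration from user not matched",
]


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_line(pattern, line):
    """Return the offending host if the line matches the failregex, else None."""
    date = DATE_RE.match(line)
    if not date:
        return None
    hit = pattern.match(line[date.end():])
    return hit.group("host") if hit else None


def find_bannable(lines, failregex=FAILURE_ONLY_FAILREGEX, maxretry=3):
    """Count failregex hits per host and return those at or above maxretry,
    mirroring the jail's maxretry setting (findtime/bantime are ignored here)."""
    pattern = compile_failregex(failregex)
    counts = {}
    for line in lines:
        host = match_line(pattern, line)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return {host: n for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    print("failure-only regex, maxretry=3:", find_bannable(SAMPLE_LOG))
    print("upstream regex, maxretry=1:",
          find_bannable(SAMPLE_LOG, failregex=ORIGINAL_FAILREGEX, maxretry=1))
```

With the failure-only regex the host sending challenges alone never accumulates a count, while the host with three failures reaches maxretry=3. On a real box the same check against the installed filter and the live log is `fail2ban-regex /var/log/freeswitch/freeswitch.log /etc/fail2ban/filter.d/freeswitch.conf`, which also reports how many lines the date pattern failed to parse.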