[Freeswitch-users] Getting fail2ban working properly

Guillermo Ruiz Camauer grcamauer at gmail.com
Sat Sep 24 01:35:31 MSD 2016


Has anyone tried this but with mod_fail2ban?  I can't get it to work.  I am
logging to /usr/local/freeswitch/log/fail2ban.log.  I see entries there
like:


A registration was atempted User:111 IP:217.172.189.5.
A registration failed User:900972595225502 IP:217.172.189.5.
A registration was atempted User:110 IP:217.172.189.5.
A registration failed User:00972595225502 IP:217.172.189.5.
A registration was atempted User:701 IP:23.239.69.200.
A registration failed User:00972592167049 IP:23.239.69.200.
A registration was atempted User:110 IP:217.172.189.5.
A registration failed User:000972595225502 IP:217.172.189.5.
A registration was atempted User:110 IP:217.172.189.5.

I have the following in /etc/fail2ban/filter.d:

[Definition]

failregex = A registration failed User:.* IP:<HOST>

ignoreregex =


I never get any matches...  I have tested the regexp at http://regex101.com
and it works there for PCRE and Python.

I have tried this with both fail2ban version 0.8.1.3 and 0.9.4.

Any ideas?

Thanks,

Guillermo


On Sun, Sep 18, 2016 at 8:53 PM, David Witham <david.witham at netsip.com.au>
wrote:

> Hi Don,
>
> Yes that should do what you want.
>
> regards,
> David
>
> On 15 September 2016 at 15:14, Don Hawkins <hawkins at hawkinsegroup.com>
> wrote:
>
>> So, to only block failures does this regex look right? I basically just
>> removed "failure|challenge" and replaced with "failure"
>>
>> failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
>>
>>
>> On Sun, Sep 11, 2016 at 2:23 AM, Angel Elena <craem at craem.net> wrote:
>>
>>> Great!!!
>>>
>>> Thanks for sharing.
>>>
>>> --------------------------------
>>> Ángel Elena Medina       _o)
>>> craem at craem.net          / \\
>>> http://blog.craem.net  _(___V
>>> @craem_
>>> --------------------------------
>>>
>>> -----Original message-----
>>> From:     Don Hawkins <hawkins at hawkinsegroup.com>
>>> Sent:        Sun 11-09-2016 03:22
>>> Subject: Re: [Freeswitch-users] Getting fail2ban working properly
>>> To:   FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>;
>>> > No problem, I need to take notes anyway. Here they are...
>>> >
>>> >
>>> > A.  /etc/fail2ban/filter.d/freeswitch.conf needs the following text:
>>> >
>>> > https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf
>>> >
>>> > NOTE: Internal and Public sofia profiles need:
>>> > <param name="log-auth-failures" value="true"/>
>>> >
>>> >
>>> > B.  /etc/fail2ban/jail.conf and in /etc/fail2ban/jail.local (not sure
>>> > which one is working, I had to create jail.local)
>>> >
>>> > [freeswitch]
>>> > enabled  = true
>>> > port     = 5060,5061,5080,5081,5076,5074,5071
>>> > filter   = freeswitch
>>> > logpath  = /var/log/freeswitch/freeswitch.log
>>> > maxretry = 3
>>> >
>>> >
>>> > C. Drop these rules into iptables to block the scanners on ports 5060
>>> > and 5080
>>> >
>>> > iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
>>> > iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
>>> > iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
>>> > iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "VaxSIPUserAgent" --algo bm
>>> > iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "friendly-scanner" --algo bm
>>> > iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "sipcli" --algo bm
>>> >
>>> >
>>> > D. Change SSH port from 22 to a custom number
>>> >
>>> > vi /etc/ssh/sshd_config
>>> >
>>> >
>>> > E. Update SSH jail in /etc/fail2ban/jail.conf to custom port number.
>>> >
>>> > [ssh]
>>> >
>>> > enabled  = true
>>> > port     = 9898,22
>>> > filter   = sshd
>>> > logpath  = /var/log/auth.log
>>> > maxretry = 6
>>> >
>>> >
>>> > F. I also have additional security using CDR records (curl).  If a
>>> > call comes in that does not have an 'account number' set (a custom
>>> > variable we set for all incoming and outgoing calls from our customers)
>>> > then we execute a shell command to block that IP without delay because
>>> > they obviously aren't one of our customers. We are using mod_httapi and
>>> > all calls start that way for us, so it's easy to set the variable as
>>> > all calls start with <continue>.
>>> >
>>> >
>>> > iptables -A INPUT -s 65.55.44.100 -j DROP
>>> >
>>> >
>>> > Where 65.55.44.100 is the ip to block.
>>> >
>>> >
>>> >
>>> > Don
>>> >
>>> >
>>> >
>>> >
>>> > On Sat, Sep 10, 2016 at 7:58 PM, George Assaad <gassaad at emassembly.com> wrote:
>>> > Hi Don,
>>> > Could you please share your final settings since it works.
>>> >
>>> > Thanks,
>>> >
>>> > George
>>> >
>>> > On Sep 10, 2016, at 5:49 PM, Don Hawkins <hawkins at hawkinsegroup.com> wrote:
>>> >
>>> > Just want to update everyone that the registration attempts have
>>> > almost stopped 100% since blocking the sniffers and setting a 4 hour
>>> > block time after three failed registrations.
>>> >
>>> > Good day!
>>> >
>>> > On Thu, Sep 8, 2016 at 4:21 PM, jungle Boogie <jungleboogie0 at gmail.com> wrote:
>>> > On 8 September 2016 at 12:54, Don Hawkins <hawkins at hawkinsegroup.com> wrote:
>>> > > Can someone share with me how to block all ports except the
>>> > > important ones?
>>> >
>>> > I had the same question about a month ago:
>>> > http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121694.html
>>> >
>>> >
>>> > Colin gives good advice here:
>>> > http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121730.html
>>> >
>>> >
>>> > I've also had success with contacting the originating network and
>>> > request their customer to stop the traffic to me.
>>> >
>>> > Here's the abuse form for online.net <http://online.net/> :
>>> > https://console.online.net/en/account/abuses/search
>>> >
>>> > By the way, if the fail2ban page on confluence needs updating, please
>>> > update it or list what's wrong with it. I do see it indicates to
>>> > create the jail.local and that's what you were missing for yours to
>>> > work properly.
>>> >
>>> >
>>> > --
>>> > -------
>>> > inum: 883510009027723
>>> > sip: jungleboogie at sip2sip.info <mailto:jungleboogie at sip2sip.info>
>>> >
>>> > _________________________________________________________________________
>>> > Professional FreeSWITCH Consulting Services:
>>> > consulting at freeswitch.org
>>> > http://www.freeswitchsolutions.com
>>> >
>>> > Official FreeSWITCH Sites
>>> > http://www.freeswitch.org
>>> > http://confluence.freeswitch.org
>>> > http://www.cluecon.com
>>> >
>>> > FreeSWITCH-users mailing list
>>> > FreeSWITCH-users at lists.freeswitch.org
>>> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> > http://www.freeswitch.org
>>> >
>>> >
>>> >
>>> > --
>>> > Sincerely,
>>> > Don Hawkins
>>> > CEO
>>> > Hawkins Enterprise Group LLC
>>> > http://hawkinsegroup.com <http://hawkinsegroup.com/>
>>> > Zello PTT <http://zello.com/> : push2don
>>> > P: 469-214-5044
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > Sincerely,
>>> > Don Hawkins
>>> > CEO
>>> > Hawkins Enterprise Group LLC
>>> > http://hawkinsegroup.com <http://hawkinsegroup.com>
>>> > Zello PTT <http://zello.com> : push2don
>>> > P: 469-214-5044
>>> >
>>>
>>>
>>
>>
>>
>> --
>> Sincerely,
>> Don Hawkins
>> CEO
>> Hawkins Enterprise Group LLC
>> http://hawkinsegroup.com
>> Zello PTT <http://zello.com>: push2don
>> P: 469-214-5044
>>
>>
>
>
>
> --
> David Witham
> Senior Voice/Systems Engineer
>
> Netsip pty ltd – An Over the Wire Company
> Level 1, 24 Little Edward St, Spring Hill QLD 4000
>
> t    +61 1300 638 747
> e   david.witham at netsip.com.au    www.netsip.com.au
>
>



-- 
Guillermo Ruiz Camauer
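As an added example (not code from this thread, from fail2ban or from mod_fail2ban), here is a small Python model of how fail2ban 0.8/0.9 decides whether a matching log line counts: the timestamp is located and cut out first, failregex runs on the remainder, and a match with no parseable date is discarded, which is the first thing to check whenever a regex that passes at regex101 never produces a ban. The two failregex patterns are the ones quoted in the thread; the single date format, the constructed sample lines and the freeswitch.log line layout are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"  # fail2ban's <HOST> expansion (0.8/0.9)
FAILREGEX = [  # the two failregex patterns from the thread, <HOST> expanded
    re.compile(r"A registration failed User:.* IP:" + HOST),  # mod_fail2ban log
    re.compile(r"^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure) "  # freeswitch.log
               r"\((REGISTER|INVITE)\) on sofia profile '[^']+' for \[.*\] "
               r"from ip " + HOST + r"$"),
]
# One timestamp format standing in for fail2ban's DateDetector (assumption: the
# real detector knows many formats, but every counted line must carry one).
DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

def find_failure(line):
    """Return (epoch, host) for a countable failure, else None.  As fail2ban 0.8/0.9
    does, cut the timestamp out, run failregex on the remainder, and drop a match
    that has no parseable date (so a bare mod_fail2ban line never causes a ban)."""
    m = DATE_RE.match(line)
    epoch = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").timestamp() if m else None
    rest = line[m.end():] if m else line
    for rx in FAILREGEX:
        hit = rx.search(rest)
        if hit is not None:
            return None if epoch is None else (epoch, hit.group("host"))
    return None

def offenders(lines, maxretry=3, findtime=600):
    """Hosts reaching maxretry countable failures inside a findtime window."""
    recent, banned = defaultdict(list), set()
    for line in lines:
        hit = find_failure(line)
        if hit is None:
            continue
        epoch, host = hit
        recent[host] = [t for t in recent[host] if epoch - t <= findtime] + [epoch]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

def sofia_line(ts, host):
    """Constructed freeswitch.log auth-failure line in the layout the thread quotes."""
    return (ts + ".123456 [WARNING] sofia_reg.c:1234 SIP auth failure (REGISTER) "
            "on sofia profile 'internal' for [1001@" + host + "] from ip " + host)

# Constructed sample: three bare mod_fail2ban lines, then three timestamped sofia lines.
SAMPLE = ["A registration failed User:%s IP:203.0.113.5." % u
          for u in ("900972595225502", "00972595225502", "000972595225502")]
SAMPLE += [sofia_line("2016-09-24 01:00:0%d" % s, "198.51.100.7") for s in (1, 5, 9)]
```

Running fail2ban-regex against the real log file shows the same distinction on the server itself: its date-template statistics reveal whether a timestamp was found on the lines at all.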