[Freeswitch-users] Getting fail2ban working properly

Guillermo Ruiz Camauer grcamauer at gmail.com
Sat Sep 24 02:42:41 MSD 2016


Figured out what was wrong...

Reading the fail2ban web page I found this:


   - In order for a log line to match your failregex, it actually has to
   match in two parts: the beginning of the line has to match a timestamp
   pattern or regex, and the remainder of the line has to match your
   failregex. If the failregex is anchored with a leading ^, then the
   anchor refers to the start of the remainder of the line, *after* the
   timestamp and intervening whitespace.


   - The pattern or regex to match the time stamp is currently not
   documented, and not available for users to read or set. See Debian bug
   #491253 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=491253>.
   This is a problem if your log has a timestamp format that fail2ban doesn't
   expect, since it will then fail to match any lines. Because of this, you
   should test any new failregex against a sample log line, as in the examples
   below, to be sure that it will match. If fail2ban doesn't recognize your
   log timestamp, then you have two options: either reconfigure your daemon to
   log with a timestamp in a more common format, such as in the example log
   line above; or file a bug report asking to have your timestamp format
   included.


mod_fail2ban does NOT include any timestamps in the logs it generates (see
my previous mail).  So I modified it to include one.  Recompiled, etc. and
now it is working like a charm.

I only added one line to the original source, the Event-Date-Local line below:



#include <switch.h>

/* Log file handle; opened by the module's load routine (not shown here). */
static switch_file_t *logfile;

static void fail2ban_event_handler(switch_event_t *event)
{
    const char *user, *ip;

    if (event->event_id != SWITCH_EVENT_CUSTOM || !event->subclass_name) {
        return;
    }

    /* switch_str_nil() turns a missing header (NULL) into "" so printf never sees NULL. */
    user = switch_str_nil(switch_event_get_header(event, "to-user"));
    ip = switch_str_nil(switch_event_get_header(event, "network-ip"));

    if (!strcmp(event->subclass_name, "sofia::register_attempt")) {
        switch_file_printf(logfile, "A registration was attempted ");
        switch_file_printf(logfile, "%s:%s ", "User", user);
        switch_file_printf(logfile, "%s:%s ", "IP", ip);
        switch_file_printf(logfile, "\n");
    } else if (!strcmp(event->subclass_name, "sofia::register_failure")) {
        /* ADDED LINE: prefix the entry with the event's local timestamp
         * (e.g. "2016-09-23 18:35:00") so fail2ban's date detector accepts it. */
        switch_file_printf(logfile, "%s ",
                           switch_str_nil(switch_event_get_header(event, "Event-Date-Local")));
        switch_file_printf(logfile, "A registration failed ");
        switch_file_printf(logfile, "%s:%s ", "User", user);
        switch_file_printf(logfile, "%s:%s ", "IP", ip);
        switch_file_printf(logfile, "\n");
    }
}










On Fri, Sep 23, 2016 at 6:35 PM, Guillermo Ruiz Camauer <grcamauer at gmail.com> wrote:

> Has anyone tried this but with mod_fail2ban?  I can't get it to work.  I am
> logging to /usr/local/freeswitch/log/fail2ban.log.  I see entries there
> like:
>
>
> A registration was atempted User:111 IP:217.172.189.5.
> A registration failed User:900972595225502 IP:217.172.189.5.
> A registration was atempted User:110 IP:217.172.189.5.
> A registration failed User:00972595225502 IP:217.172.189.5.
> A registration was atempted User:701 IP:23.239.69.200.
> A registration failed User:00972592167049 IP:23.239.69.200.
> A registration was atempted User:110 IP:217.172.189.5.
> A registration failed User:000972595225502 IP:217.172.189.5.
> A registration was atempted User:110 IP:217.172.189.5.
>
> I have the following in /etc/fail2ban/filter.d:
>
> [Definition]
>
> failregex = A registration failed User:.* IP:<HOST>
>
> ignoreregex =
>
>
> I never get any matches...  I have tested the regexp at
> http://regex101.com and it works there for PCRE and Python.
>
> I have tried this with both fail2ban version 0.8.1.3 and 0.9.4.
>
> Any ideas?
>
> Thanks,
>
> Guillermo
>
>
> On Sun, Sep 18, 2016 at 8:53 PM, David Witham <david.witham at netsip.com.au>
> wrote:
>
>> Hi Don,
>>
>> Yes that should do what you want.
>>
>> regards,
>> David
>>
>> On 15 September 2016 at 15:14, Don Hawkins <hawkins at hawkinsegroup.com>
>> wrote:
>>
>>> So, to only block failures does this regex look right? I basically just
>>> removed "failure|challenge" and replaced with "failure"
>>>
>>> failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
>>>
>>>
>>> On Sun, Sep 11, 2016 at 2:23 AM, Angel Elena <craem at craem.net> wrote:
>>>
>>>> Great!!!
>>>>
>>>> Thanks for sharing.
>>>>
>>>> --------------------------------
>>>> Ángel Elena Medina       _o)
>>>> craem at craem.net          / \\
>>>> http://blog.craem.net  _(___V
>>>> @craem_
>>>> --------------------------------
>>>>
>>>> -----Original Message-----
>>>> From:     Don Hawkins <hawkins at hawkinsegroup.com>
>>>> Sent:        Sun 11-09-2016 03:22
>>>> Subject: Re: [Freeswitch-users] Getting fail2ban working properly
>>>> To:   FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>;
>>>> > No problem, I need to take notes anyway. Here they are...
>>>> >
>>>> >
>>>> > A.  /etc/fail2ban/filter.d/freeswitch.conf needs the following text:
>>>> >
>>>> > https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf
>>>> >
>>>> > NOTE: Internal and Public sofia profiles need:  <param name="log-auth-failures" value="true"/>
>>>> >
>>>> >
>>>> > B.  /etc/fail2ban/jail.conf and in /etc/fail2ban/jail.local (not sure
>>>> which one
>>>> > is working, I had to create jail.local)
>>>> >
>>>> > [freeswitch]
>>>> > enabled  = true
>>>> > port     = 5060,5061,5080,5081,5076,5074,5071
>>>> > filter   = freeswitch
>>>> > logpath  = /var/log/freeswitch/freeswitch.log
>>>> > maxretry = 3
>>>> >
>>>> >
>>>> > C. Drop these rules into iptables to block the scanners on ports 5060
>>>> and 5080
>>>> >
>>>> > iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
>>>> > iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
>>>> > iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
>>>> > iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "VaxSIPUserAgent" --algo bm
>>>> > iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "friendly-scanner" --algo bm
>>>> > iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "sipcli" --algo bm
>>>> >
>>>> >
>>>> > D. Change SSH port from 22 to a custom number
>>>> >
>>>> > vi /etc/ssh/sshd_config
>>>> >
>>>> >
>>>> > E. Update SSH jail in /etc/fail2ban/jail.conf to custom port number.
>>>> >
>>>> > [ssh]
>>>> >
>>>> > enabled  = true
>>>> > port     = 9898,22
>>>> > filter   = sshd
>>>> > logpath  = /var/log/auth.log
>>>> > maxretry = 6
>>>> >
>>>> >
>>>> > F. I also have additional security using CDR records (curl).  If a
>>>> call comes
>>>> > in that does not have an 'account number' set (a custom variable we
>>>> set for all
>>>> > incoming and outgoing calls from our customers) then we execute a
>>>> shell command
>>>> > to block that IP without delay because they obviously aren't one of
>>>> our
>>>> > customers. We are using mod_httapi and all calls start that way for
>>>> us, so it's
>>>> > easy to set the variable as all calls start with <continue>.
>>>> >
>>>> >
>>>> > iptables -A INPUT -s 65.55.44.100 -j DROP
>>>> >
>>>> >
>>>> > Where 65.55.44.100 is the ip to block.
>>>> >
>>>> >
>>>> >
>>>> > Don
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > On Sat, Sep 10, 2016 at 7:58 PM, George Assaad <gassaad at emassembly.com> wrote:
>>>> > Hi Don,
>>>> > Could you please share your final settings since it works.
>>>> >
>>>> > Thanks,
>>>> >
>>>> > George
>>>> >
>>>> > On Sep 10, 2016, at 5:49 PM, Don Hawkins <hawkins at hawkinsegroup.com> wrote:
>>>> >
>>>> > Just want to update everyone that the registration attempts have
>>>> almost stopped
>>>> > 100% since blocking the sniffers and setting a 4 hour block time
>>>> after three
>>>> > failed registrations.
>>>> >
>>>> > Good day!
>>>> >
>>>> > On Thu, Sep 8, 2016 at 4:21 PM, jungle Boogie <jungleboogie0 at gmail.com> wrote:
>>>> > On 8 September 2016 at 12:54, Don Hawkins <hawkins at hawkinsegroup.com> wrote:
>>>> > > Can someone share with me how to block all ports except the
>>>> important ones?
>>>> >
>>>> > I had the same question about a month ago:
>>>> > http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121694.html
>>>> >
>>>> >
>>>> > Colin gives good advice here:
>>>> > http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121730.html
>>>> >
>>>> >
>>>> > I've also had success with contacting the originating network and
>>>> > request their customer to stop the traffic to me.
>>>> >
>>>> > Here's the abuse form for online.net:
>>>> > https://console.online.net/en/account/abuses/search
>>>> >
>>>> > By the way, if the fail2ban page on confluence needs updating, please
>>>> > update it or list what's wrong with it. I do see it indicates to
>>>> > create the jail.local and that's what you were missing for yours to
>>>> > work properly.
>>>> >
>>>> >
>>>> > --
>>>> > -------
>>>> > inum: 883510009027723
>>>> > sip: jungleboogie at sip2sip.info
>>>> >
>>>> > _________________________________________________________________________
>>>> > Professional FreeSWITCH Consulting Services:
>>>> > consulting at freeswitch.org
>>>> > http://www.freeswitchsolutions.com
>>>> >
>>>> > Official FreeSWITCH Sites
>>>> > http://www.freeswitch.org
>>>> > http://confluence.freeswitch.org
>>>> > http://www.cluecon.com
>>>> >
>>>> > FreeSWITCH-users mailing list
>>>> > FreeSWITCH-users at lists.freeswitch.org
>>>> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> > http://www.freeswitch.org
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Sincerely,
>>>> > Don Hawkins
>>>> > CEO
>>>> > Hawkins Enterprise Group LLC
>>>> > http://hawkinsegroup.com
>>>> > Zello PTT <http://zello.com/> : push2don
>>>> > P: 469-214-5044
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Sincerely,
>>>> > Don Hawkins
>>>> > CEO
>>>> > Hawkins Enterprise Group LLC
>>>> > http://hawkinsegroup.com
>>>> > Zello PTT <http://zello.com> : push2don
>>>> > P: 469-214-5044
>>>> >
>>>> >
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Sincerely,
>>> Don Hawkins
>>> CEO
>>> Hawkins Enterprise Group LLC
>>> http://hawkinsegroup.com
>>> Zello PTT <http://zello.com>: push2don
>>> P: 469-214-5044
>>>
>>>
>>
>>
>>
>> --
>> David Witham
>> Senior Voice/Systems Engineer
>>
>> Netsip pty ltd – An Over the Wire Company
>> Level 1, 24 Little Edward St, Spring Hill QLD 4000
>>
>> t    +61 1300 638 747
>> e   david.witham at netsip.com.au    www.netsip.com.au
>>
>>
>
>
>
> --
> Guillermo Ruiz Camauer
>



-- 
Guillermo Ruiz Camauer
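As an added example (not code from Guillermo's post, from mod_fail2ban or from fail2ban itself), the Python script below emulates the two-part matching rule quoted from the fail2ban wiki above and runs both failregexes from this thread over constructed log lines: the untimestamped mod_fail2ban line that never matched, the same line prefixed with an Event-Date-Local style timestamp, and a stock freeswitch.log line for the freeswitch.conf filter. The timestamp patterns, the `<HOST>` expansion and all function names are simplified assumptions of mine, not fail2ban's real date detector; the addresses are documentation-range samples.

```python
"""Emulate fail2ban's two-stage log-line matching.

Added example: NOT code from the thread, from mod_fail2ban or from fail2ban.
It reproduces the rule the fail2ban wiki states: the start of a line must match
a known timestamp pattern, and only the remainder is tested against failregex.
The timestamp patterns and the <HOST> expansion are simplified stand-ins for
fail2ban's own, the function names are mine, and every log line is constructed.
"""
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (an IPv4 address or hostname).
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"

# Leading timestamp shapes we recognise (fail2ban's date detector knows many more).
# The ISO form deliberately stops before any fractional seconds: that is why the
# stock freeswitch.conf failregex in the thread has to start with ^\.\d+ .
TIMESTAMP_RES = [
    re.compile(r"^\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}"),          # 2016-09-23 18:35:00
    re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"),    # Sep 23 18:35:00 (syslog)
]


def compile_failregex(failregex):
    """Expand <HOST> into a named group, as fail2ban does, then compile."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def split_timestamp(line):
    """Return (timestamp, remainder with leading whitespace stripped), or None."""
    for ts_re in TIMESTAMP_RES:
        m = ts_re.match(line)
        if m:
            return m.group(0), line[m.end():].lstrip()
    return None


def match_line(failregex, line):
    """Return the offending host for one line, or None.

    A line with no recognised timestamp is dropped before the failregex is ever
    tried, which is exactly what happened to the untimestamped mod_fail2ban log.
    """
    parts = split_timestamp(line)
    if parts is None:
        return None
    _, remainder = parts
    m = failregex.search(remainder)
    return m.group("host") if m else None


def failures_per_host(failregex, lines):
    """Count matched failures per host, the way a jail accumulates them."""
    hosts = (match_line(failregex, line) for line in lines)
    return Counter(h for h in hosts if h is not None)


def hosts_to_ban(counts, maxretry=3):
    """Hosts that reached maxretry, the jail's ban threshold."""
    return sorted(h for h, n in counts.items() if n >= maxretry)


# The two failregexes discussed in the thread.
MOD_FAIL2BAN_FAILREGEX = r"A registration failed User:.* IP:<HOST>"
FREESWITCH_FAILREGEX = (
    r"^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure) "
    r"\((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$"
)

# Constructed sample lines (documentation-range addresses, not real traffic).
MOD_FAIL2BAN_NO_TS = "A registration failed User:900972595225502 IP:198.51.100.7"
MOD_FAIL2BAN_WITH_TS = [
    "2016-09-23 18:35:%02d A registration failed User:00972595225502 IP:198.51.100.7" % s
    for s in (1, 2, 3)
]
FREESWITCH_LOG = (
    "2016-09-23 18:35:04.123456 [WARNING] sofia_reg.c:2881 SIP auth failure (REGISTER) "
    "on sofia profile 'internal' for [1001@203.0.113.10] from ip 203.0.113.99"
)


def demo():
    """Run the samples through the emulation and return the results."""
    mod_re = compile_failregex(MOD_FAIL2BAN_FAILREGEX)
    fs_re = compile_failregex(FREESWITCH_FAILREGEX)
    counts = failures_per_host(mod_re, MOD_FAIL2BAN_WITH_TS)
    return {
        "no_timestamp": match_line(mod_re, MOD_FAIL2BAN_NO_TS),        # None
        "with_timestamp": match_line(mod_re, MOD_FAIL2BAN_WITH_TS[0]),  # '198.51.100.7'
        "freeswitch_log": match_line(fs_re, FREESWITCH_LOG),           # '203.0.113.99'
        "banned": hosts_to_ban(counts, maxretry=3),                    # ['198.51.100.7']
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real installation the equivalent check is `fail2ban-regex <logfile> <filter.conf>`, which reports both the failregex matches and which date template (if any) each line hit; a log whose lines all land in the "no date" bucket is the symptom Guillermo describes, and the fix is a recognisable timestamp at the start of each line, not a change to failregex.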
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20160923/2657b0f9/attachment-0001.html 

