[Freeswitch-users] Will fail2ban work for this?
Martin Paterson
martin.paterson at technologywithin.com
Wed Mar 17 15:42:06 UTC 2021
APIBAN is also good for this (https://www.apiban.org/doc.html). It basically sends you a list of known bad IP addresses and modifies your firewall to block them, it’s really easy to install and get running. I found out about it at a ClueCon talk (this one: https://youtu.be/JvUGU3YtgzE?t=3132). The rest of Fred’s talk is also interesting and touches on security.
Martin.
Martin Paterson
Development Team
Phone: 0207 953 8840
Email: martin.paterson at technologywithin.com
Chevron Business Park, Limekiln Lane, Southampton, Hampshire, SO45 2QL
Registered Office: CP House, Otterspool Way, Watford, WD25 8JJ, U.K
Registered in England No: 5964349 | VAT Number: GB 902 5369 37
From: FreeSWITCH-users <freeswitch-users-bounces at lists.freeswitch.org> On Behalf Of Raúl Alexis Betancor Santana
Sent: 17 March 2021 06:59
To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
Subject: Re: [Freeswitch-users] Will fail2ban work for this?
Switching SIP port, is not the solution, sooner than later, they will find you.
The best approach is to use a combination of solutions, like a blacklist of know hackers IPs as voipbl.org<http://voipbl.org>, correctly setup fail2ban, put your FS behind a Kamailio with the pike module and other security measures, etc.
On Wed, Mar 17, 2021 at 2:19 AM Steven Schoch <schoch+freeswitch.org at xwin32.com<mailto:schoch%2Bfreeswitch.org at xwin32.com>> wrote:
I like your 2nd option. I always assumed 5080 was safe because it isn't the SIP port. It is listed as the "OnScreen Data Collection Service" in the official port number database (https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?&page=89), but I guess the hackers know the SIP people like to use it. I'll try switching to another port.
--
Steve
On Tue, Mar 16, 2021 at 6:30 PM David Villasmil <david.villasmil.work at gmail.com<mailto:david.villasmil.work at gmail.com>> wrote:
It works, sure. But needs to be configured.
https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban should help you, especially the configuration part.
For fail2ban to work, it needs to see a line in the logfile with the originating IP address, for that to work on failed call attempts you need to add a specific failure log. Something like adding a catch-all extension at the very end of the dialplan and log the originating IP. Then grab that with fail2ban.
something like:
<extension name="catch-all">
<condition field="destination_number" expression="^.*$">
<condition field="${sip_authorized}" expression="^false$">
<action application="log" data="CRIT caught ${variable_sip_received_ip} trying to call."/>
<action application="hangup" data=""/>
</condition>
</condition>
</extension>
Then a regexp on filter.d/freeswitch.local
[Definition]
failregex = ^.* caught <HOST> trying to call$
NOTE: I didn't test any of this, you'll need to test yourself, but it should be a starting point.
Another option, which i like on top of the already mentioned, is to _not_ use a default port 5080, use something like 9909 (security by obscurity)
Regards,
David Villasmil
email: david.villasmil.work at gmail.com<mailto:david.villasmil.work at gmail.com>
phone: +34669448337
On Tue, Mar 16, 2021 at 11:40 PM Steven Schoch <schoch+freeswitch.org at xwin32.com<mailto:schoch%2Bfreeswitch.org at xwin32.com>> wrote:
I just set up a new FreeSWITCH system on my home network, and set a forward for port 5080 to connect to Flowroute. While I'm debugging some call routing stuff, my logs are getting overrun with stuff like this:
2021-03-16 15:52:02.267501 [NOTICE] switch_channel.c:1118 New Channel sofia/external/7750@<my IP> [2de89b87-cd07-4c0f-b9fb-3da8e5a68d37]
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:585 (sofia/external/7750@<my IP>) Running State Change CS_NEW (Cur 1 Tot 7822)
2021-03-16 15:52:02.267501 [DEBUG] sofia.c:10280 sofia/external/7750@<my IP> receiving invite from 80.94.93.12:62635<http://80.94.93.12:62635> version: 1.10.5 -release-17-25569c1631 64bit
2021-03-16 15:52:02.267501 [DEBUG] sofia.c:7326 Channel sofia/external/7750@<my IP> entering state [received][100]
2021-03-16 15:52:02.267501 [DEBUG] sofia.c:7336 Remote SDP:
v=0
o=- 81921704 81921704 IN IP4 0.0.0.0
s=pplsip
c=IN IP4 0.0.0.0
t=0 0
m=audio 7628 RTP/AVP 100 6 0 8 3 18 5 101
a=rtpmap:100 speex/16000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-11
a=alt:1 1 : DF50DC48 0000001F 0.0.0.0 7628
2021-03-16 15:52:02.267501 [DEBUG] sofia.c:7739 (sofia/external/7750@<my IP>) State Change CS_NEW -> CS_INIT
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:604 (sofia/external/7750@<my IP>) State NEW
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:585 (sofia/external/7750@<my IP>) Running State Change CS_INIT (Cur 1 Tot 7822)
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:628 (sofia/external/7750@<my IP>) State INIT
2021-03-16 15:52:02.267501 [DEBUG] mod_sofia.c:93 sofia/external/7750@<my IP> SOFIA INIT
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:40 sofia/external/7750@<my IP> Standard INIT
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:48 (sofia/external/7750@<my IP>) State Change CS_INIT -> CS_ROUTING
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:628 (sofia/external/7750@<my IP>) State INIT going to sleep
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:585 (sofia/external/7750@<my IP>) Running State Change CS_ROUTING (Cur 1 Tot 7822)
2021-03-16 15:52:02.267501 [DEBUG] switch_channel.c:2332 (sofia/external/7750@<my IP>) Callstate Change DOWN -> RINGING
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:644 (sofia/external/7750@<my IP>) State ROUTING
2021-03-16 15:52:02.267501 [DEBUG] mod_sofia.c:154 sofia/external/7750@<my IP> SOFIA ROUTING
2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:236 sofia/external/7750@<my IP> Standard ROUTING
2021-03-16 15:52:02.267501 [INFO] mod_dialplan_xml.c:637 Processing 7750 <7750>->900442037697855 in context public
I thought fail2ban was designed for stuff like this, but I don't see any auth attempts here (I set "log-auth-failures" to "true"). These are coming in a bit faster than 1 per second. It appears they are dialing random extensions. How can I make them stop?
--
Steve
_________________________________________________________________________
The FreeSWITCH project is sponsored by SignalWire https://signalwire.com
Enhance your FreeSWITCH install with disruptive priced SMS and PSTN services.
Build your next product on our scalable cloud platform.
Join our online community to chat in real time https://signalwire.community
Professional FreeSWITCH Services
sales at freeswitch.com<mailto:sales at freeswitch.com>
https://freeswitch.com
Official FreeSWITCH Sites
https://freeswitch.com/oss
https://freeswitch.org/confluence
https://cluecon.com
FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org<mailto:FreeSWITCH-users at lists.freeswitch.org>
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
https://freeswitch.com
_________________________________________________________________________
The FreeSWITCH project is sponsored by SignalWire https://signalwire.com
Enhance your FreeSWITCH install with disruptive priced SMS and PSTN services.
Build your next product on our scalable cloud platform.
Join our online community to chat in real time https://signalwire.community
Professional FreeSWITCH Services
sales at freeswitch.com<mailto:sales at freeswitch.com>
https://freeswitch.com
Official FreeSWITCH Sites
https://freeswitch.com/oss
https://freeswitch.org/confluence
https://cluecon.com
FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org<mailto:FreeSWITCH-users at lists.freeswitch.org>
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
https://freeswitch.com
_________________________________________________________________________
The FreeSWITCH project is sponsored by SignalWire https://signalwire.com
Enhance your FreeSWITCH install with disruptive priced SMS and PSTN services.
Build your next product on our scalable cloud platform.
Join our online community to chat in real time https://signalwire.community
Professional FreeSWITCH Services
sales at freeswitch.com<mailto:sales at freeswitch.com>
https://freeswitch.com
Official FreeSWITCH Sites
https://freeswitch.com/oss
https://freeswitch.org/confluence
https://cluecon.com
FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org<mailto:FreeSWITCH-users at lists.freeswitch.org>
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
https://freeswitch.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20210317/18750a19/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image148797.png
Type: image/png
Size: 2305 bytes
Desc: image148797.png
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20210317/18750a19/attachment-0007.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image487155.png
Type: image/png
Size: 32472 bytes
Desc: image487155.png
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20210317/18750a19/attachment-0008.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image901869.png
Type: image/png
Size: 402 bytes
Desc: image901869.png
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20210317/18750a19/attachment-0009.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image348145.png
Type: image/png
Size: 589 bytes
Desc: image348145.png
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20210317/18750a19/attachment-0010.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image949138.png
Type: image/png
Size: 725 bytes
Desc: image949138.png
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20210317/18750a19/attachment-0011.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image605295.png
Type: image/png
Size: 932 bytes
Desc: image605295.png
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20210317/18750a19/attachment-0012.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image159651.png
Type: image/png
Size: 135803 bytes
Desc: image159651.png
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20210317/18750a19/attachment-0013.png>
More information about the FreeSWITCH-users
mailing list