<div dir="ltr">So, I got this working by creating a jail.local file. fail2ban was totally ignoring everything in the jail.conf file.<div><br></div><div>But Jurijs is right, all the ports are open so some of the hackers are coming through on ports 5071 and weird numbers that don't even need to be available period.</div><div><br></div><div>Can someone share with me how to block all ports except the important ones?</div><div><br></div><div>Thanks!</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 8, 2016 at 1:23 PM, Don Hawkins <span dir="ltr"><<a href="mailto:hawkins@hawkinsegroup.com" target="_blank">hawkins@hawkinsegroup.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I cleared out the logs and reloaded fail2ban. Going back to look at the logs again now and I don't even see an attempt to load the FreeSwitch filter. <div><br></div><div>fail2ban.log:</div><div><br></div><div><div>2016-09-08 18:21:16,855 fail2ban.server [3576]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.13</div><div>2016-09-08 18:21:16,856 fail2ban.jail [3576]: INFO Creating new jail 'ssh'</div><div>2016-09-08 18:21:16,856 fail2ban.jail [3576]: INFO Jail 'ssh' uses pyinotify</div><div>2016-09-08 18:21:16,862 fail2ban.jail [3576]: INFO Initiated 'pyinotify' backend</div><div>2016-09-08 18:21:16,864 fail2ban.filter [3576]: INFO Added logfile = /var/log/auth.log</div><div>2016-09-08 18:21:16,866 fail2ban.filter [3576]: INFO Set maxRetry = 6</div><div>2016-09-08 18:21:16,867 fail2ban.filter [3576]: INFO Set findtime = 600</div><div>2016-09-08 18:21:16,868 fail2ban.actions[3576]: INFO Set banTime = 1800</div><div>2016-09-08 18:21:16,889 fail2ban.jail [3576]: INFO Creating new jail 'ssh-ddos'</div><div>2016-09-08 18:21:16,890 fail2ban.jail [3576]: INFO Jail 'ssh-ddos' uses pyinotify</div><div>2016-09-08 18:21:16,896 fail2ban.jail [3576]: INFO Initiated 
'pyinotify' backend</div><div>2016-09-08 18:21:16,898 fail2ban.filter [3576]: INFO Added logfile = /var/log/auth.log</div><div>2016-09-08 18:21:16,900 fail2ban.filter [3576]: INFO Set maxRetry = 6</div><div>2016-09-08 18:21:16,901 fail2ban.filter [3576]: INFO Set findtime = 600</div><div>2016-09-08 18:21:16,902 fail2ban.actions[3576]: INFO Set banTime = 1800</div><div>2016-09-08 18:21:16,910 fail2ban.jail [3576]: INFO Jail 'ssh' started</div><div>2016-09-08 18:21:16,914 fail2ban.jail [3576]: INFO Jail 'ssh-ddos' started</div></div><div><div class="h5"><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 8, 2016 at 1:53 AM, Mirko Brankovic <span dir="ltr"><<a href="mailto:mirkobrankovic@gmail.com" target="_blank">mirkobrankovic@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>On ubuntu it is called :</div><div><div>Chain fail2ban-freeswitch (1 references)</div></div><div><br></div><div>iptables -L should give you the chain if F2B started correctly, otherwise see the fail2ban log for errors.</div><div><br></div><div><br></div><div class="gmail_extra"><div><div><br><div class="gmail_quote">On Thu, Sep 8, 2016 at 7:42 AM, Jurijs Ivolga <span dir="ltr"><<a href="mailto:jurijs.ivolga@gmail.com" target="_blank">jurijs.ivolga@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div>Hi,<br><br></div>I configured fail2ban several times a while ago, but not with freeswitch...<br><br></div>If you see that rules are missing, just add them and you can use SSH rules as template. 
I believe it should do the trick.<br><br></div><div>And I see from your rules that you are allowing all traffic, and this is a really bad idea...<br><br></div><div>You should drop everything and allow only needed traffic.<br></div><div><br></div>With kind regards,<br></div><div class="gmail_extra"><br clear="all"><div><div><div dir="ltr">Jurijs<br></div></div></div><div><div>
<br><div class="gmail_quote">On Thu, Sep 8, 2016 at 12:15 AM, Don Hawkins <span dir="ltr"><<a href="mailto:hawkins@hawkinsegroup.com" target="_blank">hawkins@hawkinsegroup.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Thanks for the reply!<div><br></div><div><b>Fail2Ban is running:</b></div><div><div>root@sip:/etc/fail2ban# fail2ban-client start</div><div>ERROR Server already running</div></div><div><br></div><div><br></div><div><b>I added everything in /etc/fail2ban/jail.conf</b></div><div><div><br></div><div>[ssh]</div><div>enabled = true<br></div><div>port = 22</div><div>filter = sshd</div><div>logpath = /var/log/auth.log</div><div>maxretry = 6</div><div><br></div><div>[freeswitch]</div><div>enabled = true</div><div>port = 5060,5061,5080,5081</div><div>filter = freeswitch</div><div>logpath = /var/log/freeswitch/freeswitch<wbr>.log</div><div>maxretry = 10</div></div><div><br></div><div><br></div><div><b>I also created /etc/fail2ban/filter.d<wbr>/freeswitch.conf</b> as shown on <a href="https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf" target="_blank">https://github.com/fail2ban<wbr>/fail2ban/blob/master/config/f<wbr>ilter.d/freeswitch.conf</a></div><div><br></div><div><br></div><div><div><b>root@sip:/etc/fail2ban/filter.<wbr>d# iptables -S</b></div><div>-P INPUT ACCEPT</div><div>-P FORWARD ACCEPT</div><div>-P OUTPUT ACCEPT</div><div>-N fail2ban-ssh</div><div>-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh</div></div><div><br></div><div><br></div><div>As you can see when running iptables -S it shows the "fail2ban-ssh" rule but nothing about FreeSwitch.</div><div><br></div><div><br></div><div>Any help is appreciated.</div><div><br></div><div><br></div></div><div class="gmail_extra"><div><div><br><div class="gmail_quote">On Wed, Sep 7, 2016 at 11:01 AM, jungle Boogie <span dir="ltr"><<a 
href="mailto:jungleboogie0@gmail.com" target="_blank">jungleboogie0@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span>On 7 September 2016 at 08:33, Don Hawkins <<a href="mailto:hawkins@hawkinsegroup.com" target="_blank">hawkins@hawkinsegroup.com</a>> wrote:<br>
> It keeps saying it's not there, but I did add it, is there something I'm<br>
> missing?<br>
<br>
</span>How did you add it? Is fail2ban running? Have you restarted your<br>
computer after setting up fail2ban? If you do iptables -S, do you see<br>
the rules?<br>
<br>
<br>
--<br>
-------<br>
inum: 883510009027723<br>
sip: <a href="mailto:jungleboogie@sip2sip.info" target="_blank">jungleboogie@sip2sip.info</a><br>
<br>
______________________________<wbr>______________________________<wbr>_____________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.freeswitchsolutions<wbr>.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.o<wbr>rg</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswi<wbr>tch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/ma<wbr>ilman/listinfo/freeswitch-user<wbr>s</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.frees<wbr>witch.org/mailman/options/free<wbr>switch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="color:rgb(102,102,102)"><span>Sincerely,<br>Don Hawkins<br>CEO<br>Hawkins Enterprise Group LLC<br><a href="http://hawkinsegroup.com" target="_blank">http://hawkinsegroup.com</a><br><a href="http://zello.com" target="_blank">Zello PTT</a>: push2don<br></span></span></div><div><span style="color:rgb(102,102,102)"><span>P: <a href="tel:469-214-5044" value="+14692145044" target="_blank">469-214-5044</a><br></span></span></div><div dir="ltr"><span style="color:rgb(102,102,102)"><span><a value="+12146991224"></a></span></span></div></div></div></div></div></div>
</font></span></div>
</blockquote></div><br></div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br></div></div><div><div dir="ltr"><div><div dir="ltr">Regards,<div>Mirko</div></div></div></div></div>
</div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="color:rgb(102,102,102)"><span>Sincerely,<br>Don Hawkins<br>CEO<br>Hawkins Enterprise Group LLC<br><a href="http://hawkinsegroup.com" target="_blank">http://hawkinsegroup.com</a><br><a href="http://zello.com" target="_blank">Zello PTT</a>: push2don<br></span></span></div><div><span style="color:rgb(102,102,102)"><span>P: <a href="tel:469-214-5044" value="+14692145044" target="_blank">469-214-5044</a><br></span></span></div><div dir="ltr"><span style="color:rgb(102,102,102)"><span><a value="+12146991224"></a></span></span></div></div></div></div></div></div>
</div></div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="color:rgb(102,102,102)"><span>Sincerely,<br>Don Hawkins<br>CEO<br>Hawkins Enterprise Group LLC<br><a href="http://hawkinsegroup.com" target="_blank">http://hawkinsegroup.com</a><br><a href="http://zello.com" target="_blank">Zello PTT</a>: push2don<br></span></span></div><div><span style="color:rgb(102,102,102)"><span>P: 469-214-5044<br></span></span></div><div dir="ltr"><span style="color:rgb(102,102,102)"><span><a value="+12146991224"></a></span></span></div></div></div></div></div></div>
</div>
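<div>The "drop everything and allow only needed traffic" policy discussed in this thread, as an added example that is not part of any poster's message: it emits an iptables-restore ruleset for the ports in the thread's jail definitions and includes a small audit helper. The function names, the variables and the RTP range (FreeSWITCH's default, not stated in the thread) are assumptions.</div>

```shell
# Added example (not from the thread): default-drop INPUT policy for this host,
# emitted in iptables-restore format so it can be reviewed before loading.
# Ports 22 and 5060,5061,5080,5081 are the ones in the thread's jail definitions.
# ASSUMPTION: RTP media on UDP 16384:32768 (FreeSWITCH's default range).
SSH_PORT="${SSH_PORT:-22}"
SIP_PORTS="${SIP_PORTS:-5060,5061,5080,5081}"
RTP_RANGE="${RTP_RANGE:-16384:32768}"

fs_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
-A INPUT -p tcp -m multiport --dports ${SIP_PORTS} -j ACCEPT
-A INPUT -p udp -m multiport --dports ${SIP_PORTS} -j ACCEPT
-A INPUT -p udp --dport ${RTP_RANGE} -j ACCEPT
COMMIT
EOF
}

# Audit helper: exit 0 if the ruleset on stdin accepts new traffic to proto/port.
accepts() {  # usage: fs_ruleset | accepts udp 5060
    awk -v proto="$1" -v port="$2" '
        $1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
            p = ""; spec = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") p = $(i + 1)
                if ($i == "--dport" || $i == "--dports") spec = $(i + 1)
            }
            if (p != proto || spec == "") next
            n = split(spec, items, ",")
            for (j = 1; j <= n; j++) {
                m = split(items[j], r, ":")
                lo = r[1] + 0; hi = (m == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) { found = 1; exit }
            }
        }
        END { exit(found ? 0 : 1) }'
}

# Print the ruleset; port 5071 from the thread should no longer be reachable.
fs_ruleset
fs_ruleset | accepts tcp 5071 || echo "# tcp/5071 is not accepted"
```

<div>Check the output with <code>fs_ruleset | iptables-restore --test</code> before loading it, and confirm the SSH port first if you are connected remotely. Loading the ruleset replaces the filter table, so restart fail2ban afterwards so it re-creates its chains.</div>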