<div dir="ltr">So, I got this working by creating a jail.local file. fail2ban was totally ignoring everything in the jail.conf file.<div><br></div><div>But Jurijs is right, all the ports are open so some of the hackers are coming through on ports 5071 and weird numbers that don&#39;t even need to be available period.</div><div><br></div><div>Can someone share with me how to block all ports except the important ones?</div><div><br></div><div>Thanks!</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 8, 2016 at 1:23 PM, Don Hawkins <span dir="ltr">&lt;<a href="mailto:hawkins@hawkinsegroup.com" target="_blank">hawkins@hawkinsegroup.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I cleared out the logs and reloaded fail2ban. Going back to look at the logs again now and I don&#39;t even see an attempt to load the FreeSwitch filter. <div><br></div><div>fail2ban.log:</div><div><br></div><div><div>2016-09-08 18:21:16,855 fail2ban.server [3576]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.13</div><div>2016-09-08 18:21:16,856 fail2ban.jail   [3576]: INFO    Creating new jail &#39;ssh&#39;</div><div>2016-09-08 18:21:16,856 fail2ban.jail   [3576]: INFO    Jail &#39;ssh&#39; uses pyinotify</div><div>2016-09-08 18:21:16,862 fail2ban.jail   [3576]: INFO    Initiated &#39;pyinotify&#39; backend</div><div>2016-09-08 18:21:16,864 fail2ban.filter [3576]: INFO    Added logfile = /var/log/auth.log</div><div>2016-09-08 18:21:16,866 fail2ban.filter [3576]: INFO    Set maxRetry = 6</div><div>2016-09-08 18:21:16,867 fail2ban.filter [3576]: INFO    Set findtime = 600</div><div>2016-09-08 18:21:16,868 fail2ban.actions[3576]: INFO    Set banTime = 1800</div><div>2016-09-08 18:21:16,889 fail2ban.jail   [3576]: INFO    Creating new jail &#39;ssh-ddos&#39;</div><div>2016-09-08 18:21:16,890 fail2ban.jail   [3576]: INFO    Jail &#39;ssh-ddos&#39; 
uses pyinotify</div><div>2016-09-08 18:21:16,896 fail2ban.jail   [3576]: INFO    Initiated &#39;pyinotify&#39; backend</div><div>2016-09-08 18:21:16,898 fail2ban.filter [3576]: INFO    Added logfile = /var/log/auth.log</div><div>2016-09-08 18:21:16,900 fail2ban.filter [3576]: INFO    Set maxRetry = 6</div><div>2016-09-08 18:21:16,901 fail2ban.filter [3576]: INFO    Set findtime = 600</div><div>2016-09-08 18:21:16,902 fail2ban.actions[3576]: INFO    Set banTime = 1800</div><div>2016-09-08 18:21:16,910 fail2ban.jail   [3576]: INFO    Jail &#39;ssh&#39; started</div><div>2016-09-08 18:21:16,914 fail2ban.jail   [3576]: INFO    Jail &#39;ssh-ddos&#39; started</div></div><div><div class="h5"><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 8, 2016 at 1:53 AM, Mirko Brankovic <span dir="ltr">&lt;<a href="mailto:mirkobrankovic@gmail.com" target="_blank">mirkobrankovic@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>On Ubuntu it is called:</div><div><div>Chain fail2ban-freeswitch (1 references)</div></div><div><br></div><div>iptables -L should give you the chain if F2B started correctly, otherwise see the fail2ban log for errors.</div><div><br></div><div><br></div><div class="gmail_extra"><div><div><br><div class="gmail_quote">On Thu, Sep 8, 2016 at 7:42 AM, Jurijs Ivolga <span dir="ltr">&lt;<a href="mailto:jurijs.ivolga@gmail.com" target="_blank">jurijs.ivolga@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div>Hi,<br><br></div>I configured fail2ban several times a while ago, but not with freeswitch...<br><br></div>If you see that rules are missing, just add them and you can use SSH rules as a template. 
I believe it should do the trick.<br><br></div><div>And I see from your rules that you are allowing all traffic, and this is a really bad idea...<br><br></div><div>You should drop everything and allow only needed traffic.<br></div><div><br></div>With kind regards,<br></div><div class="gmail_extra"><br clear="all"><div><div><div dir="ltr">Jurijs<br></div></div></div><div><div>
<br><div class="gmail_quote">On Thu, Sep 8, 2016 at 12:15 AM, Don Hawkins <span dir="ltr">&lt;<a href="mailto:hawkins@hawkinsegroup.com" target="_blank">hawkins@hawkinsegroup.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Thanks for the reply!<div><br></div><div><b>Fail2Ban is running:</b></div><div><div>root@sip:/etc/fail2ban# fail2ban-client start</div><div>ERROR  Server already running</div></div><div><br></div><div><br></div><div><b>I added everything in /etc/fail2ban/jail.conf</b></div><div><div><br></div><div>[ssh]</div><div>enabled  = true<br></div><div>port     = 22</div><div>filter   = sshd</div><div>logpath  = /var/log/auth.log</div><div>maxretry = 6</div><div><br></div><div>[freeswitch]</div><div>enabled  = true</div><div>port     = 5060,5061,5080,5081</div><div>filter   = freeswitch</div><div>logpath  = /var/log/freeswitch/freeswitch<wbr>.log</div><div>maxretry = 10</div></div><div><br></div><div><br></div><div><b>I also created /etc/fail2ban/filter.d<wbr>/freeswitch.conf</b> as shown on <a href="https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf" target="_blank">https://github.com/fail2ban<wbr>/fail2ban/blob/master/config/f<wbr>ilter.d/freeswitch.conf</a></div><div><br></div><div><br></div><div><div><b>root@sip:/etc/fail2ban/filter.<wbr>d# iptables -S</b></div><div>-P INPUT ACCEPT</div><div>-P FORWARD ACCEPT</div><div>-P OUTPUT ACCEPT</div><div>-N fail2ban-ssh</div><div>-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh</div></div><div><br></div><div><br></div><div>As you can see when running iptables -S it shows the &quot;fail2ban-ssh&quot; rule but nothing about FreeSwitch.</div><div><br></div><div><br></div><div>Any help is appreciated.</div><div><br></div><div><br></div></div><div class="gmail_extra"><div><div><br><div class="gmail_quote">On Wed, Sep 7, 2016 at 11:01 AM, jungle Boogie <span 
dir="ltr">&lt;<a href="mailto:jungleboogie0@gmail.com" target="_blank">jungleboogie0@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span>On 7 September 2016 at 08:33, Don Hawkins &lt;<a href="mailto:hawkins@hawkinsegroup.com" target="_blank">hawkins@hawkinsegroup.com</a>&gt; wrote:<br>
&gt; It keeps saying it&#39;s not there, but I did add it, is there something I&#39;m<br>
&gt; missing?<br>
<br>
</span>How did you add it? Is fail2ban running? Have you restarted your<br>
computer after setting up fail2ban? If you do iptables -S, do you see<br>
the rules?<br>
<br>
<br>
--<br>
-------<br>
inum: 883510009027723<br>
sip: <a href="mailto:jungleboogie@sip2sip.info" target="_blank">jungleboogie@sip2sip.info</a><br>
<br>
______________________________<wbr>______________________________<wbr>_____________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.freeswitchsolutions<wbr>.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.o<wbr>rg</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswi<wbr>tch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/ma<wbr>ilman/listinfo/freeswitch-user<wbr>s</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.frees<wbr>witch.org/mailman/options/free<wbr>switch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="color:rgb(102,102,102)"><span>Sincerely,<br>Don Hawkins<br>CEO<br>Hawkins Enterprise Group LLC<br><a href="http://hawkinsegroup.com" target="_blank">http://hawkinsegroup.com</a><br><a href="http://zello.com" target="_blank">Zello PTT</a>: push2don<br></span></span></div><div><span style="color:rgb(102,102,102)"><span>P: <a href="tel:469-214-5044" value="+14692145044" target="_blank">469-214-5044</a><br></span></span></div><div dir="ltr"><span style="color:rgb(102,102,102)"><span><a value="+12146991224"></a></span></span></div></div></div></div></div></div>
</font></span></div>
</blockquote></div><br></div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br></div></div><div><div dir="ltr"><div><div dir="ltr">Regards,<div>Mirko</div></div></div></div></div>
</div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="color:rgb(102,102,102)"><span>Sincerely,<br>Don Hawkins<br>CEO<br>Hawkins Enterprise Group LLC<br><a href="http://hawkinsegroup.com" target="_blank">http://hawkinsegroup.com</a><br><a href="http://zello.com" target="_blank">Zello PTT</a>: push2don<br></span></span></div><div><span style="color:rgb(102,102,102)"><span>P: <a href="tel:469-214-5044" value="+14692145044" target="_blank">469-214-5044</a><br></span></span></div><div dir="ltr"><span style="color:rgb(102,102,102)"><span><a value="+12146991224"></a></span></span></div></div></div></div></div></div>
</div></div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="color:rgb(102,102,102)"><span>Sincerely,<br>Don Hawkins<br>CEO<br>Hawkins Enterprise Group LLC<br><a href="http://hawkinsegroup.com" target="_blank">http://hawkinsegroup.com</a><br><a href="http://zello.com" target="_blank">Zello PTT</a>: push2don<br></span></span></div><div><span style="color:rgb(102,102,102)"><span>P: 469-214-5044<br></span></span></div><div dir="ltr"><span style="color:rgb(102,102,102)"><span><a value="+12146991224"></a></span></span></div></div></div></div></div></div>
</div>
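<div>One way to do what the top message asks (block every port except the needed ones), as an added example that is not part of the original thread: the script audits the <code>iptables -S</code> output posted above and emits a default-deny ruleset in iptables-restore format. The function names and the RTP range 16384:32768 are assumptions; the other ports are the ones in the posted jail.conf.</div>

```shell
#!/bin/sh
# Added example: default-deny INPUT ruleset for the host discussed in the thread.
SSH_PORT=22
SIP_PORTS=5060,5061,5080,5081   # ports from the posted [freeswitch] jail
RTP_RANGE=16384:32768           # assumption: RTP media range, adjust to your config

# Emit the ruleset in iptables-restore format, which loads as one atomic
# commit so the DROP policy never takes effect before the SSH rule does.
gen_rules() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT" \
        "-A INPUT -p tcp -m multiport --dports $SIP_PORTS -j ACCEPT" \
        "-A INPUT -p udp -m multiport --dports $SIP_PORTS -j ACCEPT" \
        "-A INPUT -p udp --dport $RTP_RANGE -j ACCEPT" \
        'COMMIT'
}

# Read `iptables -S` output on stdin and print one finding per problem.
audit_rules() {
    policy=unknown
    f2b_sip=no
    while read -r flag name value rest; do
        case "$flag $name" in
            "-P INPUT") policy=$value ;;
            "-N fail2ban-freeswitch") f2b_sip=yes ;;
        esac
    done
    [ "$policy" = DROP ] || echo "INPUT policy is $policy: ports without a rule stay reachable"
    [ "$f2b_sip" = yes ] || echo "no fail2ban-freeswitch chain: the freeswitch jail is not active"
}

# The `iptables -S` output as posted in the thread.
THREAD_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh'

printf '%s\n' "$THREAD_RULES" | audit_rules   # prints both findings
gen_rules                                     # prints the replacement ruleset
```

<div>Running <code>gen_rules | iptables-restore --test</code> as root parses the ruleset without loading it. After loading it for real, restart fail2ban, because iptables-restore flushes the existing rules and fail2ban has to re-create its chains.</div>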