<div dir="ltr">Yes I agree, it is better to drop the unwanted packets, but are you sure that those strings in the example will appear in the packets, I mean will someone advertise the software used to send DoS attack ?<div><br></div><div>--mirko</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 8, 2016 at 9:50 AM, Angel Elena <span dir="ltr"><<a href="mailto:craem@craem.net" target="_blank">craem@craem.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">fail2ban (only) is a bad idea to protect a freeswitch / sip server.<br>
<br>
If you have the server with 5060 NATed or published directly to internet, is better or add a layer 7 security.<br>
<br>
The SIP-boot networks are managed by SipVicious / SipVAx / Ozeeki softs...... fail2ban + iptables layer 7 security is best option.... who ?<br>
<br>
<br>
# Generated by iptables-save<br>
*filter<br>
:INPUT ACCEPT [541:131352]<br>
:FORWARD ACCEPT [0:0]<br>
:OUTPUT ACCEPT [528:125051]<br>
:SIPDOS - [0:0]<br>
-A INPUT -p udp -m udp --dport 5060 -m string --string "VoIP v11.2.4" --algo bm --to 65535 -m comment --comment "deny sundayddr" -j SIPDOS<br>
-A INPUT -p udp -m udp --dport 5060 -m string --string "sundayddr" --algo bm --to 65535 -m comment --comment "deny sundayddr" -j SIPDOS<br>
-A INPUT -p udp -m udp --dport 5060 -m string --string "sipsak" --algo bm --to 65535 -m comment --comment "deny sipsak" -j SIPDOS<br>
-A INPUT -p udp -m udp --dport 5060 -m string --string "sipvicious" --algo bm --to 65535 -m comment --comment "deny sipvicious" -j SIPDOS<br>
-A INPUT -p udp -m udp --dport 5060 -m string --string "friendly-scanner" --algo bm --to 65535 -m comment --comment "deny friendly-scanner" -j SIPDOS<br>
-A INPUT -p udp -m udp --dport 5060 -m string --string "iWar" --algo bm --to 65535 -m comment --comment "deny iWar" -j SIPDOS<br>
-A INPUT -p udp -m udp --dport 5060 -m string --string "sip-scan" --algo bm --to 65535 -m comment --comment "deny sip-scan" -j SIPDOS<br>
-A INPUT -p tcp -m tcp --dport 5060 -m string --string "sundayddr" --algo bm --to 65535 -m comment --comment "deny sundayddr" -j SIPDOS<br>
-A INPUT -p tcp -m tcp --dport 5060 -m string --string "sipsak" --algo bm --to 65535 -m comment --comment "deny sipsak" -j SIPDOS<br>
-A INPUT -p tcp -m tcp --dport 5060 -m string --string "sipvicious" --algo bm --to 65535 -m comment --comment "deny sipvicious" -j SIPDOS<br>
-A INPUT -p tcp -m tcp --dport 5060 -m string --string "friendly-scanner" --algo bm --to 65535 -m comment --comment "deny friendly-scanner" -j SIPDOS<br>
-A INPUT -p tcp -m tcp --dport 5060 -m string --string "iWar" --algo bm --to 65535 -m comment --comment "deny iWar" -j SIPDOS<br>
-A INPUT -p tcp -m tcp --dport 5060 -m string --string "sipcli" --algo bm --to 65535 -m comment --comment "deny sipcli" -j SIPDOS<br>
-A INPUT -p udp -m udp --dport 5060 -m string --string "VaxSIPUserAgent/3.1" --algo bm --to 65535 -m comment --comment "deny VaxSip" -j SIPDOS<br>
-A SIPDOS -j LOG --log-prefix "firewall-sipdos: " --log-level 6<br>
-A SIPDOS -j DROP<br>
<br>
COMMIT<br>
# Completed<br>
<br>
------------------------------<wbr>--<br>
Ángel Elena Medina _o)<br>
<a href="mailto:craem@craem.net">craem@craem.net</a> / \\<br>
<a href="http://blog.craem.net" rel="noreferrer" target="_blank">http://blog.craem.net</a> _(___V<br>
@craem_<br>
------------------------------<wbr>--<br>
<br>
-----Mensaje original-----<br>
De: Mirko Brankovic <<a href="mailto:mirkobrankovic@gmail.com">mirkobrankovic@gmail.com</a>><br>
Enviado: Jue 08-09-2016 08:56<br>
Asunto: Re: [Freeswitch-users] Getting fail2ban working properly<br>
Para: FreeSWITCH Users Help <<a href="mailto:freeswitch-users@lists.freeswitch.org">freeswitch-users@lists.<wbr>freeswitch.org</a>>;<br>
> On ubuntu it is called :<br>
> Chain fail2ban-freeswitch (1 references)<br>
><br>
> iptables -L should give you the chain if F2B started correctly, otherwise see<br>
> the fail2ban log for errors.<br>
><br>
><br>
><br>
> On Thu, Sep 8, 2016 at 7:42 AM, Jurijs Ivolga <<a href="mailto:jurijs.ivolga@gmail.com">jurijs.ivolga@gmail.com</a><br>
> <mailto:<a href="mailto:jurijs.ivolga@gmail.com">jurijs.ivolga@gmail.<wbr>com</a>> > wrote:<br>
> Hi,<br>
><br>
> I configured fail2ban several times a while ago, but not with freeswitch...<br>
><br>
> If you see that rules are missing, just add them and you can use SSH rules as<br>
> template. I believe it should make a trick.<br>
><br>
> And I see from you rules, that you are allowing all traffic and this is really<br>
> bad idea...<br>
><br>
> You should drop everything and allow only needed traffic.<br>
><br>
> With kind regards,<br>
><br>
> Jurijs<br>
><br>
> On Thu, Sep 8, 2016 at 12:15 AM, Don Hawkins <<a href="mailto:hawkins@hawkinsegroup.com">hawkins@hawkinsegroup.com</a><br>
> <mailto:<a href="mailto:hawkins@hawkinsegroup.com">hawkins@hawkinsegroup.<wbr>com</a>> > wrote:<br>
> Thanks for the reply!<br>
><br>
> Fail2Ban is running:<br>
> root@sip:/etc/fail2ban# fail2ban-client start<br>
> ERROR Server already running<br>
><br>
><br>
> I added everything in /etc/fail2ban/jail.conf<br>
><br>
> [ssh]<br>
> enabled = true<br>
> port = 22<br>
> filter = sshd<br>
> logpath = /var/log/auth.log<br>
> maxretry = 6<br>
><br>
> [freeswitch]<br>
> enabled = true<br>
> port = 5060,5061,5080,5081<br>
> filter = freeswitch<br>
> logpath = /var/log/freeswitch/<wbr>freeswitch.log<br>
> maxretry = 10<br>
><br>
><br>
> I also created /etc/fail2ban/filter.<wbr>d/freeswitch.conf as shown on <br>
> <a href="https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf" rel="noreferrer" target="_blank">https://github.com/fail2ban/<wbr>fail2ban/blob/master/config/<wbr>filter.d/freeswitch.conf</a><br>
><br>
><br>
> root@sip:/etc/fail2ban/filter.<wbr>d# iptables -S<br>
> -P INPUT ACCEPT<br>
> -P FORWARD ACCEPT<br>
> -P OUTPUT ACCEPT<br>
> -N fail2ban-ssh<br>
> -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh<br>
><br>
><br>
> As you can see when running iptables -S it shoes the "fail2ban-ssh" rule but<br>
> nothing about FreeSwitch.<br>
><br>
><br>
> Any help is appreciated.<br>
><br>
><br>
><br>
> On Wed, Sep 7, 2016 at 11:01 AM, jungle Boogie <<a href="mailto:jungleboogie0@gmail.com">jungleboogie0@gmail.com</a><br>
> <mailto:<a href="mailto:jungleboogie0@gmail.com">jungleboogie0@gmail.<wbr>com</a>> > wrote:<br>
> On 7 September 2016 at 08:33, Don Hawkins <<a href="mailto:hawkins@hawkinsegroup.com">hawkins@hawkinsegroup.com</a><br>
> <mailto:<a href="mailto:hawkins@hawkinsegroup.com">hawkins@hawkinsegroup.<wbr>com</a>> > wrote:<br>
> > It keeps saying it's not there, but I did add it, is there something I'm<br>
> > missing?<br>
><br>
> How did you add it? Is fail2ban running? Have you restarted your<br>
> computer after setting up fail2ban? If you do iptables -S, do you see<br>
> the rules?<br>
><br>
><br>
> --<br>
> -------<br>
> inum: 883510009027723<br>
> sip: <a href="mailto:jungleboogie@sip2sip.info">jungleboogie@sip2sip.info</a> <mailto:<a href="mailto:jungleboogie@sip2sip.info">jungleboogie@sip2sip.<wbr>info</a>><br>
><br>
> ______________________________<wbr>______________________________<wbr>_____________<br>
> Professional FreeSWITCH Consulting Services:<br>
> <a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a> <mailto:<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.<wbr>org</a>><br>
> <a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.<wbr>freeswitchsolutions.com</a> <<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.<wbr>freeswitchsolutions.com</a>><br>
><br>
> Official FreeSWITCH Sites<br>
> <a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a> <<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a>><br>
> <a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.<wbr>org</a> <<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.<wbr>org</a>><br>
> <a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a> <<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a>><br>
><br>
> FreeSWITCH-users mailing list<br>
> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.<wbr>freeswitch.org</a><br>
> <mailto:<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@<wbr>lists.freeswitch.org</a>><br>
> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>mailman/listinfo/freeswitch-<wbr>users</a><br>
> <<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>mailman/listinfo/freeswitch-<wbr>users</a>><br>
> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.<wbr>freeswitch.org/mailman/<wbr>options/freeswitch-users</a><br>
> <<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>mailman/options/freeswitch-<wbr>users</a>><br>
> <a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a> <<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a>><br>
><br>
><br>
><br>
> --<br>
> Sincerely,<br>
> Don Hawkins<br>
> CEO<br>
> Hawkins Enterprise Group LLC<br>
> <a href="http://hawkinsegroup.com" rel="noreferrer" target="_blank">http://hawkinsegroup.com</a> <<a href="http://hawkinsegroup.com" rel="noreferrer" target="_blank">http://hawkinsegroup.com</a>><br>
> Zello PTT <<a href="http://zello.com" rel="noreferrer" target="_blank">http://zello.com</a>> : push2don<br>
> P: 469-214-5044<br>
><br>
> ______________________________<wbr>______________________________<wbr>_____________<br>
> Professional FreeSWITCH Consulting Services:<br>
> <a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a> <mailto:<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.<wbr>org</a>><br>
> <a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.<wbr>freeswitchsolutions.com</a> <<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.<wbr>freeswitchsolutions.com</a>><br>
><br>
> Official FreeSWITCH Sites<br>
> <a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a> <<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a>><br>
> <a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.<wbr>org</a> <<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.<wbr>org</a>><br>
> <a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a> <<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a>><br>
><br>
> FreeSWITCH-users mailing list<br>
> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.<wbr>freeswitch.org</a><br>
> <mailto:<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@<wbr>lists.freeswitch.org</a>><br>
> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>mailman/listinfo/freeswitch-<wbr>users</a><br>
> <<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>mailman/listinfo/freeswitch-<wbr>users</a>><br>
> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.<wbr>freeswitch.org/mailman/<wbr>options/freeswitch-users</a><br>
> <<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>mailman/options/freeswitch-<wbr>users</a>><br>
> <a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a> <<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a>><br>
><br>
><br>
> ______________________________<wbr>______________________________<wbr>_____________<br>
> Professional FreeSWITCH Consulting Services:<br>
> <a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a> <mailto:<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.<wbr>org</a>><br>
> <a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.<wbr>freeswitchsolutions.com</a> <<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.<wbr>freeswitchsolutions.com</a>><br>
><br>
> Official FreeSWITCH Sites<br>
> <a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a> <<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a>><br>
> <a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.<wbr>org</a> <<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.<wbr>org</a>><br>
> <a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a> <<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a>><br>
><br>
> FreeSWITCH-users mailing list<br>
> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.<wbr>freeswitch.org</a><br>
> <mailto:<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@<wbr>lists.freeswitch.org</a>><br>
> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>mailman/listinfo/freeswitch-<wbr>users</a><br>
> <<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>mailman/listinfo/freeswitch-<wbr>users</a>><br>
> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.<wbr>freeswitch.org/mailman/<wbr>options/freeswitch-users</a><br>
> <<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>mailman/options/freeswitch-<wbr>users</a>><br>
> <a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a> <<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a>><br>
><br>
><br>
><br>
> --<br>
> Regards,<br>
> Mirko<br>
><br>
> ______________________________<wbr>______________________________<wbr>_____________<br>
><br>
> Professional FreeSWITCH Consulting Services:<br>
><br>
> <a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
><br>
> <a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.<wbr>freeswitchsolutions.com</a><br>
><br>
><br>
><br>
> Official FreeSWITCH Sites<br>
><br>
> <a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
><br>
> <a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.<wbr>org</a><br>
><br>
> <a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
><br>
><br>
><br>
> FreeSWITCH-users mailing list<br>
><br>
> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.<wbr>freeswitch.org</a><br>
><br>
> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>mailman/listinfo/freeswitch-<wbr>users</a><br>
><br>
> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.<wbr>freeswitch.org/mailman/<wbr>options/freeswitch-users</a><br>
><br>
> <a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
><br>
><br>
<br>
______________________________<wbr>______________________________<wbr>_____________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.<wbr>freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.<wbr>org</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.<wbr>freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>mailman/listinfo/freeswitch-<wbr>users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.<wbr>freeswitch.org/mailman/<wbr>options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr">Regards,<div>Mirko</div></div></div></div></div>
</div>