<div dir="ltr">Make sure you have blocktype = DROP in your iptables-blocktype.conf.<div><br></div><div>It is always better to drop than to reject the packets; it gives the attacker a timeout and makes one less packet for you to send :D </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Sep 11, 2016 at 3:18 AM, Don Hawkins <span dir="ltr">&lt;<a href="mailto:hawkins@hawkinsegroup.com" target="_blank">hawkins@hawkinsegroup.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>No problem, I need to take notes anyway. Here they are...</div><div><br></div><div><br></div><div><b>A.</b>  /etc/fail2ban/filter.d/<wbr>freeswitch.conf needs the following text:</div><div><br></div><div><a href="https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf" target="_blank">https://github.com/fail2ban/<wbr>fail2ban/blob/master/config/<wbr>filter.d/freeswitch.conf</a><br></div><div><br></div><div>NOTE: Internal and Public sofia profiles need:  &lt;param name=&quot;log-auth-failures&quot; value=&quot;true&quot;/&gt;</div><div><br></div><div><br><b>B.</b>  /etc/fail2ban/jail.conf and in /etc/fail2ban/jail.local (not sure which one is working, I had to create 
jail.local)</div><div><div><br></div><div>[freeswitch]</div><div>enabled  = true</div><div>port     = 5060,5061,5080,5081,5076,5074,5071</div><div>filter   = freeswitch</div><div>logpath  = /var/log/freeswitch/freeswitch<wbr>.log</div><div>maxretry = 3</div></div><div><br></div><div><br></div><div><b>C.</b> Drop these rules into iptables to block the scanners on ports 5060 and 5080</div><div><br></div><div><div>iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string &quot;VaxSIPUserAgent&quot; --algo bm</div><div>iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string &quot;friendly-scanner&quot; --algo bm</div><div>iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string &quot;sipcli&quot; --algo bm</div><div>iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string &quot;VaxSIPUserAgent&quot; --algo bm</div><div>iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string &quot;friendly-scanner&quot; --algo bm</div><div>iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string &quot;sipcli&quot; --algo bm</div></div><div><br></div><div><br></div><div><b>D.</b> Change SSH port from 22 to a custom number</div><div><br></div><div><span style="line-height:19.2px">vi /etc/ssh/sshd_config</span><br></div><div><span style="line-height:19.2px"><br></span></div><div><span style="line-height:19.2px"><br></span></div><div><span style="line-height:19.2px"><b>E.</b> Update SSH jail in </span>/etc/fail2ban/jail.conf to custom port number.</div><div><br></div><div><div>[ssh]</div><div><br></div><div>enabled  = true</div><div>port     = 9898,22</div><div>filter   = sshd</div><div>logpath  = /var/log/auth.log</div><div>maxretry = 6</div></div><div><br></div><div><br></div><div><b>F.</b> I also have additional security using CDR records (curl).  
If a call comes in that does not have an &#39;account number&#39; set (a custom variable we set for all incoming and outgoing calls from our customers) then we execute a shell command to block that IP without delay because they obviously aren&#39;t one of our customers. We are using mod_httapi and all calls start that way for us, so it&#39;s easy to set the variable as all calls start with &lt;continue&gt;.<br><br></div><div><br></div><div><span style="color:rgb(102,102,102);font-family:consolas,monaco,menlo,courier,verdana,sans-serif;line-height:16px;background-color:rgb(250,251,252)">iptables -A INPUT -s 65.55.44.100 -j DROP</span><br></div><div><span style="color:rgb(102,102,102);font-family:consolas,monaco,menlo,courier,verdana,sans-serif;line-height:16px;background-color:rgb(250,251,252)"><br></span></div><div><span style="color:rgb(102,102,102);font-family:consolas,monaco,menlo,courier,verdana,sans-serif;line-height:16px;background-color:rgb(250,251,252)"><br></span></div><div><span style="color:rgb(102,102,102);font-family:consolas,monaco,menlo,courier,verdana,sans-serif;line-height:16px;background-color:rgb(250,251,252)">Where </span><span style="color:rgb(102,102,102);font-family:consolas,monaco,menlo,courier,verdana,sans-serif;line-height:16px;background-color:rgb(250,251,252)">65.55.44.100 is the ip to block.</span></div><span class="HOEnZb"><font color="#888888"><div><span style="color:rgb(102,102,102);font-family:consolas,monaco,menlo,courier,verdana,sans-serif;font-size:16px;line-height:16px;background-color:rgb(250,251,252)"><br></span></div><div><span style="color:rgb(102,102,102);font-family:consolas,monaco,menlo,courier,verdana,sans-serif;font-size:16px;line-height:16px;background-color:rgb(250,251,252)"><br></span></div><div><span style="color:rgb(102,102,102);font-family:consolas,monaco,menlo,courier,verdana,sans-serif;font-size:16px;line-height:16px;background-color:rgb(250,251,252)"><br></span></div><div>Don</div></font></span><div><div 
class="h5"><div><br></div><div><br></div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Sep 10, 2016 at 7:58 PM, George Assaad <span dir="ltr">&lt;<a href="mailto:gassaad@emassembly.com" target="_blank">gassaad@emassembly.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word">Hi Don,<div>Could you please share your final settings since it works.</div><div><br></div><div>Thanks,</div><div><br></div><div>George<div><div><br><div><blockquote type="cite"><div>On Sep 10, 2016, at 5:49 PM, Don Hawkins &lt;<a href="mailto:hawkins@hawkinsegroup.com" target="_blank">hawkins@hawkinsegroup.com</a>&gt; wrote:</div><br><div><div dir="ltr">Just want to update everyone that the registration attempts have almost stopped 100% since blocking the sniffers and setting a 4 hour block time after three failed registrations.<div><br></div><div>Good day!</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 8, 2016 at 4:21 PM, jungle Boogie <span dir="ltr">&lt;<a href="mailto:jungleboogie0@gmail.com" target="_blank">jungleboogie0@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span>On 8 September 2016 at 12:54, Don Hawkins &lt;<a href="mailto:hawkins@hawkinsegroup.com" target="_blank">hawkins@hawkinsegroup.com</a>&gt; wrote:<br>
&gt; Can someone share with me how to block all ports except the important ones?<br>
<br>
</span>I had the same question about a month ago:<br>
<a href="http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121694.html" rel="noreferrer" target="_blank">http://lists.freeswitch.org/pi<wbr>permail/freeswitch-users/2016-<wbr>August/121694.html</a><br>
<br>
Colin gives good advice here:<br>
<a href="http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121730.html" rel="noreferrer" target="_blank">http://lists.freeswitch.org/pi<wbr>permail/freeswitch-users/2016-<wbr>August/121730.html</a><br>
<br>
I&#39;ve also had success with contacting the originating network and<br>
requesting that their customer stop the traffic to me.<br>
<br>
Here&#39;s the abuse form for <a href="http://online.net/" rel="noreferrer" target="_blank">online.net</a>:<br>
<a href="https://console.online.net/en/account/abuses/search" rel="noreferrer" target="_blank">https://console.online.net/en/<wbr>account/abuses/search</a><br>
<br>
By the way, if the fail2ban page on confluence needs updating, please<br>
update it or list what&#39;s wrong with it. I do see it indicates to<br>
create the jail.local and that&#39;s what you were missing for yours to<br>
work properly.<br>
<div><div><br>
<br>
--<br>
-------<br>
inum: 883510009027723<br>
sip: <a href="mailto:jungleboogie@sip2sip.info" target="_blank">jungleboogie@sip2sip.info</a><br>
<br>
______________________________<wbr>______________________________<wbr>_____________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com/" rel="noreferrer" target="_blank">http://www.freeswitchsolutions<wbr>.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org/" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org/" rel="noreferrer" target="_blank">http://confluence.freeswitch.o<wbr>rg</a><br>
<a href="http://www.cluecon.com/" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswi<wbr>tch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/ma<wbr>ilman/listinfo/freeswitch-user<wbr>s</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.frees<wbr>witch.org/mailman/options/free<wbr>switch-users</a><br>
<a href="http://www.freeswitch.org/" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="color:rgb(102,102,102)"><span>Sincerely,<br>Don Hawkins<br>CEO<br>Hawkins Enterprise Group LLC<br><a href="http://hawkinsegroup.com/" target="_blank">http://hawkinsegroup.com</a><br><a href="http://zello.com/" target="_blank">Zello PTT</a>: push2don<br></span></span></div><div><span style="color:rgb(102,102,102)"><span>P: <a href="tel:469-214-5044" value="+14692145044" target="_blank">469-214-5044</a><br></span></span></div><div dir="ltr"><span style="color:rgb(102,102,102)"><span><a value="+12146991224"></a></span></span></div></div></div></div></div></div>
</div>
</div></blockquote></div><br></div></div></div></div><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="color:rgb(102,102,102)"><span>Sincerely,<br>Don Hawkins<br>CEO<br>Hawkins Enterprise Group LLC<br><a href="http://hawkinsegroup.com" target="_blank">http://hawkinsegroup.com</a><br><a href="http://zello.com" target="_blank">Zello PTT</a>: push2don<br></span></span></div><div><span style="color:rgb(102,102,102)"><span>P: <a href="tel:469-214-5044" value="+14692145044" target="_blank">469-214-5044</a><br></span></span></div><div dir="ltr"><span style="color:rgb(102,102,102)"><span><a value="+12146991224"></a></span></span></div></div></div></div></div></div>
</div></div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr">Regards,<div>Mirko</div></div></div></div></div>
</div>
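A hardened form of the CDR-triggered block described in step F, as an added example that is not code from the thread: the address handed to the hook is validated as IPv4, checked against an allowlist, and inserted only when no identical rule exists. The functions `is_ipv4` and `block_ip`, the variables `IPTABLES` and `ALLOWLIST`, and the script name are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example (not from the thread): validated, idempotent IP block for a CDR hook.
IPTABLES="${IPTABLES:-iptables}"     # hypothetical override so the logic can be exercised without root
ALLOWLIST="${ALLOWLIST:-127.0.0.1}"  # hypothetical: space-separated addresses that must never be blocked

# Succeed only for a dotted-quad IPv4 address, octets 0..255, no leading zeros.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # rejects spaces, ';', '$(...)' and empty octets
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac  # "010" is ambiguous (octal vs decimal)
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return: 0 rule inserted, 1 invalid address, 2 allowlisted, 3 already blocked.
block_ip() {
    ip=$1
    is_ipv4 "$ip" || return 1
    for ok in $ALLOWLIST; do
        [ "$ip" = "$ok" ] && return 2
    done
    # -C tests for an identical rule, so repeated CDRs from one source do not stack duplicates.
    if "$IPTABLES" -C INPUT -s "$ip" -j DROP 2>/dev/null; then
        return 3
    fi
    # -I places the rule at the top of INPUT, ahead of any ACCEPT rule for the SIP ports.
    "$IPTABLES" -I INPUT -s "$ip" -j DROP
}

# Run as: block_ip.sh <address>   (constructed usage; the script name is an assumption)
if [ "$#" -gt 0 ]; then
    block_ip "$1"
    exit $?
fi
```

Put your own signalling peers and management addresses in `ALLOWLIST` before wiring this to a hook, since a CDR with a missing variable would otherwise block them.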