<div dir="ltr">So, to only block failures does this regex look right? I basically just removed "failure|challenge" and replaced with "failure"<div><br></div><div><div>failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$</div></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Sep 11, 2016 at 2:23 AM, Angel Elena <span dir="ltr"><<a href="mailto:craem@craem.net" target="_blank">craem@craem.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Great!!!<br>
<br>
Thanks for sharing.<br>
<span class=""><br>
------------------------------<wbr>--<br>
Ángel Elena Medina _o)<br>
<a href="mailto:craem@craem.net">craem@craem.net</a> / \\<br>
<a href="http://blog.craem.net" rel="noreferrer" target="_blank">http://blog.craem.net</a> _(___V<br>
@craem_<br>
------------------------------<wbr>--<br>
<br>
-----Original message-----<br>
</span>From: Don Hawkins <<a href="mailto:hawkins@hawkinsegroup.com">hawkins@hawkinsegroup.com</a>><br>
Sent: Sun 11-09-2016 03:22<br>
<span class="">Subject: Re: [Freeswitch-users] Getting fail2ban working properly<br>
To: FreeSWITCH Users Help <<a href="mailto:freeswitch-users@lists.freeswitch.org">freeswitch-users@lists.<wbr>freeswitch.org</a>>;<br>
</span><div><div class="h5">> No problem, I need to take notes anyway. Here they are...<br>
><br>
><br>
> A. /etc/fail2ban/filter.d/freeswitch.conf needs the following text:<br>
><br>
> <a href="https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf" rel="noreferrer" target="_blank">https://github.com/fail2ban/<wbr>fail2ban/blob/master/config/<wbr>filter.d/freeswitch.conf</a><br>
><br>
> NOTE: Internal and Public sofia profiles need: <param name="log-auth-failures" value="true"/><br>
><br>
><br>
> B. /etc/fail2ban/jail.conf and in /etc/fail2ban/jail.local (not sure which one<br>
> is working, I had to create jail.local)<br>
><br>
> [freeswitch]<br>
> enabled = true<br>
> port = 5060,5061,5080,5081,5076,5074,5071<br>
> filter = freeswitch<br>
> logpath = /var/log/freeswitch/freeswitch.log<br>
> maxretry = 3<br>
><br>
><br>
> C. Drop these rules into iptables to block the scanners on ports 5060 and 5080<br>
><br>
> iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm<br>
> iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm<br>
> iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm<br>
> iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "VaxSIPUserAgent" --algo bm<br>
> iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "friendly-scanner" --algo bm<br>
> iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "sipcli" --algo bm<br>
><br>
><br>
> D. Change SSH port from 22 to a custom number<br>
><br>
> vi /etc/ssh/sshd_config<br>
><br>
><br>
> E. Update SSH jail in /etc/fail2ban/jail.conf to custom port number.<br>
><br>
> [ssh]<br>
><br>
> enabled = true<br>
> port = 9898,22<br>
> filter = sshd<br>
> logpath = /var/log/auth.log<br>
> maxretry = 6<br>
><br>
><br>
> F. I also have additional security using CDR records (curl). If a call comes<br>
> in that does not have an 'account number' set (a custom variable we set for all<br>
> incoming and outgoing calls from our customers) then we execute a shell command<br>
> to block that IP without delay because they obviously aren't one of our<br>
> customers. We are using mod_httapi and all calls start that way for us, so it's<br>
> easy to set the variable as all calls start with <continue>.<br>
><br>
><br>
> iptables -A INPUT -s 65.55.44.100 -j DROP<br>
><br>
><br>
> Where 65.55.44.100 is the ip to block.<br>
><br>
><br>
><br>
> Don<br>
><br>
><br>
><br>
><br>
> On Sat, Sep 10, 2016 at 7:58 PM, George Assaad <<a href="mailto:gassaad@emassembly.com">gassaad@emassembly.com</a><br>
</div></div><span class="">> <mailto:<a href="mailto:gassaad@emassembly.com">gassaad@emassembly.com</a><wbr>> > wrote:<br>
> Hi Don,<br>
> Could you please share your final settings since it works.<br>
><br>
> Thanks,<br>
><br>
> George<br>
><br>
> On Sep 10, 2016, at 5:49 PM, Don Hawkins <<a href="mailto:hawkins@hawkinsegroup.com">hawkins@hawkinsegroup.com</a><br>
</span><span class="">> <mailto:<a href="mailto:hawkins@hawkinsegroup.com">hawkins@hawkinsegroup.<wbr>com</a>> > wrote:<br>
><br>
> Just want to update everyone that the registration attempts have almost stopped<br>
> 100% since blocking the sniffers and setting a 4 hour block time after three<br>
> failed registrations.<br>
><br>
> Good day!<br>
><br>
> On Thu, Sep 8, 2016 at 4:21 PM, jungle Boogie <<a href="mailto:jungleboogie0@gmail.com">jungleboogie0@gmail.com</a><br>
</span><span class="">> <mailto:<a href="mailto:jungleboogie0@gmail.com">jungleboogie0@gmail.<wbr>com</a>> > wrote:<br>
> On 8 September 2016 at 12:54, Don Hawkins <<a href="mailto:hawkins@hawkinsegroup.com">hawkins@hawkinsegroup.com</a><br>
</span><span class="">> <mailto:<a href="mailto:hawkins@hawkinsegroup.com">hawkins@hawkinsegroup.<wbr>com</a>> > wrote:<br>
> > Can someone share with me how to block all ports except the important ones?<br>
><br>
> I had the same question about a month ago:<br>
> <a href="http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121694.html" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>pipermail/freeswitch-users/<wbr>2016-August/121694.html</a><br>
><br>
><br>
> Colin gives good advice here:<br>
> <a href="http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121730.html" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>pipermail/freeswitch-users/<wbr>2016-August/121730.html</a><br>
><br>
><br>
> I've also had success with contacting the originating network and<br>
> requesting that their customer stop the traffic to me.<br>
><br>
</span>> Here's the abuse form for <a href="http://online.net" rel="noreferrer" target="_blank">online.net</a> <<a href="http://online.net/" rel="noreferrer" target="_blank">http://online.net/</a>> :<br>
<span class="">> <a href="https://console.online.net/en/account/abuses/search" rel="noreferrer" target="_blank">https://console.online.net/en/<wbr>account/abuses/search</a><br>
><br>
> By the way, if the fail2ban page on confluence needs updating, please<br>
> update it or list what's wrong with it. I do see it indicates to<br>
> create the jail.local and that's what you were missing for yours to<br>
> work properly.<br>
><br>
><br>
</span>> --<br>
> -------<br>
> inum: 883510009027723<br>
> sip: <a href="mailto:jungleboogie@sip2sip.info">jungleboogie@sip2sip.info</a> <mailto:<a href="mailto:jungleboogie@sip2sip.info">jungleboogie@sip2sip.<wbr>info</a>><br>
<span class="">><br>
> ______________________________<wbr>______________________________<wbr>_____________<br>
> Professional FreeSWITCH Consulting Services:<br>
</span>> <a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a> <mailto:<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.<wbr>org</a>><br>
> <a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.<wbr>freeswitchsolutions.com</a> <<a href="http://www.freeswitchsolutions.com/" rel="noreferrer" target="_blank">http://www.<wbr>freeswitchsolutions.com/</a>><br>
><br>
> Official FreeSWITCH Sites<br>
> <a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a> <<a href="http://www.freeswitch.org/" rel="noreferrer" target="_blank">http://www.freeswitch.org/</a>><br>
> <a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.<wbr>org</a> <<a href="http://confluence.freeswitch.org/" rel="noreferrer" target="_blank">http://confluence.freeswitch.<wbr>org/</a>><br>
> <a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a> <<a href="http://www.cluecon.com/" rel="noreferrer" target="_blank">http://www.cluecon.com/</a>><br>
<span class="">><br>
> FreeSWITCH-users mailing list<br>
> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.<wbr>freeswitch.org</a><br>
> <mailto:<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@<wbr>lists.freeswitch.org</a>><br>
> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>mailman/listinfo/freeswitch-<wbr>users</a><br>
</span><span class="">> <<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>mailman/listinfo/freeswitch-<wbr>users</a>><br>
> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.<wbr>freeswitch.org/mailman/<wbr>options/freeswitch-users</a><br>
</span>> <<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/<wbr>mailman/options/freeswitch-<wbr>users</a>><br>
> <a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a> <<a href="http://www.freeswitch.org/" rel="noreferrer" target="_blank">http://www.freeswitch.org/</a>><br>
<span class="">><br>
><br>
><br>
> --<br>
> Sincerely,<br>
> Don Hawkins<br>
> CEO<br>
> Hawkins Enterprise Group LLC<br>
</span>> <a href="http://hawkinsegroup.com" rel="noreferrer" target="_blank">http://hawkinsegroup.com</a> <<a href="http://hawkinsegroup.com/" rel="noreferrer" target="_blank">http://hawkinsegroup.com/</a>><br>
> Zello PTT <<a href="http://zello.com/" rel="noreferrer" target="_blank">http://zello.com/</a>> : push2don<br>
> P: <a href="tel:469-214-5044" value="+14692145044">469-214-5044</a><br>
<div class="HOEnZb"><div class="h5">><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="color:rgb(102,102,102)"><span>Sincerely,<br>Don Hawkins<br>CEO<br>Hawkins Enterprise Group LLC<br><a href="http://hawkinsegroup.com" target="_blank">http://hawkinsegroup.com</a><br><a href="http://zello.com" target="_blank">Zello PTT</a>: push2don<br></span></span></div><div><span style="color:rgb(102,102,102)"><span>P: 469-214-5044<br></span></span></div></div></div></div></div></div>
</div>
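<div>Added example (not part of the original thread, and not fail2ban's or FreeSWITCH's own code): an offline check of the failure-only failregex from the message above against the "failure|challenge" form it was derived from, run over constructed log lines. The IPv4 pattern standing in for fail2ban's HOST tag, the timestamp stripping, the helper names and the plain count against maxretry = 3 (no findtime window) are assumptions made for the illustration.</div>

```python
import re
from collections import Counter

# Stand-in for fail2ban's <HOST> tag (assumption: IPv4 only; the real
# expansion also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The "failure|challenge" form and the failure-only variant asked about above.
UPSTREAM = (r"^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) "
            r"\((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] "
            r"from ip <HOST>$")
FAILURE_ONLY = UPSTREAM.replace("(failure|challenge)", "(failure)")

# Assumption: the date is cut off before failregex is applied, which is why
# both patterns start at the fractional seconds.
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def log_line(ts, kind, method, user, ip):
    """Build one constructed FreeSWITCH-style auth log line."""
    return (f"2016-09-11 {ts} [WARNING] sofia_reg.c:1792 SIP auth {kind} "
            f"({method}) on sofia profile 'internal' for "
            f"[{user}@pbx.example.com] from ip {ip}")


# Constructed sample: 192.0.2.10 is a phone that answers every digest
# challenge correctly; 198.51.100.7 keeps sending wrong credentials.
SAMPLE_LOG = "\n".join([
    log_line("02:00:01.100000", "challenge", "REGISTER", "1001", "192.0.2.10"),
    log_line("02:10:01.200000", "challenge", "REGISTER", "1001", "192.0.2.10"),
    log_line("02:12:30.300000", "challenge", "INVITE", "1001", "192.0.2.10"),
    log_line("02:15:00.400000", "challenge", "REGISTER", "100", "198.51.100.7"),
    log_line("02:15:00.500000", "failure", "REGISTER", "100", "198.51.100.7"),
    log_line("02:15:01.600000", "failure", "REGISTER", "101", "198.51.100.7"),
    log_line("02:15:02.700000", "failure", "REGISTER", "102", "198.51.100.7"),
    "2016-09-11 02:16:00.800000 [NOTICE] constructed unrelated line",
])


def count_hits(failregex, log_text):
    """Count failregex matches per source address."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(TIMESTAMP.sub("", line, count=1))
        if match:
            hits[match.group("host")] += 1
    return hits


def banned(failregex, log_text, maxretry=3):
    """Addresses whose hit count reaches maxretry."""
    hits = count_hits(failregex, log_text)
    return sorted(ip for ip, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    print("failure|challenge:", banned(UPSTREAM, SAMPLE_LOG))
    print("failure only:     ", banned(FAILURE_ONLY, SAMPLE_LOG))
```

<div>On a live system, running fail2ban-regex against the real freeswitch.log and the edited filter file gives the authoritative match counts.</div>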