[Freeswitch-users] Getting fail2ban working properly

Andrew Cassidy andrew at cassidywebservices.co.uk
Thu Sep 8 18:53:21 MSD 2016


Usually they do, yes. Sometimes they change the UA to a valid one. Most
people running these attacks are skiddies so don't bother.

I use these sorts of rules in conjunction with fail2ban because an IP match
is much faster than a substring match. That is to say I log and drop, then
have fail2ban checking the logs and adding the IP addresses.

On 8 September 2016 at 15:36, Mirko Brankovic <mirkobrankovic at gmail.com>
wrote:

> Yes I agree, it is better to drop the unwanted packets, but are you sure
> that those strings in the example will appear in the packets? I mean, will
> someone advertise the software used to send a DoS attack?
>
> --mirko
>
> On Thu, Sep 8, 2016 at 9:50 AM, Angel Elena <craem at craem.net> wrote:
>
>> fail2ban (only) is a bad idea to protect a freeswitch / sip server.
>>
>> If you have the server with 5060 NATed or published directly to the internet,
>> it is better to add a layer 7 security.
>>
>> The SIP-bot networks are managed by SipVicious / SipVAx / Ozeeki
>> softs...... fail2ban + iptables layer 7 security is the best option.... who ?
>>
>>
>> # Generated by iptables-save
>> *filter
>> :INPUT ACCEPT [541:131352]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [528:125051]
>> :SIPDOS - [0:0]
>> -A INPUT -p udp -m udp --dport 5060 -m string --string "VoIP v11.2.4" --algo bm --to 65535 -m comment --comment "deny sundayddr" -j SIPDOS
>> -A INPUT -p udp -m udp --dport 5060 -m string --string "sundayddr" --algo bm --to 65535 -m comment --comment "deny sundayddr" -j SIPDOS
>> -A INPUT -p udp -m udp --dport 5060 -m string --string "sipsak" --algo bm --to 65535 -m comment --comment "deny sipsak" -j SIPDOS
>> -A INPUT -p udp -m udp --dport 5060 -m string --string "sipvicious" --algo bm --to 65535 -m comment --comment "deny sipvicious" -j SIPDOS
>> -A INPUT -p udp -m udp --dport 5060 -m string --string "friendly-scanner" --algo bm --to 65535 -m comment --comment "deny friendly-scanner" -j SIPDOS
>> -A INPUT -p udp -m udp --dport 5060 -m string --string "iWar" --algo bm --to 65535 -m comment --comment "deny iWar" -j SIPDOS
>> -A INPUT -p udp -m udp --dport 5060 -m string --string "sip-scan" --algo bm --to 65535 -m comment --comment "deny sip-scan" -j SIPDOS
>> -A INPUT -p tcp -m tcp --dport 5060 -m string --string "sundayddr" --algo bm --to 65535 -m comment --comment "deny sundayddr" -j SIPDOS
>> -A INPUT -p tcp -m tcp --dport 5060 -m string --string "sipsak" --algo bm --to 65535 -m comment --comment "deny sipsak" -j SIPDOS
>> -A INPUT -p tcp -m tcp --dport 5060 -m string --string "sipvicious" --algo bm --to 65535 -m comment --comment "deny sipvicious" -j SIPDOS
>> -A INPUT -p tcp -m tcp --dport 5060 -m string --string "friendly-scanner" --algo bm --to 65535 -m comment --comment "deny friendly-scanner" -j SIPDOS
>> -A INPUT -p tcp -m tcp --dport 5060 -m string --string "iWar" --algo bm --to 65535 -m comment --comment "deny iWar" -j SIPDOS
>> -A INPUT -p tcp -m tcp --dport 5060 -m string --string "sipcli" --algo bm --to 65535 -m comment --comment "deny sipcli" -j SIPDOS
>> -A INPUT -p udp -m udp --dport 5060 -m string --string "VaxSIPUserAgent/3.1" --algo bm --to 65535 -m comment --comment "deny VaxSip" -j SIPDOS
>> -A SIPDOS -j LOG --log-prefix "firewall-sipdos: " --log-level 6
>> -A SIPDOS -j DROP
>>
>> COMMIT
>> # Completed
>>
>> --------------------------------
>> Ángel Elena Medina       _o)
>> craem at craem.net          / \\
>> http://blog.craem.net  _(___V
>> @craem_
>> --------------------------------
>>
>> -----Original Message-----
>> From:     Mirko Brankovic <mirkobrankovic at gmail.com>
>> Sent:        Thu 08-09-2016 08:56
>> Subject: Re: [Freeswitch-users] Getting fail2ban working properly
>> To:   FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>;
>> > On ubuntu it is called :
>> > Chain fail2ban-freeswitch (1 references)
>> >
>> > iptables -L should give you the chain if F2B started correctly,
>> > otherwise see the fail2ban log for errors.
>> >
>> >
>> >
>> > On Thu, Sep 8, 2016 at 7:42 AM, Jurijs Ivolga <jurijs.ivolga at gmail.com
>> > <mailto:jurijs.ivolga at gmail.com> > wrote:
>> > Hi,
>> >
>> > I configured fail2ban several times a while ago, but not with freeswitch...
>> >
>> > If you see that rules are missing, just add them; you can use the SSH rules
>> > as a template. I believe it should do the trick.
>> >
>> > And I see from your rules that you are allowing all traffic, and this is
>> > a really bad idea...
>> >
>> > You should drop everything and allow only needed traffic.
>> >
>> > With kind regards,
>> >
>> > Jurijs
>> >
>> > On Thu, Sep 8, 2016 at 12:15 AM, Don Hawkins <hawkins at hawkinsegroup.com
>> > <mailto:hawkins at hawkinsegroup.com> > wrote:
>> > Thanks for the reply!
>> >
>> > Fail2Ban is running:
>> > root at sip:/etc/fail2ban# fail2ban-client start
>> > ERROR  Server already running
>> >
>> >
>> > I added everything in /etc/fail2ban/jail.conf
>> >
>> > [ssh]
>> > enabled  = true
>> > port     = 22
>> > filter   = sshd
>> > logpath  = /var/log/auth.log
>> > maxretry = 6
>> >
>> > [freeswitch]
>> > enabled  = true
>> > port     = 5060,5061,5080,5081
>> > filter   = freeswitch
>> > logpath  = /var/log/freeswitch/freeswitch.log
>> > maxretry = 10
>> >
>> >
>> > I also created /etc/fail2ban/filter.d/freeswitch.conf as shown on
>> > https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf
>> >
>> >
>> > root at sip:/etc/fail2ban/filter.d# iptables -S
>> > -P INPUT ACCEPT
>> > -P FORWARD ACCEPT
>> > -P OUTPUT ACCEPT
>> > -N fail2ban-ssh
>> > -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
>> >
>> >
>> > As you can see when running iptables -S, it shows the "fail2ban-ssh" rule
>> > but nothing about FreeSwitch.
>> >
>> >
>> > Any help is appreciated.
>> >
>> >
>> >
>> > On Wed, Sep 7, 2016 at 11:01 AM, jungle Boogie <jungleboogie0 at gmail.com
>> > <mailto:jungleboogie0 at gmail.com> > wrote:
>> > On 7 September 2016 at 08:33, Don Hawkins <hawkins at hawkinsegroup.com
>> > <mailto:hawkins at hawkinsegroup.com> > wrote:
>> > > It keeps saying it's not there, but I did add it, is there something I'm
>> > > missing?
>> >
>> > How did you add it? Is fail2ban running? Have you restarted your
>> > computer after setting up fail2ban? If you do iptables -S, do you see
>> > the rules?
>> >
>> >
>> > --
>> > -------
>> > inum: 883510009027723
>> > sip: jungleboogie at sip2sip.info <mailto:jungleboogie at sip2sip.info>
>> >
>> > ____________________________________________________________
>> _____________
>> > Professional FreeSWITCH Consulting Services:
>> > consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>> > http://www.freeswitchsolutions.com <http://www.freeswitchsolutions.com>
>> >
>> > Official FreeSWITCH Sites
>> > http://www.freeswitch.org <http://www.freeswitch.org>
>> > http://confluence.freeswitch.org <http://confluence.freeswitch.org>
>> > http://www.cluecon.com <http://www.cluecon.com>
>> >
>> > FreeSWITCH-users mailing list
>> > FreeSWITCH-users at lists.freeswitch.org
>> > <mailto:FreeSWITCH-users at lists.freeswitch.org>
>> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> > <http://lists.freeswitch.org/mailman/listinfo/freeswitch-users>
>> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/
>> freeswitch-users
>> > <http://lists.freeswitch.org/mailman/options/freeswitch-users>
>> > http://www.freeswitch.org <http://www.freeswitch.org>
>> >
>> >
>> >
>> > --
>> > Sincerely,
>> > Don Hawkins
>> > CEO
>> > Hawkins Enterprise Group LLC
>> > http://hawkinsegroup.com <http://hawkinsegroup.com>
>> > Zello PTT <http://zello.com> : push2don
>> > P: 469-214-5044
>> >
>> >
>> > --
>> > Regards,
>> > Mirko
>> >
>>
>
>
>
>
> --
> Regards,
> Mirko
>
>



-- 
*Andrew Cassidy BSc (Hons) MBCS SSCA*
Managing Director

03303 880 960 andrew at cassidyweb.co.uk <andrew at cassidywebservices.co.uk>
www.cassidyweb.co.uk <http://www.cassidywebservices.co.uk>
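Andrew's "log and drop, then let fail2ban add the IP" setup, combined with the SIPDOS chain Ángel posted (which LOGs with the prefix "firewall-sipdos: " before it DROPs), needs a fail2ban filter that matches those kernel log lines. The Python below is an added example, not code from this thread or from fail2ban itself: it carries the failregex such a filter would use, and reproduces fail2ban's maxretry/findtime decision over a handful of constructed kernel LOG lines (documentation-range addresses, not real traffic). The filter text, the helper names and SAMPLE_LOG are all assumptions made for the example.

```python
"""Simulate the 'LOG + DROP, then fail2ban bans the IP' pipeline from the thread.

Added example, not fail2ban's own code: the failregex below is what a
filter.d/sipdos.conf (hypothetical name) could contain, and ban_candidates()
mimics the jail's maxretry/findtime sliding-window logic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Prefix written by the rule quoted in the thread:
#   -A SIPDOS -j LOG --log-prefix "firewall-sipdos: " --log-level 6
LOG_PREFIX = "firewall-sipdos: "

# fail2ban-style failregex. <HOST> is fail2ban's placeholder for the address to
# ban; fail2ban strips the syslog timestamp before matching, so no date here.
FAILREGEX = r"firewall-sipdos: .*SRC=<HOST> "

# Hypothetical filter file that would carry the same regex.
FILTER_CONF = f"""[Definition]
failregex = {FAILREGEX.strip()}
ignoreregex =
"""

# Our stand-in for fail2ban's <HOST> expansion (IPv4 only, enough for the demo).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TIMESTAMP_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")

# Constructed sample lines in the shape the netfilter LOG target writes to
# syslog. 203.0.113.10 hits three times in three seconds; 198.51.100.7 hits
# twice, fifteen minutes apart; the sshd line must not match at all.
SAMPLE_LOG = """\
Sep  8 15:40:01 sip kernel: firewall-sipdos: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=412 PROTO=UDP SPT=5060 DPT=5060 LEN=392
Sep  8 15:40:02 sip kernel: firewall-sipdos: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=412 PROTO=UDP SPT=5060 DPT=5060 LEN=392
Sep  8 15:40:03 sip kernel: firewall-sipdos: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=412 PROTO=UDP SPT=5060 DPT=5060 LEN=392
Sep  8 15:40:05 sip kernel: firewall-sipdos: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=380 PROTO=UDP SPT=5062 DPT=5060 LEN=360
Sep  8 15:40:09 sip sshd[1234]: Accepted publickey for admin from 198.51.100.7 port 50022 ssh2
Sep  8 15:55:30 sip kernel: firewall-sipdos: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=380 PROTO=UDP SPT=5062 DPT=5060 LEN=360
"""


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand fail2ban's <HOST> placeholder into a real capture group."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_hits(log_text: str, failregex: str = FAILREGEX):
    """Return [(timestamp, host), ...] for every line the failregex matches."""
    pat = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        m = pat.search(line)
        ts_m = TIMESTAMP_RE.match(line)
        if not m or not ts_m:
            continue
        # syslog lines carry no year; strptime defaults to 1900, which is fine
        # because only differences between timestamps are used below.
        ts = datetime.strptime(ts_m.group("ts"), "%b %d %H:%M:%S")
        hits.append((ts, m.group("host")))
    return hits


def ban_candidates(hits, maxretry: int = 3, findtime_minutes: int = 10):
    """Simplified fail2ban jail semantics: a host is banned once it has
    maxretry matches whose timestamps all fall inside a sliding findtime
    window. Returns the banned hosts in the order they crossed the threshold."""
    findtime = timedelta(minutes=findtime_minutes)
    window = defaultdict(list)
    banned = []
    for ts, host in sorted(hits):
        if host in banned:
            continue  # fail2ban stops counting once the IP is in the ban chain
        recent = [t for t in window[host] if ts - t <= findtime]
        recent.append(ts)
        window[host] = recent
        if len(recent) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print(FILTER_CONF)
    found = parse_hits(SAMPLE_LOG)
    print(f"{len(found)} matching log lines")
    print("would ban:", ban_candidates(found))
```

On a real box the jail's logpath would point at wherever the kernel's LOG output lands (typically /var/log/kern.log or /var/log/syslog, depending on the distribution's syslog configuration), and the banaction would insert a plain IP match ahead of the string-match rules, which is the speed-up Andrew describes: after the first few packets the offending address never reaches the substring scan again.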