[Freeswitch-users] Getting fail2ban working properly

Don Hawkins hawkins at hawkinsegroup.com
Thu Sep 8 23:54:42 MSD 2016


So, I got this working by creating a jail.local file. fail2ban was totally
ignoring everything in the jail.conf file.

But Jurijs is right, all the ports are open so some of the hackers are
coming through on ports 5071 and weird numbers that don't even need to be
available period.

Can someone share with me how to block all ports except the important ones?

Thanks!

On Thu, Sep 8, 2016 at 1:23 PM, Don Hawkins <hawkins at hawkinsegroup.com>
wrote:

> I cleared out the logs and reloaded fail2ban. Going back to look at the
> logs again now and I don't even see an attempt to load the FreeSwitch
> filter.
>
> fail2ban.log:
>
> 2016-09-08 18:21:16,855 fail2ban.server [3576]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.13
> 2016-09-08 18:21:16,856 fail2ban.jail   [3576]: INFO    Creating new jail 'ssh'
> 2016-09-08 18:21:16,856 fail2ban.jail   [3576]: INFO    Jail 'ssh' uses pyinotify
> 2016-09-08 18:21:16,862 fail2ban.jail   [3576]: INFO    Initiated 'pyinotify' backend
> 2016-09-08 18:21:16,864 fail2ban.filter [3576]: INFO    Added logfile = /var/log/auth.log
> 2016-09-08 18:21:16,866 fail2ban.filter [3576]: INFO    Set maxRetry = 6
> 2016-09-08 18:21:16,867 fail2ban.filter [3576]: INFO    Set findtime = 600
> 2016-09-08 18:21:16,868 fail2ban.actions[3576]: INFO    Set banTime = 1800
> 2016-09-08 18:21:16,889 fail2ban.jail   [3576]: INFO    Creating new jail 'ssh-ddos'
> 2016-09-08 18:21:16,890 fail2ban.jail   [3576]: INFO    Jail 'ssh-ddos' uses pyinotify
> 2016-09-08 18:21:16,896 fail2ban.jail   [3576]: INFO    Initiated 'pyinotify' backend
> 2016-09-08 18:21:16,898 fail2ban.filter [3576]: INFO    Added logfile = /var/log/auth.log
> 2016-09-08 18:21:16,900 fail2ban.filter [3576]: INFO    Set maxRetry = 6
> 2016-09-08 18:21:16,901 fail2ban.filter [3576]: INFO    Set findtime = 600
> 2016-09-08 18:21:16,902 fail2ban.actions[3576]: INFO    Set banTime = 1800
> 2016-09-08 18:21:16,910 fail2ban.jail   [3576]: INFO    Jail 'ssh' started
> 2016-09-08 18:21:16,914 fail2ban.jail   [3576]: INFO    Jail 'ssh-ddos' started
>
>
> On Thu, Sep 8, 2016 at 1:53 AM, Mirko Brankovic <mirkobrankovic at gmail.com>
> wrote:
>
>> On Ubuntu it is called:
>> Chain fail2ban-freeswitch (1 references)
>>
>> iptables -L should give you the chain if F2B started correctly, otherwise
>> see the fail2ban log for errors.
>>
>>
>>
>> On Thu, Sep 8, 2016 at 7:42 AM, Jurijs Ivolga <jurijs.ivolga at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I configured fail2ban several times a while ago, but not with
>>> freeswitch...
>>>
>>> If you see that rules are missing, just add them and you can use SSH
>>> rules as a template. I believe it should do the trick.
>>>
>>> And I see from your rules that you are allowing all traffic, and this is
>>> a really bad idea...
>>>
>>> You should drop everything and allow only needed traffic.
>>>
>>> With kind regards,
>>>
>>> Jurijs
>>>
>>> On Thu, Sep 8, 2016 at 12:15 AM, Don Hawkins <hawkins at hawkinsegroup.com>
>>> wrote:
>>>
>>>> Thanks for the reply!
>>>>
>>>> *Fail2Ban is running:*
>>>> root at sip:/etc/fail2ban# fail2ban-client start
>>>> ERROR  Server already running
>>>>
>>>>
>>>> *I added everything in /etc/fail2ban/jail.conf*
>>>>
>>>> [ssh]
>>>> enabled  = true
>>>> port     = 22
>>>> filter   = sshd
>>>> logpath  = /var/log/auth.log
>>>> maxretry = 6
>>>>
>>>> [freeswitch]
>>>> enabled  = true
>>>> port     = 5060,5061,5080,5081
>>>> filter   = freeswitch
>>>> logpath  = /var/log/freeswitch/freeswitch.log
>>>> maxretry = 10
>>>>
>>>>
>>>> *I also created /etc/fail2ban/filter.d/freeswitch.conf* as shown on
>>>> https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf
>>>>
>>>>
>>>> *root at sip:/etc/fail2ban/filter.d# iptables -S*
>>>> -P INPUT ACCEPT
>>>> -P FORWARD ACCEPT
>>>> -P OUTPUT ACCEPT
>>>> -N fail2ban-ssh
>>>> -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
>>>>
>>>>
>>>> As you can see when running iptables -S it shows the "fail2ban-ssh"
>>>> rule but nothing about FreeSwitch.
>>>>
>>>>
>>>> Any help is appreciated.
>>>>
>>>>
>>>>
>>>> On Wed, Sep 7, 2016 at 11:01 AM, jungle Boogie <jungleboogie0 at gmail.com> wrote:
>>>>
>>>>> On 7 September 2016 at 08:33, Don Hawkins <hawkins at hawkinsegroup.com>
>>>>> wrote:
>>>>> > It keeps saying it's not there, but I did add it, is there something I'm
>>>>> > missing?
>>>>>
>>>>> How did you add it? Is fail2ban running? Have you restarted your
>>>>> computer after setting up fail2ban? If you do iptables -S, do you see
>>>>> the rules?
>>>>>
>>>>>
>>>>> --
>>>>> -------
>>>>> inum: 883510009027723
>>>>> sip: jungleboogie at sip2sip.info
>>>>>
>>>>> _________________________________________________________________________
>>>>> Professional FreeSWITCH Consulting Services:
>>>>> consulting at freeswitch.org
>>>>> http://www.freeswitchsolutions.com
>>>>>
>>>>> Official FreeSWITCH Sites
>>>>> http://www.freeswitch.org
>>>>> http://confluence.freeswitch.org
>>>>> http://www.cluecon.com
>>>>>
>>>>> FreeSWITCH-users mailing list
>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> http://www.freeswitch.org
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Sincerely,
>>>> Don Hawkins
>>>> CEO
>>>> Hawkins Enterprise Group LLC
>>>> http://hawkinsegroup.com
>>>> Zello PTT <http://zello.com>: push2don
>>>> P: 469-214-5044
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>> Regards,
>> Mirko
>>
>>
>
>
>
> --
> Sincerely,
> Don Hawkins
> CEO
> Hawkins Enterprise Group LLC
> http://hawkinsegroup.com
> Zello PTT <http://zello.com>: push2don
> P: 469-214-5044
>



-- 
Sincerely,
Don Hawkins
CEO
Hawkins Enterprise Group LLC
http://hawkinsegroup.com
Zello PTT <http://zello.com>: push2don
P: 469-214-5044
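
A default-deny INPUT policy of the kind asked about above, as an added example that is not part of the original post or from anyone on the list. The TCP list is the `port` values from the quoted jail configuration; the UDP list (5060, 5080) and the RTP range (16384:32768, FreeSWITCH's stock default) are assumptions and must match your own SIP profiles and switch configuration.

```shell
#!/bin/sh
# Added example: emit a default-deny ruleset in iptables-restore format.
# TCP ports come from the thread's jail config; the UDP list and the RTP
# range are assumptions and must be adjusted to the local FreeSWITCH setup.

valid_ports() {
    # Comma-separated list of 1 to 15 ports (the multiport limit), each 1..65535.
    case $1 in ''|*[!0-9,]*) return 1 ;; esac
    count=0; old_ifs=$IFS; IFS=,
    for p in $1; do
        [ -n "$p" ] && [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { IFS=$old_ifs; return 1; }
        count=$((count + 1))
    done
    IFS=$old_ifs
    [ "$count" -ge 1 ] && [ "$count" -le 15 ]
}

build_ruleset() {
    # $1 = TCP ports, $2 = UDP ports, $3 = RTP range as low:high
    valid_ports "$1" && valid_ports "$2" || { echo "bad port list" >&2; return 1; }
    case $3 in
        *[!0-9:]*|*:*:*|:*|*:) echo "bad RTP range" >&2; return 1 ;;
        *:*) ;;
        *) echo "bad RTP range" >&2; return 1 ;;
    esac
    # Policies drop everything inbound; the rules below are the only exceptions.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports $1 -j ACCEPT
-A INPUT -p udp -m multiport --dports $2 -j ACCEPT
-A INPUT -p udp --dport $3 -j ACCEPT
COMMIT
EOF
}

# Prints the ruleset only; nothing is applied to the running firewall.
build_ruleset "22,5060,5061,5080,5081" "5060,5080" "16384:32768"
```

Loading the output with `iptables-restore` replaces the whole filter table, so restart fail2ban afterwards so that it re-creates its chains and inserts them at the top of INPUT. Keep an existing SSH session open while testing so a mistake in the port list does not lock you out.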