[Freeswitch-users] Getting fail2ban working properly

Angel Elena craem at craem.net
Thu Sep 8 22:51:09 MSD 2016


Yes... sipvicious and Ozeeki (for example) are programs used by bots; I have many daily attacks (more Gb) with those strings.

You can view the User-Agents:

ngrep -d any -P ' ' -W byline -T port 5060 | grep User-Agent and review all bots / bad connections

--------------------------------
Ángel Elena Medina       _o)
craem at craem.net          / \\
http://blog.craem.net  _(___V
@craem_
--------------------------------
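As an added example (my code, not anything posted in this thread), the following Python reproduces what the SIPDOS iptables rules quoted below actually match on and what the ngrep pipeline exposes, using constructed SIP messages rather than captured traffic. It also surfaces two limits of the rule set that bear on Mirko's question: the bm string match is case-sensitive, and "sipcli" is only denied on TCP.

```python
import re
from typing import Optional

# Deny-list strings copied from the SIPDOS iptables-save rules quoted in this
# thread. iptables "-m string --algo bm" is a case-sensitive substring search
# over the whole packet payload (here up to --to 65535), so it fires on any
# header or body, not only on the User-Agent line.
SIPDOS_STRINGS = {
    "udp": ["VoIP v11.2.4", "sundayddr", "sipsak", "sipvicious",
            "friendly-scanner", "iWar", "sip-scan", "VaxSIPUserAgent/3.1"],
    "tcp": ["sundayddr", "sipsak", "sipvicious", "friendly-scanner",
            "iWar", "sipcli"],
}


def user_agent(payload: bytes) -> Optional[str]:
    """Value of the SIP User-Agent header (what 'ngrep ... | grep User-Agent' shows)."""
    m = re.search(rb"^User-Agent:[ \t]*(.*?)\r?$", payload, re.M | re.I)
    return m.group(1).decode("latin-1").strip() if m else None


def sipdos_match(payload: bytes, proto: str = "udp") -> Optional[str]:
    """First deny-list string the SIPDOS chain would log and drop on, or None."""
    for needle in SIPDOS_STRINGS[proto]:
        if needle.encode() in payload:      # case-sensitive, anywhere in payload
            return needle
    return None


# Constructed sample SIP messages (not captured traffic); RFC 5737 test addresses.
SCANNER_OPTIONS = (b"OPTIONS sip:100@192.0.2.10 SIP/2.0\r\n"
                   b"Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1\r\n"
                   b"User-Agent: friendly-scanner\r\n"
                   b"Content-Length: 0\r\n\r\n")
PHONE_REGISTER = (b"REGISTER sip:192.0.2.10 SIP/2.0\r\n"
                  b"Via: SIP/2.0/UDP 192.0.2.55:5060;branch=z9hG4bK-2\r\n"
                  b"User-Agent: Example Desk Phone 1.0\r\n"
                  b"Content-Length: 0\r\n\r\n")
# Same probe with a capitalised agent string: the case-sensitive bm match misses it.
RECASED_OPTIONS = SCANNER_OPTIONS.replace(b"friendly-scanner", b"Friendly-Scanner")

if __name__ == "__main__":
    for name, pkt in [("scanner", SCANNER_OPTIONS), ("phone", PHONE_REGISTER),
                      ("recased", RECASED_OPTIONS)]:
        print(f"{name:8s} UA={user_agent(pkt)!r:32s} udp-drop={sipdos_match(pkt)!r}")
```

The recased and sipcli-over-UDP cases are the gap the thread's author covers with fail2ban on the FreeSWITCH log: the string rules only stop tools that send these exact bytes.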

-----Original Message-----
From:	Mirko Brankovic <mirkobrankovic at gmail.com>
Sent:	Thu 08-09-2016 16:40
Subject:	Re: [Freeswitch-users] Getting fail2ban working properly
To:	FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>; 
> Yes I agree, it is better to drop the unwanted packets, but are you sure that 
> those strings in the example will appear in the packets? I mean, will someone 
> advertise the software used to send a DoS attack?
> 
> --mirko
> 
> On Thu, Sep 8, 2016 at 9:50 AM, Angel Elena <craem at craem.net> wrote:
> fail2ban (only) is a bad idea to protect a freeswitch / sip server.
> 
> If you have the server with 5060 NATed or published directly to internet, it is 
> better to add a layer 7 security.
> 
> The SIP-bot networks are managed by SipVicious / SipVAx / Ozeeki softs...... 
> fail2ban + iptables layer 7 security is the best option.... who ?
> 
> 
> # Generated by iptables-save
> *filter
> :INPUT ACCEPT [541:131352]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [528:125051]
> :SIPDOS - [0:0]
> -A INPUT -p udp -m udp --dport 5060 -m string --string "VoIP v11.2.4" --algo bm --to 65535 -m comment --comment "deny sundayddr" -j SIPDOS
> -A INPUT -p udp -m udp --dport 5060 -m string --string "sundayddr" --algo bm --to 65535 -m comment --comment "deny sundayddr" -j SIPDOS
> -A INPUT -p udp -m udp --dport 5060 -m string --string "sipsak" --algo bm --to 65535 -m comment --comment "deny sipsak" -j SIPDOS
> -A INPUT -p udp -m udp --dport 5060 -m string --string "sipvicious" --algo bm --to 65535 -m comment --comment "deny sipvicious" -j SIPDOS
> -A INPUT -p udp -m udp --dport 5060 -m string --string "friendly-scanner" --algo bm --to 65535 -m comment --comment "deny friendly-scanner" -j SIPDOS
> -A INPUT -p udp -m udp --dport 5060 -m string --string "iWar" --algo bm --to 65535 -m comment --comment "deny iWar" -j SIPDOS
> -A INPUT -p udp -m udp --dport 5060 -m string --string "sip-scan" --algo bm --to 65535 -m comment --comment "deny sip-scan" -j SIPDOS
> -A INPUT -p tcp -m tcp --dport 5060 -m string --string "sundayddr" --algo bm --to 65535 -m comment --comment "deny sundayddr" -j SIPDOS
> -A INPUT -p tcp -m tcp --dport 5060 -m string --string "sipsak" --algo bm --to 65535 -m comment --comment "deny sipsak" -j SIPDOS
> -A INPUT -p tcp -m tcp --dport 5060 -m string --string "sipvicious" --algo bm --to 65535 -m comment --comment "deny sipvicious" -j SIPDOS
> -A INPUT -p tcp -m tcp --dport 5060 -m string --string "friendly-scanner" --algo bm --to 65535 -m comment --comment "deny friendly-scanner" -j SIPDOS
> -A INPUT -p tcp -m tcp --dport 5060 -m string --string "iWar" --algo bm --to 65535 -m comment --comment "deny iWar" -j SIPDOS
> -A INPUT -p tcp -m tcp --dport 5060 -m string --string "sipcli" --algo bm --to 65535 -m comment --comment "deny sipcli" -j SIPDOS
> -A INPUT -p udp -m udp --dport 5060 -m string --string "VaxSIPUserAgent/3.1" --algo bm --to 65535 -m comment --comment "deny VaxSip" -j SIPDOS
> -A SIPDOS -j LOG --log-prefix "firewall-sipdos: " --log-level 6
> -A SIPDOS -j DROP
> 
> COMMIT
> # Completed
> 
> --------------------------------
> Ángel Elena Medina       _o)
> craem at craem.net          / \\
> http://blog.craem.net  _(___V
> @craem_
> --------------------------------
> 
> -----Original Message-----
> From:   Mirko Brankovic <mirkobrankovic at gmail.com>
> Sent:   Thu 08-09-2016 08:56
> Subject: Re: [Freeswitch-users] Getting fail2ban working properly
> To:     FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>;
> > On Ubuntu it is called:
> > Chain fail2ban-freeswitch (1 references)
> >
> > iptables -L should give you the chain if F2B started correctly, otherwise see
> > the fail2ban log for errors.
> >
> >
> >
> > On Thu, Sep 8, 2016 at 7:42 AM, Jurijs Ivolga <jurijs.ivolga at gmail.com> wrote:
> > Hi,
> >
> > I configured fail2ban several times a while ago, but not with freeswitch...
> >
> > If you see that rules are missing, just add them; you can use the SSH rules as a
> > template. I believe it should do the trick.
> >
> > And I see from your rules that you are allowing all traffic, and this is a really
> > bad idea...
> >
> > You should drop everything and allow only needed traffic.
> >
> > With kind regards,
> >
> > Jurijs
> >
> > On Thu, Sep 8, 2016 at 12:15 AM, Don Hawkins <hawkins at hawkinsegroup.com> wrote:
> > Thanks for the reply!
> >
> > Fail2Ban is running:
> > root at sip:/etc/fail2ban# fail2ban-client start
> > ERROR  Server already running
> >
> >
> > I added everything in /etc/fail2ban/jail.conf
> >
> > [ssh]
> > enabled  = true
> > port     = 22
> > filter   = sshd
> > logpath  = /var/log/auth.log
> > maxretry = 6
> >
> > [freeswitch]
> > enabled  = true
> > port     = 5060,5061,5080,5081
> > filter   = freeswitch
> > logpath  = /var/log/freeswitch/freeswitch.log
> > maxretry = 10
> >
> >
> > I also created /etc/fail2ban/filter.d/freeswitch.conf as shown on
> > https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf
> >
> >
> > root at sip:/etc/fail2ban/filter.d# iptables -S
> > -P INPUT ACCEPT
> > -P FORWARD ACCEPT
> > -P OUTPUT ACCEPT
> > -N fail2ban-ssh
> > -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
> >
> >
> > As you can see when running iptables -S it shows the "fail2ban-ssh" rule but
> > nothing about FreeSwitch.
> >
> >
> > Any help is appreciated.
> >
> >
> >
> > On Wed, Sep 7, 2016 at 11:01 AM, jungle Boogie <jungleboogie0 at gmail.com> wrote:
> > On 7 September 2016 at 08:33, Don Hawkins <hawkins at hawkinsegroup.com> wrote:
> > > It keeps saying it's not there, but I did add it, is there something I'm
> > > missing?
> >
> > How did you add it? Is fail2ban running? Have you restarted your
> > computer after setting up fail2ban? If you do iptables -S, do you see
> > the rules?
> >
> >
> > --
> > -------
> > inum: 883510009027723
> > sip: jungleboogie at sip2sip.info
> >
> > _________________________________________________________________________
> > Professional FreeSWITCH Consulting Services:
> > consulting at freeswitch.org
> > http://www.freeswitchsolutions.com
> >
> > Official FreeSWITCH Sites
> > http://www.freeswitch.org
> > http://confluence.freeswitch.org
> > http://www.cluecon.com
> >
> > FreeSWITCH-users mailing list
> > FreeSWITCH-users at lists.freeswitch.org
> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> > http://www.freeswitch.org
> >
> >
> >
> >
> >
> > --
> > Sincerely,
> > Don Hawkins
> > CEO
> > Hawkins Enterprise Group LLC
> > http://hawkinsegroup.com
> > Zello PTT <http://zello.com> : push2don
> > P: 469-214-5044
> >
> > --
> > Regards,
> > Mirko
> >
> -- 
> Regards,
> Mirko
> 


