[Freeswitch-users] Getting fail2ban working properly

Mirko Brankovic mirkobrankovic at gmail.com
Mon Sep 12 17:27:32 MSD 2016


Make sure you have blocktype = DROP in your iptables-blocktype.conf.

It is always better to drop than to reject the packets: it gives the attacker
a timeout and makes one less packet for you to send :D

On Sun, Sep 11, 2016 at 3:18 AM, Don Hawkins <hawkins at hawkinsegroup.com>
wrote:

> No problem, I need to take notes anyway. Here they are...
>
>
> *A.*  /etc/fail2ban/filter.d/freeswitch.conf needs the following text:
>
> https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf
>
> NOTE: Internal and Public sofia profiles need:  <param name="log-auth-failures" value="true"/>
>
>
> *B.*  /etc/fail2ban/jail.conf and in /etc/fail2ban/jail.local (not sure
> which one is working, I had to create jail.local)
>
> [freeswitch]
> enabled  = true
> port     = 5060,5061,5080,5081,5076,5074,5071
> filter   = freeswitch
> logpath  = /var/log/freeswitch/freeswitch.log
> maxretry = 3
>
>
> *C.* Drop these rules into iptables to block the scanners on ports 5060
> and 5080
>
> iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
> iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
> iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
> iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "VaxSIPUserAgent" --algo bm
> iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "friendly-scanner" --algo bm
> iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "sipcli" --algo bm
>
>
> *D.* Change SSH port from 22 to a custom number
>
> vi /etc/ssh/sshd_config
>
>
> *E.* Update SSH jail in /etc/fail2ban/jail.conf to custom port number.
>
> [ssh]
>
> enabled  = true
> port     = 9898,22
> filter   = sshd
> logpath  = /var/log/auth.log
> maxretry = 6
>
>
> *F.* I also have additional security using CDR records (curl).  If a call
> comes in that does not have an 'account number' set (a custom variable we
> set for all incoming and outgoing calls from our customers) then we execute
> a shell command to block that IP without delay because they obviously
> aren't one of our customers. We are using mod_httapi and all calls start
> that way for us, so it's easy to set the variable as all calls start with
> <continue>.
>
>
> iptables -A INPUT -s 65.55.44.100 -j DROP
>
>
> Where 65.55.44.100 is the ip to block.
>
>
>
> Don
>
>
>
>
> On Sat, Sep 10, 2016 at 7:58 PM, George Assaad <gassaad at emassembly.com>
> wrote:
>
>> Hi Don,
>> Could you please share your final settings since it works.
>>
>> Thanks,
>>
>> George
>>
>> On Sep 10, 2016, at 5:49 PM, Don Hawkins <hawkins at hawkinsegroup.com>
>> wrote:
>>
>> Just want to update everyone that the registration attempts have almost
>> stopped 100% since blocking the sniffers and setting a 4 hour block time
>> after three failed registrations.
>>
>> Good day!
>>
>> On Thu, Sep 8, 2016 at 4:21 PM, jungle Boogie <jungleboogie0 at gmail.com>
>> wrote:
>>
>>> On 8 September 2016 at 12:54, Don Hawkins <hawkins at hawkinsegroup.com>
>>> wrote:
>>> > Can someone share with me how to block all ports except the important
>>> ones?
>>>
>>> I had the same question about a month ago:
>>> http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121694.html
>>>
>>> Colin gives good advice here:
>>> http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121730.html
>>>
>>> I've also had success with contacting the originating network and
>>> requesting that their customer stop the traffic to me.
>>>
>>> Here's the abuse form for online.net:
>>> https://console.online.net/en/account/abuses/search
>>>
>>> By the way, if the fail2ban page on confluence needs updating, please
>>> update it or list what's wrong with it. I do see it indicates to
>>> create the jail.local and that's what you were missing for yours to
>>> work properly.
>>>
>>>
>>> --
>>> -------
>>> inum: 883510009027723
>>> sip: jungleboogie at sip2sip.info
>>>
>>> ____________________________________________________________
>>> _____________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://confluence.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>
>>
>>
>> --
>> Sincerely,
>> Don Hawkins
>> CEO
>> Hawkins Enterprise Group LLC
>> http://hawkinsegroup.com
>> Zello PTT <http://zello.com/>: push2don
>> P: 469-214-5044
>>
>>
>>
>>
>
>
>
> --
> Sincerely,
> Don Hawkins
> CEO
> Hawkins Enterprise Group LLC
> http://hawkinsegroup.com
> Zello PTT <http://zello.com>: push2don
> P: 469-214-5044
>
>



-- 
Regards,
Mirko
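To make concrete what the jail in step B does with the `log-auth-failures` lines and the "three failed registrations, four hour block" policy described in the thread, here is an added example (not the fail2ban freeswitch filter's own regex, nor anything from the list or the FreeSWITCH project). It applies fail2ban-style sliding-window counting (`maxretry` within `findtime`, then `bantime`) over a few constructed FreeSWITCH log lines, and renders the DROP rule from step F only after validating the address, since an IP pulled from call data should never be interpolated into a shell command unchecked. The log line format, the addresses (RFC 5737 documentation ranges) and the function names are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The line shape approximates FreeSWITCH sofia
# auth-failure messages as emitted with log-auth-failures=true; it is not
# copied from a real server, and the [NOTICE] line is a deliberate non-match.
SAMPLE_LOG = """\
2016-09-10 19:00:01.123456 [WARNING] sofia_reg.c:2820 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@203.0.113.1] from ip 198.51.100.7
2016-09-10 19:00:05.000000 [WARNING] sofia_reg.c:2820 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@203.0.113.1] from ip 203.0.113.55
2016-09-10 19:01:02.654321 [WARNING] sofia_reg.c:2820 SIP auth failure (INVITE) on sofia profile 'external' for [100@203.0.113.1] from ip 198.51.100.7
2016-09-10 19:01:30.000000 [NOTICE] sofia_reg.c:1521 Constructed non-failure line from ip 192.0.2.9
2016-09-10 19:02:03.111111 [WARNING] sofia_reg.c:2820 SIP auth failure (REGISTER) on sofia profile 'internal' for [1002@203.0.113.1] from ip 198.51.100.7
2016-09-10 19:03:00.000000 [WARNING] sofia_reg.c:2820 SIP auth failure (REGISTER) on sofia profile 'internal' for [1003@203.0.113.1] from ip 198.51.100.7
2016-09-10 19:20:05.000000 [WARNING] sofia_reg.c:2820 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@203.0.113.1] from ip 203.0.113.55
2016-09-10 19:40:05.000000 [WARNING] sofia_reg.c:2820 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@203.0.113.1] from ip 203.0.113.55
"""

# Approximation of what the fail2ban freeswitch filter matches (assumed pattern,
# not the filter's own failregex): timestamp, the sofia auth-failure text, host.
AUTH_FAILURE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \[WARNING\] sofia_reg\.c:\d+ "
    r"SIP auth failure \((?:REGISTER|INVITE)\) on sofia profile '[^']+' "
    r"for \[[^\]]*\] from ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def find_bans(lines, maxretry=3, findtime=timedelta(seconds=600),
              bantime=timedelta(hours=4)):
    """Return {ip: ban_until} using fail2ban-style counting.

    A host is banned when it produces `maxretry` matching lines inside a
    sliding window of `findtime`; the ban lasts `bantime` from the last hit.
    """
    hits = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}                   # ip -> datetime the ban expires
    for line in lines:
        m = AUTH_FAILURE.match(line)
        if not m:
            continue  # only auth failures count; everything else is ignored
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        ip = m.group("ip")
        if ip in bans and ts < bans[ip]:
            continue  # already banned; with DROP the packet never arrives anyway
        window = hits[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            bans[ip] = ts + bantime
            window.clear()
    return bans


def drop_rule(ip):
    """Render the step-F iptables rule, validating the address first.

    ipaddress.ip_address raises ValueError for anything that is not a bare
    IP literal, so shell metacharacters smuggled in a SIP header never reach
    the command line.
    """
    addr = ipaddress.ip_address(ip)
    return f"iptables -I INPUT -s {addr} -j DROP"


if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} until {until:%Y-%m-%d %H:%M:%S}: {drop_rule(ip)}")
```

Run as a script it bans only 198.51.100.7 (three failures in just over two minutes), while 203.0.113.55, which fails once every twenty minutes, never accumulates three hits inside the ten-minute window; a tighter `findtime` or lower `maxretry` in jail.local is what changes that outcome, not the regex. The `-I` (insert at top) matches Mirko's DROP advice and ensures the rule sits ahead of any ACCEPT for the SIP ports.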