[Freeswitch-users] Getting fail2ban working properly

Don Hawkins hawkins at hawkinsegroup.com
Mon Sep 12 20:09:06 MSD 2016


I'm actually starting to notice a problem with fail2ban, maybe someone can
help me.

I have a SIP account registered on my wireless phone, when I switch between
WiFi and cellular DATA the IP changes and the SIP app authenticates again
with FS to re-register. On FreeSwitch it looks like this:

From the cell network:
2016-09-12 16:01:32.716663 [WARNING] sofia_reg.c:1787 SIP auth challenge (REGISTER) on sofia profile 'internal' for [donscellphone at sipaddress.com] from ip 66.87.96.898
2016-09-12 16:01:33.116669 [WARNING] sofia_reg.c:1787 SIP auth challenge (REGISTER) on sofia profile 'internal' for [donscellphone at sipaddress.com] from ip 66.87.96.898

Then once I get back on Wifi:
2016-09-12 16:01:56.716679 [WARNING] sofia_reg.c:1787 SIP auth challenge (REGISTER) on sofia profile 'internal' for [donscellphone at sipaddress.com] from ip 173.58.58.333
2016-09-12 16:01:56.976677 [WARNING] sofia_reg.c:1787 SIP auth challenge (REGISTER) on sofia profile 'internal' for [donscellphone at sipaddress.com] from ip 173.58.58.333


This is fine and all, except that the regex in the file
/etc/fail2ban/filter.d/freeswitch.conf specifically blocks these SIP
auth challenges, so my IP address ends up being blocked after X attempts.

Obviously I could add my IP to the allow list BUT what about other users
(our customers) ??

Thanks for the input!


On Mon, Sep 12, 2016 at 8:27 AM, Mirko Brankovic <mirkobrankovic at gmail.com>
wrote:

> Make sure you have blocktype = DROP in your iptables-blocktype.conf.
>
> It is always better to drop than to reject the packets; it gives the attacker
> a timeout and makes one less packet for you to send :D
>
> On Sun, Sep 11, 2016 at 3:18 AM, Don Hawkins <hawkins at hawkinsegroup.com>
> wrote:
>
>> No problem, I need to take notes anyway. Here they are...
>>
>>
>> *A.*  /etc/fail2ban/filter.d/freeswitch.conf needs the following text:
>>
>> https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf
>>
>> NOTE: Internal and Public sofia profiles need:  <param
>> name="log-auth-failures" value="true"/>
>>
>>
>> *B.*  /etc/fail2ban/jail.conf and in /etc/fail2ban/jail.local (not sure
>> which one is working, I had to create jail.local)
>>
>> [freeswitch]
>> enabled  = true
>> port     = 5060,5061,5080,5081,5076,5074,5071
>> filter   = freeswitch
>> logpath  = /var/log/freeswitch/freeswitch.log
>> maxretry = 3
>>
>>
>> *C.* Drop these rules into iptables to block the scanners on ports 5060
>> and 5080
>>
>> iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
>> iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
>> iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
>> iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "VaxSIPUserAgent" --algo bm
>> iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "friendly-scanner" --algo bm
>> iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "sipcli" --algo bm
>>
>>
>> *D.* Change SSH port from 22 to a custom number
>>
>> vi /etc/ssh/sshd_config
>>
>>
>> *E.* Update SSH jail in /etc/fail2ban/jail.conf to custom port number.
>>
>> [ssh]
>>
>> enabled  = true
>> port     = 9898,22
>> filter   = sshd
>> logpath  = /var/log/auth.log
>> maxretry = 6
>>
>>
>> *F.* I also have additional security using CDR records (curl).  If a
>> call comes in that does not have an 'account number' set (a custom variable
>> we set for all incoming and outgoing calls from our customers) then we
>> execute a shell command to block that IP without delay because they
>> obviously aren't one of our customers. We are using mod_httapi and all
>> calls start that way for us, so it's easy to set the variable as all calls
>> start with <continue>.
>>
>>
>> iptables -A INPUT -s 65.55.44.100 -j DROP
>>
>>
>> Where 65.55.44.100 is the ip to block.
>>
>>
>>
>> Don
>>
>>
>>
>>
>> On Sat, Sep 10, 2016 at 7:58 PM, George Assaad <gassaad at emassembly.com>
>> wrote:
>>
>>> Hi Don,
>>> Could you please share your final settings since it works.
>>>
>>> Thanks,
>>>
>>> George
>>>
>>> On Sep 10, 2016, at 5:49 PM, Don Hawkins <hawkins at hawkinsegroup.com>
>>> wrote:
>>>
>>> Just want to update everyone that the registration attempts have almost
>>> stopped 100% since blocking the sniffers and setting a 4 hour block time
>>> after three failed registrations.
>>>
>>> Good day!
>>>
>>> On Thu, Sep 8, 2016 at 4:21 PM, jungle Boogie <jungleboogie0 at gmail.com>
>>> wrote:
>>>
>>>> On 8 September 2016 at 12:54, Don Hawkins <hawkins at hawkinsegroup.com>
>>>> wrote:
>>>> > Can someone share with me how to block all ports except the important
>>>> ones?
>>>>
>>>> I had the same question about a month ago:
>>>> http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121694.html
>>>>
>>>> Colin gives good advice here:
>>>> http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121730.html
>>>>
>>>> I've also had success with contacting the originating network and
>>>> requesting that their customer stop the traffic to me.
>>>>
>>>> Here's the abuse form for online.net:
>>>> https://console.online.net/en/account/abuses/search
>>>>
>>>> By the way, if the fail2ban page on confluence needs updating, please
>>>> update it or list what's wrong with it. I do see it indicates to
>>>> create the jail.local and that's what you were missing for yours to
>>>> work properly.
>>>>
>>>>
>>>> --
>>>> -------
>>>> inum: 883510009027723
>>>> sip: jungleboogie at sip2sip.info
>>>>
>>>> _________________________________________________________________________
>>>> Professional FreeSWITCH Consulting Services:
>>>> consulting at freeswitch.org
>>>> http://www.freeswitchsolutions.com
>>>>
>>>> Official FreeSWITCH Sites
>>>> http://www.freeswitch.org
>>>> http://confluence.freeswitch.org
>>>> http://www.cluecon.com
>>>>
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>
>>>
>>>
>>>
>>> --
>>> Sincerely,
>>> Don Hawkins
>>> CEO
>>> Hawkins Enterprise Group LLC
>>> http://hawkinsegroup.com
>>> Zello PTT <http://zello.com/>: push2don
>>> P: 469-214-5044
>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>> Sincerely,
>> Don Hawkins
>> CEO
>> Hawkins Enterprise Group LLC
>> http://hawkinsegroup.com
>> Zello PTT <http://zello.com>: push2don
>> P: 469-214-5044
>>
>>
>
>
>
> --
> Regards,
> Mirko
>
>



-- 
Sincerely,
Don Hawkins
CEO
Hawkins Enterprise Group LLC
http://hawkinsegroup.com
Zello PTT <http://zello.com>: push2don
P: 469-214-5044
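The following script reproduces the false positive Don describes at the top of this thread. It is an added example and is not code from any post here, nor fail2ban's own filter: it replays a fail2ban-style maxretry/findtime rule over FreeSWITCH sofia_reg log lines, once counting "SIP auth challenge" lines (as the thread says the stock freeswitch.conf regex does) and once counting only "SIP auth failure" lines. The regex is modelled on the lines quoted in the thread; the two challenge-line addresses are the post's own placeholder values, while the later re-registration at 16:05, the scanner at 203.0.113.77, the "SIP auth failure" line layout and its source line number are constructed for the example. The 600-second window is a parameter chosen here, not a value from the thread.

```python
"""Replay of a fail2ban-style jail over FreeSWITCH sofia_reg log lines.

Added example for this thread; not code from any post here and not fail2ban's
own filter. A rule that counts 'SIP auth challenge' lines bans a legitimate
phone that re-registers from a new address; counting only 'SIP auth failure'
lines bans the scanner and leaves the phone alone.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The challenge lines for 66.87.96.898 and 173.58.58.333
# follow the lines quoted in the thread (the post's own placeholder addresses;
# the archive rewrote '@' as ' at ', undone here). The extra re-registration at
# 16:05, the scanner at 203.0.113.77 (documentation range), the 'SIP auth
# failure' lines and their sofia_reg.c line number are constructed; the failure
# line is assumed to share the layout of the challenge line.
SAMPLE_LOG = """\
2016-09-12 16:01:32.716663 [WARNING] sofia_reg.c:1787 SIP auth challenge (REGISTER) on sofia profile 'internal' for [donscellphone@sipaddress.com] from ip 66.87.96.898
2016-09-12 16:01:33.116669 [WARNING] sofia_reg.c:1787 SIP auth challenge (REGISTER) on sofia profile 'internal' for [donscellphone@sipaddress.com] from ip 66.87.96.898
2016-09-12 16:01:56.716679 [WARNING] sofia_reg.c:1787 SIP auth challenge (REGISTER) on sofia profile 'internal' for [donscellphone@sipaddress.com] from ip 173.58.58.333
2016-09-12 16:01:56.976677 [WARNING] sofia_reg.c:1787 SIP auth challenge (REGISTER) on sofia profile 'internal' for [donscellphone@sipaddress.com] from ip 173.58.58.333
2016-09-12 16:03:01.000000 [WARNING] sofia_reg.c:1787 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1001@sipaddress.com] from ip 203.0.113.77
2016-09-12 16:03:01.200000 [WARNING] sofia_reg.c:1882 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@sipaddress.com] from ip 203.0.113.77
2016-09-12 16:03:02.000000 [WARNING] sofia_reg.c:1787 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1002@sipaddress.com] from ip 203.0.113.77
2016-09-12 16:03:02.200000 [WARNING] sofia_reg.c:1882 SIP auth failure (REGISTER) on sofia profile 'internal' for [1002@sipaddress.com] from ip 203.0.113.77
2016-09-12 16:03:03.000000 [WARNING] sofia_reg.c:1787 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1003@sipaddress.com] from ip 203.0.113.77
2016-09-12 16:03:03.200000 [WARNING] sofia_reg.c:1882 SIP auth failure (REGISTER) on sofia profile 'internal' for [1003@sipaddress.com] from ip 203.0.113.77
2016-09-12 16:05:10.100000 [WARNING] sofia_reg.c:1787 SIP auth challenge (REGISTER) on sofia profile 'internal' for [donscellphone@sipaddress.com] from ip 173.58.58.333
2016-09-12 16:05:10.400000 [WARNING] sofia_reg.c:1787 SIP auth challenge (REGISTER) on sofia profile 'internal' for [donscellphone@sipaddress.com] from ip 173.58.58.333
"""

# Pattern modelled on the quoted lines (assumption: one event per log line).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \[WARNING\] sofia_reg\.c:\d+ "
    r"SIP auth (?P<kind>challenge|failure) \((?P<method>REGISTER|INVITE)\) "
    r"on sofia profile '(?P<profile>[^']+)' for \[(?P<user>[^\]]*)\] "
    r"from ip (?P<host>\S+)$"
)


def parse(lines):
    """Yield (timestamp, kind, host) for every line matching LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["kind"], m["host"]


def hits_per_host(log, kinds):
    """Collect event timestamps per source host, keeping only the given kinds."""
    hits = defaultdict(list)
    for ts, kind, host in parse(log.splitlines()):
        if kind in kinds:
            hits[host].append(ts)
    return hits


def hosts_to_ban(log, kinds, maxretry=3, findtime=600):
    """Hosts with at least maxretry matching events inside any findtime-second
    window: the same counting rule a fail2ban jail applies with maxretry/findtime."""
    window = timedelta(seconds=findtime)
    banned = set()
    for host, stamps in hits_per_host(log, kinds).items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= window:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    # Counting challenges bans the phone (173.58.58.333) along with the scanner.
    print("challenge+failure:", sorted(hosts_to_ban(SAMPLE_LOG, {"challenge", "failure"})))
    # Counting failures only bans the scanner.
    print("failure only:     ", sorted(hosts_to_ban(SAMPLE_LOG, {"failure"})))
```

Every REGISTER is challenged first, so a phone that roams between networks produces a burst of challenge lines from each new address without ever failing authentication; only the "SIP auth failure" lines (which FreeSWITCH writes when log-auth-failures is enabled, as noted in step A) distinguish a scanner from a customer.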

