[Freeswitch-users] Getting fail2ban working properly

Angel Elena craem at craem.net
Sun Sep 11 11:23:27 MSD 2016


Great!!!

Thanks for sharing.

--------------------------------
Ángel Elena Medina       _o)
craem at craem.net          / \\
http://blog.craem.net  _(___V
@craem_
--------------------------------

-----Original message-----
From:	Don Hawkins <hawkins at hawkinsegroup.com>
Sent:	Sun 11-09-2016 03:22
Subject:	Re: [Freeswitch-users] Getting fail2ban working properly
To:	FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>; 
> No problem, I need to take notes anyway. Here they are...
> 
> 
> A.  /etc/fail2ban/filter.d/freeswitch.conf needs the following text:
> 
> https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf
> 
> NOTE: Internal and Public sofia profiles need:  <param name="log-auth-failures" value="true"/>
> 
> 
> B.  /etc/fail2ban/jail.conf and in /etc/fail2ban/jail.local (not sure which one 
> is working, I had to create jail.local)
> 
> [freeswitch]
> enabled  = true
> port     = 5060,5061,5080,5081,5076,5074,5071
> filter   = freeswitch
> logpath  = /var/log/freeswitch/freeswitch.log
> maxretry = 3
> 
> 
> C. Drop these rules into iptables to block the scanners on ports 5060 and 5080
> 
> iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
> iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
> iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
> iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "VaxSIPUserAgent" --algo bm
> iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "friendly-scanner" --algo bm
> iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "sipcli" --algo bm
> 
> 
> D. Change SSH port from 22 to a custom number
> 
> vi /etc/ssh/sshd_config
> 
> 
> E. Update SSH jail in /etc/fail2ban/jail.conf to custom port number.
> 
> [ssh]
> 
> enabled  = true
> port     = 9898,22
> filter   = sshd
> logpath  = /var/log/auth.log
> maxretry = 6
> 
> 
> F. I also have additional security using CDR records (curl).  If a call comes 
> in that does not have an 'account number' set (a custom variable we set for all 
> incoming and outgoing calls from our customers) then we execute a shell command 
> to block that IP without delay because they obviously aren't one of our 
> customers. We are using mod_httapi and all calls start that way for us, so it's 
> easy to set the variable as all calls start with <continue>.
> 
> 
> iptables -A INPUT -s 65.55.44.100 -j DROP
> 
> 
> Where 65.55.44.100 is the ip to block.
> 
> 
> 
> Don
> 
> 
> 
> 
> On Sat, Sep 10, 2016 at 7:58 PM, George Assaad <gassaad at emassembly.com> wrote:
> Hi Don,
> Could you please share your final settings since it works.
> 
> Thanks,
> 
> George
> 
> On Sep 10, 2016, at 5:49 PM, Don Hawkins <hawkins at hawkinsegroup.com> wrote:
> 
> Just want to update everyone that the registration attempts have almost stopped 
> 100% since blocking the sniffers and setting a 4 hour block time after three 
> failed registrations.
> 
> Good day!
> 
> On Thu, Sep 8, 2016 at 4:21 PM, jungle Boogie <jungleboogie0 at gmail.com> wrote:
> On 8 September 2016 at 12:54, Don Hawkins <hawkins at hawkinsegroup.com> wrote:
> > Can someone share with me how to block all ports except the important ones?
> 
> I had the same question about a month ago:
> http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121694.html
> 
> Colin gives good advice here:
> http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121730.html
> 
> 
> I've also had success with contacting the originating network and
> requesting their customer to stop the traffic to me.
> 
> Here's the abuse form for online.net:
> https://console.online.net/en/account/abuses/search
> 
> By the way, if the fail2ban page on confluence needs updating, please
> update it or list what's wrong with it. I do see it indicates to
> create the jail.local and that's what you were missing for yours to
> work properly.
> 
> 
> --
> -------
> inum: 883510009027723
> sip: jungleboogie at sip2sip.info
> 
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
> 
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
> 
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
> 
> 
> 
> -- 
> Sincerely,
> Don Hawkins
> CEO
> Hawkins Enterprise Group LLC
> http://hawkinsegroup.com
> Zello PTT <http://zello.com/>: push2don
> P: 469-214-5044
>
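
A guarded version of the step F block command, as an added example that is not part of the original thread: the address taken from the CDR is validated before it reaches iptables, allowlisted hosts are never banned, and an existing rule is not duplicated. The names block_ip, valid_ipv4, ALLOWLIST and DRY_RUN are hypothetical, and 192.0.2.10 is a constructed allowlist entry.

```shell
#!/bin/sh
# Added example: guarded form of the step F block command.
# block_ip, valid_ipv4, ALLOWLIST and DRY_RUN are hypothetical names.

ALLOWLIST="127.0.0.1 192.0.2.10"  # constructed: addresses that must never be banned
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the rule only, 0 = change iptables

# Succeed only for a plain dotted-quad IPv4 address (four octets, 0-255,
# no leading zeros), so nothing else can reach the iptables command line.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Exit status: 0 rule printed or present, 2 invalid address, 3 allowlisted.
block_ip() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        echo "rejected: not an IPv4 address" >&2
        return 2
    fi
    case " $ALLOWLIST " in
        *" $ip "*) echo "skipped: $ip is allowlisted" >&2; return 3 ;;
    esac
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -I INPUT -s $ip -j DROP"
        return 0
    fi
    # -C tests for an existing rule so repeated CDRs do not stack duplicates;
    # -I puts the DROP at the top of INPUT, ahead of any ACCEPT rules.
    iptables -C INPUT -s "$ip" -j DROP 2>/dev/null ||
        iptables -I INPUT -s "$ip" -j DROP
}

# Usage: DRY_RUN=1 ./block_ip.sh 65.55.44.100
if [ "$#" -gt 0 ]; then
    block_ip "$1"
fi
```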


