[Freeswitch-users] Getting fail2ban working properly

Don Hawkins hawkins at hawkinsegroup.com
Thu Sep 15 09:14:09 MSD 2016


So, to only block failures, does this regex look right? I basically just
removed "failure|challenge" and replaced it with "failure".

failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$


On Sun, Sep 11, 2016 at 2:23 AM, Angel Elena <craem at craem.net> wrote:

> Great!!!
>
> Thanks for sharing.
>
> --------------------------------
> Ángel Elena Medina       _o)
> craem at craem.net          / \\
> http://blog.craem.net  _(___V
> @craem_
> --------------------------------
>
> -----Original message-----
> From:     Don Hawkins <hawkins at hawkinsegroup.com>
> Sent:        Sun 11-09-2016 03:22
> Subject: Re: [Freeswitch-users] Getting fail2ban working properly
> To:   FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>;
> > No problem, I need to take notes anyway. Here they are...
> >
> >
> > A.  /etc/fail2ban/filter.d/freeswitch.conf needs the following text:
> >
> > https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf
> >
> > NOTE: Internal and Public sofia profiles need:  <param name="log-auth-failures" value="true"/>
> >
> >
> > B.  /etc/fail2ban/jail.conf and in /etc/fail2ban/jail.local (not sure which one is working, I had to create jail.local)
> >
> > [freeswitch]
> > enabled  = true
> > port     = 5060,5061,5080,5081,5076,5074,5071
> > filter   = freeswitch
> > logpath  = /var/log/freeswitch/freeswitch.log
> > maxretry = 3
> >
> >
> > C. Drop these rules into iptables to block the scanners on ports 5060 and 5080
> >
> > iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
> > iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
> > iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
> > iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "VaxSIPUserAgent" --algo bm
> > iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "friendly-scanner" --algo bm
> > iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "sipcli" --algo bm
> >
> >
> > D. Change SSH port from 22 to a custom number
> >
> > vi /etc/ssh/sshd_config
> >
> >
> > E. Update SSH jail in /etc/fail2ban/jail.conf to custom port number.
> >
> > [ssh]
> >
> > enabled  = true
> > port     = 9898,22
> > filter   = sshd
> > logpath  = /var/log/auth.log
> > maxretry = 6
> >
> >
> > F. I also have additional security using CDR records (curl).  If a call comes in that does not have an 'account number' set (a custom variable we set for all incoming and outgoing calls from our customers), then we execute a shell command to block that IP without delay because they obviously aren't one of our customers. We are using mod_httapi and all calls start that way for us, so it's easy to set the variable as all calls start with <continue>.
> >
> >
> > iptables -A INPUT -s 65.55.44.100 -j DROP
> >
> >
> > Where 65.55.44.100 is the ip to block.
> >
> >
> >
> > Don
> >
> >
> >
> >
> > On Sat, Sep 10, 2016 at 7:58 PM, George Assaad <gassaad at emassembly.com> wrote:
> > Hi Don,
> > Could you please share your final settings since it works.
> >
> > Thanks,
> >
> > George
> >
> > On Sep 10, 2016, at 5:49 PM, Don Hawkins <hawkins at hawkinsegroup.com> wrote:
> >
> > Just want to update everyone that the registration attempts have almost stopped 100% since blocking the sniffers and setting a 4 hour block time after three failed registrations.
> >
> > Good day!
> >
> > On Thu, Sep 8, 2016 at 4:21 PM, jungle Boogie <jungleboogie0 at gmail.com> wrote:
> > On 8 September 2016 at 12:54, Don Hawkins <hawkins at hawkinsegroup.com> wrote:
> > > Can someone share with me how to block all ports except the important ones?
> >
> > I had the same question about a month ago:
> > http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121694.html
> >
> >
> > Colin gives good advice here:
> > http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121730.html
> >
> >
> > I've also had success with contacting the originating network and
> > request their customer to stop the traffic to me.
> >
> > Here's the abuse form for online.net <http://online.net/> :
> > https://console.online.net/en/account/abuses/search
> >
> > By the way, if the fail2ban page on confluence needs updating, please
> > update it or list what's wrong with it. I do see it indicates to
> > create the jail.local and that's what you were missing for yours to
> > work properly.
> >
> >
> > --
> > -------
> > inum: 883510009027723
> > sip: jungleboogie at sip2sip.info <mailto:jungleboogie at sip2sip.info>
> >
> > _________________________________________________________________________
> > Professional FreeSWITCH Consulting Services:
> > consulting at freeswitch.org
> > http://www.freeswitchsolutions.com
> >
> > Official FreeSWITCH Sites
> > http://www.freeswitch.org
> > http://confluence.freeswitch.org
> > http://www.cluecon.com
> >
> > FreeSWITCH-users mailing list
> > FreeSWITCH-users at lists.freeswitch.org
> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> > http://www.freeswitch.org
> >
> >
> > --
> > Sincerely,
> > Don Hawkins
> > CEO
> > Hawkins Enterprise Group LLC
> > http://hawkinsegroup.com <http://hawkinsegroup.com/>
> > Zello PTT <http://zello.com/> : push2don
> > P: 469-214-5044
> >
> >
> >
> > --
> > Sincerely,
> > Don Hawkins
> > CEO
> > Hawkins Enterprise Group LLC
> > http://hawkinsegroup.com <http://hawkinsegroup.com>
> > Zello PTT <http://zello.com> : push2don
> > P: 469-214-5044
> >
>



-- 
Sincerely,
Don Hawkins
CEO
Hawkins Enterprise Group LLC
http://hawkinsegroup.com
Zello PTT <http://zello.com>: push2don
P: 469-214-5044
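As an added example (not from the thread), the following Python script replays the failregex asked about at the top of this thread over constructed FreeSWITCH-style log lines, reproducing fail2ban's date stripping and the quoted jail's maxretry = 3, so the effect of dropping "challenge" from the pattern can be checked before the filter goes live. The 600 s findtime, the sample lines and their IPs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban strips the part of a line matched by its datepattern before trying
# failregex, so the quoted pattern's leading '^\.\d+' is the fractional seconds
# FreeSWITCH prints after the date. <HOST> is a fail2ban token; a named group stands in.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
FAILREGEX = re.compile(
    r"^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure) "
    r"\((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] "
    r"from ip (?P<host>\S+)$"
)

# Constructed sample lines in FreeSWITCH's log layout; the IPs are from
# documentation ranges, not real traffic.
SAMPLE_LOG = """\
2016-09-15 09:00:01.123456 [WARNING] sofia_reg.c:1234 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1001@pbx.example] from ip 198.51.100.7
2016-09-15 09:00:02.223456 [WARNING] sofia_reg.c:1234 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@pbx.example] from ip 203.0.113.5
2016-09-15 09:00:03.323456 [WARNING] sofia_reg.c:1234 SIP auth failure (REGISTER) on sofia profile 'internal' for [admin@pbx.example] from ip 203.0.113.5
2016-09-15 09:00:04.423456 [WARNING] sofia_reg.c:1234 SIP auth failure (INVITE) on sofia profile 'external' for [100@pbx.example] from ip 203.0.113.5
"""


def failing_host(line):
    """Return the offending host if the line is an auth failure, else None."""
    date = DATE_RE.match(line)
    if not date:
        return None
    hit = FAILREGEX.match(line[date.end():])
    return hit.group("host") if hit else None


def hosts_to_ban(log_text, maxretry=3, findtime=timedelta(seconds=600)):
    """Hosts with >= maxretry failures inside a sliding findtime window, like the
    quoted jail's maxretry = 3 (findtime assumed at fail2ban's 600 s default)."""
    recent = defaultdict(list)
    banned = set()
    for line in log_text.splitlines():
        host = failing_host(line)
        if host is None:
            continue
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print("would ban:", sorted(hosts_to_ban(SAMPLE_LOG)))
```

The challenge line from 198.51.100.7 never counts, so a legitimate phone doing normal digest authentication is not pushed toward a ban; fail2ban's own `fail2ban-regex` tool performs the matching half of this check against a real log file.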