[Freeswitch-users] Getting fail2ban working properly

Guillermo Ruiz Camauer grcamauer at gmail.com
Sat Sep 24 02:45:00 MSD 2016


Sorry, accidentally sent mail without highlighting the line:

static void fail2ban_event_handler(switch_event_t *event)
{
    if (event->event_id == SWITCH_EVENT_CUSTOM &&
        strncmp(event->subclass_name, "sofia::register_attempt", 23) == 0) {
        switch_file_printf(logfile, "A registration was atempted ");
        switch_file_printf(logfile, "%s:%s ", "User",
                           switch_event_get_header(event, "to-user"));
        switch_file_printf(logfile, "%s:%s ", "IP",
                           switch_event_get_header(event, "network-ip"));
        switch_file_printf(logfile, "\n");
    } else if (event->event_id == SWITCH_EVENT_CUSTOM &&
               strncmp(event->subclass_name, "sofia::register_failure", 23) == 0) {
        /* the highlighted (added) line: prefix the entry with a timestamp
           so that fail2ban's date parser accepts the line at all */
        switch_file_printf(logfile, "%s ",
                           switch_event_get_header(event, "Event-Date-Local"));
        switch_file_printf(logfile, "A registration failed ");
        switch_file_printf(logfile, "%s:%s ", "User",
                           switch_event_get_header(event, "to-user"));
        switch_file_printf(logfile, "%s:%s ", "IP",
                           switch_event_get_header(event, "network-ip"));
        switch_file_printf(logfile, "\n");
    }
}


Now I can run fail2ban with my logs set to a lower verbosity which is a
pretty big deal since I have high traffic patterns.


Regards,

Guillermo

On Fri, Sep 23, 2016 at 7:42 PM, Guillermo Ruiz Camauer <grcamauer at gmail.com> wrote:

> Figured out what was wrong...
>
> Reading the fail2ban web page I found this:
>
>
>    - In order for a log line to match your failregex, it actually has to
>    match in two parts: the beginning of the line has to match a timestamp
>    pattern or regex, and the remainder of the line has to match your
>    failregex. If the failregex is anchored with a leading ^, then the
>    anchor refers to the start of the remainder of the line, *after* the
>    timestamp and intervening whitespace.
>
>
>    - The pattern or regex to match the time stamp is currently not
>    documented, and not available for users to read or set. See Debian bug
>    #491253 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=491253%7C>.
>    This is a problem if your log has a timestamp format that fail2ban doesn't
>    expect, since it will then fail to match any lines. Because of this, you
>    should test any new failregex against a sample log line, as in the examples
>    below, to be sure that it will match. If fail2ban doesn't recognize your
>    log timestamp, then you have two options: either reconfigure your daemon to
>    log with a timestamp in a more common format, such as in the example log
>    line above; or file a bug report asking to have your timestamp format
>    included.
>
>
> mod_fail2ban does NOT include any timestamps in the logs it generates (see
> my previous mail).  So I modified it to include one.  Recompiled, etc. and
> now it is working like a charm.
>
> I only added one line to the original source, here highlighted in bold:
>
> static void fail2ban_event_handler(switch_event_t *event)
> {
>     if (event->event_id == SWITCH_EVENT_CUSTOM &&
>         strncmp(event->subclass_name, "sofia::register_attempt", 23) == 0) {
>         switch_file_printf(logfile, "A registration was atempted ");
>         switch_file_printf(logfile, "%s:%s ", "User",
>                            switch_event_get_header(event, "to-user"));
>         switch_file_printf(logfile, "%s:%s ", "IP",
>                            switch_event_get_header(event, "network-ip"));
>         switch_file_printf(logfile, "\n");
>     } else if (event->event_id == SWITCH_EVENT_CUSTOM &&
>                strncmp(event->subclass_name, "sofia::register_failure", 23) == 0) {
>         /* the added (bold) line: timestamp prefix for fail2ban's date parser */
>         switch_file_printf(logfile, "%s ",
>                            switch_event_get_header(event, "Event-Date-Local"));
>         switch_file_printf(logfile, "A registration failed ");
>         switch_file_printf(logfile, "%s:%s ", "User",
>                            switch_event_get_header(event, "to-user"));
>         switch_file_printf(logfile, "%s:%s ", "IP",
>                            switch_event_get_header(event, "network-ip"));
>         switch_file_printf(logfile, "\n");
>     }
> }
>
> On Fri, Sep 23, 2016 at 6:35 PM, Guillermo Ruiz Camauer <grcamauer at gmail.com> wrote:
>
>> Has anyone tried this but with mod_fail2ban?  I can't get it to work.  I
>> am logging to /usr/local/freeswitch/log/fail2ban.log.  I see entries
>> there like:
>>
>>
>> A registration was atempted User:111 IP:217.172.189.5.
>> A registration failed User:900972595225502 IP:217.172.189.5.
>> A registration was atempted User:110 IP:217.172.189.5.
>> A registration failed User:00972595225502 IP:217.172.189.5.
>> A registration was atempted User:701 IP:23.239.69.200.
>> A registration failed User:00972592167049 IP:23.239.69.200.
>> A registration was atempted User:110 IP:217.172.189.5.
>> A registration failed User:000972595225502 IP:217.172.189.5.
>> A registration was atempted User:110 IP:217.172.189.5.
>>
>> I have the following in /etc/fail2ban/filter.d:
>>
>> [Definition]
>>
>> failregex = A registration failed User:.* IP:<HOST>
>>
>> ignoreregex =
>>
>>
>> I never get any matches...  I have tested the regexp at
>> http://regex101.com and it works there for PCRE and Python.
>>
>> I have tried this with both fail2ban version 0.8.1.3 and 0.9.4.
>>
>> Any ideas?
>>
>> Thanks,
>>
>> Guillermo
>>
>>
>> On Sun, Sep 18, 2016 at 8:53 PM, David Witham <david.witham at netsip.com.au> wrote:
>>
>>> Hi Don,
>>>
>>> Yes that should do what you want.
>>>
>>> regards,
>>> David
>>>
>>> On 15 September 2016 at 15:14, Don Hawkins <hawkins at hawkinsegroup.com> wrote:
>>>
>>>> So, to only block failures does this regex look right? I basically just
>>>> removed "failure|challenge" and replaced with "failure"
>>>>
>>>> failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
>>>>
>>>>
>>>> On Sun, Sep 11, 2016 at 2:23 AM, Angel Elena <craem at craem.net> wrote:
>>>>
>>>>> Great!!!
>>>>>
>>>>> Thanks for sharing.
>>>>>
>>>>> --------------------------------
>>>>> Ángel Elena Medina       _o)
>>>>> craem at craem.net          / \\
>>>>> http://blog.craem.net  _(___V
>>>>> @craem_
>>>>> --------------------------------
>>>>>
>>>>> -----Original Message-----
>>>>> From:     Don Hawkins <hawkins at hawkinsegroup.com>
>>>>> Sent:        Sun 11-09-2016 03:22
>>>>> Subject: Re: [Freeswitch-users] Getting fail2ban working properly
>>>>> To:   FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>;
>>>>> > No problem, I need to take notes anyway. Here they are...
>>>>> >
>>>>> >
>>>>> > A.  /etc/fail2ban/filter.d/freeswitch.conf needs the following text:
>>>>> >
>>>>> > https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf
>>>>> >
>>>>> > NOTE: Internal and Public sofia profiles need:  <param name="log-auth-failures" value="true"/>
>>>>> >
>>>>> >
>>>>> > B.  /etc/fail2ban/jail.conf and in /etc/fail2ban/jail.local (not sure which one
>>>>> > is working, I had to create jail.local)
>>>>> >
>>>>> > [freeswitch]
>>>>> > enabled  = true
>>>>> > port     = 5060,5061,5080,5081,5076,5074,5071
>>>>> > filter   = freeswitch
>>>>> > logpath  = /var/log/freeswitch/freeswitch.log
>>>>> > maxretry = 3
>>>>> >
>>>>> >
>>>>> > C. Drop these rules into iptables to block the scanners on ports 5060 and 5080
>>>>> >
>>>>> > iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
>>>>> > iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
>>>>> > iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
>>>>> > iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "VaxSIPUserAgent" --algo bm
>>>>> > iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "friendly-scanner" --algo bm
>>>>> > iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "sipcli" --algo bm
>>>>> >
>>>>> >
>>>>> > D. Change SSH port from 22 to a custom number
>>>>> >
>>>>> > vi /etc/ssh/sshd_config
>>>>> >
>>>>> >
>>>>> > E. Update SSH jail in /etc/fail2ban/jail.conf to custom port number.
>>>>> >
>>>>> > [ssh]
>>>>> >
>>>>> > enabled  = true
>>>>> > port     = 9898,22
>>>>> > filter   = sshd
>>>>> > logpath  = /var/log/auth.log
>>>>> > maxretry = 6
>>>>> >
>>>>> >
>>>>> > F. I also have additional security using CDR records (curl).  If a call comes
>>>>> > in that does not have an 'account number' set (a custom variable we set for all
>>>>> > incoming and outgoing calls from our customers) then we execute a shell command
>>>>> > to block that IP without delay because they obviously aren't one of our
>>>>> > customers. We are using mod_httapi and all calls start that way for us, so it's
>>>>> > easy to set the variable as all calls start with <continue>.
>>>>> >
>>>>> >
>>>>> > iptables -A INPUT -s 65.55.44.100 -j DROP
>>>>> >
>>>>> >
>>>>> > Where 65.55.44.100 is the ip to block.
>>>>> >
>>>>> >
>>>>> >
>>>>> > Don
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> > On Sat, Sep 10, 2016 at 7:58 PM, George Assaad <gassaad at emassembly.com> wrote:
>>>>> > Hi Don,
>>>>> > Could you please share your final settings since it works.
>>>>> >
>>>>> > Thanks,
>>>>> >
>>>>> > George
>>>>> >
>>>>> > On Sep 10, 2016, at 5:49 PM, Don Hawkins <hawkins at hawkinsegroup.com> wrote:
>>>>> >
>>>>> > Just want to update everyone that the registration attempts have almost stopped
>>>>> > 100% since blocking the sniffers and setting a 4 hour block time after three
>>>>> > failed registrations.
>>>>> >
>>>>> > Good day!
>>>>> >
>>>>> > On Thu, Sep 8, 2016 at 4:21 PM, jungle Boogie <jungleboogie0 at gmail.com> wrote:
>>>>> > On 8 September 2016 at 12:54, Don Hawkins <hawkins at hawkinsegroup.com> wrote:
>>>>> > > Can someone share with me how to block all ports except the important ones?
>>>>> >
>>>>> > I had the same question about a month ago:
>>>>> > http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121694.html
>>>>> >
>>>>> >
>>>>> > Colin gives good advice here:
>>>>> > http://lists.freeswitch.org/pipermail/freeswitch-users/2016-August/121730.html
>>>>> >
>>>>> >
>>>>> > I've also had success with contacting the originating network and
>>>>> > request their customer to stop the traffic to me.
>>>>> >
>>>>> > Here's the abuse form for online.net:
>>>>> > https://console.online.net/en/account/abuses/search
>>>>> >
>>>>> > By the way, if the fail2ban page on confluence needs updating, please
>>>>> > update it or list what's wrong with it. I do see it indicates to
>>>>> > create the jail.local and that's what you were missing for yours to
>>>>> > work properly.
>>>>> >
>>>>> >
>>>>> > --
>>>>> > -------
>>>>> > inum: 883510009027723
>>>>> > sip: jungleboogie at sip2sip.info <mailto:jungleboogie at sip2sip.info>
>>>>> >
>>>>> > ____________________________________________________________
>>>>> _____________
>>>>> > Professional FreeSWITCH Consulting Services:
>>>>> > consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>>>>> > http://www.freeswitchsolutions.com <http://www.freeswitchsolution
>>>>> s.com/>
>>>>> >
>>>>> > Official FreeSWITCH Sites
>>>>> > http://www.freeswitch.org <http://www.freeswitch.org/>
>>>>> > http://confluence.freeswitch.org <http://confluence.freeswitch.org/>
>>>>> > http://www.cluecon.com <http://www.cluecon.com/>
>>>>> >
>>>>> > FreeSWITCH-users mailing list
>>>>> > FreeSWITCH-users at lists.freeswitch.org
>>>>> > <mailto:FreeSWITCH-users at lists.freeswitch.org>
>>>>> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> > <http://lists.freeswitch.org/mailman/listinfo/freeswitch-users>
>>>>> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/free
>>>>> switch-users
>>>>> > <http://lists.freeswitch.org/mailman/options/freeswitch-users>
>>>>> > http://www.freeswitch.org <http://www.freeswitch.org/>
>>>>> >
>>>>> >
>>>>> >
>>>>> > --
>>>>> > Sincerely,
>>>>> > Don Hawkins
>>>>> > CEO
>>>>> > Hawkins Enterprise Group LLC
>>>>> > http://hawkinsegroup.com <http://hawkinsegroup.com/>
>>>>> > Zello PTT <http://zello.com/> : push2don
>>>>> > P: 469-214-5044
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> David Witham
>>> Senior Voice/Systems Engineer
>>>
>>> Netsip pty ltd – An Over the Wire Company
>>> Level 1, 24 Little Edward St, Spring Hill QLD 4000
>>>
>>> t    +61 1300 638 747
>>> e   david.witham at netsip.com.au    www.netsip.com.au
>>>
>>
>>
>>



-- 
Guillermo Ruiz Camauer
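A model of the two-part match described in the fail2ban wiki passage quoted above, as an added example (not code from fail2ban, mod_fail2ban, or anyone in this thread): it runs Guillermo's "A registration failed ... IP:<HOST>" filter over constructed mod_fail2ban lines with and without the Event-Date-Local prefix, and Don's freeswitch.log regex over a constructed freeswitch.log line. Assumptions: only the "YYYY-MM-DD HH:MM:SS" timestamp form is modelled, <HOST> is expanded to an IPv4-only pattern, and the addresses are documentation ranges rather than the ones in the thread.

```python
import re

# fail2ban matches a log line in two parts: a timestamp at the start of the
# line, then the filter's failregex against the remainder. This emulates that
# for one timestamp form, "YYYY-MM-DD HH:MM:SS", which is what FreeSWITCH's
# Event-Date-Local header and freeswitch.log both produce (assumption: real
# fail2ban recognises many more forms, none of which matter here).
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s*")

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4 only).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def compile_failregex(failregex):
    """Expand <HOST> and compile a filter's failregex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def match_line(line, failregex):
    """Return the host a line reports, or None. A line with no leading
    timestamp can never match, whatever the failregex says, and a leading ^
    in the failregex anchors right after the timestamp, not at the line start."""
    ts = TIMESTAMP_RE.match(line)
    if ts is None:
        return None
    m = failregex.search(line[ts.end():])
    return m.group("host") if m else None

def offending_hosts(lines, failregex, maxretry=3):
    """Hosts with at least maxretry matching lines (the jail's ban condition)."""
    counts = {}
    for line in lines:
        host = match_line(line, failregex)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, c in counts.items() if c >= maxretry)

# --- constructed sample data (documentation addresses, not real traffic) ---
MOD_FAIL2BAN_REGEX = r"A registration failed User:.* IP:<HOST>"

# What unpatched mod_fail2ban writes: no timestamp, so nothing ever matches.
LINES_NO_TS = [
    "A registration failed User:900972595225502 IP:203.0.113.5.",
    "A registration failed User:00972595225502 IP:203.0.113.5.",
    "A registration failed User:000972595225502 IP:203.0.113.5.",
]
# The same events once the Event-Date-Local prefix has been added.
LINES_TS = ["2016-09-23 19:42:0%d %s" % (i, msg) for i, msg in enumerate(LINES_NO_TS)]

# The freeswitch.log regex from the thread, anchored with ^: its leading \.\d+
# consumes the fractional seconds left over once the timestamp is matched.
FREESWITCH_LOG_REGEX = (r"^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure) "
                        r"\((REGISTER|INVITE)\) on sofia profile \'[^']+\' "
                        r"for \[.*\] from ip <HOST>$")
FREESWITCH_LOG_LINE = ("2016-09-11 03:22:10.123456 [WARNING] sofia_reg.c:1234 "
                       "SIP auth failure (REGISTER) on sofia profile 'internal' "
                       "for [1001@203.0.113.10] from ip 198.51.100.9")
```

Running offending_hosts over LINES_NO_TS yields nothing, the symptom Guillermo reported, while LINES_TS yields the single host after three failures, and the freeswitch.log line matches only because the timestamp is consumed before the ^-anchored regex is applied.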

