[Freeswitch-users] Will fail2ban work for this?

Raúl Alexis Betancor Santana rbetancor at gmail.com
Wed Mar 17 06:58:32 UTC 2021


Switching the SIP port is not the solution; sooner or later, they will find
you.

The best approach is to use a combination of solutions, like a blacklist of
known hackers' IPs such as voipbl.org, a correctly set up fail2ban, putting
your FS behind a Kamailio with the pike module and other security measures, etc.

On Wed, Mar 17, 2021 at 2:19 AM Steven Schoch <
schoch+freeswitch.org at xwin32.com> wrote:

> I like your 2nd option. I always assumed 5080 was safe because it isn't
> the SIP port. It is listed as the "OnScreen Data Collection Service" in the
> official port number database (
> https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?&page=89),
> but I guess the hackers know the SIP people like to use it. I'll try
> switching to another port.
>
> --
> Steve
>
> On Tue, Mar 16, 2021 at 6:30 PM David Villasmil <
> david.villasmil.work at gmail.com> wrote:
>
>> It works, sure. But needs to be configured.
>>
>> https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban should
>> help you, especially the configuration part.
>>
>> For fail2ban to work, it needs to see a line in the logfile with the
>> originating IP address; for that to work on failed call attempts, you need
>> to add a specific failure log. Something like adding a catch-all extension
>> at the very end of the dialplan and logging the originating IP. Then grab
>> that with fail2ban.
>>
>> Something like:
>>
>> <extension name="catch-all">
>>   <condition field="destination_number" expression="^.*$">
>>     <condition field="${sip_authorized}" expression="^false$">
>>       <!-- In the dialplan the channel variable is ${sip_received_ip} (no variable_ prefix) -->
>>       <action application="log" data="CRIT caught ${sip_received_ip} trying to call."/>
>>       <action application="hangup" data=""/>
>>     </condition>
>>   </condition>
>> </extension>
>>
>> Then a regexp on *filter.d/freeswitch.local*
>>
>> [Definition]
>> # The log message above ends with a period, so the pattern has to match it
>> failregex = ^.* caught <HOST> trying to call\.$
>>
>> NOTE: I didn't test any of this, you'll need to test yourself, but it
>> should be a starting point.
>>
>>
>> Another option, which I like on top of the already mentioned, is to _not_
>> use a default port 5080, use something like 9909 (security by obscurity)
>>
>>
>>
>> Regards,
>>
>> David Villasmil
>> email: david.villasmil.work at gmail.com
>> phone: +34669448337
>>
>>
>> On Tue, Mar 16, 2021 at 11:40 PM Steven Schoch <
>> schoch+freeswitch.org at xwin32.com> wrote:
>>
>>> I just set up a new FreeSWITCH system on my home network, and set a
>>> forward for port 5080 to connect to Flowroute. While I'm debugging some
>>> call routing stuff, my logs are getting overrun with stuff like this:
>>>
>>> 2021-03-16 15:52:02.267501 [NOTICE] switch_channel.c:1118 New Channel sofia/external/7750@<my IP> [2de89b87-cd07-4c0f-b9fb-3da8e5a68d37]
>>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:585 (sofia/external/7750@<my IP>) Running State Change CS_NEW (Cur 1 Tot 7822)
>>> 2021-03-16 15:52:02.267501 [DEBUG] sofia.c:10280 sofia/external/7750@<my IP> receiving invite from 80.94.93.12:62635 version: 1.10.5 -release-17-25569c1631 64bit
>>> 2021-03-16 15:52:02.267501 [DEBUG] sofia.c:7326 Channel sofia/external/7750@<my IP> entering state [received][100]
>>> 2021-03-16 15:52:02.267501 [DEBUG] sofia.c:7336 Remote SDP:
>>> v=0
>>> o=- 81921704 81921704 IN IP4 0.0.0.0
>>> s=pplsip
>>> c=IN IP4 0.0.0.0
>>> t=0 0
>>> m=audio 7628 RTP/AVP 100 6 0 8 3 18 5 101
>>> a=rtpmap:100 speex/16000
>>> a=rtpmap:101 telephone-event/8000
>>> a=fmtp:101 0-11
>>> a=alt:1 1 : DF50DC48 0000001F 0.0.0.0 7628
>>>
>>> 2021-03-16 15:52:02.267501 [DEBUG] sofia.c:7739 (sofia/external/7750@<my IP>) State Change CS_NEW -> CS_INIT
>>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:604 (sofia/external/7750@<my IP>) State NEW
>>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:585 (sofia/external/7750@<my IP>) Running State Change CS_INIT (Cur 1 Tot 7822)
>>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:628 (sofia/external/7750@<my IP>) State INIT
>>> 2021-03-16 15:52:02.267501 [DEBUG] mod_sofia.c:93 sofia/external/7750@<my IP> SOFIA INIT
>>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:40 sofia/external/7750@<my IP> Standard INIT
>>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:48 (sofia/external/7750@<my IP>) State Change CS_INIT -> CS_ROUTING
>>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:628 (sofia/external/7750@<my IP>) State INIT going to sleep
>>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:585 (sofia/external/7750@<my IP>) Running State Change CS_ROUTING (Cur 1 Tot 7822)
>>> 2021-03-16 15:52:02.267501 [DEBUG] switch_channel.c:2332 (sofia/external/7750@<my IP>) Callstate Change DOWN -> RINGING
>>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:644 (sofia/external/7750@<my IP>) State ROUTING
>>> 2021-03-16 15:52:02.267501 [DEBUG] mod_sofia.c:154 sofia/external/7750@<my IP> SOFIA ROUTING
>>> 2021-03-16 15:52:02.267501 [DEBUG] switch_core_state_machine.c:236 sofia/external/7750@<my IP> Standard ROUTING
>>> 2021-03-16 15:52:02.267501 [INFO] mod_dialplan_xml.c:637 Processing 7750 <7750>->900442037697855 in context public
>>>
>>>
>>> I thought fail2ban was designed for stuff like this, but I don't see any
>>> auth attempts here (I set "log-auth-failures" to "true"). These are coming
>>> in a bit faster than 1 per second. It appears they are dialing random
>>> extensions. How can I make them stop?
>>>
>>> --
>>> Steve
>>> _________________________________________________________________________
>>>
>>> The FreeSWITCH project is sponsored by SignalWire https://signalwire.com
>>> Enhance your FreeSWITCH install with disruptive priced SMS and PSTN
>>> services.
>>> Build your next product on our scalable cloud platform.
>>>
>>> Join our online community to chat in real time
>>> https://signalwire.community
>>>
>>> Professional FreeSWITCH Services
>>> sales at freeswitch.com
>>> https://freeswitch.com
>>>
>>> Official FreeSWITCH Sites
>>> https://freeswitch.com/oss
>>> https://freeswitch.org/confluence
>>> https://cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> https://freeswitch.com
>>
>
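An added example (not from the thread, FreeSWITCH or fail2ban) that checks the "caught <HOST> trying to call" failregex discussed above against log lines and applies a maxretry/findtime threshold the way a jail would. The `<HOST>` expansion is simplified to IPv4, and the `[CRIT]` lines, their file/line field, timestamps and the two documentation-range addresses are constructed; the `[INFO]` line and 80.94.93.12 are taken from the quoted log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The dialplan log action in the thread writes "... trying to call." (with a period).
NO_DOT = r"^.* caught <HOST> trying to call$"
WITH_DOT = r"^.* caught <HOST> trying to call\.$"

# Constructed log lines in the timestamp / [LEVEL] / file:line layout shown in the thread.
SAMPLE_LOG = [
    "2021-03-16 15:40:00.000000 [CRIT] mod_dptools.c:1879 caught 198.51.100.9 trying to call.",
    "2021-03-16 15:45:00.000000 [CRIT] mod_dptools.c:1879 caught 198.51.100.9 trying to call.",
    "2021-03-16 15:50:00.000000 [CRIT] mod_dptools.c:1879 caught 198.51.100.9 trying to call.",
    "2021-03-16 15:52:02.267501 [INFO] mod_dialplan_xml.c:637 Processing 7750 <7750>->900442037697855 in context public",
    "2021-03-16 15:52:02.300000 [CRIT] mod_dptools.c:1879 caught 80.94.93.12 trying to call.",
    "2021-03-16 15:52:03.100000 [CRIT] mod_dptools.c:1879 caught 80.94.93.12 trying to call.",
    "2021-03-16 15:52:04.000000 [CRIT] mod_dptools.c:1879 caught 203.0.113.7 trying to call.",
    "2021-03-16 15:52:04.900000 [CRIT] mod_dptools.c:1879 caught 80.94.93.12 trying to call.",
]

def offenders(lines, failregex, maxretry=3, findtime=60):
    """Return IPs with at least maxretry matching lines within findtime seconds."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    recent = defaultdict(list)  # ip -> timestamps still inside the window
    banned = []
    for line in lines:
        m = rx.search(line)
        if not m:
            continue  # line does not look like a logged failure
        ts = datetime.strptime(line[:26], "%Y-%m-%d %H:%M:%S.%f")
        ip = m.group("host")
        # Drop hits older than findtime, then record this one.
        recent[ip] = [t for t in recent[ip] if ts - t <= timedelta(seconds=findtime)]
        recent[ip].append(ts)
        if len(recent[ip]) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

if __name__ == "__main__":
    print("pattern without \\.:", offenders(SAMPLE_LOG, NO_DOT))
    print("pattern with \\.   :", offenders(SAMPLE_LOG, WITH_DOT))
    print("findtime=900       :", offenders(SAMPLE_LOG, WITH_DOT, findtime=900))
```

On a live system, `fail2ban-regex <logfile> <filter file>` runs the same kind of check with fail2ban's own `<HOST>` and date handling.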