Difference between revisions of "Telephone system:fail2ban"

m (fixed logpath)
(Added unauthorized targeted call filter)
 
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
For the telephone system, apart from the (mild) default fail2ban freeswitch filter, two additional filters are created.
+
<onlyinclude>If you have a FreeSWITCH instance running on the public net, changes are people will try to exploit it.  Fail2ban tries to mitigate this.
Make sure the logpath is correct.
+
This is a re-attempt since the alternative [https://gist.github.com/xopr/9482982786fde3d21fcf5b3ada97a6ee perl autoblock script] would freeze/hang.
(Source: [http://wiki.freeswitch.org/wiki/Fail2ban http://wiki.freeswitch.org/wiki/Fail2ban]):
+
</onlyinclude>
  
'''/etc/fail2ban/filter.d/freeswitch-dos.conf'''
+
Forget the provided configs both of fail2ban and FreeSWITCH itself ([https://github.com/fail2ban/fail2ban/issues/2163 here is a defect] stating more or less the same): try these instead and keep an eye on the logs with <code>tail -f /var/log/fail2ban.log</code> for a while, together with a realtime FS log.
 +
Also, make sure the <code>logpath</code> is correct.
 +
 
 +
'''/etc/freeswitch/dialplan/public.xml''' before the subsirectory includes:
 +
<pre>
 +
<extension name="IP based call">
 +
  <condition field="${acl(${network_addr} trunks)}" expression="false"/>
 +
  <condition field="${sip_to_host}" expression="${local_ip_v4}">
 +
    <action application="log" data="WARNING IP based INVITE not from trunk ${network_addr}"/>
 +
    <action application="respond" data="403"/>
 +
  </condition>
 +
</extension>
 +
 
 +
<extension name="Vicious scanners">
 +
  <condition field="${acl(${network_addr} trunks)}" expression="false"/>
 +
  <condition regex="any">
 +
    <regex field="${sip_to_host}" expression="1\.1\.1\.1"/>
 +
    <regex field="${sip_user_agent}" expression="friendly-scanner"/>
 +
    <action application="log" data="WARNING vicious INVITE not from trunk ${network_addr}"/>
 +
    <action application="respond" data="488"/>
 +
  </condition>
 +
</extension>
 +
</pre>
 +
 
 +
And after <code><X-PRE-PROCESS cmd="include" data="public/*.xml"/></code>, you can place the following
 +
(note that this only applies to setups that allow certain public extensions/incoming trunks while also having (dynamic IP) users logged into their extension remotely (gained access by responding to the <code>407 Proxy authentication required</code>):
 +
<pre>
 +
<extension name="check_auth" continue="true">
 +
  <condition field="${sip_authorized}" expression="^true$" break="never">
 +
    <anti-action application="log" data="WARNING flag unauthorized: ${network_addr} (from ${sip_from_uri} to ${sip_to_uri})"/>
 +
    <anti-action application="respond" data="407"/>
 +
  </condition>
 +
</extension>
 +
</pre>
 +
 
 +
'''/etc/fail2ban/filter.d/freeswitch.conf'''
 +
<pre>
 +
Definition]
 +
# NOTE: don't trigger on challenge, only failure
 +
failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth failure \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
 +
            ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
 +
ignoreregex =
 +
</pre>
 +
 
 +
'''/etc/fail2ban/filter.d/freeswitch-ip.conf'''
 
<pre>
 
<pre>
 
[Definition]
 
[Definition]
failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>
+
# Remote is calling us by IP in stead of name
 +
failregex = ^.*(IP based|vicious) INVITE not from trunk <HOST>$
 
ignoreregex =
 
ignoreregex =
 
</pre>
 
</pre>
  
'''/etc/fail2ban/filter.d/freeswitch-ip.conf'''
+
 
 +
'''/etc/fail2ban/filter.d/freeswitch-reg-dos.conf'''
 
<pre>
 
<pre>
 
[Definition]
 
[Definition]
failregex = \[DEBUG\] sofia_reg\.c:\d+ sofia\/external\/.+@\d+\.\d+\.\d+\.\d+\ receiving invite from <HOST> version
+
# Remote is trying to call without permission
 +
failregex = \[WARNING\] mod_dptools\.c:\d+ flag unauthorized: <HOST> \(from [^ ]* to [^ ]*\)$
 
ignoreregex =
 
ignoreregex =
 
</pre>
 
</pre>
 +
  
 
'''/etc/fail2ban/jail.local'''
 
'''/etc/fail2ban/jail.local'''
Line 24: Line 72:
 
filter  = freeswitch
 
filter  = freeswitch
 
logpath  = /var/log/freeswitch/freeswitch.log
 
logpath  = /var/log/freeswitch/freeswitch.log
maxretry = 10
+
maxretry = 4 ; for a total of five failures
 +
findtime = 3600
 +
bantime  = 28800 ; 1200=20m, 7200=2h, 28800=8h
 +
action = iptables-allports[name=freeswitch, protocol=all]
 +
 
 +
[freeswitch-ip]
 +
enabled  = true
 +
port    = 5060,5061,5080,5081
 +
filter  = freeswitch-ip
 +
logpath  = /var/log/freeswitch/freeswitch.log
 +
findtime = 300
 +
maxretry = 0
 
# ban for a week
 
# ban for a week
 
bantime  = 604800
 
bantime  = 604800
 
action  = iptables-allports[name=freeswitch, protocol=all]
 
action  = iptables-allports[name=freeswitch, protocol=all]
  
[freeswitch-dos]
+
[freeswitch-reg-dos]
enabled = true
+
enabled  = true
port = 5060,5061,5080,5081
 
filter = freeswitch-dos
 
logpath = /var/log/freeswitch/freeswitch.log
 
action = iptables-allports[name=freeswitch-dos, protocol=all]
 
maxretry = 20
 
findtime = 120
 
# ban for 24 hours
 
bantime  = 86400
 
 
 
[freeswitch-ip]
 
enabled  = false
 
 
port    = 5060,5061,5080,5081
 
port    = 5060,5061,5080,5081
filter  = freeswitch
+
filter  = freeswitch-reg
 
logpath  = /var/log/freeswitch/freeswitch.log
 
logpath  = /var/log/freeswitch/freeswitch.log
maxretry = 2
+
findtime = 3600
 +
maxretry = 10
 
# ban for a week
 
# ban for a week
 
bantime  = 604800
 
bantime  = 604800
Line 63: Line 112:
 
</pre>
 
</pre>
  
[[Category:Telephony]]
+
Apply the new config with <code>service fail2ban reload</code> and <code>fs_cli -x reloadxml</code>
 +
 
 +
[[Category:Telephony]][[Category:Telephone snippet]][[Category:FreeSWITCH]]
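Review bot: In the new `[freeswitch-reg-dos]` jail the line `filter  = freeswitch-reg` names a filter that exists nowhere on this page; the filter file added in this revision is freeswitch-reg-dos.conf, so fail2ban will fail to load that jail until the line reads `filter  = freeswitch-reg-dos`. The new freeswitch.conf listing also opens with `Definition]` instead of `[Definition]`, which the config reader will most likely reject. All three jails now pass `name=freeswitch` to iptables-allports, so they share a single iptables chain and stopping any one jail removes the chain the other two rely on; giving each jail its own name (`name=freeswitch-ip`, `name=freeswitch-reg-dos`) avoids that. The wiki diff only shows jail.local from its line 24 onward, so the settings above that (and the `[DEFAULT]` block) could not be checked here.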

Latest revision as of 10:15, 23 December 2020

If you have a FreeSWITCH instance running on the public net, chances are people will try to exploit it. Fail2ban tries to mitigate this. This is a re-attempt since the alternative perl autoblock script would freeze/hang.


Forget the configs provided by both fail2ban and FreeSWITCH itself (here is a defect stating more or less the same): use the ones below instead, and keep an eye on the logs with tail -f /var/log/fail2ban.log for a while, together with a realtime FS log. Also, make sure the logpath is correct.

/etc/freeswitch/dialplan/public.xml, before the subdirectory includes:

<!-- Reject INVITEs addressed to our bare IP address when the caller is not in
     the "trunks" ACL. The WARNING line logged here is what
     filter.d/freeswitch-ip.conf matches on (<HOST> = ${network_addr}). -->
<extension name="IP based call">
  <!-- caller's network address is NOT covered by the "trunks" ACL
       (a false result here ends the extension: default break=on-false) -->
  <condition field="${acl(${network_addr} trunks)}" expression="false"/>
  <!-- the To host is our own IPv4 address rather than a name -->
  <condition field="${sip_to_host}" expression="${local_ip_v4}">
    <action application="log" data="WARNING IP based INVITE not from trunk ${network_addr}"/>
    <action application="respond" data="403"/>
  </condition>
</extension>

<!-- Reject INVITEs that look like scanner probes when the caller is not in the
     "trunks" ACL: a To host matching 1.1.1.1, or a "friendly-scanner" User-Agent.
     The WARNING line logged here is what filter.d/freeswitch-ip.conf matches on. -->
<extension name="Vicious scanners">
  <!-- caller's network address is NOT covered by the "trunks" ACL -->
  <condition field="${acl(${network_addr} trunks)}" expression="false"/>
  <!-- regex="any": the actions run if at least one <regex> below matches.
       Both expressions are unanchored regexes, so they match as substrings. -->
  <condition regex="any">
    <regex field="${sip_to_host}" expression="1\.1\.1\.1"/>
    <regex field="${sip_user_agent}" expression="friendly-scanner"/>
    <action application="log" data="WARNING vicious INVITE not from trunk ${network_addr}"/>
    <action application="respond" data="488"/>
  </condition>
</extension>

And after <X-PRE-PROCESS cmd="include" data="public/*.xml"/> you can place the following. Note that this only applies to setups that allow certain public extensions/incoming trunks while also having (dynamic IP) users registered to their extension remotely, i.e. users who gained access by answering the 407 Proxy authentication required challenge:

<!-- Placed after the public/*.xml includes. If the INVITE was not authenticated
     (${sip_authorized} is not "true") the anti-actions log the source address,
     which filter.d/freeswitch-reg-dos.conf picks up, and answer with 407.
     continue="true": dialplan parsing goes on to later extensions after this one. -->
<extension name="check_auth" continue="true">
  <!-- break="never": evaluate the condition but never stop the extension on its result -->
  <condition field="${sip_authorized}" expression="^true$" break="never">
    <!-- anti-actions run only when the condition does NOT match -->
    <anti-action application="log" data="WARNING flag unauthorized: ${network_addr} (from ${sip_from_uri} to ${sip_to_uri})"/>
    <anti-action application="respond" data="407"/>
  </condition>
</extension>

/etc/fail2ban/filter.d/freeswitch.conf

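# /etc/fail2ban/filter.d/freeswitch.conf
# Matches FreeSWITCH SIP authentication failures and lookups of unknown users
# in the FreeSWITCH log; <HOST> captures the offending IP address.
[Definition]
# NOTE: don't trigger on challenge, only failure
# NOTE(review): the leading "\.\d+" presumably is the fractional-seconds tail of
# the FreeSWITCH timestamp left over after fail2ban's date detection; confirm
# against a real log line if the filter never matches.
failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth failure \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
            ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
ignoreregex =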

/etc/fail2ban/filter.d/freeswitch-ip.conf

# /etc/fail2ban/filter.d/freeswitch-ip.conf
# Matches the WARNING lines the "IP based call" and "Vicious scanners"
# dialplan extensions in public.xml log before responding 403 / 488.
[Definition]
# Remote is calling us by IP instead of name, or matched the scanner patterns
failregex = ^.*(IP based|vicious) INVITE not from trunk <HOST>$
ignoreregex =


/etc/fail2ban/filter.d/freeswitch-reg-dos.conf

# /etc/fail2ban/filter.d/freeswitch-reg-dos.conf
# Matches the "flag unauthorized" WARNING that the check_auth extension in
# public.xml logs when ${sip_authorized} is not true; <HOST> is ${network_addr}.
[Definition]
# Remote is trying to call without permission
failregex = \[WARNING\] mod_dptools\.c:\d+ flag unauthorized: <HOST> \(from [^ ]* to [^ ]*\)$
ignoreregex =


/etc/fail2ban/jail.local

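# /etc/fail2ban/jail.local: FreeSWITCH jails.
# Full-line "#" comments only; all times are in seconds.
# Every jail uses iptables-allports, so "port" is informational only and each
# jail needs its own "name=" so the jails do not share one iptables chain
# (stopping a jail flushes and deletes the chain named after it).

[freeswitch]
enabled  = true
port     = 5060,5061,5080,5081
filter   = freeswitch
logpath  = /var/log/freeswitch/freeswitch.log
# 4 retries: banned on the fifth failure within findtime
maxretry = 4
findtime = 3600
# 1200=20m, 7200=2h, 28800=8h
bantime  = 28800
action   = iptables-allports[name=freeswitch, protocol=all]

[freeswitch-ip]
enabled  = true
port     = 5060,5061,5080,5081
filter   = freeswitch-ip
logpath  = /var/log/freeswitch/freeswitch.log
findtime = 300
# NOTE(review): 0 is meant as "ban on the first match"; confirm the installed
# fail2ban version treats 0 that way, otherwise use 1.
maxretry = 0
# ban for a week
bantime  = 604800
action   = iptables-allports[name=freeswitch-ip, protocol=all]

[freeswitch-reg-dos]
enabled  = true
port     = 5060,5061,5080,5081
# must match the file name filter.d/freeswitch-reg-dos.conf
filter   = freeswitch-reg-dos
logpath  = /var/log/freeswitch/freeswitch.log
findtime = 3600
maxretry = 10
# ban for a week
bantime  = 604800
action   = iptables-allports[name=freeswitch-reg-dos, protocol=all]

[DEFAULT]
# Fallback values for every jail above that does not set the key itself.
# Considered safe, never banned:
# kingofdos.eu 185.66.250.17
# kingofdos.eu 91.218.127.87
# kingofdos.eu 164.138.31.26
# sip.speakup.nl 193.169.138.26
# sip.speakup.nl 193.169.139.26
# self: 666.666.666.666 (placeholder, replace with this host's public address)
ignoreip = 127.0.0.1/8 185.66.250.17 91.218.127.87 164.138.31.26 193.169.138.26 193.169.139.26 666.666.666.666
bantime  = 600
maxretry = 3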

Apply the new config with service fail2ban reload and fs_cli -x reloadxml.