Difference between revisions of "Telephone system:fail2ban"
m (fixed logpath) |
(Added unauthorized targeted call filter) |
||
(6 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | + | <onlyinclude>If you have a FreeSWITCH instance running on the public net, changes are people will try to exploit it. Fail2ban tries to mitigate this. | |
− | + | This is a re-attempt since the alternative [https://gist.github.com/xopr/9482982786fde3d21fcf5b3ada97a6ee perl autoblock script] would freeze/hang. | |
− | + | </onlyinclude> | |
− | '''/etc/fail2ban/filter.d/freeswitch- | + | Forget the provided configs both of fail2ban and FreeSWITCH itself ([https://github.com/fail2ban/fail2ban/issues/2163 here is a defect] stating more or less the same): try these instead and keep an eye on the logs with <code>tail -f /var/log/fail2ban.log</code> for a while, together with a realtime FS log. |
+ | Also, make sure the <code>logpath</code> is correct. | ||
+ | |||
+ | '''/etc/freeswitch/dialplan/public.xml''' before the subsirectory includes: | ||
+ | <pre> | ||
+ | <extension name="IP based call"> | ||
+ | <condition field="${acl(${network_addr} trunks)}" expression="false"/> | ||
+ | <condition field="${sip_to_host}" expression="${local_ip_v4}"> | ||
+ | <action application="log" data="WARNING IP based INVITE not from trunk ${network_addr}"/> | ||
+ | <action application="respond" data="403"/> | ||
+ | </condition> | ||
+ | </extension> | ||
+ | |||
+ | <extension name="Vicious scanners"> | ||
+ | <condition field="${acl(${network_addr} trunks)}" expression="false"/> | ||
+ | <condition regex="any"> | ||
+ | <regex field="${sip_to_host}" expression="1\.1\.1\.1"/> | ||
+ | <regex field="${sip_user_agent}" expression="friendly-scanner"/> | ||
+ | <action application="log" data="WARNING vicious INVITE not from trunk ${network_addr}"/> | ||
+ | <action application="respond" data="488"/> | ||
+ | </condition> | ||
+ | </extension> | ||
+ | </pre> | ||
+ | |||
+ | And after <code><X-PRE-PROCESS cmd="include" data="public/*.xml"/></code>, you can place the following | ||
+ | (note that this only applies to setups that allow certain public extensions/incoming trunks while also having (dynamic IP) users logged into their extension remotely (gained access by responding to the <code>407 Proxy authentication required</code>): | ||
+ | <pre> | ||
+ | <extension name="check_auth" continue="true"> | ||
+ | <condition field="${sip_authorized}" expression="^true$" break="never"> | ||
+ | <anti-action application="log" data="WARNING flag unauthorized: ${network_addr} (from ${sip_from_uri} to ${sip_to_uri})"/> | ||
+ | <anti-action application="respond" data="407"/> | ||
+ | </condition> | ||
+ | </extension> | ||
+ | </pre> | ||
+ | |||
+ | '''/etc/fail2ban/filter.d/freeswitch.conf''' | ||
+ | <pre> | ||
+ | Definition] | ||
+ | # NOTE: don't trigger on challenge, only failure | ||
+ | failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth failure \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$ | ||
+ | ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$ | ||
+ | ignoreregex = | ||
+ | </pre> | ||
+ | |||
+ | '''/etc/fail2ban/filter.d/freeswitch-ip.conf''' | ||
<pre> | <pre> | ||
[Definition] | [Definition] | ||
− | failregex = | + | # Remote is calling us by IP in stead of name |
+ | failregex = ^.*(IP based|vicious) INVITE not from trunk <HOST>$ | ||
ignoreregex = | ignoreregex = | ||
</pre> | </pre> | ||
− | '''/etc/fail2ban/filter.d/freeswitch- | + | |
+ | '''/etc/fail2ban/filter.d/freeswitch-reg-dos.conf''' | ||
<pre> | <pre> | ||
[Definition] | [Definition] | ||
− | failregex = \[ | + | # Remote is trying to call without permission |
+ | failregex = \[WARNING\] mod_dptools\.c:\d+ flag unauthorized: <HOST> \(from [^ ]* to [^ ]*\)$ | ||
ignoreregex = | ignoreregex = | ||
</pre> | </pre> | ||
+ | |||
'''/etc/fail2ban/jail.local''' | '''/etc/fail2ban/jail.local''' | ||
Line 24: | Line 72: | ||
filter = freeswitch | filter = freeswitch | ||
logpath = /var/log/freeswitch/freeswitch.log | logpath = /var/log/freeswitch/freeswitch.log | ||
− | maxretry = | + | maxretry = 4 ; for a total of five failures |
+ | findtime = 3600 | ||
+ | bantime = 28800 ; 1200=20m, 7200=2h, 28800=8h | ||
+ | action = iptables-allports[name=freeswitch, protocol=all] | ||
+ | |||
+ | [freeswitch-ip] | ||
+ | enabled = true | ||
+ | port = 5060,5061,5080,5081 | ||
+ | filter = freeswitch-ip | ||
+ | logpath = /var/log/freeswitch/freeswitch.log | ||
+ | findtime = 300 | ||
+ | maxretry = 0 | ||
# ban for a week | # ban for a week | ||
bantime = 604800 | bantime = 604800 | ||
action = iptables-allports[name=freeswitch, protocol=all] | action = iptables-allports[name=freeswitch, protocol=all] | ||
− | [freeswitch- | + | [freeswitch-reg-dos] |
− | + | enabled = true | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | enabled = | ||
port = 5060,5061,5080,5081 | port = 5060,5061,5080,5081 | ||
− | filter = freeswitch | + | filter = freeswitch-reg |
logpath = /var/log/freeswitch/freeswitch.log | logpath = /var/log/freeswitch/freeswitch.log | ||
− | maxretry = | + | findtime = 3600 |
+ | maxretry = 10 | ||
# ban for a week | # ban for a week | ||
bantime = 604800 | bantime = 604800 | ||
Line 63: | Line 112: | ||
</pre> | </pre> | ||
− | [[Category:Telephony]] | + | Apply the new config with <code>service fail2ban reload</code> and <code>fs_cli -x reloadxml</code> |
+ | |||
+ | [[Category:Telephony]][[Category:Telephone snippet]][[Category:FreeSWITCH]] |
Latest revision as of 10:15, 23 December 2020
If you have a FreeSWITCH instance running on the public net, changes are people will try to exploit it. Fail2ban tries to mitigate this. This is a re-attempt since the alternative perl autoblock script would freeze/hang.
Forget the provided configs both of fail2ban and FreeSWITCH itself (here is a defect stating more or less the same): try these instead and keep an eye on the logs with tail -f /var/log/fail2ban.log
for a while, together with a realtime FS log.
Also, make sure the logpath
is correct.
/etc/freeswitch/dialplan/public.xml before the subsirectory includes:
<extension name="IP based call"> <condition field="${acl(${network_addr} trunks)}" expression="false"/> <condition field="${sip_to_host}" expression="${local_ip_v4}"> <action application="log" data="WARNING IP based INVITE not from trunk ${network_addr}"/> <action application="respond" data="403"/> </condition> </extension> <extension name="Vicious scanners"> <condition field="${acl(${network_addr} trunks)}" expression="false"/> <condition regex="any"> <regex field="${sip_to_host}" expression="1\.1\.1\.1"/> <regex field="${sip_user_agent}" expression="friendly-scanner"/> <action application="log" data="WARNING vicious INVITE not from trunk ${network_addr}"/> <action application="respond" data="488"/> </condition> </extension>
And after <X-PRE-PROCESS cmd="include" data="public/*.xml"/>
, you can place the following
(note that this only applies to setups that allow certain public extensions/incoming trunks while also having (dynamic IP) users logged into their extension remotely (gained access by responding to the 407 Proxy authentication required
):
<extension name="check_auth" continue="true"> <condition field="${sip_authorized}" expression="^true$" break="never"> <anti-action application="log" data="WARNING flag unauthorized: ${network_addr} (from ${sip_from_uri} to ${sip_to_uri})"/> <anti-action application="respond" data="407"/> </condition> </extension>
/etc/fail2ban/filter.d/freeswitch.conf
Definition] # NOTE: don't trigger on challenge, only failure failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth failure \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$ ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$ ignoreregex =
/etc/fail2ban/filter.d/freeswitch-ip.conf
[Definition] # Remote is calling us by IP in stead of name failregex = ^.*(IP based|vicious) INVITE not from trunk <HOST>$ ignoreregex =
/etc/fail2ban/filter.d/freeswitch-reg-dos.conf
[Definition] # Remote is trying to call without permission failregex = \[WARNING\] mod_dptools\.c:\d+ flag unauthorized: <HOST> \(from [^ ]* to [^ ]*\)$ ignoreregex =
/etc/fail2ban/jail.local
[freeswitch] enabled = true port = 5060,5061,5080,5081 filter = freeswitch logpath = /var/log/freeswitch/freeswitch.log maxretry = 4 ; for a total of five failures findtime = 3600 bantime = 28800 ; 1200=20m, 7200=2h, 28800=8h action = iptables-allports[name=freeswitch, protocol=all] [freeswitch-ip] enabled = true port = 5060,5061,5080,5081 filter = freeswitch-ip logpath = /var/log/freeswitch/freeswitch.log findtime = 300 maxretry = 0 # ban for a week bantime = 604800 action = iptables-allports[name=freeswitch, protocol=all] [freeswitch-reg-dos] enabled = true port = 5060,5061,5080,5081 filter = freeswitch-reg logpath = /var/log/freeswitch/freeswitch.log findtime = 3600 maxretry = 10 # ban for a week bantime = 604800 action = iptables-allports[name=freeswitch, protocol=all] [DEFAULT] # Considered safe # kingofdos.eu 185.66.250.17 # kingofdos.eu 91.218.127.87 # kingofdos.eu 164.138.31.26 # sip.speakup.nl 193.169.138.26 # sip.speakup.nl 193.169.139.26 # self: 666.666.666.666 ignoreip = 127.0.0.1/8 185.66.250.17 91.218.127.87 164.138.31.26 193.169.138.26 193.169.139.26 666.666.666.666 bantime = 600 maxretry = 3
Apply the new config with service fail2ban reload
and fs_cli -x reloadxml