Difference between revisions of "Telephone system:fail2ban"
Revision as of 15:52, 4 December 2019
If you have a FreeSWITCH instance running on the public net, chances are people will try to exploit it. Fail2ban tries to mitigate this. This is a re-attempt since the alternative perl autoblock script would freeze/hang.
Forget the configs shipped with both fail2ban and FreeSWITCH itself (here is a defect stating more or less the same): try the ones below instead and keep an eye on the logs with <code>tail -f /var/log/fail2ban.log</code> for a while, together with a realtime FS log. Also make sure the <code>logpath</code> in jail.local is correct for your installation.
/etc/freeswitch/dialplan/public.xml, before the subdirectory includes:
<pre>
<extension name="IP based call">
  <condition field="${acl(${network_addr} trunks)}" expression="false"/>
  <condition field="${sip_to_host}" expression="${local_ip_v4}">
    <action application="log" data="WARNING IP based INVITE not from trunk ${network_addr}"/>
    <action application="respond" data="403"/>
  </condition>
</extension>

<extension name="Vicious scanners">
  <condition field="${acl(${network_addr} trunks)}" expression="false"/>
  <condition regex="any">
    <regex field="${sip_to_host}" expression="1\.1\.1\.1"/>
    <regex field="${sip_user_agent}" expression="friendly-scanner"/>
    <action application="log" data="WARNING vicious INVITE not from trunk ${network_addr}"/>
    <action application="respond" data="488"/>
  </condition>
</extension>
</pre>
/etc/fail2ban/filter.d/freeswitch.conf
<pre>
[Definition]
# NOTE: don't trigger on challenge, only failure
failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth failure \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
            ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
ignoreregex =
</pre>
/etc/fail2ban/filter.d/freeswitch-ip.conf
<pre>
[Definition]
# Remote is calling us by IP instead of name
failregex = ^.*(IP based|vicious) INVITE not from trunk <HOST>$
ignoreregex =
</pre>
/etc/fail2ban/jail.local
<pre>
[freeswitch]
enabled = true
port = 5060,5061,5080,5081
filter = freeswitch
logpath = /var/log/freeswitch/freeswitch.log
maxretry = 4 ; for a total of five failures
findtime = 3600
bantime = 28800 ; 1200=20m, 7200=2h, 28800=8h
action = iptables-allports[name=freeswitch, protocol=all]

[freeswitch-ip]
enabled = true
port = 5060,5061,5080,5081
filter = freeswitch-ip
logpath = /var/log/freeswitch/freeswitch.log
findtime = 300
maxretry = 0
# ban for a week
bantime = 604800
; unique name, so this jail gets its own iptables chain instead of sharing the one above
action = iptables-allports[name=freeswitch-ip, protocol=all]

[DEFAULT]
# Considered safe
# kingofdos.eu 185.66.250.17
# kingofdos.eu 91.218.127.87
# kingofdos.eu 164.138.31.26
# sip.speakup.nl 193.169.138.26
# sip.speakup.nl 193.169.139.26
# self: 666.666.666.666
ignoreip = 127.0.0.1/8 185.66.250.17 91.218.127.87 164.138.31.26 193.169.138.26 193.169.139.26 666.666.666.666
bantime = 600
maxretry = 3
</pre>
Apply the new config with <code>service fail2ban reload</code> and <code>fs_cli -x reloadxml</code>.
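To check that the two filters above match what FreeSWITCH actually writes, here is an added Python script (not from this wiki page, fail2ban or FreeSWITCH) that replays constructed log lines through the page's failregex patterns and the maxretry values from jail.local, much like fail2ban-regex does on a live host. The sample log lines, the simplified timestamp stripping and the ban-threshold rule are assumptions made for the example.

```python
import re
from collections import defaultdict

# Filters copied from the page's filter.d files, with fail2ban's <HOST> placeholder expanded to an IPv4 group.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FILTERS = {
    "freeswitch": [
        r"^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth failure \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$",
        r"^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$",
    ],
    "freeswitch-ip": [r"^.*(IP based|vicious) INVITE not from trunk <HOST>$"],
}
COMPILED = {j: [re.compile(p.replace("<HOST>", HOST)) for p in ps] for j, ps in FILTERS.items()}
MAXRETRY = {"freeswitch": 4, "freeswitch-ip": 0}   # from the page's jail.local

# fail2ban strips the timestamp it recognises before trying failregex; the page's "^\.\d+" anchor
# expects the fractional seconds to be left behind, which this reproduces (assumption; verify with fail2ban-regex).
TIMESTAMP = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d")

def match_line(line):
    """Return (jail, host) for the first filter that matches the line, else None."""
    rest = TIMESTAMP.sub("", line.rstrip("\n"), count=1)
    for jail, regexes in COMPILED.items():
        for rx in regexes:
            m = rx.search(rest)
            if m:
                return jail, m.group("host")
    return None

def bans(lines):
    """Replay lines; a host is banned once its hit count reaches the jail's maxretry (findtime ignored)."""
    hits = defaultdict(int)
    for line in lines:
        hit = match_line(line)
        if hit:
            hits[hit] += 1
    return sorted(k for k, n in hits.items() if n >= MAXRETRY[k[0]])

# Constructed sample lines (not real traffic): four auth failures from one scanner, an IP-based INVITE
# from another, and an auth challenge that the filter must ignore.
SAMPLE = [
    "2019-12-04 15:52:01.123456 [WARNING] sofia_reg.c:1772 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@203.0.113.10] from ip 198.51.100.7",
    "2019-12-04 15:52:02.123456 [WARNING] sofia_reg.c:1772 SIP auth failure (INVITE) on sofia profile 'external' for [100@203.0.113.10] from ip 198.51.100.7",
    "2019-12-04 15:52:03.123456 [WARNING] sofia_reg.c:1772 Can't find user [100@203.0.113.10] from 198.51.100.7",
    "2019-12-04 15:52:04.123456 [WARNING] sofia_reg.c:1772 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1001@203.0.113.10] from ip 198.51.100.7",
    "2019-12-04 15:52:05.123456 [WARNING] sofia_reg.c:1772 SIP auth failure (REGISTER) on sofia profile 'internal' for [1002@203.0.113.10] from ip 198.51.100.7",
    "2019-12-04 15:52:06.123456 [WARNING] mod_dptools.c:1874 IP based INVITE not from trunk 198.51.100.9",
]
```

Running `bans(SAMPLE)` should list both scanners; if a real log line from `/var/log/freeswitch/freeswitch.log` comes back as `None` from `match_line`, the filter (or the timestamp handling) needs adjusting before relying on the jail.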