Difference between revisions of "Telephone system:fail2ban"
m (added category) |
(added user registration (dos) rules) |
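--- a/Telephone system:fail2ban
+++ b/Telephone system:fail2ban
@@ -10,4 +10,11 @@
 [Definition]
 failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>
+ignoreregex =
+</pre>
+
+'''/etc/fail2ban/filter.d/freeswitch-reg.conf'''
+<pre>
+[Definition]
+failregex = \[WARNING\] sofia_reg\.c:\d+ Can't find user \[.+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
 ignoreregex =
 </pre>
@@ -42,3 +49,25 @@
 # ban for 24 hours
 bantime = 86400
+
+[freeswitch-reg]
+enabled = true
+port = 5060,5061,5080,5081
+filter = freeswitch-reg
+logpath = /var/log/freeswitch/freeswitch.log
+findtime = 60
+maxretry = 3
+# ban for 10 minutes
+bantime = 600
+action = iptables-allports[name=freeswitch, protocol=all]
+
+[freeswitch-reg-dos]
+enabled = true
+port = 5060,5061,5080,5081
+filter = freeswitch-reg
+logpath = /var/log/freeswitch/freeswitch.log
+findtime = 3600
+maxretry = 10
+# ban for a week
+bantime = 604800
+action = iptables-allports[name=freeswitch, protocol=all]
 [freeswitch-ip]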
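Review bot: Both added jails set `action = iptables-allports[name=freeswitch, protocol=all]`, reusing the action name of the existing `[freeswitch]` jail, so the 10-minute bans of `[freeswitch-reg]` and the one-week bans of `[freeswitch-reg-dos]` land in the same iptables chain as that jail's. fail2ban's iptables actions build the chain from `name`, so stopping or reloading any one of these jails flushes the bans placed by the others, and a jail that starts later tries to create a chain that already exists. Give each jail its own name, as the `[freeswitch-dos]` jail further down the page already does: `name=freeswitch-reg` and `name=freeswitch-reg-dos`. The new failregex also requires four dot-separated digit groups after the `@`, so entries whose domain part is a hostname will presumably not be counted; a one-line comment above the filter saying so would help.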
Revision as of 12:30, 14 February 2018
If you have a FreeSWITCH instance running on the public net, chances are people will try to exploit it. Fail2ban tries to mitigate this.
For the telephone system, apart from the (mild) default fail2ban freeswitch filter, two additional filters are created.
Make sure the logpath is correct.
(Source: http://wiki.freeswitch.org/wiki/Fail2ban):
/etc/fail2ban/filter.d/freeswitch-dos.conf
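# fail2ban filter: matches the WARNING that sofia_reg.c logs for a SIP auth
# challenge on a REGISTER and reports the address after "from ip" as <HOST>.

[Definition]
# The dot in "sofia_reg\.c" is escaped so that it matches a literal dot only,
# in line with the other FreeSWITCH filters on this page.
# NOTE(review): nothing anchors the pattern after <HOST>, and the bracketed
# field before it accepts any text. If the log line always ends with the
# address, ending the pattern with "$" would be stricter - confirm against
# real log lines before changing it.
failregex = \[WARNING\] sofia_reg\.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>
ignoreregex =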
/etc/fail2ban/filter.d/freeswitch-reg.conf
# fail2ban filter: matches the "Can't find user" WARNING written by sofia_reg.c.
# <HOST> is the address that ends the log line; the pattern is anchored with "$".
# Only entries whose part after the "@" is four dot-separated groups of digits
# match, so a hostname in that position is not counted.

[Definition]
failregex = \[WARNING\] sofia_reg\.c:\d+ Can't find user \[.+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
ignoreregex =
/etc/fail2ban/filter.d/freeswitch-ip.conf
# fail2ban filter: matches the DEBUG line from sofia_reg.c that contains
# "sofia/external/<something>@<digits.digits.digits.digits> receiving invite from",
# and reports the address between "from" and "version" as <HOST>.
# NOTE(review): presumably this line is only written when FreeSWITCH logs at
# DEBUG level - confirm before relying on this filter.
# NOTE(review): the [freeswitch-ip] jail shown on this page sets
# "filter = freeswitch", not "freeswitch-ip" - verify which one is intended.

[Definition]
failregex = \[DEBUG\] sofia_reg\.c:\d+ sofia\/external\/.+@\d+\.\d+\.\d+\.\d+\ receiving invite from <HOST> version
ignoreregex =
/etc/fail2ban/jail.local
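# fail2ban jails for FreeSWITCH.
# Every jail has its own action name. fail2ban's iptables actions build the
# chain from "name", so jails that share a name share a chain, and stopping or
# reloading one of them flushes the bans placed by the others.

[freeswitch]
enabled = true
port = 5060,5061,5080,5081
filter = freeswitch
logpath = /var/log/freeswitch/freeswitch.log
maxretry = 10
# ban for a week
bantime = 604800
action = iptables-allports[name=freeswitch, protocol=all]

[freeswitch-dos]
enabled = true
port = 5060,5061,5080,5081
filter = freeswitch-dos
logpath = /var/log/freeswitch/freeswitch.log
action = iptables-allports[name=freeswitch-dos, protocol=all]
maxretry = 20
findtime = 120
# ban for 24 hours
bantime = 86400

# Short ban: 3 matches of the freeswitch-reg filter within 60 seconds.
[freeswitch-reg]
enabled = true
port = 5060,5061,5080,5081
filter = freeswitch-reg
logpath = /var/log/freeswitch/freeswitch.log
findtime = 60
maxretry = 3
# ban for 10 minutes
bantime = 600
action = iptables-allports[name=freeswitch-reg, protocol=all]

# Long ban: 10 matches of the same filter within 3600 seconds.
[freeswitch-reg-dos]
enabled = true
port = 5060,5061,5080,5081
filter = freeswitch-reg
logpath = /var/log/freeswitch/freeswitch.log
findtime = 3600
maxretry = 10
# ban for a week
bantime = 604800
action = iptables-allports[name=freeswitch-reg-dos, protocol=all]

# NOTE(review): this jail is disabled and sets "filter = freeswitch" although a
# freeswitch-ip filter is defined on this page - verify the filter before
# enabling it.
[freeswitch-ip]
enabled = false
port = 5060,5061,5080,5081
filter = freeswitch
logpath = /var/log/freeswitch/freeswitch.log
maxretry = 2
# ban for a week
bantime = 604800
action = iptables-allports[name=freeswitch-ip, protocol=all]

[DEFAULT]
# Addresses in ignoreip are never banned, so keep the list to hosts you control
# or trust.
# Considered safe
# kingofdos.eu 185.66.250.17
# kingofdos.eu 91.218.127.87
# kingofdos.eu 164.138.31.26
# sip.speakup.nl 193.169.138.26
# sip.speakup.nl 193.169.139.26
# self: 666.666.666.666
# 666.666.666.666 is not a valid IPv4 address; it presumably stands in for your
# own address - replace it before use.
ignoreip = 127.0.0.1/8 185.66.250.17 91.218.127.87 164.138.31.26 193.169.138.26 193.169.139.26 666.666.666.666
bantime = 600
maxretry = 3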