Telephone system:fail2ban

From Hackerspace ACKspace

If you have a FreeSWITCH instance running on the public net, chances are people will try to exploit it. Fail2ban tries to mitigate this. This is a second attempt, since the alternative Perl autoblock script would freeze/hang.

Forget the configs provided by both fail2ban and FreeSWITCH itself (here is a defect stating more or less the same): try these instead, and keep an eye on the logs with tail -f /var/log/fail2ban.log for a while, together with a realtime FreeSWITCH log. Also, make sure the logpath is correct.

/etc/freeswitch/dialplan/public.xml, before the subdirectory includes:

<!-- INVITEs addressed to our IP address (not our name) from anything outside the trunks ACL -->
<extension name="IP based call">
  <!-- ${acl(...)} evaluates to "true" or "false"; the extension stops here for known trunks -->
  <condition field="${acl(${network_addr} trunks)}" expression="false"/>
  <condition field="${sip_to_host}" expression="${local_ip_v4}">
    <action application="log" data="WARNING IP based INVITE not from trunk ${network_addr}"/>
    <action application="respond" data="403"/>
  </condition>
</extension>

<extension name="Vicious scanners">
  <condition field="${acl(${network_addr} trunks)}" expression="false"/>
  <!-- regex="any": the actions run when either nested regex matches -->
  <condition regex="any">
    <regex field="${sip_to_host}" expression="1\.1\.1\.1"/>
    <regex field="${sip_user_agent}" expression="friendly-scanner"/>
    <action application="log" data="WARNING vicious INVITE not from trunk ${network_addr}"/>
    <action application="respond" data="488"/>
  </condition>
</extension>


/etc/fail2ban/filter.d/freeswitch.conf (replaces the filter that ships with fail2ban):

[Definition]
# NOTE: don't trigger on challenge, only failure
failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth failure \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
            ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
ignoreregex =


/etc/fail2ban/filter.d/freeswitch-ip.conf:

[Definition]
# Remote is calling us by IP instead of by name (the log lines written by the dialplan above)
failregex = ^.*(IP based|vicious) INVITE not from trunk <HOST>$
ignoreregex =
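To check that the two filters pick up exactly the intended lines (in particular that an auth challenge does not count as a failure, and that the dialplan's log lines are caught by the second filter), here is an added Python example. It is not code from this page or from fail2ban: it replays the page's failregex lines over constructed FreeSWITCH log lines. The <HOST> expansion, the timestamp stripping and the maxretry handling are simplified stand-ins for what fail2ban does internally and are labelled as assumptions in the code.

```python
import re

# Added example: replays the page's two fail2ban filters over constructed
# FreeSWITCH log lines. Not code from the ACKspace page or from fail2ban.

# fail2ban replaces <HOST> with its own IP/hostname pattern; this IPv4-only
# stand-in is an assumption made to keep the example self-contained.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex lines from filter.d/freeswitch.conf on the page
FREESWITCH_REGEX = [
    r"^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth failure \((REGISTER|INVITE)\)"
    r" on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$",
    r"^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$",
]
# failregex line from filter.d/freeswitch-ip.conf on the page
FREESWITCH_IP_REGEX = [
    r"^.*(IP based|vicious) INVITE not from trunk <HOST>$",
]

# fail2ban removes the timestamp it recognises ("YYYY-MM-DD HH:MM:SS") before
# matching; FreeSWITCH appends microseconds, so what is left starts with
# ".123456", which is why the page's regexes begin with ^\.\d+
DATE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def compile_filter(patterns):
    """Expand <HOST> and compile each failregex, as fail2ban does when loading a filter."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def match_host(line, compiled):
    """Return the offending host when any failregex matches the line, else None."""
    rest = DATE.sub("", line, count=1)
    for rx in compiled:
        m = rx.search(rest)
        if m:
            return m.group("host")
    return None


def count_failures(lines, compiled):
    """Map host -> number of matching lines, i.e. what fail2ban counts within findtime."""
    counts = {}
    for line in lines:
        host = match_host(line, compiled)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return counts


def would_ban(counts, maxretry):
    """Hosts whose failure count reaches maxretry (assumption: fail2ban bans once
    the count reaches maxretry, and the page's maxretry = 0 behaves like 1)."""
    threshold = max(maxretry, 1)
    return sorted(host for host, n in counts.items() if n >= threshold)


# Constructed sample lines in FreeSWITCH's log layout; the addresses are
# documentation ranges, not real traffic.
SAMPLE_LOG = [
    "2024-01-02 03:04:05.123456 [WARNING] sofia_reg.c:1234 SIP auth failure (REGISTER)"
    " on sofia profile 'internal' for [1000@203.0.113.10] from ip 198.51.100.7",
    "2024-01-02 03:04:06.223456 [WARNING] sofia_reg.c:1234 SIP auth challenge (REGISTER)"
    " on sofia profile 'internal' for [1000@203.0.113.10] from ip 198.51.100.8",
    "2024-01-02 03:04:07.323456 [WARNING] sofia_reg.c:2345 Can't find user [9999@203.0.113.10] from 198.51.100.9",
    "2024-01-02 03:04:08.423456 [WARNING] mod_dptools.c:1667 IP based INVITE not from trunk 198.51.100.10",
    "2024-01-02 03:04:09.523456 [WARNING] mod_dptools.c:1667 vicious INVITE not from trunk 198.51.100.11",
    "2024-01-02 03:04:10.623456 [WARNING] sofia_reg.c:1234 SIP auth failure (INVITE)"
    " on sofia profile 'external' for [2000@203.0.113.10] from ip 198.51.100.7",
]

if __name__ == "__main__":
    auth = compile_filter(FREESWITCH_REGEX)
    by_ip = compile_filter(FREESWITCH_IP_REGEX)
    print("freeswitch   :", count_failures(SAMPLE_LOG, auth))
    print("freeswitch-ip:", count_failures(SAMPLE_LOG, by_ip))
    # The page's jails use maxretry = 4 for auth failures and 0 for calls by IP.
    print("banned by freeswitch-ip:", would_ban(count_failures(SAMPLE_LOG, by_ip), 0))
```

On the real box the equivalent check is fail2ban's own tool, fail2ban-regex /var/log/freeswitch/freeswitch.log /etc/fail2ban/filter.d/freeswitch.conf, which reports how many log lines each failregex matched; once the jails are running, fail2ban-client status freeswitch lists what has actually been banned.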


/etc/fail2ban/jail.local:

[DEFAULT]
# Considered safe
# self: 666.666.666.666 (placeholder, not a valid address; put your own here)
ignoreip = 666.666.666.666
bantime  = 600
maxretry = 3

[freeswitch]
enabled  = true
port     = 5060,5061,5080,5081
filter   = freeswitch
logpath  = /var/log/freeswitch/freeswitch.log
maxretry = 4 ; for a total of five failures
findtime = 3600
bantime  = 28800 ; 1200=20m, 7200=2h, 28800=8h
action   = iptables-allports[name=freeswitch, protocol=all]

[freeswitch-ip]
enabled  = true
port     = 5060,5061,5080,5081
filter   = freeswitch-ip
logpath  = /var/log/freeswitch/freeswitch.log
findtime = 300
maxretry = 0
# ban for a week
bantime  = 604800
# a chain name of its own: two jails sharing name=freeswitch would create, flush
# and delete the same iptables chain, wiping each other's bans on stop/reload
action   = iptables-allports[name=freeswitch-ip, protocol=all]

Apply the new config with service fail2ban reload and fs_cli -x reloadxml.