FreeSWITCH fail2ban CentOS
Требования
Включить «log-auth-failures» для каждого sip профиля, который должен наблюдаться.
<param name="log-auth-failures" value="true"/>
CentOS 6
Установите fail2ban.
yum install fail2ban
Настройка конфигурационных файлов
Фильтр freeswitch.conf будет установлен по умолчанию вместе fail2ban
/etc/fail2ban/filter.d/freeswitch.conf
# Fail2Ban configuration file
#
# Enable "log-auth-failures" on each Sofia profile to monitor
# <param name="log-auth-failures" value="true"/>
# -- this requires a high enough loglevel on your logs to save these messages.
#
# In the fail2ban jail.local file for this filter set ignoreip to the internal
# IP addresses on your LAN.
#
[Definition]
failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
ignoreregex =
# Author: Rupa SChomaker, soapee01, Daniel Black
# http://wiki.freeswitch.org/wiki/Fail2ban
# Thanks to Jim on mailing list of samples and guidance
#
# No need to match the following. Its a duplicate of the SIP auth regex.
# ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP <HOST> Rejected by acl "\S+"\. Falling back to Digest auth\.$
Создайте файл 'jail.local'. задайте путь к файлу лога (в centos обычно '/usr/local/freeswitch/log/freeswitch.log') Задайте порты, время бана и кол-во неправильных попыток.
/etc/fail2ban/jail.local
[freeswitch]
enabled = true
port = 5060,5061,5080,5081
filter = freeswitch
logpath = /usr/local/freeswitch/log/freeswitch.log
maxretry = 6
action = iptables-allports[name=freeswitch, protocol=all]
sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@localhost]
bantime = 259200
/etc/fail2ban/jail.conf
параметры по умолчанию настраиваются в файле 'jail.conf':
[DEFAULT] # "ignoreip" Укажите IP адрес CIDR маску или доменные имена, которые не надо банить. # через пробел ignoreip = 127.0.0.1/8 192.168.244.0/24 88.255.5.222 # External command that will take an tagged arguments to ignore, e.g. <ip>, # and return true if the IP is to be ignored. False otherwise. # # ignorecommand = /path/to/command <ip> ignorecommand = # "bantime" Промежуток времени по умолчанию в секундах на которое банится провинившийся хост. bantime = 600 # Хост банится за количество попыток- "maxretry" в течении времени - "findtime" # в секундах. findtime = 4200 # "maxretry" Количество неудачных запросов за которое банится хост. maxretry = 3
Применим настройки:
/etc/init.d/fail2ban restart
Вкл. автозагрузку:
chkconfig fail2ban on
fail2ban-client status freeswitch
Через некоторое время посмотрим улов.
[root@freeswitch ~]# fail2ban-client status freeswitch Status for the jail: freeswitch |- filter | |- File list: /usr/local/freeswitch/log/freeswitch.log | |- Currently failed: 2 | `- Total failed: 111 `- action |- Currently banned: 6 | `- IP list: 199.168.140.186 23.95.82.42 23.95.11.250 142.0.41.115 37.8.53.14 37.8.21.58 `- Total banned: 6
[root@freeswitch ~]# fail2ban-client status freeswitch Status for the jail: freeswitch |- filter | |- File list: /usr/local/freeswitch/log/freeswitch.log | |- Currently failed: 2 | `- Total failed: 126 `- action |- Currently banned: 8 | `- IP list: 199.168.140.186 23.95.82.42 23.95.11.250 142.0.41.115 37.8.53.14 37.8.21.58 37.8.29.135 82.205.18.98 `- Total banned: 8
root@freeswitch ~]# fail2ban-client status freeswitch
Status for the jail: freeswitch
|- filter
| |- File list: /usr/local/freeswitch/log/freeswitch.log
| |- Currently failed: 3
| `- Total failed: 5428
`- action
|- Currently banned: 16
| `- IP list: 82.205.5.242 134.213.134.160 188.161.245.242 5.11.43.108 37.8.89.110 192.187.100.90 \\
198.204.237.162 176.31.240.50 37.8.38.70 167.114.0.114 192.198.92.30 82.205.19.163 \\
37.220.28.170 88.150.246.122 192.111.147.226 66.135.55.34
`- Total banned: 297
[root@freeswitch ~]#