FreeSWITCH fail2ban CentOS
Requirements
Enable "log-auth-failures" on every SIP profile that is to be monitored:
<param name="log-auth-failures" value="true"/>
CentOS 6
Install fail2ban:
yum install fail2ban
Configuration files
The freeswitch.conf filter is installed by default together with fail2ban:
/etc/fail2ban/filter.d/freeswitch.conf
# Fail2Ban configuration file
#
# Enable "log-auth-failures" on each Sofia profile to monitor
# <param name="log-auth-failures" value="true"/>
# -- this requires a high enough loglevel on your logs to save these messages.
#
# In the fail2ban jail.local file for this filter set ignoreip to the internal
# IP addresses on your LAN.
#

[Definition]

failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
            ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$

ignoreregex =

# Author: Rupa SChomaker, soapee01, Daniel Black
# http://wiki.freeswitch.org/wiki/Fail2ban
# Thanks to Jim on mailing list of samples and guidance
#
# No need to match the following. Its a duplicate of the SIP auth regex.
# ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP <HOST> Rejected by acl "\S+"\. Falling back to Digest auth\.$
Create the file 'jail.local'. Set the path to the log file (on CentOS it is usually '/usr/local/freeswitch/log/freeswitch.log'), the ports, the ban time and the number of failed attempts allowed.
/etc/fail2ban/jail.local
[freeswitch]
enabled  = true
port     = 5060,5061,5080,5081
filter   = freeswitch
logpath  = /usr/local/freeswitch/log/freeswitch.log
maxretry = 6
action   = iptables-allports[name=freeswitch, protocol=all]
           sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@localhost]
bantime  = 259200
/etc/fail2ban/jail.conf
The default parameters are set in 'jail.conf'; a value given in the jail section of 'jail.local' overrides the default (so the freeswitch jail above bans after 6 attempts, not 3):
[DEFAULT]
# "ignoreip": IP addresses, CIDR masks or host names that must never be banned,
# separated by spaces.
ignoreip = 127.0.0.1/8 192.168.244.0/24 88.255.5.222

# External command that will take tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime": the default time in seconds for which an offending host is banned.
bantime = 600

# A host is banned after "maxretry" attempts within "findtime" seconds.
findtime = 4200

# "maxretry": the number of failed requests after which a host is banned.
maxretry = 3
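To check what the filter will actually catch before restarting fail2ban, here is an added example (not part of this page, and not fail2ban's own code) that runs the two failregex lines of freeswitch.conf over constructed FreeSWITCH log lines and applies the maxretry/findtime/ignoreip logic of the jail. The log lines, the IP addresses and the sip_fail helper are constructed for illustration; the <HOST> expansion is the one fail2ban uses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two failregex lines of /etc/fail2ban/filter.d/freeswitch.conf; fail2ban strips the timestamp before matching, hence the leading "\.\d+".
FAILREGEX = [
    r"^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$",
    r"^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$",
]
# fail2ban expands <HOST> into this named group (IPv4, IPv6 or hostname) before compiling.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(.*)$")

def parse_failure(line):
    """Return (timestamp, host) when the line matches one of the failregex patterns, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    for rx in COMPILED:
        hit = rx.match(m.group(2))
        if hit:
            return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), hit.group("host")
    return None

def hosts_to_ban(lines, maxretry=6, findtime=4200, ignoreip=("127.0.0.1",)):
    """Emulate the jail: ban a host at its maxretry-th failure within a findtime-second window."""
    recent, banned = defaultdict(list), []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in ignoreip or host in banned:  # plain address match; CIDR ranges are not emulated
            continue
        recent[host] = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)] + [ts]
        if len(recent[host]) >= maxretry:
            banned.append(host)
    return banned

def sip_fail(ts, ip, what="failure"):  # constructed sample line in FreeSWITCH's log format, not a real capture
    return (f"{ts}.000001 [WARNING] sofia_reg.c:2913 SIP auth {what} (REGISTER) on sofia profile"
            f" 'internal' for [1001@10.0.0.1] from ip {ip}")

SAMPLE_LOG = [sip_fail(f"2015-03-03 12:0{i}:00", "203.0.113.5") for i in range(5)] + [
    "2015-03-03 12:05:30.000001 [WARNING] sofia_reg.c:1653 Can't find user [1002@10.0.0.1] from 203.0.113.5",
    sip_fail("2015-03-03 12:06:00", "198.51.100.7", "challenge"),
    sip_fail("2015-03-03 13:30:00", "198.51.100.7"),  # only 2 failures, and outside one findtime window
    '2015-03-03 12:07:00.000001 [DEBUG] sofia.c:8812 IP 198.51.100.9 Rejected by acl "domains". Falling back to Digest auth.',
]
```

With the jail values from above, hosts_to_ban(SAMPLE_LOG) bans only 203.0.113.5; the DEBUG "Rejected by acl" line is ignored, as the filter's own comment says it should be.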
Apply the settings:
/etc/init.d/fail2ban restart
Enable start at boot:
chkconfig fail2ban on
fail2ban-client status freeswitch
After a while, let's take a look at the catch.
[root@freeswitch ~]# fail2ban-client status freeswitch
Status for the jail: freeswitch
|- filter
|  |- File list:        /usr/local/freeswitch/log/freeswitch.log
|  |- Currently failed: 2
|  `- Total failed:     111
`- action
   |- Currently banned: 6
   |  `- IP list:       199.168.140.186 23.95.82.42 23.95.11.250 142.0.41.115 37.8.53.14 37.8.21.58
   `- Total banned:     6

[root@freeswitch ~]# fail2ban-client status freeswitch
Status for the jail: freeswitch
|- filter
|  |- File list:        /usr/local/freeswitch/log/freeswitch.log
|  |- Currently failed: 2
|  `- Total failed:     126
`- action
   |- Currently banned: 8
   |  `- IP list:       199.168.140.186 23.95.82.42 23.95.11.250 142.0.41.115 37.8.53.14 37.8.21.58 37.8.29.135 82.205.18.98
   `- Total banned:     8

[root@freeswitch ~]# fail2ban-client status freeswitch
Status for the jail: freeswitch
|- filter
|  |- File list:        /usr/local/freeswitch/log/freeswitch.log
|  |- Currently failed: 3
|  `- Total failed:     5428
`- action
   |- Currently banned: 16
   |  `- IP list:       82.205.5.242 134.213.134.160 188.161.245.242 5.11.43.108 37.8.89.110 192.187.100.90
                        198.204.237.162 176.31.240.50 37.8.38.70 167.114.0.114 192.198.92.30 82.205.19.163
                        37.220.28.170 88.150.246.122 192.111.147.226 66.135.55.34
   `- Total banned:     297