Fail2ban

Hailey's Personal Blog bout Things

Configuring fail2ban to Work With Freeswitch

AWS sent me a Retirement Notification for the EC2 instance that hosted my freeswitch and this webserver, telling me I had to recreate the instance. So I created a new instance and moved the file systems over from the previous VM to copy the configs. One of the things I didn't handle the first time around was setting up software such as fail2ban or denyhosts to monitor failed logins.

Quite commonly I see attempts to connect to my sip server and authenticate with credentials that are not valid. I used to not care, but like, I know there is software to handle this very task, so I set up fail2ban to work with freeswitch. I also wanted to point out the one line in the config I had to change from other guides.

First things first, you gotta configure your freeswitch to log auth errors. This is done by editing your sofia profile. In your profile there should be a param called log-auth-failures; setting it enables logging of any auth failures for that profile. Be sure to do this in every profile you want to check authentication failures against.

<param name="log-auth-failures" value="true"/>

Be sure to run reloadxml in your freeswitch console to apply the new settings.

Next you need to install fail2ban. I am using ubuntu for this case and you can install it by issuing the following command.

apt-get install fail2ban

If you do not use ubuntu but some other distro, you will need to find the correct package name to install fail2ban; see your distro's fail2ban downloads section. A lot of this was taken from websites such as the freeswitch wiki.

First we gotta install a filter for freeswitch. Put this in a file named /etc/fail2ban/filter.d/freeswitch.conf.

/etc/fail2ban/filter.d/freeswitch.conf


# Fail2Ban configuration file
#
# Author: Rupa Schomaker (first two regex)
[Definition]
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
            \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
            \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
            \[WARNING\] sofia_reg.c:\d+ Can\'t find user \[.*\] from <HOST>
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
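Before pointing fail2ban at a real log it is worth checking that the failregex lines above actually match what freeswitch writes. As an added example (not from this post or the fail2ban project), this Python script applies the filter the way fail2ban does: it expands <HOST> to the alias quoted in the filter's header comment and tallies matches per host over a few constructed log lines (the timestamps, profile name and IPs are made up).

```python
import re

# The four failregex entries from the filter above (verbatim).
FAILREGEX = [
    r"\[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>",
    r"\[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>",
    r"\[WARNING\] sofia_reg.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>",
    r"\[WARNING\] sofia_reg.c:\d+ Can\'t find user \[.*\] from <HOST>",
]

# What fail2ban substitutes for <HOST>, quoted from the filter's header comment:
# an optional IPv4-mapped IPv6 prefix (::ffff:) followed by a named group "host".
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

def compile_failregex(patterns):
    """Expand <HOST> in each pattern and compile it, as fail2ban does at jail start."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]

def match_host(line, compiled):
    """Return the offending host in a log line, or None if no failregex matches.
    fail2ban searches anywhere in the line, so the leading timestamp is harmless."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def scan(lines, patterns=FAILREGEX):
    """Tally matching lines per host; this is the count fail2ban compares to maxretry."""
    compiled = compile_failregex(patterns)
    counts = {}
    for line in lines:
        host = match_host(line, compiled)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return counts

# Constructed log lines in freeswitch's format; the IPs are documentation ranges.
SAMPLE_LOG = [
    "2024-01-01 12:00:00.000000 [WARNING] sofia_reg.c:1234 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@192.0.2.10] from ip 198.51.100.7",
    "2024-01-01 12:00:01.000000 [WARNING] sofia_reg.c:1234 SIP auth failure (INVITE) on sofia profile 'internal' for [1001@192.0.2.10] from ip ::ffff:198.51.100.7",
    "2024-01-01 12:00:02.000000 [WARNING] sofia_reg.c:1234 Can't find user [9999@192.0.2.10] from 203.0.113.5",
    "2024-01-01 12:00:03.000000 [NOTICE] sofia_reg.c:1234 Registration successful for 1001@192.0.2.10 from ip 192.0.2.20",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))  # {'198.51.100.7': 2, '203.0.113.5': 1}
```

Once the filter file is installed, fail2ban's own fail2ban-regex tool does the same check against the real log: fail2ban-regex /var/log/freeswitch/freeswitch.log /etc/fail2ban/filter.d/freeswitch.conf.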

Next we need to add the jail config for freeswitch, so open up your /etc/fail2ban/jail.conf, go to the last line and enter the following.

/etc/fail2ban/jail.conf


[freeswitch-tcp]
enabled  = true
port     = 5060,5061,5080,5081
protocol = tcp
filter   = freeswitch
logpath  = /var/log/freeswitch/freeswitch.log
action   = iptables-allports[name=freeswitch-tcp, protocol=all]
           sendmail-whois[name=FreeSwitch, dest=your@email.com, sender=yourserver@yourdomain.com]
[freeswitch-udp]
enabled  = true
port     = 5060,5061,5080,5081
protocol = udp
filter   = freeswitch
logpath  = /var/log/freeswitch/freeswitch.log
action   = iptables-allports[name=freeswitch-udp, protocol=all]

Be sure to change the logpath variable to the location of your freeswitch log. On my server it is /opt/freeswitch/log/freeswitch.log, but the default is /var/log/freeswitch/freeswitch.log. Check the location of this file, otherwise fail2ban will not know which log to read and will never ban anyone.