FreeSWITCH中文网,电话机器人开发网 ,微信订阅号:

FreeSWITCH及VOIP,Openser,电话机器人等产品中文技术资讯、交流、沟通、培训、咨询、服务一体化网络。QQ群:293697898

Home

FreeSWITCH配置fail2ban拦载一般的恶意骚扰
tags:FreeSWITCH Fail2ban 创建时间:2015-09-10 11:37:48

QQ群: 293697898 FreeSWITCH+Kamailio+OpenSIPS

来源: https://wiki.freeswitch.org/wiki/Fail2ban

Fail2Ban
Fail2Ban is an intrusion prevention system that works by scanning log files and then taking action based on the entries in those logs.
You can configure Fail2Ban in a way that will update iptables firewall rules, when an authentication failure threshold is reached which helps in preventing SIP brute force attacks against freeswitch instances.
Fail2ban scans your freeswitch log file and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.
Fail2Ban is available at fail2ban.org as well as more documentation.
Requirements

Fail2ban needs a log of Authentication Attempts/Failures in order to ban IPs. There are two ways to do that:
Beta: mod_fail2ban
OR
Enable "log-auth-failures" on each Sofia profile to monitor -- this requires a high enough loglevel on your logs to save these messages.
<param name="log-auth-failures" value="true"/>
Install

Ubuntu/Debian
apt-get install fail2ban
SUSE
zypper sa http://download.opensuse.org/repositories/security/SLE_11 openSUSE-security
zypper refresh
zypper up
zypper install fail2ban
FreeBSD
pkg_add -r py26-fail2ban
... and all the files referenced later are in /usr/local/etc/ rather than /etc/
CentOS
For CentOS the easiest way to do this is to install fail2ban from the EPEL repository. See http://fedoraproject.org/wiki/EPEL/FAQ.
The EPEL repository is non-arch specific, the links to i386 are identical to x86_64.
CentOS 5
yum install http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
yum install fail2ban
CentOS 6
yum install http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
yum install fail2ban
Confgure

Edit Config Files
The maintainers of fail2ban have taken an interest in supporting FreeSWITCH. They have asked that we use the configuration at https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf rather than specify a configuration here. If anyone wishes to submit other regular expressions that should be include, please provide samples to https://github.com/fail2ban/fail2ban/issues.
Create /etc/fail2ban/filter.d/freeswitch.conf with the contents:
   DELETED see above

Modify /etc/fail2ban/jail.conf. Add the following (enter the correct path to *your* freeswitch.log file, and adjust the email addresses if needed for your setup):
The jail.conf file may get overwritten when upgrading fail2ban so, create a /etc/fail2ban/jail.local file with the following data in it, setting the correct path to *your* freeswitch.log file, and adjust the email addresses if needed for your setup :
[freeswitch]
enabled  = true
port     = 5060,5061,5080,5081
filter   = freeswitch
logpath  = /var/log/freeswitch/freeswitch.log
maxretry = 10
action   = iptables-allports[name=freeswitch, protocol=all]
           sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org]
(mine are /usr/local/freeswitch/log/freeswitch.log)
Since the warnings in the log are also sometimes present for valid IP address, like your local LAN, you will want to add the following to the jail.local file:
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 192.168.2.0/24 192.168.1.0/24
bantime  = 600
maxretry = 3
Add any additional addresses that may access your system.
Restart fail2ban (/etc/init.d/fail2ban restart or service fail2ban restart) and ensure that fail2ban loads the filter. The following should be in your /var/log/fail2ban.log:
2010-02-05 10:04:23,560 fail2ban.jail   : INFO   Creating new jail 'freeswitch-udp'
2010-02-05 10:04:23,560 fail2ban.jail   : INFO   Jail 'freeswitch-udp' uses poller
2010-02-05 10:04:23,561 fail2ban.filter : INFO   Added logfile = /var/log/freeswitch/freeswitch.log
2010-02-05 10:04:23,562 fail2ban.filter : INFO   Set maxRetry = 3
2010-02-05 10:04:23,562 fail2ban.filter : INFO   Set findtime = 600
2010-02-05 10:04:23,563 fail2ban.actions: INFO   Set banTime = 600
2010-02-05 10:04:23,677 fail2ban.jail   : INFO   Creating new jail 'freeswitch-tcp'
2010-02-05 10:04:23,677 fail2ban.jail   : INFO   Jail 'freeswitch-tcp' uses poller
2010-02-05 10:04:23,678 fail2ban.filter : INFO   Added logfile = /var/log/freeswitch/freeswitch.log
2010-02-05 10:04:23,679 fail2ban.filter : INFO   Set maxRetry = 3
2010-02-05 10:04:23,680 fail2ban.filter : INFO   Set findtime = 600
2010-02-05 10:04:23,680 fail2ban.actions: INFO   Set banTime = 600
2010-02-05 10:04:23,723 fail2ban.jail   : INFO   Jail 'freeswitch-tcp' started
2010-02-05 10:04:23,723 fail2ban.jail   : INFO   Jail 'freeswitch-udp' started
Verify that the iptables rules were created:
#iptables -L fail2ban-freeswitch-udp
Chain fail2ban-freeswitch-udp (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
#iptables -L fail2ban-freeswitch-tcp
Chain fail2ban-freeswitch-tcp (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
Test the actual failure mode
Setup your favorite client with an invalid userid or invalid password. Try to login as many times as you have set your failure threshold in fail2ban. Watch the fail2ban log:
tail -f /var/log/fail2ban.log
2010-02-05 10:13:12,070 fail2ban.actions: WARNING [freeswitch-udp] Ban 192.168.1.10
2010-02-05 10:13:12,098 fail2ban.actions: WARNING [freeswitch-tcp] Ban 192.168.1.10
Verify your client can no longer do a register (should just time out). Also verify iptables:
#iptables -n -L fail2ban-freeswitch-tcp
Chain fail2ban-freeswitch-tcp (1 references)
target     prot opt source               destination
DROP       all  --  192.168.1.10         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
#iptables -n -L fail2ban-freeswitch-udp
Chain fail2ban-freeswitch-udp (1 references)
target     prot opt source               destination
DROP       all  --  192.168.1.10         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
You can then wait for fail2ban to clear the the block, or do it yourself:
#iptables -D fail2ban-freeswitch-udp 1
#iptables -L fail2ban-freeswitch-udp
RETURN     all  --  anywhere             anywhere

#iptables -D fail2ban-freeswitch-tcp 1
#iptables -L fail2ban-freeswitch-udp
Chain fail2ban-freeswitch-udp (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
SIP DOS Attack
There is a new SIP based attack that appears to be a Denial of Service attack. Here's an example of what you might see in your logfile:
2011-03-10 08:59:56.319954 [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [qwerty123@10.2.39.4] from ip 109.169.63.142
2011-03-10 08:59:56.355872 [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [qwerty123@10.2.39.4] from ip 109.169.63.142
2011-03-10 08:59:56.382909 [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [qwerty123@10.2.39.4] from ip 109.169.63.142
2011-03-10 08:59:56.894607 [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [qwerty123@10.2.39.4] from ip 109.169.63.142

grep qwerty123 /usr/local/freeswitch/log/freeswitch.log |wc -l
Returns 19,289 attempts in a little over an hour. This is a particularly nasty attack, that actually crashed my FreeSWITCH installation. I didn't see it live, or I would have set 'sofia global siptrace on' to obtain more information. Regardless, here's how you can block it with fail2ban. You might want to adjust findtime, maxtretry and bantime, but it did work on a second live attack.
vim /etc/fail2ban/filter.d/freeswitch-dos.conf
# Fail2Ban configuration file
#
# Author: soapee01
#

[Definition]
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
add the following to /etc/fail2ban/jail.local
[freeswitch-dos]
enabled = true
port = 5060,5061,5080,5081
filter = freeswitch-dos
logpath = /usr/local/freeswitch/log/freeswitch.log
action = iptables-allports[name=freeswitch-dos, protocol=all]
maxretry = 50
findtime = 30
bantime  = 6000
You might also take a look at this oreilly script
Keep yourself from getting banned.
add to /etc/fail2ban/jail.local
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.0.99
bantime  = 600
maxretry = 3
Errors
If you're seeing something like this in your fail2ban logfile:
2011-02-27 14:11:42,326 fail2ban.actions.action: ERROR  iptables -N fail2ban-freeswitch-tcp
add the time.sleep(0.1) to /usr/bin/fail2ban-client
def __processCmd(self, cmd, showRet = True):
    beautifier = Beautifier()
    for c in cmd:
        time.sleep(0.1)
        beautifier.setInputCmd(c)
or
sed -i -e s,beautifier\.setInputCmd\(c\),'time.sleep\(0\.1\)\n\t\t\tbeautifier.setInputCmd\(c\)', /usr/bin/fail2ban-client
Source: fail2ban wiki

上海老李,QQ:1354608370,FreeSWITCH QQ群: