Fail2Ban is an intrusion prevention system that works by scanning log files and then taking action based on the entries in those logs.
You can configure Fail2Ban in a way that will update iptables firewall rules when an authentication failure threshold is reached, which helps in preventing SIP brute force attacks against FS instances.
Fail2Ban scans your freeswitch log file and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.
Fail2Ban needs a log of Authentication Attempts/Failures in order to ban IPs. There are two ways to do that:
- Beta: mod_fail2ban
Enable "log-auth-failures" on each Sofia profile to monitor -- this requires a high enough loglevel on your logs to save these messages.
For CentOS the easiest way to do this is to install fail2ban from the EPEL repository. See http://fedoraproject.org/wiki/EPEL/FAQ.
The EPEL repository is non-arch specific, the links to i386 are identical to x86_64.
Edit Config Files
The maintainers of Fail2Ban have taken an interest in supporting FreeSWITCH. They have asked that we use the configuration at https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf rather than specify a configuration here. If anyone wishes to submit other regular expressions that should be include, please provide samples to https://github.com/fail2ban/fail2ban/issues.
The jail.conf file may get overwritten when upgrading Fail2Ban. Create a /etc/fail2ban/jail.local file with the following data in it, setting the correct path to *your* freeswitch.log file, and adjust the email addresses if needed for your setup:
(mine are /usr/local/freeswitch/log/freeswitch.log)
Since the warnings in the log are also sometimes present for valid IP address, like your local LAN, you will want to add the following to the jail.local file:
Add any additional addresses that may access your system.
Restart fail2ban (/etc/init.d/fail2ban restart or service fail2ban restart) and ensure that fail2ban loads the filter. The following should be in your /var/log/fail2ban.log:
2010-02-05 10:04:23,560 fail2ban.jail : INFO Creating new jail 'freeswitch-udp' 2010-02-05 10:04:23,560 fail2ban.jail : INFO Jail 'freeswitch-udp' uses poller 2010-02-05 10:04:23,561 fail2ban.filter : INFO Added logfile = /var/log/freeswitch/freeswitch.log 2010-02-05 10:04:23,562 fail2ban.filter : INFO Set maxRetry = 3 2010-02-05 10:04:23,562 fail2ban.filter : INFO Set findtime = 600 2010-02-05 10:04:23,563 fail2ban.actions: INFO Set banTime = 600 2010-02-05 10:04:23,677 fail2ban.jail : INFO Creating new jail 'freeswitch-tcp' 2010-02-05 10:04:23,677 fail2ban.jail : INFO Jail 'freeswitch-tcp' uses poller 2010-02-05 10:04:23,678 fail2ban.filter : INFO Added logfile = /var/log/freeswitch/freeswitch.log 2010-02-05 10:04:23,679 fail2ban.filter : INFO Set maxRetry = 3 2010-02-05 10:04:23,680 fail2ban.filter : INFO Set findtime = 600 2010-02-05 10:04:23,680 fail2ban.actions: INFO Set banTime = 600 2010-02-05 10:04:23,723 fail2ban.jail : INFO Jail 'freeswitch-tcp' started 2010-02-05 10:04:23,723 fail2ban.jail : INFO Jail 'freeswitch-udp' started
Verify that the iptables rules were created:
Test the actual failure mode
Setup your favorite client with an invalid userid or invalid password. Try to login as many times as you have set your failure threshold in Fail2Ban. Watch Fail2Ban log:
tail -f /var/log/fail2ban.log 2010-02-05 10:13:12,070 fail2ban.actions: WARNING [freeswitch-udp] Ban 192.168.1.10 2010-02-05 10:13:12,098 fail2ban.actions: WARNING [freeswitch-tcp] Ban 192.168.1.10
Verify your client can no longer do a register (should just time out). Also verify iptables:
You can then wait for Fail2Ban to clear the the block, or do it yourself:
You might also take a look at this oreilly script
If you're seeing something like this in your Fail2Ban logfile:
2011-02-27 14:11:42,326 fail2ban.actions.action: ERROR iptables -N fail2ban-freeswitch-tcp
add the time.sleep(0.1) to /usr/bin/fail2ban-client
def __processCmd(self, cmd, showRet = True): beautifier = Beautifier() for c in cmd: time.sleep(0.1) beautifier.setInputCmd(c)
sed -i -e s,beautifier\.setInputCmd\(c\),'time.sleep\(0\.1\)\n\t\t\tbeautifier.setInputCmd\(c\)', /usr/bin/fail2ban-client