Fail2Ban Banning Rejected by acl "domains". Falling back to Digest auth.

[Derick]

Hi there!!

I am wanting to block attempts at accessing my FusionPBX node. I know that the ACL is blocking these connections. But I want to have them banned so I am not getting this in my log and not getting the traffic anymore. This has been a huge problem for me as they scan my system very very often. Any help would be greatly appreciated.

2018-10-02 07:41:49.659090 [DEBUG] sofia.c:10044 IP 37.49.231.147 Rejected by acl "domains". Falling back to Digest auth.

 

[DigitalDaz]

If you are using domain names as is the correct practice then there is a fail2ban rule that you can enable, look in:

/etc/fail2ban/jail.local

There is a rule disabled by default that you can enable:

[freeswitch-ip]
enabled  = false <-------------------------------------------------
port     = 5060:5091
protocol = all
filter   = freeswitch-ip
logpath  = /var/log/freeswitch/freeswitch.log
#logpath  = /usr/local/freeswitch/log/freeswitch.log
action   = iptables-allports[name=freeswitch-ip, protocol=all]
maxretry = 1
findtime = 30
bantime  = 86400

After changing it do a: service fail2ban restart

This rule will ban anything that sniffs at the IP eg 111111@ipaddress rather than 111111@domainname

Bear in mind this means you need to have dids coming into the domain as well rather than IP.

This will block 99% of the bad guys.

 

[NerdUno]

We go a few steps beyond.

First, we tighten up /etc/fail2ban/filter.d/freeswitch-ip.conf replacing the failregex entry with the following (borrowed from another post in this forum):

failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile 'internal' for \[.*@\d+.\d+.\d+.\d+\] from ip <HO$
^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$

Second, in the [default] section of /etc/fail2ban/jail.conf, we also add IP addresses of SIP providers to the ignoreip list so they don't accidentally get blocked. Don't forget to restart Fail2Ban!

Third, we check periodically for the bad guys with this command:

iptables -nL | grep REJECT

After verifying that we didn't accidentally snag a provider, we move the entries into the top of /etc/iptables/rules.v4 and restart IPtables.

Here's our current list:

# Permanent BLOCK LIST
-A INPUT -s 5.62.0.0/16     -j DROP
-A INPUT -s 37.49.231.1/24  -j DROP
-A INPUT -s 51.15.0.0/16    -j DROP
-A INPUT -s 51.158.0.0/16   -j DROP
-A INPUT -s 78.129.150.130  -j DROP
-A INPUT -s 107.175.59.27   -j DROP
-A INPUT -s 145.239.67.12   -j DROP
-A INPUT -s 162.144.89.59   -j DROP
-A INPUT -s 163.172.226.178 -j DROP
-A INPUT -s 185.229.190.40  -j DROP
-A INPUT -s 212.83.0.0/16   -j DROP
-A INPUT -s 212.129.0.0/16  -j DROP

 

[DigitalDaz]

I've just checked the fail2ban rule and @NerdUno, the rule above looks much more like the one I initially submitted a long time ago and not the lame thing I am now seeing....

failregex = \[WARNING\] sofia_reg.c:\d+ Can't find user \[.*@\d+.\d+.\d+.\d+\] from <HOST>

 

[Derick]

Thank you guys! I had already enabled the rules in fail2ban but it seemed like these were still getting through.. Thank you so much guys!

 

[Derick]

I am still getting these... hmm..
69766d54-0b54-4c00-9d6c-7ffd3e016af2 2018-10-02 18:21:16.279098 [DEBUG] sofia.c:9873 sofia/internal/100@18.x.x.x receiving invite from 62.210.146.36:5071 version: 1.6.20 -37-987c9b9 64bit
2018-10-02 18:21:16.279098 [DEBUG] sofia.c:10044 IP 62.210.146.36 Rejected by acl "domains". Falling back to Digest auth.
2018-10-02 18:21:16.279098 [DEBUG] sofia.c:2334 detaching session 69766d54-0b54-4c00-9d6c-7ffd3e016af2
2018-10-02 18:21:16.279098 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'internal' for [27027000@18.x.x.x] from ip 62.210.146.36
69766d54-0b54-4c00-9d6c-7ffd3e016af2 2018-10-02 18:21:16.279098 [DEBUG] switch_core_state_machine.c:603 (sofia/internal/100@18.x.x.x) State NEW

 

[markjcrane]

After you make changes to fail2ban you would then need to re-load its configuration.
service fail2ban restart

 

[Derick]

Yes sir. I have reloaded and still it persists.

 

[DigitalDaz]

You will still get the odd one come in on the log before they get banned, check with iptables -L or use the command posted by someone else yesterday to check the jails.

 

[Allen]

The failregex entry posted here and on another post in this forum has an error. It starts with ^\.

• ^ Matches the start of a string without consuming any characters.
• \. A period (special character) needs to be escaped by a \

So the regex statement is expecting a literal dot (period) at the very start of the line but the freeswitch log entry starts with date / time:

2019-08-23 01:22:18.550479 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'internal' for [86199@198.205.55.242] from ip 5.62.41.160

The following works correctly and is faster as it excludes everything in front of [WARNING] :

\[WARNING\] sofia_reg.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'(internal|external)\' for \[.*\@\d*.\d+.\d*.\d*\] from ip <HOST>

You can also simply drop the ^ from the original post and it will work ok.

You can check your regex statement against a test string from the freeswitch log at: https://regex101.com/