SOLVED fail2ban - freeswitch.conf not catching "SIP auth challenge"

[hailthemelody]

Hi all,

Unless I'm misunderstanding something, the default freeswitch.conf file (fail2ban/filter.d/freeswitch.conf) does not appear to be capturing "SIP auth challenge" log entries, only "SIP auth failure". The differences can be seen here in bold:

default freeswitch.conf, via fail2ban's github:

failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$

default fusionpbx, via fusionpbx installer (at least with debian):

failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
            \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>

Should fusionpbx instead be using "SIP auth (failure|challenge)"?

 

[DigitalDaz]

No, if it were logging challenges, potentially all your devices would get banned, it should always challenge.

 

[hailthemelody]

Ok, understood. I have an alarming amount of challenges in my log from presumably nefarious sources. Is there any appropriate way to deal with this, or is that just part of having services available in this context.

 

[DigitalDaz]

There is a way as long as you are using domains in the correct way and that is to ban anything@ip

Probably 100% of them are to something@ipaddress rather than something@domain name.

If you look in /etc/fail2ban/jail.local you will see a couple of rules to handle this commented out with #

Just uncomment those, restart fail2ban and you should be good.

 

[hailthemelody]

Perfect, thanks.

 

[hailthemelody]

Hi @DigitalDaz , I looked around in the jail.local file (and several other related files) and wasn't able to find what you were describing. And the only commented lines in the jail.local file had to with with alerting, I assume, as they had smtp values. Would you mind providing a more specific example? Here's my jail.local file. The only entry I've changed is the maxretry value under ssh.

jail.local

[ssh]
enabled  = true
port     = 22
protocol = ssh
filter   = sshd
logpath  = /var/log/auth.log
action   = iptables-allports[name=sshd, protocol=all]
maxretry = 3
findtime = 7200
bantime  = 86400

[freeswitch-udp]
enabled  = true
port     = 5060:5090
protocol = all
filter   = freeswitch
logpath  = /var/log/freeswitch/freeswitch.log
action   = iptables-multiport[name=freeswitch-udp, port="5060:5090", protocol=udp]
maxretry = 5
findtime = 600
bantime  = 3600
#          sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed

[freeswitch-tcp]
enabled  = true
port     = 5060:5090
protocol = all
filter   = freeswitch
logpath  = /var/log/freeswitch/freeswitch.log
action   = iptables-multiport[name=freeswitch-tcp, port="5060:5090", protocol=tcp]
maxretry = 5
findtime = 600
bantime  = 3600
#          sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed

[freeswitch-ip-tcp]
enabled  = false
port     = 5060:5090
protocol = all
filter   = freeswitch-ip
logpath  = /var/log/freeswitch/freeswitch.log
action   = iptables-multiport[name=freeswitch-ip-tcp, port="5060:5090", protocol=tcp]
maxretry = 1
findtime = 30
bantime  = 86400

[freeswitch-ip-udp]
enabled  = false
port     = 5060:5090
protocol = all
filter   = freeswitch-ip
logpath  = /var/log/freeswitch/freeswitch.log
action   = iptables-multiport[name=freeswitch-ip-udp, port="5060:5090", protocol=udp]
maxretry = 1
findtime = 30
bantime  = 86400

[freeswitch-dos-udp]
enabled  = true
port     = 5060:5090
protocol = all
filter   = freeswitch-dos
logpath  = /var/log/freeswitch/freeswitch.log
action   = iptables-multiport[name=freeswitch-dos-udp, port="5060:5090", protocol=udp]
maxretry = 50
findtime = 30
bantime  = 6000

[freeswitch-dos-tcp]
enabled  = true
port     = 5060:5090
protocol = all
filter   = freeswitch-dos
logpath  = /var/log/freeswitch/freeswitch.log
action   = iptables-multiport[name=freeswitch-dos-tcp, port="5060:5090", protocol=tcp]
maxretry = 50
findtime = 30
bantime  = 7200

[freeswitch-404]
enabled  = true
port     = 5060:5090
protocol = all
filter   = freeswitch-404
logpath  = /var/log/freeswitch/freeswitch.log
action   = iptables-allports[name=freeswitch-404, protocol=all]
maxretry = 3
findtime = 300
bantime  = 86400

[fusionpbx]
enabled  = true
port     = 80,443
protocol = tcp
filter   = fusionpbx
logpath  = /var/log/auth.log
action   = iptables-multiport[name=fusionpbx, port="http,https", protocol=tcp]
#          sendmail-whois[name=fusionpbx, dest=root, sender=fail2ban@example.org] #no smtp server installed
maxretry = 10
findtime = 600
bantime  = 3600

[fusionpbx-mac]
enabled  = true
port     = 80,443
protocol = tcp
filter   = fusionpbx-mac
logpath  = /var/log/syslog
action   = iptables-multiport[name=fusionpbx-mac, port="http,https", protocol=tcp]
#          sendmail-whois[name=fusionpbx-mac, dest=root, sender=fail2ban@example.org] #no smtp server installed
maxretry = 5
findtime = 300
bantime  = -1

[nginx-404]
enabled  = true
port     = 80,443
protocol = tcp
filter   = nginx-404
logpath  = /var/log/nginx/access*.log
bantime  = 3600
findtime = 60
maxretry = 120

[nginx-dos]
# Based on apache-badbots but a simple IP check (any IP requesting more than
# 240 pages in 60 seconds, or 4p/s average, is suspicious)
enabled  = true
port     = 80,443
protocol = tcp
filter   = nginx-dos
logpath  = /var/log/nginx/access*.log
findtime = 60
bantime  = -1
maxretry = 240

 

[DigitalDaz]

freeswitch-ip-tcp and udp, on yours they are not commented, just not enabled.

 

[hailthemelody]

Thank you @DigitalDaz for your continued help. I enabled freeswitch-ip-tcp and freeswitch-ip-udp and have been experimenting, with no luck thus far. It appears that those jails both use fail2ban/filter.d/freeswitch-ip.conf for their definitions, which defaults to "SIP auth failure" based regexes. Is your advice to add a line/s that explicitly states the host IP (not domain/FQDN) I wish to block access to? My gut feeling says there's a more abstract definition up-the-chain that will block access to the host IP. Any thoughts?

 

[DigitalDaz]

Hmmm....

The contents of mine are as so:

# Fail2Ban configuration file
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
#2014-12-01 00:47:54.331821 [WARNING] sofia_reg.c:2752 Can't find user [1000@xxx.xxx.xxx.xxx] from 62.210.151.162
failregex = \[WARNING\] sofia_reg.c:\d+ Can't find user \[.*@\d+.\d+.\d+.\d+\] from <HOST>

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

 

[DigitalDaz]

As is the one I just looked at one github! Where and when did you install this from??

 

[hailthemelody]

I mixed up my filters, sorry. Here are the contents of each, which appear to be defaults (I installed directly from the FusionPBX instructions.)

freeswitch-ip.conf

# Fail2Ban configuration file
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
#2014-12-01 00:47:54.331821 [WARNING] sofia_reg.c:2752 Can't find user [1000@xxx.xxx.xxx.xxx] from 62.210.151.162
failregex = \[WARNING\] sofia_reg.c:\d+ Can't find user \[.*@\d+.\d+.\d+.\d+\] from <HOST>

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

freeswitch.conf

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
            \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

 

[DigitalDaz]

Hmm.. yes, let me look into that.

 

[DigitalDaz]

Mine looks like so for the freeswitch-ip:

[Definition]

failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile 'internal' for \[.*@\d+.\d+.\d+.\d+\] from ip <HOST>$
^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
ignoreregex =

 

[DigitalDaz]

Actually better is:

[Definition]

failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile 'internal' for \[.*@\d+.\d+.\d+.\d+\] from ip <HOST>$
            ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[.*@\d+\.\d+\.\d+\.\d+\] from <HOST>$
ignoreregex =

 

[hailthemelody]

Ah - I think I see. By using the \[.*@\d+\.\d+\.\d+\.\d+\] regex you are catching any IP, which effectively blocks anyone addressing the system in this way with an IP (rather than domain/FQDN). And further, the "challenge" pattern can be added since it will only block against IPs (again, not by domain/FQDN), which is what I want in this context.

Am I understanding your filter correctly?

 

[DigitalDaz]

Yes

 

[hailthemelody]

It's working great - thanks @DigitalDaz !!

 

[Buzzard]

Despite using the filter "Actually better is:" DigiDaz shows in the above post, I get lots of attempts coming through the "external" profile (used of course to register the gateway) that don't show up as a registration attempt. The log does show:

[NOTICE] switch_channel.c:1104 New Channel sofia/external/&@XX.XX.XXX.XXX:8547

where the X's are the offending IP.

Using that log line, I added to the freeswitch-ip.conf filter and it fixed the problem. Nice clean log file now.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Fail2Ban configuration file
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}?(?P<host>[\w\-.^_]+)
# Values: TEXT
#[NOTICE] switch_channel.c:1104 New Channel sofia/external/&@37.49.231.122:8547
#2014-12-01 00:47:54.331821 [WARNING] sofia_reg.c:2752 Can't find user [1000@xxx.xxx.xxx.xxx] from xxx.xxx.xxx.xxx
failregex = ^\.\d+ \[WARNING\] sofia_reg.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile 'internal' for \[.*@\d+.\d+.\d+.\d+\] from ip <HOST>$
^\.\d+ \[WARNING\] sofia_reg.c:\d+ Can't find user \[.*@\d+\.\d+\.\d+\.\d+\] from <HOST>$
(\[NOTICE\]\s+([\w\-\.]+[\-\.][\w\-\.]+)\\d+)\s+New\s+Channel\s+sofia\/external\/\&@<HOST>\\d{1,5})\s+\[([\w\-\.]+[\-\.][\w\-\.]+)(\d+)([\w\-\.]+[\-\.][\w\-\.]+)\])


# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Edit: on my screen the colon followed by an open parenthesis characters in the regex show as frowning emojis for some reason, so if you see that replace them with a colon followed by an open parenthesis.

Amateur solution, but it works. If you suffer attempts on the external profile, and find a better solution, or know why I get a lot of lines in the log related to the "New Channel" from IPs in europe (when I'm in the US) I'm all ears. Thanks in advance.

 

[DigitalDaz]

The external profile should only be being used by your carriers anyway so just block all traffic except from your carriers IPs.

 

[MTR]

On a different note my Fail2ban is using very high CPU and restarting Fail2ban will take 40 seconds

I recall once someone told me about using journal rather then syslog

I am not sure how to go about it as I am coming from the world of windows still learning Debian
Can anyone guide me in the right directions? Google didn’t help