Upgrade to 1.10.7

Status
Not open for further replies.

Incubugs

Hi Guys,

So I have been reading about the issues in 1.10.6 and wonder if it may be a good time to upgrade. I did it on a test VM and the upgrade went OK, to be honest, and freeswitch started fine. However, I noticed that the fail2ban filters for freeswitch have stopped working. This obviously can't be rolled out to production servers till we figure out what's wrong. Has anyone managed to upgrade yet and fix the fail2ban issues?

Thanks
K
 

DigitalDaz

I'm just testing fail2ban now. A quick look at the filters looks OK though.

I've spun up a box but not many hackers have come yet :)
 

Incubugs

It was something about the freeswitch filter and that freeswitch have added in a CPU string or something?
 

Incubugs

> I'm just testing fail2ban now. A quick look at the filters looks OK though.
>
> I've spun up a box but not many hackers have come yet :)

Any update would be great m8 when you can, it's kinda imperative to update now that the security issue is fixed.
 

bcmike

> It was something about the freeswitch filter and that freeswitch have added in a CPU string or something?

The Freeswitch people have prefixed the warning lines in the log with cpu percentage. Not sure why as the cpu utilization does not seem accurate, but anyway that's what breaks the filter in fail2ban. I haven't tried to fix it yet as the wrong fail2ban filter in production would be bad and I haven't had time to spin up a test box.
 

DigitalDaz

Oh, now I see.

I think all that needs to happen then is the rules need prefixing with ^ maybe.
 

DigitalDaz

eg:
Code:
failregex = ^\[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'.*\' for \[.*\] from ip <HOST>
 

UCtech

Kinda confused . . . I upgraded to the latest Freeswitch 1.10.7 and rebooted, etc. Tested using a phone with a wrong password (Grandstream phone, I put 2 sip accounts in to get enough failures in 1 minute to trigger). Fail2ban worked like it always has without modifications. The default I think is 6 auth failures in 1 minute. In the /var/log/fail2ban.log:
2021-11-18 02:56:58,665 fail2ban.filter [30042]: INFO [sip-auth-failure] Found 192.168.x.x - 2021-11-18 02:56:58
2021-11-18 02:56:58,666 fail2ban.filter [30042]: INFO [freeswitch] Found 192.168.x.x - 2021-11-18 02:56:58
2021-11-18 02:56:58,682 fail2ban.actions [30042]: NOTICE [sip-auth-failure] Ban 192.168.x.x
2021-11-18 02:56:58,720 fail2ban.actions [30042]: NOTICE [freeswitch] Ban 192.168.x.x
(IP addresses changed to something generic; in the actual log there are no x.x's)

Note I did a default install Debian 10 and FusionPBX maybe early 2021 or so ago, and never modified Fail2ban. Tried putting the ^ in like Daz suggested and it no longer works. Removed it and it works again. Just to make sure we are looking at the same thing, I'm looking at the filter config files:
/etc/fail2ban/filter.d/sip-auth-failure.conf
/etc/fail2ban/filter.d/freeswitch.conf

Also confused why the freeswitch and sip-auth-failure filters appear to do the same thing, and why both are enabled by default.

Running:
Fail2Ban Version 0.10.2 (default install and with whatever normal OS patching provides)
Freeswitch 1.10.7 (64bit)
FusionPBX Main branch 4.5.30 (I think I tested with an earlier branch also)
Debian 10
 

DigitalDaz

The log entries should now look similar to:

2021-11-18 15:38:53.348548 98.93% [WARNING] sofia_reg.c:1861 SIP auth challenge

That percentage before the [WARNING] is new.
 

UCtech

So any idea why my log entries don't look like that, but I'm on 1.10.7? Any suggestions for what I should check?
 

UCtech

Correction, I do see the percentage in the Freeswitch log, but not in the Fail2ban log. It does not appear that the percentage being in the Freeswitch log has impaired the Fail2ban on my system from working by default, as seen from my Fail2ban log entries above . . .
 

DigitalDaz

I'll have to double check later but it was:

failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'.*\' for \[.*\] from ip <HOST>

I'm not sure whether it does a partial match, I didn't think it did.
 

UCtech

Which file are you looking at? I'm looking at /etc/fail2ban/filter.d/sip-auth-failure.conf
Here are the two options I tested: the default, which still works on my system despite upgrading to Freeswitch 1.10.7, and the edit you suggested (commented out, but when commented in I cannot get it to work):
#failregex = ^\[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'.*\' for \[.*\] from ip <HOST>
failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'.*\' for \[.*\] from ip <HOST>
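
The partial-match question raised above, as an added example that is not part of any post in this thread: fail2ban applies a failregex as a regular-expression search, so the sketch below runs the two rules from the thread, plus one hypothetical anchored variant, against an old-format and a new-format line. Assumptions: the sample lines are constructed, `<HOST>` is replaced by a simplified IPv4-only group, and the timestamp with its trailing space is cut off before matching, which simplifies fail2ban's own date handling.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption of this example).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Rule body as posted in the thread.
BODY = (r"\[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) "
        r"on sofia profile \'.*\' for \[.*\] from ip <HOST>")

FAILREGEX = {
    "default": BODY,                                # unanchored rule from the thread
    "caret": "^" + BODY,                            # "^" variant from the thread
    "caret_cpu": r"^(?:\d+(?:\.\d+)?% )?" + BODY,   # hypothetical, not from the thread
}

# Constructed sample lines (documentation IP, made-up extension, profile and domain).
TAIL = ("[WARNING] sofia_reg.c:1861 SIP auth failure (REGISTER) on sofia profile "
        "'internal' for [1000@pbx.example.test] from ip 203.0.113.7")
LINES = {
    "old_format": "2021-11-18 15:38:53.348548 " + TAIL,
    "new_format": "2021-11-18 15:38:53.348548 98.93% " + TAIL,
}

# Assumption: the timestamp and its trailing space are removed before matching.
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ ")


def find_host(failregex, line):
    """Return the captured IP if the rule matches the line, else None."""
    rest = TIMESTAMP.sub("", line, count=1)
    # re.search scans the whole string, so an unanchored rule can match mid-line.
    m = re.search(failregex.replace("<HOST>", HOST), rest)
    return m.group("host") if m else None


def results():
    """Map (rule name, line name) to the matched IP or None."""
    return {(rule, name): find_host(rx, line)
            for rule, rx in FAILREGEX.items() for name, line in LINES.items()}


if __name__ == "__main__":
    for key, host in results().items():
        print(key, "->", host)
```

To check a filter file against a real log, fail2ban ships `fail2ban-regex`, which takes the log file and the filter file as arguments and reports how many lines matched.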
 

Incubugs

Has anyone got this sorted yet? Updating to 1.10.7 is becoming an urgent case, as the latest Yealink firmware, BLF especially, isn't playing nice with the older freeswitch version.
 