Fail2ban

From FreeSWITCH Wiki
Jump to: navigation, search


Warning

Superseded by https://confluence.freeswitch.org/display/FREESWITCH/Fail2Ban

 


Contents

Fail2Ban

Fail2Ban is an intrusion prevention system that works by scanning log files and then taking action based on the entries in those logs.

You can configure Fail2Ban in a way that will update iptables firewall rules, when an authentication failure threshold is reached which helps in preventing SIP brute force attacks against freeswitch instances.

Fail2ban scans your freeswitch log file and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.

Fail2Ban is available at fail2ban.org as well as more documentation.

Requirements

Fail2ban needs a log of Authentication Attempts/Failures in order to ban IPs. There are two ways to do that:

OR

  • Enable "log-auth-failures" on each Sofia profile to monitor -- this requires a high enough loglevel on your logs to save these messages.
<param name="log-auth-failures" value="true"/>

Install

Ubuntu/Debian

apt-get install fail2ban

SUSE

zypper sa http://download.opensuse.org/repositories/security/SLE_11 openSUSE-security
zypper refresh
zypper up
zypper install fail2ban

FreeBSD

pkg_add -r py26-fail2ban
... and all the files referenced later are in /usr/local/etc/ rather than /etc/

CentOS

For CentOS the easiest way to do this is to install fail2ban from the EPEL repository. See http://fedoraproject.org/wiki/EPEL/FAQ.

The EPEL repository is non-arch specific, the links to i386 are identical to x86_64.

CentOS 5

yum install http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
yum install fail2ban

CentOS 6

yum install http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
yum install fail2ban

Confgure

Edit Config Files

The maintainers of fail2ban have taken an interest in supporting FreeSWITCH. They have asked that we use the configuration at https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf rather than specify a configuration here. If anyone wishes to submit other regular expressions that should be include, please provide samples to https://github.com/fail2ban/fail2ban/issues.

Create /etc/fail2ban/filter.d/freeswitch.conf with the contents:

   DELETED see above


Modify /etc/fail2ban/jail.conf. Add the following (enter the correct path to *your* freeswitch.log file, and adjust the email addresses if needed for your setup):

The jail.conf file may get overwritten when upgrading fail2ban so, create a /etc/fail2ban/jail.local file with the following data in it, setting the correct path to *your* freeswitch.log file, and adjust the email addresses if needed for your setup :

[freeswitch]
enabled  = true
port     = 5060,5061,5080,5081
filter   = freeswitch
logpath  = /var/log/freeswitch/freeswitch.log
maxretry = 10
action   = iptables-allports[name=freeswitch, protocol=all]
           sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org]

(mine are /usr/local/freeswitch/log/freeswitch.log)

Since the warnings in the log are also sometimes present for valid IP address, like your local LAN, you will want to add the following to the jail.local file:

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 192.168.2.0/24 192.168.1.0/24
bantime  = 600
maxretry = 3

Add any additional addresses that may access your system.

Restart fail2ban (/etc/init.d/fail2ban restart or service fail2ban restart) and ensure that fail2ban loads the filter. The following should be in your /var/log/fail2ban.log:

2010-02-05 10:04:23,560 fail2ban.jail   : INFO   Creating new jail 'freeswitch-udp'
2010-02-05 10:04:23,560 fail2ban.jail   : INFO   Jail 'freeswitch-udp' uses poller
2010-02-05 10:04:23,561 fail2ban.filter : INFO   Added logfile = /var/log/freeswitch/freeswitch.log
2010-02-05 10:04:23,562 fail2ban.filter : INFO   Set maxRetry = 3
2010-02-05 10:04:23,562 fail2ban.filter : INFO   Set findtime = 600
2010-02-05 10:04:23,563 fail2ban.actions: INFO   Set banTime = 600
2010-02-05 10:04:23,677 fail2ban.jail   : INFO   Creating new jail 'freeswitch-tcp'
2010-02-05 10:04:23,677 fail2ban.jail   : INFO   Jail 'freeswitch-tcp' uses poller
2010-02-05 10:04:23,678 fail2ban.filter : INFO   Added logfile = /var/log/freeswitch/freeswitch.log
2010-02-05 10:04:23,679 fail2ban.filter : INFO   Set maxRetry = 3
2010-02-05 10:04:23,680 fail2ban.filter : INFO   Set findtime = 600
2010-02-05 10:04:23,680 fail2ban.actions: INFO   Set banTime = 600
2010-02-05 10:04:23,723 fail2ban.jail   : INFO   Jail 'freeswitch-tcp' started
2010-02-05 10:04:23,723 fail2ban.jail   : INFO   Jail 'freeswitch-udp' started

Verify that the iptables rules were created:

#iptables -L fail2ban-freeswitch-udp
Chain fail2ban-freeswitch-udp (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
#iptables -L fail2ban-freeswitch-tcp
Chain fail2ban-freeswitch-tcp (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Test the actual failure mode

Setup your favorite client with an invalid userid or invalid password. Try to login as many times as you have set your failure threshold in fail2ban. Watch the fail2ban log:

tail -f /var/log/fail2ban.log
2010-02-05 10:13:12,070 fail2ban.actions: WARNING [freeswitch-udp] Ban 192.168.1.10
2010-02-05 10:13:12,098 fail2ban.actions: WARNING [freeswitch-tcp] Ban 192.168.1.10

Verify your client can no longer do a register (should just time out). Also verify iptables:

#iptables -n -L fail2ban-freeswitch-tcp
Chain fail2ban-freeswitch-tcp (1 references)
target     prot opt source               destination
DROP       all  --  192.168.1.10         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
#iptables -n -L fail2ban-freeswitch-udp
Chain fail2ban-freeswitch-udp (1 references)
target     prot opt source               destination
DROP       all  --  192.168.1.10         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

You can then wait for fail2ban to clear the the block, or do it yourself:

#iptables -D fail2ban-freeswitch-udp 1
#iptables -L fail2ban-freeswitch-udp
RETURN     all  --  anywhere             anywhere

#iptables -D fail2ban-freeswitch-tcp 1
#iptables -L fail2ban-freeswitch-udp
Chain fail2ban-freeswitch-udp (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

SIP DOS Attack

There is a new SIP based attack that appears to be a Denial of Service attack. Here's an example of what you might see in your logfile:

2011-03-10 08:59:56.319954 [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [qwerty123@10.2.39.4] from ip 109.169.63.142
2011-03-10 08:59:56.355872 [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [qwerty123@10.2.39.4] from ip 109.169.63.142
2011-03-10 08:59:56.382909 [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [qwerty123@10.2.39.4] from ip 109.169.63.142
2011-03-10 08:59:56.894607 [WARNING] sofia_reg.c:1247 SIP auth challenge (REGISTER) on sofia profile 'internal' for [qwerty123@10.2.39.4] from ip 109.169.63.142


grep qwerty123 /usr/local/freeswitch/log/freeswitch.log |wc -l

Returns 19,289 attempts in a little over an hour. This is a particularly nasty attack, that actually crashed my FreeSWITCH installation. I didn't see it live, or I would have set 'sofia global siptrace on' to obtain more information. Regardless, here's how you can block it with fail2ban. You might want to adjust findtime, maxtretry and bantime, but it did work on a second live attack.

vim /etc/fail2ban/filter.d/freeswitch-dos.conf

# Fail2Ban configuration file
#
# Author: soapee01
#

[Definition]
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

add the following to /etc/fail2ban/jail.local

[freeswitch-dos]
enabled = true
port = 5060,5061,5080,5081
filter = freeswitch-dos
logpath = /usr/local/freeswitch/log/freeswitch.log
action = iptables-allports[name=freeswitch-dos, protocol=all]
maxretry = 50
findtime = 30
bantime  = 6000

You might also take a look at this oreilly script

Keep yourself from getting banned.

add to /etc/fail2ban/jail.local

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.0.99
bantime  = 600
maxretry = 3

Errors

If you're seeing something like this in your fail2ban logfile:

2011-02-27 14:11:42,326 fail2ban.actions.action: ERROR  iptables -N fail2ban-freeswitch-tcp

add the time.sleep(0.1) to /usr/bin/fail2ban-client

def __processCmd(self, cmd, showRet = True):
	beautifier = Beautifier()
	for c in cmd:
		time.sleep(0.1)
		beautifier.setInputCmd(c)

or

sed -i -e s,beautifier\.setInputCmd\(c\),'time.sleep\(0\.1\)\n\t\t\tbeautifier.setInputCmd\(c\)', /usr/bin/fail2ban-client

Source: fail2ban wiki