Upgrade to 1.10.7

a note from another thread here. https://github.com/fail2ban/fail2ban/issues/3143

See this thread: https://www.pbxforums.com/threads/new-freeswitch-vulnerabilities.5725/

Incubugs said:

It was something about the freeswitch filter and that freeswitch have added in a cpu string or something ?

Click to expand...

The Freeswitch people have prefixed the warning lines in the log with cpu percentage. Not sure why as the cpu utilization does not seem accurate, but anyway that's what breaks the filter in fail2ban. I haven't tried to fix it yet as the wrong fail2ban filter in production would be bad and I haven't had time to spin up a test box.

Kinda confused . . . I upgraded to the latest Freeswitch 1.10.7 and rebooted, etc. Tested using a phone with a wrong password (Grandstream phone, I put 2 sip accounts in to get enough failures in 1 minute to trigger). Fail2ban worked like it always has without modifications. The default I think is 6 auth failures in 1 minute. In the /var/log/fail2ban.log:
2021-11-18 02:56:58,665 fail2ban.filter [30042]: INFO [sip-auth-failure] Found 192.168.x.x - 2021-11-18 02:56:58
2021-11-18 02:56:58,666 fail2ban.filter [30042]: INFO [freeswitch] Found 192.168.x.x - 2021-11-18 02:56:58
2021-11-18 02:56:58,682 fail2ban.actions [30042]: NOTICE [sip-auth-failure] Ban 192.168.x.x
2021-11-18 02:56:58,720 fail2ban.actions [30042]: NOTICE [freeswitch] Ban 192.168.x.x
(IP addresses changed to something generic; in the actual log there are no x.x's)

Note I did a default install Debian 10 and FusionPBX maybe early 2021 or so ago, and never modified Fail2ban. Tried putting the ^ in like Daz suggested and it no longer works. Removed it and it works again. Just to make sure we are looking at the same thing, I'm looking at the filter config files:
/etc/fail2ban/filter.d/sip-auth-failure.conf
/etc/fail2ban/filter.d/freeswitch.conf

Also confused why the freeswitch and sip-auth-failure filters appear to do the same thing, and why both are enabled by default.

Running:
Fail2Ban Version 0.10.2 (default install and with whatever normal OS patching provides)
Freeswitch 1.10.7 (64bit)
FusionPBX Main branch 4.5.30 (I think I tested with an earlier branch also)
Debian 10

So any idea why my log entries don't look like that, but I'm on 1.10.7? Any suggestions for what I should check?

Correction, I do see the percentage in the Freeswitch log, but not in the Fail2ban log. It does not appear that the percentage being in the Freeswitch log has impaired the Fail2ban on my system from working by default, as seen from my Fail2ban log entries above . . .

Which file are you looking at? I'm looking at /etc/fail2ban/filter.d/sip-auth-failure.conf
Here are the two options I tested, the default which still works on my system despite upgrading to Freeswich 1.10.7 and the edit you suggested (commented out, but when commented in I cannot get to work):
#failregex = ^\[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'.*\' for \[.*\] from ip <HOST>
failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'.*\' for \[.*\] from ip <HOST>

Incubugs said:

has anyone got this sorted yet as updating to 1.10.7 is becoming a urgent case as the latest yealink firmware BLF especially isn't playing nice with the older freeswitch version.

Click to expand...

See this thread for the upgrade procedure that worked for me. Your mileage may vary: https://www.pbxforums.com/threads/new-freeswitch-vulnerabilities.5725/