Fail2Ban Banning Rejected by acl "domains". Falling back to Digest auth.

Status
Not open for further replies.

Derick

New Member
Jun 21, 2018
15
2
1
Sydney Australia
Hi there!!

I am wanting to block attempts at accessing my FusionPBX node. I know that the ACL is blocking these connections. But I want to have them banned so I am not getting this in my log and not getting the traffic anymore. This has been a huge problem for me as they scan my system very very often. Any help would be greatly appreciated.

2018-10-02 07:41:49.659090 [DEBUG] sofia.c:10044 IP 37.49.231.147 Rejected by acl "domains". Falling back to Digest auth.
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,038
556
113
If you are using domain names as is the correct practice then there is a fail2ban rule that you can enable, look in:
Code:
/etc/fail2ban/jail.local

There is a rule disabled by default that you can enable:
Code:
[freeswitch-ip]
enabled  = false <-------------------------------------------------
port     = 5060:5091
protocol = all
filter   = freeswitch-ip
logpath  = /var/log/freeswitch/freeswitch.log
#logpath  = /usr/local/freeswitch/log/freeswitch.log
action   = iptables-allports[name=freeswitch-ip, protocol=all]
maxretry = 1
findtime = 30
bantime  = 86400

After changing it do a: service fail2ban restart

This rule will ban anything that sniffs at the IP eg 111111@ipaddress rather than 111111@domainname

Bear in mind this means you need to have dids coming into the domain as well rather than IP.

This will block 99% of the bad guys.
 
  • Like
Reactions: NerdUno

NerdUno

New Member
Sep 4, 2018
17
9
3
77
We go a few steps beyond.

First, we tighten up /etc/fail2ban/filter.d/freeswitch-ip.conf replacing the failregex entry with the following (borrowed from another post in this forum):

Code:
failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile 'internal' for \[.*@\d+.\d+.\d+.\d+\] from ip <HO$
^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$

Second, in the [default] section of /etc/fail2ban/jail.conf, we also add IP addresses of SIP providers to the ignoreip list so they don't accidentally get blocked. Don't forget to restart Fail2Ban!

Third, we check periodically for the bad guys with this command:
Code:
iptables -nL | grep REJECT

After verifying that we didn't accidentally snag a provider, we move the entries into the top of /etc/iptables/rules.v4 and restart IPtables.

Here's our current list:
Code:
# Permanent BLOCK LIST
-A INPUT -s 5.62.0.0/16     -j DROP
-A INPUT -s 37.49.231.1/24  -j DROP
-A INPUT -s 51.15.0.0/16    -j DROP
-A INPUT -s 51.158.0.0/16   -j DROP
-A INPUT -s 78.129.150.130  -j DROP
-A INPUT -s 107.175.59.27   -j DROP
-A INPUT -s 145.239.67.12   -j DROP
-A INPUT -s 162.144.89.59   -j DROP
-A INPUT -s 163.172.226.178 -j DROP
-A INPUT -s 185.229.190.40  -j DROP
-A INPUT -s 212.83.0.0/16   -j DROP
-A INPUT -s 212.129.0.0/16  -j DROP
 
  • Like
Reactions: Derick and Billy

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,038
556
113
I've just checked the fail2ban rule and @NerdUno, the rule above looks much more like the one I initially submitted a long time ago and not the lame thing I am now seeing....

failregex = \[WARNING\] sofia_reg.c:\d+ Can't find user \[.*@\d+.\d+.\d+.\d+\] from <HOST>
 
  • Like
Reactions: Derick and NerdUno

Derick

New Member
Jun 21, 2018
15
2
1
Sydney Australia
I am still getting these... hmm..
69766d54-0b54-4c00-9d6c-7ffd3e016af2 2018-10-02 18:21:16.279098 [DEBUG] sofia.c:9873 sofia/internal/100@18.x.x.x receiving invite from 62.210.146.36:5071 version: 1.6.20 -37-987c9b9 64bit
2018-10-02 18:21:16.279098 [DEBUG] sofia.c:10044 IP 62.210.146.36 Rejected by acl "domains". Falling back to Digest auth.
2018-10-02 18:21:16.279098 [DEBUG] sofia.c:2334 detaching session 69766d54-0b54-4c00-9d6c-7ffd3e016af2
2018-10-02 18:21:16.279098 [WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'internal' for [27027000@18.x.x.x] from ip 62.210.146.36
69766d54-0b54-4c00-9d6c-7ffd3e016af2 2018-10-02 18:21:16.279098 [DEBUG] switch_core_state_machine.c:603 (sofia/internal/100@18.x.x.x) State NEW
 

markjcrane

Active Member
Staff member
Jul 22, 2018
447
162
43
49
After you make changes to fail2ban you would then need to re-load its configuration.
service fail2ban restart
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,038
556
113
You will still get the odd one come in on the log before they get banned, check with iptables -L or use the command posted by someone else yesterday to check the jails.
 

Allen

New Member
Jan 14, 2018
2
0
1
41
The failregex entry posted here and on another post in this forum has an error. It starts with ^\.
  • ^ Matches the start of a string without consuming any characters.
  • \. A period (special character) needs to be escaped by a \
So the regex statement is expecting a literal dot (period) at the very start of the line but the freeswitch log entry starts with date / time:
Code:
2019-08-23 01:22:18.550479 [WARNING] sofia_reg.c:1792 SIP auth challenge (REGISTER) on sofia profile 'internal' for [86199@198.205.55.242] from ip 5.62.41.160
The following works correctly and is faster as it excludes everything in front of [WARNING] :
Code:
\[WARNING\] sofia_reg.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'(internal|external)\' for \[.*\@\d*.\d+.\d*.\d*\] from ip <HOST>
You can also simply drop the ^ from the original post and it will work ok.

You can check your regex statement against a test string from the freeswitch log at: https://regex101.com/
 
Status
Not open for further replies.