Fail2ban not blocking failed sip logins

Status
Not open for further replies.

drhamel

New Member
Apr 18, 2024
4
0
1
55
I have my fusion setup properly (I think) for fail2ban. It is blocking prt 80/443 for web traffic after 3 bad passwords. Registering on SIP traffic on 5060 is not. I purposely tried inaccurate logins. I get this in in the log windows (x100) but it never blocks the IP is is coming from:
2024-11-08 03:12:17.523521 99.43% [WARNING] sofia_reg.c:3210 Can't find user [102@test] from 73.18.xx.xxx

Anything I am missing?

My jail.local file is :
[ssh]
enabled = true
port = 22
protocol = ssh
filter = sshd
logpath = /var/log/auth.log
action = iptables-allports[name=sshd, protocol=all]
maxretry = 6
findtime = 60
bantime = 86400

[freeswitch]
enabled = true
port = 5060:5091
protocol = all
filter = freeswitch
logpath = /var/log/freeswitch/freeswitch.log
#logpath = /usr/local/freeswitch/log/freeswitch.log
action = iptables-allports[name=freeswitch, protocol=all]
maxretry = 5
findtime = 60
bantime = 3600
# sendmail-whois[name=FreeSwitch, dest=root, sender=[email]fail2ban@example.org[/email]] #no smtp server installed

[freeswitch-acl]
enabled = false
port = 5060:5091
protocol = all
filter = freeswitch-acl
logpath = /var/log/freeswitch/freeswitch.log
#logpath = /usr/local/freeswitch/log/freeswitch.log
action = iptables-allports[name=freeswitch-acl, protocol=all]
maxretry = 5
findtime = 60
bantime = 86400

[freeswitch-ip]
enabled = true
port = 5060:5091
protocol = all
filter = freeswitch-ip
logpath = /var/log/freeswitch/freeswitch.log
#logpath = /usr/local/freeswitch/log/freeswitch.log
action = iptables-allports[name=freeswitch-ip, protocol=all]
maxretry = 1
findtime = 60
bantime = 86400

[auth-challenge-ip]
enabled = false
port = 5060:5091
protocol = all
filter = auth-challenge-ip
logpath = /var/log/freeswitch/freeswitch.log
#logpath = /usr/local/freeswitch/log/freeswitch.log
action = iptables-allports[name=auth-challenge-ip, protocol=all]
maxretry = 1
findtime = 60
bantime = 86400

[sip-auth-challenge]
enabled = false
port = 5060:5091
protocol = all
filter = sip-auth-challenge
logpath = /var/log/freeswitch/freeswitch.log
#logpath = /usr/local/freeswitch/log/freeswitch.log
action = iptables-allports[name=sip-auth-challenge, protocol=all]
maxretry = 5
findtime = 60
bantime = 7200

[sip-auth-failure]
enabled = false
port = 5060:5091
protocol = all
filter = sip-auth-failure
logpath = /var/log/freeswitch/freeswitch.log
#logpath = /usr/local/freeswitch/log/freeswitch.log
action = iptables-allports[name=sip-auth-failure, protocol=all]
maxretry = 5
findtime = 60
bantime = 7200

[fusionpbx-404]
enabled = false
port = 5060:5091
protocol = all
filter = fusionpbx-404
logpath = /var/log/freeswitch/freeswitch.log
#logpath = /usr/local/freeswitch/log/freeswitch.log
action = iptables-allports[name=fusionpbx-404, protocol=all]
maxretry = 6
findtime = 60
bantime = 86400

[fusionpbx]
enabled = true
port = 80,443
protocol = tcp
filter = fusionpbx
logpath = /var/log/auth.log
action = iptables-allports[name=fusionpbx, protocol=all]
# sendmail-whois[name=fusionpbx, dest=root, sender=[email]fail2ban@example.org[/email]] #no smtp server installed
maxretry = 3
findtime = 360
bantime = 3600

[fusionpbx-mac]
enabled = true
port = 80,443
protocol = tcp
filter = fusionpbx-mac
logpath = /var/log/syslog
action = iptables-allports[name=fusionpbx-mac, protocol=all]
# sendmail-whois[name=fusionpbx-mac, dest=root, sender=[email]fail2ban@example.org[/email]] #no smtp server installed
maxretry = 3
findtime = 360
bantime = 86400

[nginx-404]
enabled = true
port = 80,443
protocol = tcp
filter = nginx-404
logpath = /var/log/nginx/access*.log
action = iptables-allports[name=nginx-404, protocol=all]
bantime = 3600
findtime = 360
maxretry = 3

[nginx-dos]
# Based on apache-badbots but a simple IP check (any IP requesting more than
# 300 pages in 60 seconds, or 5p/s average, is suspicious)
enabled = true
port = 80,443
protocol = tcp
filter = nginx-dos
logpath = /var/log/nginx/access*.log
action = iptables-allports[name=nginx-dos, protocol=all]
findtime = 60
bantime = 86400
maxretry = 80
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,072
577
113
Well, immediately I see some of the filters are not enabled:

Code:
[sip-auth-challenge]
enabled = false <--------------------------------
port = 5060:5091
protocol = all
filter = sip-auth-challenge
logpath = /var/log/freeswitch/freeswitch.log
#logpath = /usr/local/freeswitch/log/freeswitch.log
action = iptables-allports[name=sip-auth-challenge, protocol=all]
maxretry = 5
findtime = 60
bantime = 7200

However, I believe these may be deliberately be off as event-guard should be handling them.
 

drhamel

New Member
Apr 18, 2024
4
0
1
55
Thank you so much! I'm sorry, now do see blocked login attempts n the event guard. Does this block via IP tables will I see the blocks there?
 
Status
Not open for further replies.