Hi all,
I've been testing FusionPBX for a couple of months and am hoping to move into production soon for public use. I have 5 test users who use desk phones and Zoiper/Linphone. This means I have to be somewhat liberal with security: I have to allow access from any public IP.
My server resides behind a NAT firewall which performs 1-to-1 NAT to its public IP, and my SIP profiles are configured with their ext-sip IPs. Everything works relatively well, except that I have to get most desk phones (at customer premises) to register every 90 seconds; if I have them set for longer periods then either the user's firewall or my firewall/pfSense closes the previously opened stateful ports. If I set phone registrations higher, then at times when calling one of my subscribers you get their voicemail.
I want to still have fail2ban working to stop possible attacks, but obviously with registrations happening so often, especially when a user has two devices registering from the same IP (multi-reg), their IP gets banned.
I want to either lower the log level of FreeSWITCH or change fail2ban behaviour for registrations but still keep its effectiveness, while still allowing users to roam and hence access from ever-changing public IPs.
My config files:
Fail2ban:
failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>
            \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>
maxretry = 20
bantime = 10000000
findtime = 600
FreeSWITCH logging:
<param name="loglevel" value="debug"/>
What would be the best way to tweak my settings to obtain the desired goal? Should I lower the log level so that I'm not seeing the constant registrations?
Or (not likely, I'd imagine) remove the "failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>" line?
Or do I need to find a different method to deploy my server, i.e. have FusionPBX hanging straight on the public network?
Or change the NAT options on my SIP profile?
I have on my SIP profile:
ext-sip-ip autonat:9.9.9.9 (obviously my actual public IP)
nat-options-ping true
aggressive-nat-detection true
Looking for any advice here please.
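The post's first failregex matches the "SIP auth challenge (REGISTER)" line, which FreeSWITCH writes at WARNING for every digest-authenticated REGISTER it challenges, not only for failed ones; since both the challenge and the failure lines are at WARNING, the count fail2ban sees is set by the filter, not by the loglevel. The script below is an added example (not code from the post or from FusionPBX/fail2ban) that replays constructed FreeSWITCH-style log lines through a small model of fail2ban's findtime/maxretry window, once with the post's challenge pattern and once with an alternative pattern that counts only "SIP auth failure" lines for REGISTER and INVITE. The alternative pattern, the simplified integer timestamps, the profile name and the 203.0.113.10 / 198.51.100.7 addresses are assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# fail2ban expands <HOST> into a host-matching group; this stand-in
# (an assumption for the example) matches an IPv4 address.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Pattern 1, as in the post: fires on every challenge, i.e. on every
# normal REGISTER a phone sends.
CHALLENGE_RE = re.compile(
    r"\[WARNING\] sofia_reg\.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile "
    r"'[^']+' for \[.*\] from ip " + HOST)

# Pattern 2 (assumed alternative, not the post's filter): count only real
# authentication failures, for REGISTER as well as INVITE.
FAILURE_RE = re.compile(
    r"\[WARNING\] sofia_reg\.c:\d+ SIP auth failure \((?:REGISTER|INVITE)\) on sofia profile "
    r"'[^']+' for \[.*\] from ip " + HOST)

# Constructed log line: "<epoch seconds> [WARNING] sofia_reg.c:<line> ..."
LINE = ("%d [WARNING] sofia_reg.c:1772 SIP auth %s (REGISTER) on sofia profile "
        "'external' for [%s@pbx.example.com] from ip %s")


def legit_traffic(ip, devices, interval_s, span_s):
    """Constructed log for `devices` phones behind one NAT IP, each re-registering
    every interval_s seconds; each REGISTER is challenged once and then succeeds,
    so it produces a challenge line but no failure line."""
    lines = []
    for t in range(0, span_s, interval_s):
        for d in range(devices):
            lines.append(LINE % (t, "challenge", "100%d" % d, ip))
    return lines


def bruteforce_traffic(ip, attempts, interval_s):
    """Constructed log for a password-guessing scanner: every attempt is
    challenged and then fails."""
    lines = []
    for i in range(attempts):
        lines.append(LINE % (i * interval_s, "challenge", "1001", ip))
        lines.append(LINE % (i * interval_s, "failure", "1001", ip))
    return lines


def banned_hosts(lines, regex, maxretry, findtime):
    """Model of fail2ban's counting: a host is banned once it has maxretry
    matching lines inside any findtime-second window."""
    hits = defaultdict(deque)
    banned = set()
    for line in sorted(lines, key=lambda l: int(l.split(" ", 1)[0])):
        m = regex.search(line)
        if not m:
            continue
        ts = int(line.split(" ", 1)[0])
        window = hits[m.group("host")]
        window.append(ts)
        while window and window[0] < ts - findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(m.group("host"))
    return banned


def compare(devices, interval_s, maxretry=20, findtime=600):
    """Run one legitimate multi-device site plus one brute-forcer through both
    filters with the post's maxretry/findtime and report who gets banned."""
    legit = legit_traffic("203.0.113.10", devices, interval_s, findtime)
    attacker = bruteforce_traffic("198.51.100.7", 25, 5)
    lines = legit + attacker
    return {
        "challenge_regex": sorted(banned_hosts(lines, CHALLENGE_RE, maxretry, findtime)),
        "failure_regex": sorted(banned_hosts(lines, FAILURE_RE, maxretry, findtime)),
    }


if __name__ == "__main__":
    print("2 devices @ 90 s:", compare(2, 90))
    print("3 devices @ 60 s:", compare(3, 60))
```

With the post's numbers (two devices, 90-second registrations, findtime 600, maxretry 20) the legitimate site generates 14 challenge lines per window, so it stays just under the threshold; a third device or a 60-second interval pushes it to 30 and the challenge-matching filter bans the customer's NAT address while the failure-only filter still bans the scanner and leaves the customer alone.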