Fail2ban is too slow and bans only after the attack

Our VoIP server (freeswitch) was hit by a "REGISTER" attack.
The log looks like this:

2019-04-25 14:35:16.137965 [WARNING] sofia_reg.c:1743 SIP auth failure (REGISTER) on sofia profile 'internal' for [[email protected]] from ip 77.247.108.59

For this we have Fail2Ban, which bans the IP after 10 attempts. But it does not work.

Fail2Ban writes a lot of "Found" entries to its log file. After thousands of entries, and Fail2Ban slowing the server down, the last entry was "Ban [ip]".

2019-04-25 14:37:18,961 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:18,994 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:19,033 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:19,068 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:19,114 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:19,152 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,192 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,232 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,268 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,302 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,345 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,384 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,426 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:20,087 fail2ban.actions        [2167]: NOTICE  [freeswitch] Ban 77.247.108.59

Is this a Fail2Ban failure, or have I misconfigured something?

jail.local:

   [DEFAULT]
   ignoreip = [censored]
   ignorecommand = /usr/bin/php /etc/fail2ban/ignorecommands/freeswitch/check.php <ip>
   bantime  = 86400
   findtime = 3600
   maxretry = 10
   backend = auto
   usedns = warn
   banaction = iptables-multiport
   mta = sendmail
   protocol = tcp
   chain = INPUT
   action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
   action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
   action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
   action = %(action_)s

jail.d/freeswitch.local:

[freeswitch]
enabled = true
ignoreip = [censored]
ignorecommand = /usr/bin/php /etc/fail2ban/ignorecommands/freeswitch/check.php <ip>
maxretry = 10
findtime = 3600
bantime = 3600
port     = 5060,5061,5080,5081
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/freeswitch/freeswitch.log

filter.d/freeswitch.conf:

[Definition]
failregex = \[WARNING\] sofia_reg\.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
            \[WARNING\] sofia_reg\.c:\d+ SIP auth challenge \(INVITE\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
            \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
            \"FAIL2BAN_HOST=<HOST>\"
            IP <HOST> Rejected by acl

Debian 9, Fail2Ban v0.10.5.dev1

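Added example (my own script, not part of the original post or of fail2ban): it replays freeswitch log lines through the REGISTER failregex from the post's filter.d/freeswitch.conf with the jail's maxretry/findtime sliding-window semantics, so you can see at exactly which line a ban should fire, and it also parses fail2ban's own "Found ip - timestamp" lines from the post to measure how far behind the log file fail2ban's filter was running. The freeswitch lines are constructed here (the user part of the SIP address, the second address 198.51.100.7 and the unrelated NOTICE line are made up); the two fail2ban lines are taken from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The REGISTER failregex from the post's filter.d/freeswitch.conf, with the
# <HOST> tag expanded to a named IPv4 group the way fail2ban does internally.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(
    r"\[WARNING\] sofia_reg\.c:\d+ SIP auth failure \(REGISTER\) on sofia profile "
    r"'[^']+' for \[.*\] from ip " + HOST + r"$"
)
# freeswitch prefixes every line with "YYYY-MM-DD HH:MM:SS.micros "
FS_TS = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ ")
# fail2ban's own "Found <ip> - <log timestamp>" lines, as quoted in the post
F2B_FOUND = re.compile(
    r"^(?P<seen>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.filter\s+\[\d+\]: INFO\s+"
    r"\[\w+\] Found (?P<ip>\S+) - (?P<logged>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)$"
)
FMT = "%Y-%m-%d %H:%M:%S"


def simulate_bans(lines, maxretry=10, findtime=3600):
    """Replay freeswitch log lines through the failregex and keep a sliding
    findtime window of failure timestamps per IP (the jail's maxretry/findtime
    semantics). Returns {ip: index of the line at which the ban fires}."""
    window = defaultdict(deque)
    banned = {}
    for idx, line in enumerate(lines):
        m = FAILREGEX.search(line)
        if not m:
            continue                      # not a failure line for this filter
        ip = m.group("host")
        if ip in banned:
            continue                      # already banned, nothing more to decide
        ts = datetime.strptime(FS_TS.match(line).group(1), FMT)
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()                   # drop failures older than findtime
        if len(q) >= maxretry:
            banned[ip] = idx
    return banned


def processing_lag(f2b_lines):
    """For each 'Found' line fail2ban wrote, return the seconds between the
    timestamp of the freeswitch line it refers to and the moment fail2ban's
    filter actually reached that line."""
    lags = []
    for line in f2b_lines:
        m = F2B_FOUND.search(line)
        if not m:
            continue
        seen = datetime.strptime(m["seen"], FMT)
        logged = datetime.strptime(m["logged"], FMT)
        lags.append(int((seen - logged).total_seconds()))
    return lags


def sample_freeswitch_log():
    """Constructed freeswitch lines: 12 REGISTER failures from the address in
    the post one second apart, 3 from a second constructed address (below
    maxretry), and one unrelated line that must not match."""
    base = datetime(2019, 4, 25, 14, 35, 16)
    tmpl = ("{ts}.137965 [WARNING] sofia_reg.c:1743 SIP auth failure (REGISTER) "
            "on sofia profile 'internal' for [1001@pbx.example.invalid] from ip {ip}")
    lines = [tmpl.format(ts=(base + timedelta(seconds=i)).strftime(FMT), ip="77.247.108.59")
             for i in range(12)]
    lines += [tmpl.format(ts=(base + timedelta(seconds=30 + i)).strftime(FMT), ip="198.51.100.7")
              for i in range(3)]
    lines.append("2019-04-25 14:35:40.000001 [NOTICE] switch_core.c:100 constructed unrelated line")
    return lines


# Three of the fail2ban lines quoted in the post; only the two "Found" lines
# carry a log timestamp to compare against.
SAMPLE_F2B_LOG = [
    "2019-04-25 14:37:18,961 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19",
    "2019-04-25 14:37:19,152 fail2ban.filter         [2167]: INFO    [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20",
    "2019-04-25 14:37:20,087 fail2ban.actions        [2167]: NOTICE  [freeswitch] Ban 77.247.108.59",
]

if __name__ == "__main__":
    print("ban decisions (ip -> line index):", simulate_bans(sample_freeswitch_log()))
    print("seconds fail2ban was behind the log:", processing_lag(SAMPLE_F2B_LOG))
```

With the jail's values (maxretry = 10, findtime = 3600) the simulation bans 77.247.108.59 at the tenth matching line and never bans the second address; with a findtime shorter than the spacing of the attempts it bans nobody, which is the other knob worth checking when a jail seems not to fire. The lag function shows the part the filter cannot fix: the two quoted "Found" lines were processed 119 seconds after freeswitch wrote them, so by the time the tenth match was counted the attempts had long since happened. Note that fail2ban consults ignoreip/ignorecommand for each failure it finds, so an ignorecommand that starts a PHP interpreter runs once per matched line; fail2ban 0.10 added an `ignorecache` jail option to cache those results.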