우리 VoIP 서버(freeswitch)가 "등록" 공격을 받았습니다.
로그에는 다음과 같습니다.
2019-04-25 14:35:16.137965 [WARNING] sofia_reg.c:1743 SIP auth failure (REGISTER) on sofia profile 'internal' for [[email protected]] from ip 77.247.108.59
이를 위해 10회 시도 후 IP를 차단하는 Fail2Ban이 있습니다. 그러나 이것은 작동하지 않습니다.
Fail2Ban은 로그 파일에 "발견된" 항목을 많이 기록합니다. 수천 개의 항목과 Fail2Ban으로 인해 서버 속도가 느려진 후 마지막 항목은 "Ban [ip]"였습니다.
2019-04-25 14:37:18,961 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:18,994 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:19,033 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:19,068 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:19,114 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:19,152 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,192 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,232 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,268 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,302 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,345 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,384 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,426 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:20,087 fail2ban.actions [2167]: NOTICE [freeswitch] Ban 77.247.108.59
Fail2Ban 실패인가요, 아니면 제가 잘못 구성한 것인가요?
지역 교도소:
[DEFAULT]
ignoreip = [censored]
ignorecommand = /usr/bin/php /etc/fail2ban/ignorecommands/freeswitch/check.php <ip>
bantime = 86400
findtime = 3600
maxretry = 10
backend = auto
usedns = warn
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
action = %(action_)s
Jail.d/freeswitch.local:
[freeswitch]
enabled = true
ignoreip = [censored]
ignorecommand = /usr/bin/php /etc/fail2ban/ignorecommands/freeswitch/check.php <ip>
maxretry = 10
findtime = 3600
bantime = 3600
port = 5060,5061,5080,5081
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/freeswitch/freeswitch.log
filter.d/freeswitch.conf
[Definition]
failregex = \[WARNING\] sofia_reg\.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
\[WARNING\] sofia_reg\.c:\d+ SIP auth challenge \(INVITE\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
\[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
\"FAIL2BAN_HOST=<HOST>\"
IP <HOST> Rejected by acl
데비안 9 Fail2Ban v0.10.5.dev1