오픈소스 OPENSIPS 인스통 install - Fail2Ban Freeswitch How to secure

글 수 172

Fail2Ban Freeswitch How to secure

admin

https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban

About

Fail2Ban is an intrusion prevention system that works by scanning log files and then taking action based on the entries in those logs.

You can configure Fail2Ban in a way that will update iptables firewall rules when an authentication failure threshold is reached, which helps in preventing SIP brute force attacks against FS instances.

Fail2Ban scans your freeswitch log file and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.

Fail2Ban is available at fail2ban.org or on their github page: https://github.com/fail2ban/fail2ban

Requirements

Fail2Ban needs a log of Authentication Attempts/Failures in order to ban IPs. There are two ways to do that:

Beta: mod_fail2ban

Enable "log-auth-failures" on each Sofia profile to monitor
to have these messages printed in log file requires a high enough loglevel on your logs : must be loglevel 4 (WARNING) or superior.
<param name="log-auth-failures" value="true"/>

Install

Debian

apt-get install fail2ban

Suse

zypper sa http://download.opensuse.org/repositories/security/SLE_11 openSUSE-security
zypper refresh
zypper up
zypper install fail2ban

FreeBSD

pkg install py27-fail2ban
... and all the files referenced later are in /usr/local/etc/ rather than /etc/

CentOS

For CentOS the easiest way to do this is to install fail2ban from the EPEL repository. See http://fedoraproject.org/wiki/EPEL/FAQ.

The EPEL repository is non-arch specific, the links to i386 are identical to x86_64.

Configure

Edit Config Files

The maintainers of Fail2Ban have taken an interest in supporting FreeSWITCH. They have asked that we use the configuration at https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf rather than specify a configuration here. If anyone wishes to submit other regular expressions that should be include, please provide samples to https://github.com/fail2ban/fail2ban/issues.

The jail.conf file may get overwritten when upgrading Fail2Ban. Create a /etc/fail2ban/jail.local file with the following data in it, setting the correct path to *your* freeswitch.log file, and adjust the email addresses if needed for your setup:

[freeswitch]
enabled  = true
port     = 5060,5061,5080,5081
filter   = freeswitch
logpath  = /var/log/freeswitch/freeswitch.log
maxretry = 10
action   = iptables-allports[name=freeswitch, protocol=all]
           sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org]

(mine are /usr/local/freeswitch/log/freeswitch.log)

Since the warnings in the log are also sometimes present for valid IP address, like your local LAN, you will want to add the following to the jail.local file:

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 192.168.2.0/24 192.168.1.0/24
bantime  = 600
maxretry = 3

Add any additional addresses that may access your system.

Restart fail2ban (/etc/init.d/fail2ban restart or service fail2ban restart) and ensure that fail2ban loads the filter. The following should be in your /var/log/fail2ban.log:

2010-02-05 10:04:23,560 fail2ban.jail   : INFO   Creating new jail 'freeswitch-udp'
2010-02-05 10:04:23,560 fail2ban.jail   : INFO   Jail 'freeswitch-udp' uses poller
2010-02-05 10:04:23,561 fail2ban.filter : INFO   Added logfile = /var/log/freeswitch/freeswitch.log
2010-02-05 10:04:23,562 fail2ban.filter : INFO   Set maxRetry = 3
2010-02-05 10:04:23,562 fail2ban.filter : INFO   Set findtime = 600
2010-02-05 10:04:23,563 fail2ban.actions: INFO   Set banTime = 600
2010-02-05 10:04:23,677 fail2ban.jail   : INFO   Creating new jail 'freeswitch-tcp'
2010-02-05 10:04:23,677 fail2ban.jail   : INFO   Jail 'freeswitch-tcp' uses poller
2010-02-05 10:04:23,678 fail2ban.filter : INFO   Added logfile = /var/log/freeswitch/freeswitch.log
2010-02-05 10:04:23,679 fail2ban.filter : INFO   Set maxRetry = 3
2010-02-05 10:04:23,680 fail2ban.filter : INFO   Set findtime = 600
2010-02-05 10:04:23,680 fail2ban.actions: INFO   Set banTime = 600
2010-02-05 10:04:23,723 fail2ban.jail   : INFO   Jail 'freeswitch-tcp' started
2010-02-05 10:04:23,723 fail2ban.jail   : INFO   Jail 'freeswitch-udp' started

Verify that the iptables rules were created:

# iptables -L f2b-freeswitch
Chain f2b-freeswitch (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

Test the actual failure mode

Setup your favorite client with an invalid userid or invalid password. Try to login as many times as you have set your failure threshold in Fail2Ban. Watch Fail2Ban log:

tail -f /var/log/fail2ban.log
2010-02-05 10:13:12,070 fail2ban.actions: WARNING [freeswitch-udp] Ban 192.168.1.10
2010-02-05 10:13:12,098 fail2ban.actions: WARNING [freeswitch-tcp] Ban 192.168.1.10

Verify your client can no longer do a register (should just time out). Also verify iptables:

# iptables -n -L f2b-freeswitch
Chain fail2ban-freeswitch-tcp (1 references)
target     prot opt source               destination
DROP       all  --  192.168.1.10         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
# iptables -n -L f2b-freeswitch
Chain fail2ban-freeswitch-udp (1 references)
target     prot opt source               destination
DROP       all  --  192.168.1.10         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

You can then wait for Fail2Ban to clear the the block, or do it yourself:

# iptables -D f2b-freeswitch 1
# iptables -L f2b-freeswitch
RETURN     all  --  anywhere             anywhere
 
# iptables -D f2b-freeswitch 1
# iptables -L f2b-freeswitch
Chain fail2ban-freeswitch-udp (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

You might also take a look at this oreilly script

Errors

If you're seeing something like this in your Fail2Ban logfile:

2011-02-27 14:11:42,326 fail2ban.actions.action: ERROR  iptables -N fail2ban-freeswitch-tcp

add the time.sleep(0.1) to /usr/bin/fail2ban-client

def __processCmd(self, cmd, showRet = True):
	beautifier = Beautifier()
	for c in cmd:
		time.sleep(0.1)
		beautifier.setInputCmd(c)

sed -i -e s,beautifier\.setInputCmd\(c\),'time.sleep\(0\.1\)\n\t\t\tbeautifier.setInputCmd\(c\)', /usr/bin/fail2ban-client

Source: fail2ban wik

이 게시물을...

조회 수 :: 63787
등록일 :: 2017.09.12; 21:02:36 (*.160.88.18)

엮인글 :: http://webs.co.kr/index.php?document_srl=3311875&act=trackback&key=bd5

게시글 주소 :: http://webs.co.kr/index.php?document_srl=3311875

List of Articles

번호	제목	글쓴이	조회 수	날짜
82	OpenSIPS , default script , Types of Routs , Routing in SIP, Video lecture	admin	41653	2014-08-13
82
81	Configuracion de Kamailio 3.3 con NAT Traversal y XCAP.	admin	37600	2014-08-12
81
80	OpenSIPS/OpenSER-a versatile SIP Server cfg	admin	38577	2014-08-11
80
79	Kamailio Nat Traversal using RTPProxy	admin	37573	2014-08-11
79
78	MediaProxy Installation Guide	admin	40218	2014-08-10
78
77	RTPProxy 1.2.x Installation & Integration with OpenSIPS 1.5x	admin	42088	2014-08-10
77
76	Opensips Installation, How to. Good guide wiki page	admin	37435	2014-08-10
76
75	[OpenSIPS-Users] Opensips 1.10 NAT radius aaa	admin	37622	2014-08-23
75
74	OpenSIPS Consultancy Pricing module install Server 판매 또는 설치및 컨설팅 가이드	admin	42396	2014-08-23
74
73	ICE: The ultimate way of beating NAT in SIP	admin	66202	2014-08-23
73
72	MediaProxy wiki page install configuration	admin	43899	2014-08-11
72
71	Under RHEL6.5 install OpenSIPS 1.11.1 tls	admin	39491	2014-08-12
71
70	오픈소스 (사내)메신저 서버 구축, 오픈 파이어(openfire) 설치방법과 세팅	admin	104238	2014-08-11
70
69	OpenSIPS Installation Notes	admin	48355	2014-08-09
69
68	Installation and configuration process record opensips 1.9.1	admin	97190	2014-08-09
68
67	opensips 1.11.2 install Good Giide	admin	67545	2014-08-09
67
66	fusionPBX install debian wheezy	admin	39148	2014-08-09
66
65	opensips 1.11.2 install guide good 인스톨 가이드	admin	45309	2014-08-09
65
64	SigIMS IMS Platform	admin	40033	2014-05-24
64
63	2013 2012년 분야별 최고의 오픈소스 소프트웨어 124선	admin	66086	2014-04-05
63
62	Video conference server OpenMCU-ru - Introduction	admin	56848	2014-04-01
62
61	SIPSorcery	admin	45974	2014-03-18
61
60	telepresence: Open Source SIP Telepresence/MCU	admin	186361	2014-03-12
60
59	SIP PBX - OpenSIPS and Asterisk configuration	admin	167128	2014-03-12
59
58	Conference Support in Kamailio (OpenSER)	admin	89155	2014-03-12
58
57	OpenSIPS configuration for 2 or more FreeSWITCH installs	admin	77154	2014-03-12
57
56	The Impact of TLS on SIP Server Performance	admin	44471	2014-03-12
56
55	book-opensips-101 / content / 3.2. SIP TLS Secure Calling.mediawiki	admin	44742	2014-03-12
55
54	Where to check OpenSIPS does not start?	admin	45249	2014-03-09
54
53	Ekiga (formely known as GnomeMeeting) is an open source SoftPhone	admin	44557	2014-03-12
53

쓰기

첫 페이지 1 2 3 4 5 6 끝 페이지

소프트스위치