Configuring Fail2Ban on CentOS to protect `FreeSWITCH` from SIP attacks
<div class="cnblogs_code"><pre># Using `Fail2Ban` to protect `FreeSWITCH` from SIP attacks
A `FreeSWITCH` instance running on the public Internet is easily targeted by SIP attacks. There are many ways to deal with this; `Fail2Ban` is simple to install, configure and debug, which makes it a good choice.
There are many `Fail2Ban` versions, and the configuration differs slightly between them.
This test is based on `Fail2Ban 0.9.6`; the other relevant details are:
- Debian 9
- FreeSWITCH 1.10.3, with `base_dir` set to `/usr/local/freeswitch`
## Installing `Fail2Ban`
```shell
cd /usr/src; git clone https://github.com/fail2ban/fail2ban.git -b 0.9.6
cd /usr/src/fail2ban; python3 setup.py install
# install as a service (Debian init script)
cp files/debian-initd /etc/init.d/fail2ban
# on CentOS use the Red Hat init script instead:
cp files/redhat-initd /etc/init.d/fail2ban
# https://github.com/fail2ban/fail2ban/blob/0.11/files/redhat-initd
# Debian: register and start the service
update-rc.d fail2ban defaults
service fail2ban start
```
## Configuring `iptables`
```shell
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT        # ssh
iptables -A INPUT -p tcp --dport 80 -j ACCEPT        # http
iptables -A INPUT -p tcp --dport 443 -j ACCEPT       # https
iptables -A INPUT -p tcp --dport 5066 -j ACCEPT      # FreeSWITCH WebSocket (ws)
iptables -A INPUT -p tcp --dport 7443 -j ACCEPT      # FreeSWITCH WebSocket (wss)
iptables -A INPUT -p tcp --dport 5060:5061 -j ACCEPT # SIP internal profile, TCP and TLS
iptables -A INPUT -p udp --dport 5060 -j ACCEPT      # SIP internal profile, UDP
iptables -A INPUT -p tcp --dport 5080 -j ACCEPT      # SIP external profile
iptables -A INPUT -p udp --dport 5080 -j ACCEPT
iptables -A INPUT -p udp --dport 16384:32768 -j ACCEPT # RTP media
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
```
## Configuring `FreeSWITCH`
1. sip_profiles/internal.xml
```
<param name="log-auth-failures" value="true"/>
```
2. autoload_configs/switch.conf.xml: one setting has to be changed
```
<param name="threaded-system-exec" value="true"/>
```
## Configuring fail2ban
### Configuring the freeswitch jail
Find the freeswitch section of `/etc/fail2ban/jail.conf` and change it to the following:
```
enabled  = true
port     = 5060,5061,5080
action   = iptables-allports
logpath  = /usr/local/freeswitch/log/freeswitch.log
filter   = freeswitch
maxretry = 5
bantime  = -1
findtime = 3600
ignoreip = 127.0.0.1/8 192.168.0.0/16 10.0.0.0/8 172.16.0.0/16
```
Where:
* port = 5060,5061,5080 # the ports of the SIP profiles
* action = iptables-allports # no change needed
* logpath = /usr/local/freeswitch/log/freeswitch.log # full path of freeswitch.log
* filter = freeswitch # no change needed
* maxretry = 5 # number of attempts
* bantime = -1 # -1 means a permanent ban
* findtime = 3600 # observation window; taken together these parameters mean: if an IP address is seen making 5 attempts within 1 hour, it is banned permanently
* ignoreip = 127.0.0.1/8 192.168.0.0/16 10.0.0.0/8 172.16.0.0/16 # IP whitelist
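To make the interaction of `maxretry`, `findtime`, `bantime` and `ignoreip` concrete, here is an added Python model of the jail's counting (example code written for this page, not Fail2Ban's own code or API): it records each failregex hit per host, keeps only hits inside the `findtime` window, bans once `maxretry` hits remain, treats `bantime = -1` as never expiring and skips anything inside `ignoreip`. The `Jail` class, its method names, the hosts and the timestamps are all constructed for the example.

```python
import ipaddress
from collections import defaultdict, deque

# Example model of the jail parameters above (written for this page; not
# Fail2Ban's own code).  Values are the page's jail settings.
MAXRETRY = 5        # failures needed for a ban
FINDTIME = 3600     # seconds: only failures inside this window count
BANTIME = -1        # seconds; -1 = permanent, as in the jail above
IGNOREIP = [ipaddress.ip_network(n, strict=False) for n in
            ("127.0.0.1/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/16")]


class Jail:
    """Per-host failure window and ban table (hypothetical class, not fail2ban's API)."""

    def __init__(self, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME,
                 ignoreip=IGNOREIP):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignoreip = ignoreip
        self.failures = defaultdict(deque)   # host -> timestamps of recent hits
        self.bans = {}                        # host -> expiry time, None = permanent

    def ignored(self, host):
        """ignoreip: hits from these networks are never counted."""
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.ignoreip)

    def is_banned(self, host, now):
        if host not in self.bans:
            return False
        expiry = self.bans[host]
        if expiry is not None and now >= expiry:
            del self.bans[host]               # bantime elapsed: unban
            return False
        return True

    def failure(self, host, now):
        """Record one failregex hit at time `now`; True if it triggers a ban."""
        if self.ignored(host) or self.is_banned(host, now):
            return False
        hits = self.failures[host]
        hits.append(now)
        while hits and now - hits[0] > self.findtime:   # forget hits outside findtime
            hits.popleft()
        if len(hits) >= self.maxretry:
            self.bans[host] = None if self.bantime < 0 else now + self.bantime
            hits.clear()
            return True
        return False


def demo():
    """Constructed scenarios; hosts are documentation-range addresses."""
    jail = Jail()
    out = {}
    # 5 failures inside an hour: the 5th one bans
    out["burst"] = [jail.failure("198.51.100.7", t) for t in (0, 10, 20, 30, 40)]
    # 5 failures spaced 1000 s apart never have 5 inside one 3600 s window
    out["slow"] = [jail.failure("203.0.113.9", t) for t in (0, 1000, 2000, 3000, 4000)]
    # LAN address is in ignoreip: never banned no matter how many failures
    out["lan"] = [jail.failure("192.168.1.20", t) for t in range(0, 60, 10)]
    # bantime -1 never expires; a finite bantime lapses
    out["permanent_after_1d"] = jail.is_banned("198.51.100.7", 86400)
    short = Jail(bantime=600)
    for t in range(5):
        short.failure("198.51.100.7", t)
    out["short_ban_after_10m"] = short.is_banned("198.51.100.7", 700)
    out["banned"] = sorted(jail.bans)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `slow` scenario is the one to keep in mind when choosing `findtime`: five failures spread over more than an hour never coincide inside one window, so a patient attacker is not banned by these settings alone, while the `lan` scenario shows why `ignoreip` must be right before `bantime = -1` is used, because a mis-typed phone password on an address outside the whitelist is banned for good.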
### Configuring the freeswitch filter
Edit `/etc/fail2ban/filter.d/freeswitch.conf` so that it reads as follows:
```
# Fail2Ban configuration file
#
# Enable "log-auth-failures" on each Sofia profile to monitor
# <param name="log-auth-failures" value="true"/>
# -- this requires a high enough loglevel on your logs to save these messages.
#
# In the fail2ban jail.local file for this filter set ignoreip to the internal
# IP addresses on your LAN.
#

[Definition]

#failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
#            ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$

failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth failure \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
            ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$

ignoreregex =

# Author: Rupa SChomaker, soapee01, Daniel Black
# https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban
# Thanks to Jim on mailing list of samples and guidance
#
# No need to match the following. Its a duplicate of the SIP auth regex.
#^\.\d+ \[WARNING\] sofia\.c:\d+ IP <HOST> Rejected by acl "\S+"\. Falling back to Digest auth\.$
```
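As an added example (not part of the page and not Fail2Ban's own code), the following Python script runs the filter's two `failregex` lines over a few constructed `freeswitch.log` lines the way fail2ban 0.9 does: it cuts the `YYYY-MM-DD HH:MM:SS` timestamp that fail2ban's date detector consumes, expands `<HOST>` to a named group and anchors the pattern at the remainder, which is why the patterns begin with `^\.\d+`. The patterns carry the `\[WARNING\]` level tag that the upstream filter has between `\d+` and `sofia_reg\.c`; the `<HOST>` expansion and the timestamp handling are my understanding of the 0.9-era behaviour, and the log lines and addresses are constructed.

```python
import re

# Added example (not from the page): apply the freeswitch filter's failregex
# to constructed log lines the way fail2ban 0.9 does.
FAILREGEX = [
    r"^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth failure \((REGISTER|INVITE)\) "
    r"on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$",
    r"^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$",
]

# fail2ban 0.9 expands the <HOST> tag to this named group (assumption: the
# 0.9-era expansion; later releases use a richer IP/DNS pattern).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# FreeSWITCH log lines start with "YYYY-MM-DD HH:MM:SS.usec [LEVEL] ...".
# fail2ban's date detector consumes "YYYY-MM-DD HH:MM:SS", so failregex is
# anchored at the remaining ".usec [LEVEL] ..." text (assumption stated above).
DATE_PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

COMPILED = [re.compile(p.replace("<HOST>", HOST_TAG)) for p in FAILREGEX]


def match_line(line):
    """Return the offending host if the line matches a failregex, else None."""
    rest = DATE_PREFIX.sub("", line.rstrip("\n"), count=1)
    for rx in COMPILED:
        m = rx.match(rest)
        if m:
            return m.group("host")
    return None


def failures_per_host(lines):
    """Count matching lines per host, which is what the jail bans on."""
    counts = {}
    for line in lines:
        host = match_line(line)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample of freeswitch.log (addresses are documentation ranges).
SAMPLE_LOG = [
    "2020-09-08 10:15:32.123456 [WARNING] sofia_reg.c:3148 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@203.0.113.10] from ip 198.51.100.7",
    "2020-09-08 10:15:33.223456 [WARNING] sofia_reg.c:1742 Can't find user [9999@203.0.113.10] from 198.51.100.7",
    "2020-09-08 10:15:34.323456 [WARNING] sofia_reg.c:3148 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1001@203.0.113.10] from ip 192.168.1.20",
    "2020-09-08 10:15:35.423456 [NOTICE] Hangup sofia/internal/1001@203.0.113.10 [CS_EXECUTE] [NORMAL_CLEARING]",
    "2020-09-08 10:15:36.523456 [WARNING] sofia_reg.c:3148 SIP auth failure (INVITE) on sofia profile 'internal' for [0011@203.0.113.10] from ip 198.51.100.7",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_line(line), "<-", line[:72])
    print(failures_per_host(SAMPLE_LOG))
```

The sample includes a `SIP auth challenge` line, which this filter (unlike the commented-out upstream line) does not match: every legitimate registration starts with a challenge before the phone answers with credentials, so counting challenges would ban working phones. On a live box the equivalent check against the real log is `fail2ban-regex /usr/local/freeswitch/log/freeswitch.log /etc/fail2ban/filter.d/freeswitch.conf`.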
Now restart the service with `systemctl restart fail2ban`.
Then run `fail2ban-client status`; the output looks like this:
```
Status
|- Number of jail: 1
`- Jail list: freeswitch
```
Run `fail2ban-client status freeswitch`; the output looks like this:
```
Status for the jail: freeswitch
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /usr/local/freeswitch/log/freeswitch.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
```
Now try banning an IP address by hand with this command:
```
fail2ban-client set freeswitch banip 113.113.113.113
```
Then check again with `fail2ban-client status freeswitch`:
```
Status for the jail: freeswitch
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /usr/local/freeswitch/log/freeswitch.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 3
   `- Banned IP list: 113.113.113.113
```
As you can see, the address `113.113.113.113` has been banned.
Run `iptables -nvL --line-numbers`; the output is as follows:
```
Chain INPUT (policy DROP 9 packets, 2952 bytes)
num   pkts bytes target         prot opt in  out source      destination
1     1057  132K f2b-freeswitch all  --  *   *   0.0.0.0/0   0.0.0.0/0
2        0     0 ACCEPT         all  --  lo  *   0.0.0.0/0   0.0.0.0/0
3       13   808 ACCEPT         all  --  *   *   0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
4        0     0 ACCEPT         tcp  --  *   *   0.0.0.0/0   0.0.0.0/0   tcp dpt:22
5        0     0 ACCEPT         tcp  --  *   *   0.0.0.0/0   0.0.0.0/0   tcp dpt:80
6        0     0 ACCEPT         tcp  --  *   *   0.0.0.0/0   0.0.0.0/0   tcp dpt:443
7        0     0 ACCEPT         tcp  --  *   *   0.0.0.0/0   0.0.0.0/0   tcp dpt:5066
8        0     0 ACCEPT         tcp  --  *   *   0.0.0.0/0   0.0.0.0/0   tcp dpt:7443
9        0     0 ACCEPT         tcp  --  *   *   0.0.0.0/0   0.0.0.0/0   tcp dpts:5060:5061
10       0     0 ACCEPT         udp  --  *   *   0.0.0.0/0   0.0.0.0/0   udp dpt:5060
11       0     0 ACCEPT         tcp  --  *   *   0.0.0.0/0   0.0.0.0/0   tcp dpt:5080
12       0     0 ACCEPT         udp  --  *   *   0.0.0.0/0   0.0.0.0/0   udp dpt:5080
13       0     0 ACCEPT         udp  --  *   *   0.0.0.0/0   0.0.0.0/0   udp dpts:16384:32768
14       0     0 ACCEPT         icmp --  *   *   0.0.0.0/0   0.0.0.0/0   icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target         prot opt in  out source      destination

Chain OUTPUT (policy ACCEPT 6 packets, 496 bytes)
num   pkts bytes target         prot opt in  out source      destination

Chain f2b-freeswitch (1 references)
num   pkts bytes target         prot opt in  out source           destination
1        0     0 REJECT         all  --  *   *   113.113.113.113  0.0.0.0/0   reject-with icmp-port-unreachable
2     1057  132K RETURN         all  --  *   *   0.0.0.0/0        0.0.0.0/0
```
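As an added check (example code written for this page, not from the post), the following Python snippet parses an `iptables -nvL --line-numbers` listing and verifies the two things worth confirming after a test ban: the banned address appears as a `REJECT` rule in `f2b-freeswitch`, and the jump to that chain is rule 1 of `INPUT`, ahead of every `ACCEPT`, which is where the `iptables-allports` action puts it (it inserts with `-I INPUT`). The listings below are constructed: the first is an abridged copy of the output shown above with the columns re-spaced, the second is a misordered variant in which an `ACCEPT` for SIP was inserted ahead of the jail chain, so SIP traffic from a banned address would never reach the ban.

```python
# Added check (example code, not from the page): parse the listing that
# `iptables -nvL --line-numbers` prints and confirm a ban is in effect.

# Constructed from the listing above (abridged, columns re-spaced).
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 9 packets, 2952 bytes)
num   pkts bytes target         prot opt in  out source           destination
1     1057  132K f2b-freeswitch all  --  *   *   0.0.0.0/0        0.0.0.0/0
2        0     0 ACCEPT         all  --  lo  *   0.0.0.0/0        0.0.0.0/0
3       13   808 ACCEPT         all  --  *   *   0.0.0.0/0        0.0.0.0/0        state RELATED,ESTABLISHED
4        0     0 ACCEPT         tcp  --  *   *   0.0.0.0/0        0.0.0.0/0        tcp dpt:22

Chain f2b-freeswitch (1 references)
num   pkts bytes target         prot opt in  out source           destination
1        0     0 REJECT         all  --  *   *   113.113.113.113  0.0.0.0/0        reject-with icmp-port-unreachable
2     1057  132K RETURN         all  --  *   *   0.0.0.0/0        0.0.0.0/0
"""

# Constructed failure case: an ACCEPT for SIP was inserted ahead of the jail chain.
MISORDERED_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target         prot opt in  out source           destination
1        0     0 ACCEPT         udp  --  *   *   0.0.0.0/0        0.0.0.0/0        udp dpt:5060
2        0     0 f2b-freeswitch all  --  *   *   0.0.0.0/0        0.0.0.0/0

Chain f2b-freeswitch (1 references)
num   pkts bytes target         prot opt in  out source           destination
1        0     0 REJECT         all  --  *   *   113.113.113.113  0.0.0.0/0        reject-with icmp-port-unreachable
2        0     0 RETURN         all  --  *   *   0.0.0.0/0        0.0.0.0/0
"""


def parse_chains(listing):
    """Return {chain_name: [rule dict, ...]} from iptables -nvL --line-numbers output."""
    chains, current = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line[:1].isdigit():
            f = line.split()
            # columns: num pkts bytes target prot opt in out source destination [extra]
            chains[current].append({
                "num": int(f[0]), "target": f[3], "prot": f[4],
                "source": f[8], "destination": f[9], "extra": " ".join(f[10:]),
            })
    return chains


def banned_sources(chains, jail="freeswitch"):
    """Addresses currently rejected by the jail's chain."""
    return [r["source"] for r in chains.get("f2b-" + jail, [])
            if r["target"] == "REJECT"]


def jail_chain_first(chains, jail="freeswitch"):
    """True if INPUT jumps to the jail chain before any other rule."""
    rules = chains.get("INPUT", [])
    return bool(rules) and rules[0]["target"] == "f2b-" + jail


def verify_ban(listing, host, jail="freeswitch"):
    """Both conditions a test ban should satisfy."""
    chains = parse_chains(listing)
    return {"rejected": host in banned_sources(chains, jail),
            "chain_first": jail_chain_first(chains, jail)}


if __name__ == "__main__":
    print("page listing:      ", verify_ban(SAMPLE_LISTING, "113.113.113.113"))
    print("misordered listing:", verify_ban(MISORDERED_LISTING, "113.113.113.113"))
```

Feed it the real output with `iptables -nvL --line-numbers | python3 check_ban.py` style piping (reading `sys.stdin` instead of the constants) after restoring firewall rules from a script; a rule added later with `-I INPUT` lands above the jail chain and silently defeats the bans, which is exactly the case `chain_first` catches.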
Lift the ban with `fail2ban-client set freeswitch unbanip 113.113.113.113`.
## Start FreeSWITCH, run `tail -f /var/log/fail2ban.log` to watch what fail2ban does, and compare it with the contents of `/usr/local/freeswitch/log/freeswitch.log` to debug and keep tuning the setup.
## fail2ban.lua
Normally `Fail2Ban` works well, but there are some unusual call flows that `Fail2Ban` does not catch. To cover them, I wrote a `fail2ban.lua` script that makes up for what `Fail2Ban` misses.
1. Edit `lua.conf.xml` and add the following two settings:
```
<hook event="CUSTOM" subclass="sofia::wrong_call_state" script="fail2ban.lua"/>
<hook event="CUSTOM" subclass="sofia::register_failure" script="fail2ban.lua"/>
```
Here is the content of `fail2ban.lua` (the code is straightforward, so it is not explained further):
```lua
function OnEvent(e)
  local subclass = e:getHeader("Event-Subclass") or ""
  -- only handle sofia::* custom events (plain find, no pattern matching)
  if string.find(subclass, "sofia::", 1, true) ~= 1 then return end
  local ip = e:getHeader("network_ip") or e:getHeader("network-ip")
  if not ip then return end
  local ua = e:getHeader("user-agent") or ""
  local to_user = e:getHeader("to-user") or ""
  local from_user = e:getHeader("from-user") or ""
  local auth_result = e:getHeader("auth-result") or ""
  local registration_type = e:getHeader("registration-type") or ""
  local s = string.format("*** %s, ip = %s, ua = %s, to = %s, from = %s, result = %s, type = %s\n",
    subclass, ip, ua, to_user, from_user, auth_result, registration_type)
  freeswitch.consoleLog("NOTICE", s)
  if subclass == "sofia::wrong_call_state" or subclass == "sofia::register_failure" then
    -- the address is interpolated into a shell command, so accept only IP-address characters
    if not string.match(ip, "^[%x%.:]+$") then
      freeswitch.consoleLog("ERR", "fail2ban.lua: refusing to ban malformed address " .. ip .. "\n")
      return
    end
    local cmd = "fail2ban-client set freeswitch banip " .. ip
    freeswitch.consoleLog("ERR", cmd .. "\n")
    os.execute(cmd)
  end
end

-- dump the whole event at INFO level, then handle it
freeswitch.consoleLog("INFO", "fail2ban.lua, ===\n" .. event:serialize() .. "===\n")
OnEvent(event)
```
## References:
<https://docs.fusionpbx.com/en/latest/firewall/fail2ban.html>
<https://docs.fusionpbx.com/en/latest/firewall/iptables.html>
<https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban>
</pre>
<pre>https://blog.csdn.net/weixin_43103905/article/details/95060220</pre>
<pre>Note:
If you get the error "no directory /var/run/fail2ban to contain the socket file /var/run/fail2ban/fail2ban.sock", create the directory by hand:
mkdir /var/run/fail2ban</pre>
</div>
<p># Start at boot</p>
<p>$ systemctl enable fail2ban<br>$ systemctl start fail2ban</p>
Source: https://www.cnblogs.com/jasonzeng/p/13632444.html