Let's first review a filter configuration file. This file is typically placed in /etc/fail2ban/filter.d/ and named after the particular filter it implements. It contains a filter that looks for failed authentication attempts, written as standard regular expressions. In this case, we treat any attempt to register or make a call with invalid credentials as a failure in FreeSWITCH.
The fine people of the Fail2Ban community maintain a configuration tailor-made for this use with FreeSWITCH. The latest version is available in their repository (https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf); save it as /etc/fail2ban/filter.d/freeswitch.conf. The relevant lines at the time of this writing are:
    # Enable "log-auth-failures" on each Sofia profile to monitor
    # <param name="log-auth-failures" value="true"/>
    # -- this requires a high enough loglevel on your logs to save these messages.
    #
    # In the fail2ban jail.local file for this filter set ignoreip to the internal
    # IP addresses on your LAN.
    #

    [Definition]

    failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
                ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$

    ignoreregex =

    # Author: Rupa SChomaker, soapee01, Daniel Black
    # https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban
    # Thanks to Jim on mailing list of samples and guidance
This will watch the FreeSWITCH logs for failed REGISTER or INVITE messages.
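To see what the two failregex lines actually catch, here is an added example (not part of the original text and not Fail2Ban's own code) that applies them to constructed log lines and counts hits per source address. HOST and TIMESTAMP are simplified stand-ins assumed here for Fail2Ban's <HOST> tag and its date handling, and the function names are hypothetical.

```python
import re
from collections import Counter

# The two failregex lines from the filter shown above.
FAILREGEX = [
    r"^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) "
    r"\((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$",
    r"^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user "
    r"\[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$",
]

# Assumption: simplified IPv4-only stand-in for Fail2Ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Assumption: simplified stand-in for Fail2Ban's date handling. The date is
# removed before matching, which leaves the ".microseconds" that both
# expressions expect at the start of the line.
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

COMPILED = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]


def offending_host(line):
    """Return the source IP if the line matches a failregex, else None."""
    rest = TIMESTAMP.sub("", line.rstrip("\n"), count=1)
    for rx in COMPILED:
        match = rx.search(rest)
        if match:
            return match.group("host")
    return None


def hits_per_host(lines):
    """Count matching lines per source IP (what a jail compares to maxretry)."""
    return Counter(ip for ip in map(offending_host, lines) if ip)


# Constructed sample lines in FreeSWITCH log layout (documentation addresses).
SAMPLE_LOG = [
    "2024-01-15 10:02:11.123456 [WARNING] sofia_reg.c:1478 SIP auth challenge (INVITE) on sofia profile 'internal' for [1001@192.0.2.10] from ip 203.0.113.7",
    "2024-01-15 10:02:12.654321 [WARNING] sofia_reg.c:2531 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@192.0.2.10] from ip 203.0.113.7",
    "2024-01-15 10:02:13.000001 [WARNING] sofia_reg.c:2906 Can't find user [1001@192.0.2.10] from 198.51.100.23",
    "2024-01-15 10:02:14.000002 [NOTICE] switch_channel.c:1104 New Channel sofia/internal/1001@192.0.2.10",
]

if __name__ == "__main__":
    for ip, count in hits_per_host(SAMPLE_LOG).items():
        print(ip, count)
```

Both challenge and failure lines count as hits for the first expression, so the two WARNING lines from the same address are tallied together.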