Filter configurations

Let's first review a filter configuration file. This file is typically placed in /etc/fail2ban/filter.d/ and named according to the particular filter you are looking for. It contains a filter that looks for failed authentication attempts, written as standard regular expressions. In this case we consider it a failure in FreeSWITCH any time someone tries to register or make a call using invalid credentials.

The fine people of the Fail2Ban community maintain a configuration tailor-made for use with FreeSWITCH. The latest version is available in their repository (https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/freeswitch.conf); save it as /etc/fail2ban/filter.d/freeswitch.conf. The relevant lines at the time of this writing are:

    # Enable "log-auth-failures" on each Sofia profile to monitor
    # <param name="log-auth-failures" value="true"/>
    # -- this requires a high enough loglevel on your logs to save these messages.
    #
    # In the fail2ban jail.local file for this filter set ignoreip to the internal
    # IP addresses on your LAN.
    #
    
    [Definition]
    
    failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile '[^']+' for \[.*\] from ip <HOST>$
                ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
    
    ignoreregex =
    
    # Author: Rupa SChomaker, soapee01, Daniel Black
    # https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban
    # Thanks to Jim on mailing list of samples and guidance
  

This will watch the FreeSWITCH logs for failed REGISTER or INVITE messages.
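To see what the two patterns do and do not catch, the following added example (not from the book or from the Fail2Ban project) runs them in Python, the regex dialect Fail2Ban uses, over constructed log lines. The IPv4-only `HOST` group is a simplified stand-in for Fail2Ban's `<HOST>` tag, and the sample lines start at the fractional seconds because the leading `^\.\d+` expects the date and time to have been removed already.

```python
import re
from collections import Counter

# Simplified, IPv4-only stand-in for fail2ban's <HOST> tag (assumption of this example).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex lines from freeswitch.conf, with <HOST> substituted.
FAILREGEX = [
    re.compile(p.replace("<HOST>", HOST))
    for p in (
        r"^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) "
        r"\((REGISTER|INVITE)\) on sofia profile '[^']+' for \[.*\] from ip <HOST>$",
        r"^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user "
        r"\[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$",
    )
]

# Constructed sample lines (documentation IP ranges), timestamp already removed.
SAMPLE_LOG = [
    ".767815 [WARNING] sofia_reg.c:1478 SIP auth challenge (INVITE) on sofia profile 'internal' for [1000@192.0.2.10] from ip 203.0.113.7",
    ".101112 [WARNING] sofia_reg.c:1478 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@192.0.2.10] from ip 203.0.113.7",
    ".202122 [WARNING] sofia_reg.c:2531 Can't find user [1002@192.0.2.10] from 198.51.100.23",
    # Not matched: a non-numeric user name falls outside \d+ in the second pattern.
    ".303132 [WARNING] sofia_reg.c:2531 Can't find user [alice@192.0.2.10] from 198.51.100.23",
    # Not matched: the log level is not WARNING.
    ".404142 [NOTICE] sofia_reg.c:1478 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@192.0.2.10] from ip 203.0.113.9",
]


def failed_hosts(lines):
    """Count failregex hits per source host (the tally a jail compares to maxretry)."""
    hits = Counter()
    for line in lines:
        for rx in FAILREGEX:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # one hit per line is enough
    return hits


if __name__ == "__main__":
    for host, count in failed_hosts(SAMPLE_LOG).items():
        print(f"{host}: {count} failure(s)")
```

Both "challenge" and "failure" lines count as hits, so a host that is merely challenged is tallied as well; this is why the filter's comments tell you to set ignoreip for your internal LAN addresses.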
