Now, combine this filter with a jail entry which blocks an IP address if too many failed INVITEs or REGISTERs are received within a certain period of time.
The /etc/fail2ban/jail.conf file may get overwritten when upgrading Fail2Ban, so create an /etc/fail2ban/jail.local file with the following data in it. Set the correct path to *your* freeswitch.log file (maybe yours is in /usr/local/freeswitch/log/freeswitch.log), and adjust the sender email address to your setup:
```ini
[freeswitch]
enabled  = true
port     = 5060,5061,5080,5081
filter   = freeswitch
logpath  = /var/log/freeswitch/freeswitch.log
action   = iptables-allports[name=freeswitch, protocol=all]
           sendmail-whois[name=FreeSwitch, dest=root, [email protected]]
maxretry = 10
findtime = 60
bantime  = 600
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 192.168.2.0/24 192.168.1.0/24
```
These settings apply the freeswitch filter to the log file. If 10 failed INVITE or REGISTER authorization attempts (maxretry) are seen from an IP address within a 60-second period (findtime), the offending IP address is banned in full for 600 seconds (bantime, ten minutes) and an alert mail is sent to the configured administrator address.
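To see how maxretry, findtime, bantime and ignoreip interact before relying on the jail, the following added example (not Fail2Ban's own code, and not part of the original text) models the jail's decision as a simplified sliding window. The function name `simulate`, the `SAMPLE` events and the documentation-range IP addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Values copied from the [freeswitch] jail above.
MAXRETRY, FINDTIME, BANTIME = 10, 60, 600
IGNOREIP = "127.0.0.1/8 192.168.2.0/24 192.168.1.0/24"


def simulate(failures, maxretry=MAXRETRY, findtime=FINDTIME,
             bantime=BANTIME, ignoreip=IGNOREIP):
    """Return [(ip, ban_start, ban_end)] for (timestamp, ip) failure events."""
    # strict=False accepts entries with host bits set, such as 127.0.0.1/8.
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
    recent = defaultdict(deque)   # ip -> timestamps of failures inside findtime
    banned_until = {}             # ip -> time at which the ban is lifted
    bans = []
    for ts, ip in sorted(failures):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in ignored):
            continue              # ignoreip: never counted, never banned
        if banned_until.get(ip, 0) > ts:
            continue              # already firewalled; nothing reaches the log
        window = recent[ip]
        window.append(ts)
        while window and window[0] <= ts - findtime:
            window.popleft()      # drop failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            window.clear()        # counting starts over once the ban is set
    return bans


# Constructed sample events (documentation addresses, seconds since t=0).
SAMPLE = (
    [(t, "203.0.113.7") for t in range(0, 20, 2)]       # 10 failures in 18 s
    + [(t, "198.51.100.9") for t in range(0, 100, 10)]  # 10 failures over 90 s
    + [(t, "192.168.1.50") for t in range(0, 30)]       # 30 failures, ignoreip LAN
    + [(t, "203.0.113.7") for t in range(700, 720, 2)]  # same host after its ban
)

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE):
        print(f"{ip} banned from t={start}s until t={end}s")
```

The second host is never banned because its failures never reach maxretry inside one findtime window, and the LAN host is exempt through ignoreip; both are worth keeping in mind when choosing these values.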