FreeSWITCH brute-force protection

1. FreeSWITCH configuration

autoload_configs/logfile.conf.xml

<!-- Location of the log file -->
<param name="logfile" value="/var/log/freeswitch/freeswitch.log"/>
<!-- Keep the UUID out of the log line format -->
<param name="uuid" value="false" />

sip_profiles/internal.xml

<param name="log-auth-failures" value="true"/>

2. fail2ban configuration

jail.d/freeswitch.local

[freeswitch]
enabled = true
filter = %(known/filter)s[_pref_line='(?: [\d\.]+%%%%)?']
logpath = /var/log/freeswitch/freeswitch.log

maxretry  =   4     ; failures allowed inside findtime before a ban
findtime  =  3600   ; 1 hour window, based on empirical testing
bantime   =  12000  ; 12000 seconds (200 minutes)

port = 10777,10888

Note the filter line: it passes a _pref_line that accounts for the CPU usage figure FreeSWITCH prints in every log line. Without this adjustment the stock filter never matches, so nothing is ever banned.

https://github.com/fail2ban/fail2ban/issues/3143

The log lines look roughly like this:

2023-08-07 21:15:19.934499 94.93% [DEBUG] switch_core_state_machine.c:745 (sofia/internal/1186@10.0.8.4) State DESTROY going to sleep
2023-08-07 21:15:22.514509 94.53% [NOTICE] switch_channel.c:1123 New Channel sofia/internal/50008@10.0.8.4 [256f87af-b4de-412d-b104-0fe2e70de0d7]
2023-08-07 21:15:22.514509 94.53% [DEBUG] switch_core_state_machine.c:581 (sofia/internal/50008@10.0.8.4) Running State Change CS_NEW (Cur 1 Tot 3824)
2023-08-07 21:15:22.514509 94.53% [INFO] sofia.c:10453 sofia/internal/50008@10.0.8.4 receiving invite from 104.192.2.154:56336 version: 1.10.9 -release.15 64bit call-id: 1389302581-2084378217-762528399
2023-08-07 21:15:22.514509 94.53% [DEBUG] sofia.c:10547 verifying acl "domains" for ip/port 104.192.2.154:0.
2023-08-07 21:15:22.514509 94.53% [DEBUG] switch_core_state_machine.c:600 (sofia/internal/50008@10.0.8.4) State NEW
2023-08-07 21:15:22.514509 94.53% [DEBUG] sofia.c:2419 detaching session 256f87af-b4de-412d-b104-0fe2e70de0d7
2023-08-07 21:15:22.774503 94.53% [DEBUG] sofia.c:2532 Re-attaching to session 256f87af-b4de-412d-b104-0fe2e70de0d7
2023-08-07 21:15:22.774503 94.53% [INFO] sofia.c:10453 sofia/internal/50008@10.0.8.4 receiving invite from 104.192.2.154:56336 version: 1.10.9 -release.15 64bit call-id: 1389302581-2084378217-762528399
2023-08-07 21:15:22.774503 94.53% [DEBUG] sofia.c:10547 verifying acl "domains" for ip/port 104.192.2.154:0.
2023-08-07 21:15:22.814503 94.53% [ERR] switch_xml.c:1770 Error[[error near line 1]: root tag missing]
2023-08-07 21:15:22.814503 94.53% [WARNING] sofia_reg.c:3211 Can't find user [50008@10.0.8.4] from 104.192.2.154
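The following is an added example, not part of the original post and not fail2ban's own freeswitch filter. It uses a simplified stand-in regex of my own for the "Can't find user" / "SIP auth failure" lines, with and without the optional CPU-usage field, and runs both over a constructed log excerpt modelled on the lines above. It then applies a maxretry/findtime sliding window like the jail settings in this post, so you can see why the unmodified pattern bans nobody and the prefix-aware one bans the probing host.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, modelled on the FreeSWITCH excerpt above.
# The "94.53%" field is the CPU-usage figure that the stock filter does not expect.
SAMPLE_LOG = """\
2023-08-07 21:15:22.514509 94.53% [INFO] sofia.c:10453 sofia/internal/50008@10.0.8.4 receiving invite from 104.192.2.154:56336 version: 1.10.9 -release.15 64bit call-id: 1389302581-2084378217-762528399
2023-08-07 21:15:22.814503 94.53% [WARNING] sofia_reg.c:3211 Can't find user [50008@10.0.8.4] from 104.192.2.154
2023-08-07 21:15:25.114503 94.51% [WARNING] sofia_reg.c:3211 Can't find user [50009@10.0.8.4] from 104.192.2.154
2023-08-07 21:15:27.314503 94.49% [WARNING] sofia_reg.c:3211 Can't find user [50010@10.0.8.4] from 104.192.2.154
2023-08-07 21:15:29.514503 94.47% [WARNING] sofia_reg.c:3211 Can't find user [50011@10.0.8.4] from 104.192.2.154
2023-08-07 21:16:01.000000 94.40% [WARNING] sofia_reg.c:3211 Can't find user [1001@10.0.8.4] from 203.0.113.7
"""

# Simplified stand-in for the fail2ban freeswitch filter (hypothetical, not fail2ban's pattern).
TIMESTAMP = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+"
# Optional CPU-usage field, the same idea as the _pref_line override in the jail config.
CPU_PREFIX = r"(?: [\d.]+%)?"
FAILURE = (
    r" \[(?:WARNING|ERR)\] sofia_reg\.c:\d+ "
    r"(?:Can't find user \[[^\]]+\]|SIP auth failure \([A-Z]+\) on sofia profile '[^']+' for \[[^\]]+\])"
    r" from (?:ip )?(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)

STOCK_RE = re.compile(TIMESTAMP + FAILURE)               # no room for "94.53%"
FIXED_RE = re.compile(TIMESTAMP + CPU_PREFIX + FAILURE)  # tolerates the CPU field


def failures(log_text, pattern):
    """Yield (timestamp, host) for every line the pattern matches."""
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("host")


def banned_hosts(log_text, pattern, maxretry=4, findtime=3600):
    """Hosts that reach maxretry failures inside a findtime-second sliding window.

    This mirrors fail2ban's counting in simplified form: a ban fires as soon as
    a host accumulates maxretry matches whose timestamps all lie within findtime.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = set()
    for ts, host in failures(log_text, pattern):
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print("stock pattern matches:", len(list(failures(SAMPLE_LOG, STOCK_RE))))
    print("fixed pattern matches:", len(list(failures(SAMPLE_LOG, FIXED_RE))))
    print("banned with stock pattern:", banned_hosts(SAMPLE_LOG, STOCK_RE))
    print("banned with fixed pattern:", banned_hosts(SAMPLE_LOG, FIXED_RE))
```

The same check against a real log can be done with fail2ban-regex, which is the tool the post lists below; the point of the script is to show that the only difference between "never bans" and "bans the probing host" is whether the pattern tolerates the CPU field before the log level. Lowering findtime to a few seconds in the script also shows how the window, not just the count, decides whether a ban fires.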

3. Start fail2ban

systemctl restart fail2ban

# Useful fail2ban commands
fail2ban-regex  # test whether the filter regex matches lines from the log
fail2ban-client # query jail status and change parameters at runtime

One thing to watch out for: once an IP has been banned into the jail, a connection that was already established before the ban is not cut. Even though the firewall now blocks that IP, the existing connection can keep being used until it is closed.
