diff --git a/devuan/resources/fail2ban.sh b/devuan/resources/fail2ban.sh
index 6a55ebf..9e5cdaf 100755
--- a/devuan/resources/fail2ban.sh
+++ b/devuan/resources/fail2ban.sh
@@ -15,20 +15,23 @@ verbose "Installing Fail2ban"
 apt-get -q -y install fail2ban
 
 #move the filters
-cp fail2ban/freeswitch-dos.conf /etc/fail2ban/filter.d/freeswitch-dos.conf
-cp fail2ban/freeswitch-ip.conf /etc/fail2ban/filter.d/freeswitch-ip.conf
-cp fail2ban/freeswitch-404.conf /etc/fail2ban/filter.d/freeswitch-404.conf
 cp fail2ban/freeswitch.conf /etc/fail2ban/filter.d/freeswitch.conf
+cp fail2ban/freeswitch-acl.conf /etc/fail2ban/filter.d/freeswitch-acl.conf
+cp fail2ban/sip-auth-failure.conf /etc/fail2ban/filter.d/sip-auth-failure.conf
+cp fail2ban/sip-auth-challenge.conf /etc/fail2ban/filter.d/sip-auth-challenge.conf
+cp fail2ban/auth-challenge-ip.conf /etc/fail2ban/filter.d/auth-challenge-ip.conf
+cp fail2ban/freeswitch-ip.conf /etc/fail2ban/filter.d/freeswitch-ip.conf
 cp fail2ban/fusionpbx.conf /etc/fail2ban/filter.d/fusionpbx.conf
+cp fail2ban/fusionpbx-mac.conf /etc/fail2ban/filter.d/fusionpbx-mac.conf
+cp fail2ban/fusionpbx-404.conf /etc/fail2ban/filter.d/fusionpbx-404.conf
 cp fail2ban/nginx-404.conf /etc/fail2ban/filter.d/nginx-404.conf
 cp fail2ban/nginx-dos.conf /etc/fail2ban/filter.d/nginx-dos.conf
 cp fail2ban/jail.local /etc/fail2ban/jail.local
 
 #update config if source is being used
-if [ .$switch_source = .true ]; then
- sed 's#var/log/freeswitch#usr/local/freeswitch/log#g' -i /etc/fail2ban/jail.local
-fi
+#if [ .$switch_source = .true ]; then
+# sed 's#var/log/freeswitch#usr/local/freeswitch/log#g' -i /etc/fail2ban/jail.local
+#fi
+#restart fail2ban
 /usr/sbin/service fail2ban restart
-
-# missing log file will show error
 
diff --git a/devuan/resources/fail2ban/auth-challenge-ip.conf b/devuan/resources/fail2ban/auth-challenge-ip.conf
new file mode 100644
index 0000000..dab8f7b
--- /dev/null
+++ b/devuan/resources/fail2ban/auth-challenge-ip.conf
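Review bot: Commenting out the `switch_source` block instead of fixing it leaves a source-built FreeSWITCH without SIP protection: every jail in the new jail.local keeps `logpath = /var/log/freeswitch/freeswitch.log` with the `/usr/local/freeswitch/log` path present only as a comment, and fail2ban will not start a jail whose logpath matches no file — the removed `# missing log file will show error` line recorded exactly that failure mode. If dropping source installs is intended, say so in the comment; otherwise keep the test, quoted so an unset variable cannot break it, `if [ ".$switch_source" = ".true" ]; then`, with the sed underneath. The copies are also unchecked, so a `cp` that fails because a filter file is absent leaves jail.local referencing a filter fail2ban cannot load; `cp ... || exit 1` on each copy (or `set -e` near the top of the script, which is outside this hunk) would surface that at install time. `switch_source` is assigned before line 15 and is not visible here.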
@@ -0,0 +1,21 @@
+# Fail2Ban configuration file
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+#[WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'internal' for [+972592277524@xxx.xxx.xxx.xxx] from ip 209.160.120.12
+failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \((INVITE|REGISTER)\) on sofia profile \'.*\' for \[.*@\d+.\d+.\d+.\d+\] from ip
+
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/devuan/resources/fail2ban/freeswitch-acl.conf b/devuan/resources/fail2ban/freeswitch-acl.conf
new file mode 100644
index 0000000..9fe8e4e
--- /dev/null
+++ b/devuan/resources/fail2ban/freeswitch-acl.conf
@@ -0,0 +1,20 @@
+# Fail2Ban configuration file
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+#2021-02-03 16:27:57.292697 [WARNING] sofia_reg.c:2353 IP 62.210.78.91 Rejected by register acl "domains"
+failregex = \[WARNING\] sofia_reg.c:\d+ IP Rejected by register acl
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/devuan/resources/fail2ban/freeswitch-404.conf b/devuan/resources/fail2ban/fusionpbx-404.conf
similarity index 100%
rename from devuan/resources/fail2ban/freeswitch-404.conf
rename to devuan/resources/fail2ban/fusionpbx-404.conf
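Review bot: The dots in `\[.*@\d+.\d+.\d+.\d+\]` on the failregex line are unescaped, so each matches any character rather than the literal separators of the address the sample line above describes; `\[.*@\d+\.\d+\.\d+\.\d+\]` is the intended pattern. In this rendering the host placeholder after `from ip` is also not visible, and fail2ban reports an error for a failregex without a host group, so confirm the committed line ends with `from ip <HOST>`; the same check applies to the failregex in freeswitch-acl.conf, fusionpbx-mac.conf and sip-auth-failure.conf in this commit, whose placeholders are likewise missing from the rendering. The `Notes.:` block above the regex is the stock template text about password failures and does not describe this filter, which counts ordinary auth challenges; a one-line comment stating what is matched and why it is a signal would replace it.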
diff --git a/devuan/resources/fail2ban/fusionpbx-mac.conf b/devuan/resources/fail2ban/fusionpbx-mac.conf
new file mode 100644
index 0000000..3bdff68
--- /dev/null
+++ b/devuan/resources/fail2ban/fusionpbx-mac.conf
@@ -0,0 +1,20 @@
+# Fail2Ban configuration file
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+#Oct 9 02:56:16 m1 fusionpbx-provision[28628]: [10.0.0.1] invalid mac address 000000000000
+failregex = \[\] invalid mac address
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/devuan/resources/fail2ban/jail.local b/devuan/resources/fail2ban/jail.local
index 5762aa0..726854c 100755
--- a/devuan/resources/fail2ban/jail.local
+++ b/devuan/resources/fail2ban/jail.local
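Review bot: The failregex `\[\] invalid mac address` is anchored to nothing but the bracketed address, while the sample on the line above shows the message arrives under the `fusionpbx-provision[pid]:` syslog tag; because jail.local points this filter at the shared `/var/log/syslog`, any other daemon that logs `[addr] invalid mac address` would feed the jail. Anchoring on the tag, `failregex = fusionpbx-provision\[\d+\]: \[<HOST>\] invalid mac address`, restricts matches to the provisioning endpoint. The `Notes.:` text above the regex is the stock template wording about password failures and should be replaced with a line describing the provisioning-probe message this filter actually counts.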
@@ -1,80 +1,97 @@
-[freeswitch-udp]
+[ssh]
 enabled = true
-port = 5060,5061,5080,5081
+port = 22
+protocol = ssh
+filter = sshd
+logpath = /var/log/auth.log
+action = iptables-allports[name=sshd, protocol=all]
+maxretry = 6
+findtime = 60
+bantime = 86400
+
+[freeswitch]
+enabled = true
+port = 5060:5091
 protocol = all
 filter = freeswitch
 logpath = /var/log/freeswitch/freeswitch.log
-action = iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp]
-maxretry = 5
-findtime = 600
-bantime = 600
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+action = iptables-allports[name=freeswitch, protocol=all]
+maxretry = 10
+findtime = 60
+bantime = 3600
 # sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
 
-[freeswitch-tcp]
+[freeswitch-acl]
 enabled = true
-port = 5060,5061,5080,5081
+port = 5060:5091
 protocol = all
-filter = freeswitch
+filter = freeswitch-acl
 logpath = /var/log/freeswitch/freeswitch.log
-action = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp]
-maxretry = 5
-findtime = 600
-bantime = 600
-# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+action = iptables-allports[name=freeswitch-acl, protocol=all]
+maxretry = 900
+findtime = 60
+bantime = 86400
 
-[freeswitch-ip-tcp]
+[freeswitch-ip]
 enabled = false
-port = 5060,5061,5080,5081
+port = 5060:5091
 protocol = all
 filter = freeswitch-ip
 logpath = /var/log/freeswitch/freeswitch.log
-action = iptables-multiport[name=freeswitch-ip-tcp, port="5060,5061,5080,5081", protocol=tcp]
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+action = iptables-allports[name=freeswitch-ip, protocol=all]
 maxretry = 1
-findtime = 30
+findtime = 60
 bantime = 86400
 
-[freeswitch-ip-udp]
+[auth-challenge-ip]
 enabled = false
-port = 5060,5061,5080,5081
+port = 5060:5091
 protocol = all
-filter = freeswitch-ip
+filter = auth-challenge-ip
 logpath = /var/log/freeswitch/freeswitch.log
-action = iptables-multiport[name=freeswitch-ip-udp, port="5060,5061,5080,5081", protocol=udp]
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+action = iptables-allports[name=auth-challenge-ip, protocol=all]
 maxretry = 1
-findtime = 30
+findtime = 60
 bantime = 86400
 
-[freeswitch-dos-udp]
-enabled = true
-port = 5060,5061,5080,5081
-protocol = all
-filter = freeswitch-dos
-logpath = /var/log/freeswitch/freeswitch.log
-action = iptables-multiport[name=freeswitch-dos-udp, port="5060,5061,5080,5081", protocol=udp]
-maxretry = 50
-findtime = 30
-bantime = 6000
-
-[freeswitch-dos-tcp]
-enabled = true
-port = 5060,5061,5080,5081
-protocol = all
-filter = freeswitch-dos
-logpath = /var/log/freeswitch/freeswitch.log
-action = iptables-multiport[name=freeswitch-dos-tcp, port="5060,5061,5080,5081", protocol=tcp]
-maxretry = 50
-findtime = 30
-bantime = 6000
-
-[freeswitch-404]
+[sip-auth-challenge]
 enabled = false
-port = 5060,5061,5080,5081
+port = 5060:5091
 protocol = all
-filter = freeswitch-404
+filter = sip-auth-challenge
 logpath = /var/log/freeswitch/freeswitch.log
-action = iptables-allports[name=freeswitch-404, protocol=all]
-maxretry = 3
-findtime = 300
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+action = iptables-allports[name=sip-auth-challenge, protocol=all]
+maxretry = 100
+findtime = 60
+bantime = 7200
+
+[sip-auth-failure]
+enabled = true
+port = 5060:5091
+protocol = all
+filter = sip-auth-failure
+logpath = /var/log/freeswitch/freeswitch.log
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+action = iptables-allports[name=sip-auth-failure, protocol=all]
+maxretry = 6
+findtime = 60
+bantime = 7200
+
+[fusionpbx-404]
+enabled = false
+port = 5060:5091
+protocol = all
+filter = fusionpbx-404
+logpath = /var/log/freeswitch/freeswitch.log
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+action = iptables-allports[name=fusionpbx-404, protocol=all]
+maxretry = 6
+findtime = 60
 bantime = 86400
 
 [fusionpbx]
@@ -83,11 +100,23 @@ port = 80,443
 protocol = tcp
 filter = fusionpbx
 logpath = /var/log/auth.log
-action = iptables-multiport[name=fusionpbx, port="http,https", protocol=tcp]
+action = iptables-allports[name=fusionpbx, protocol=all]
 # sendmail-whois[name=fusionpbx, dest=root, sender=fail2ban@example.org] #no smtp server installed
+maxretry = 20
+findtime = 60
+bantime = 3600
+
+[fusionpbx-mac]
+enabled = true
+port = 80,443
+protocol = tcp
+filter = fusionpbx-mac
+logpath = /var/log/syslog
+action = iptables-allports[name=fusionpbx-mac, protocol=all]
+# sendmail-whois[name=fusionpbx-mac, dest=root, sender=fail2ban@example.org] #no smtp server installed
 maxretry = 10
-findtime = 600
-bantime = 600
+findtime = 60
+bantime = 86400
 
 [nginx-404]
 enabled = true
@@ -95,19 +124,20 @@ port = 80,443
 protocol = tcp
 filter = nginx-404
 logpath = /var/log/nginx/access*.log
+action = iptables-allports[name=nginx-404, protocol=all]
 bantime = 3600
 findtime = 60
-maxretry = 120
+maxretry = 300
 
 [nginx-dos]
 # Based on apache-badbots but a simple IP check (any IP requesting more than
 # 300 pages in 60 seconds, or 5p/s average, is suspicious)
-# Block for two full days.
 enabled = true
 port = 80,443
 protocol = tcp
 filter = nginx-dos
 logpath = /var/log/nginx/access*.log
+action = iptables-allports[name=nginx-dos, protocol=all]
 findtime = 60
 bantime = 86400
-maxretry = 300
+maxretry = 800
diff --git a/devuan/resources/fail2ban/freeswitch-dos.conf b/devuan/resources/fail2ban/sip-auth-challenge.conf
old mode 100755
new mode 100644
similarity index 100%
rename from devuan/resources/fail2ban/freeswitch-dos.conf
rename to devuan/resources/fail2ban/sip-auth-challenge.conf
diff --git a/devuan/resources/fail2ban/sip-auth-failure.conf b/devuan/resources/fail2ban/sip-auth-failure.conf
new file mode 100755
index 0000000..0d4ee23
--- /dev/null
+++ b/devuan/resources/fail2ban/sip-auth-failure.conf
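Review bot: The two `[freeswitch-dos-*]` jails removed by this hunk were `enabled = true` at `maxretry = 50` per 30 s, but their replacement `[sip-auth-challenge]` (the renamed freeswitch-dos filter) ships `enabled = false`, as do `[freeswitch-ip]`, `[auth-challenge-ip]` and `[fusionpbx-404]`, so an install that takes this jail.local as-is loses the SIP rate-limit ban it had before; `[sip-auth-failure]` at 6 per 60 s covers password guessing but not challenge floods from scanners that never answer the challenge. Either set `enabled = true` on `[sip-auth-challenge]` or record in a comment next to it why it is off by default. `[freeswitch-acl]` with `maxretry = 900` and `findtime = 60` bans only a source that draws 900 ACL rejections in one minute, which looks too high to ever fire and may be a typo for 90. In `[ssh]`, `protocol = ssh` is not a value iptables accepts for `-p` (harmless here only because the action passes `protocol=all` itself); `protocol = tcp` is the conventional setting.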
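Review bot: `[fusionpbx]` moves from the old `maxretry = 10` over `findtime = 600` to `maxretry = 20` over `findtime = 60`, which lets a single source keep making roughly 19 failed web logins per minute indefinitely without ever being banned; for a login form counted from auth.log that is a large loosening and deserves either a comment giving the reason or a lower value such as `maxretry = 10`. `[fusionpbx-mac]` keeps `port = 80,443` / `protocol = tcp` while its action is `iptables-allports[... protocol=all]`, consistent with the rest of the file but worth a one-line comment that the port line is informational only. The `enabled` line of `[fusionpbx]` sits above this hunk and is not visible here.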
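Review bot: The `[nginx-dos]` comment still reads `300 pages in 60 seconds, or 5p/s average` while the hunk raises `maxretry` to 800, so the comment now documents a threshold the jail no longer uses; change it to `# 800 pages in 60 seconds, or ~13p/s average, is suspicious)` or drop the numbers from it. The same drift affects `[nginx-404]`, where `maxretry = 300` 404s per minute from one address is high enough that only the noisiest scanners are banned, and there is no comment saying why 300 was chosen; a short rationale next to the value would help whoever tunes it next.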
@@ -0,0 +1,21 @@
+# Fail2Ban configuration file
+#
+# Author: soapee01
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'.*\' for \[.*\] from ip
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
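Review bot: The failregex only matches `SIP auth failure \(REGISTER\)`, whereas the companion auth-challenge-ip.conf in this commit matches `\((INVITE|REGISTER)\)`; the same warning is logged with `(INVITE)` when call authentication fails, so repeated bad-password INVITEs against a known extension are not counted by `[sip-auth-failure]`, which is the SIP jail jail.local enables by default. Changing the group to `\((INVITE|REGISTER)\)` makes the failure filter cover both methods. The `Author:` header is fine, but the `Notes.:` block is the stock template wording; a one-line description of the `sofia_reg.c` warning this filter matches would replace it.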