From a33131c8be7dcb9175409be21bdeb755dc666028 Mon Sep 17 00:00:00 2001 From: emaktech Date: Sat, 2 Sep 2017 11:09:07 -0400 Subject: [PATCH] Ban on auth failure instead of challenge (#113) Default fail2ban DoS ruleset looks for auth challenges, but auth challenges can be either successful or unsuccessful. Default rule causes problems with larger environments with many registered devices as they have many successful auth challenges with short registration periods. By the time auth challenges can be made successfully in volume, it's far too late to be worrying about a DoS or brute force attempt - it's already too late. Rule change here will reduce false positives while still providing same level of useful protection. Maybe also consider reducing maxretry count or increasing findtime in jail.local to catch true failed auth brute force or DoS attempts more easily in conjunction with above change. This will be more sensitive in detection and should carry lower false positive rate. --- debian/resources/fail2ban/freeswitch-dos.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/resources/fail2ban/freeswitch-dos.conf b/debian/resources/fail2ban/freeswitch-dos.conf index 3407183..e8b65e7 100755 --- a/debian/resources/fail2ban/freeswitch-dos.conf +++ b/debian/resources/fail2ban/freeswitch-dos.conf @@ -12,7 +12,7 @@ # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # -failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip +failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored.
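Review bot: The swap from `SIP auth challenge` to `SIP auth failure` in the `failregex` narrows what this DoS jail can see: a source that floods REGISTER requests without ever answering the 401 challenge produces challenge log lines but no failure lines, so after this change such a flood is no longer counted by `freeswitch-dos.conf` at all, while the commit message only argues that the challenge line fires on successful registrations too. If the intent is to drop challenge counting from the DoS jail, that trade-off should be stated in a comment in the filter (or the challenge pattern kept at a higher `maxretry` in its own jail) rather than left implicit. Also check that the failregex as rendered here, `... from ip`, still ends in fail2ban's `<HOST>` tag (the `(?P<host>...)` comment above the regex appears with its angle-bracketed name stripped as well): without `<HOST>` fail2ban cannot extract an address to ban, so the filter would match but never act. Finally, the `maxretry`/`findtime` tuning the message recommends for `jail.local` is not part of this one-line patch; either include it or note in the filter header that the thresholds were tuned for the challenge line and may need lowering now that only failures are counted.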