《FreeSWITCH 1.2 Network level protection》

To ensure that a warning is generated when FreeSWITCH receives an invalid authentication attempt, you can modify your SIP profiles and include the following setting:

    <param name="log-auth-failures" value="true"/>

A log line will be generated for authentication attempts that looks as follows:[WARNING] SIP auth challenge (REGISTER) on sofia profile 'customer_access' for [user_rdkj7h@2600hz.com] from ip 184.106.157.100These warnings can be counted automatically and are used to ban the IP address184.106.157.100in the previous example.

Fail2Ban is a third-party program that runs in the background and monitors logs. When specific loglines such as the authentication challenge line shown previously, are seen a certain number of times, Fail2Ban takes an action. It can be programmed to e-mail you with an alert or automatically use IPTables to block an offending IP address after too many invalid attempts occur within a certain period of time.

This book is not intended to be a complete guide for using Fail2Ban. However some sample scripts are given later in the chapter.To configure Fail2Ban you will need to create several files which instruct Fail2Ban what to look for in your logs and what to do when it finds a match.For filters, Fail2Ban has by default, a folder where you can place filters. These filters contain strings which can be used to match against your logs. You can have as many filters as you want to look for different types of traffic in your logs. When combined with FreeSWITCH's error log which shows invalid login attempts, this can become a useful filter mechanism.The second file, known as the jail configuration file applies the filters to rules such as how often an error is allowed to occur and what action to take after that threshold has been exceeded. The jail configuration file effectively specifies how to react (when filters match).

Filter configurations Let's first review afilterconfiguration file. This file would typically be placed in/etc/Fail2Ban/filter.d/ and named according to the particular filter you are looking for. In this case we might call the file freeswitch-auth.conf. The file would contain a filter to look for failed authentication attempts. The format is a standard regular expression. In this case we consider a failure in FreeSWITCH anytime someone tries to register or make a call using invalid credentials. The file would look like the following:

# freeswitch-auth.conf Fail2Ban filter configuration file
[Definition]
failregex = SIP auth failure \((?:[REGISTER|INVITE])\) on sofiaprofile \'[^']+\' for \[.*\] from ip <HOST>

This will watch the FreeSWITCH logs for failed REGISTER or INVITE messages.

Jail configurations

Now, combine this filter with a jail entry which blocks an IP address if too many failed INVITEs or REGISTERs are received within a certain period of time. To do this edit/etc/Fail2Ban/jail.conf and add the following entry:

[freeswitch-auth]
enabled  = true
# place your custom port entries in here if needed (per the Sofia settings above)
port     = 5060
filter   = freeswitch-auth
logpath  = /var/log/freeswitch/freeswitch.log
maxretry = 50
findtime = 30
bantime  = 6000
action   = iptables-allports[name=freeswitch, protocol=all]

The earlier settings indicate the use of freeswitch-auth filter and after 50 failed INVITE or REGISTER authorization attempts (maxretry) within a 30 second period, blocks the IP address of the offender. If the filter is met (meaning 50 failed INVITE or REGISTER authorization attempts occur) within a 30 second period, the IP address will be banned in full for 6000 seconds.

Other considerationsThe Fail2Ban script must be tuned so that a large site is not accidentally kicked offline just because they are busy. For example, if you have a rate limit Fail2Ban entry, you would not want to set up Fail2Ban to block IP addresses if they happen to send 50 authentication requests in a 5 second period, because if the site has 50phones and their power goes out, when their power comes back on all phones will attempt to register at once, resulting in them being banned. This is not the intent.

Care must be taken when setting up Fail2Ban to test for edge case scenarios like the power outage scenario just described.

Encryption

Keeping voice communication secure is essential to any communications platform. This is especially critical for PSTN communication routed over the Internet because end-users often assume secure lines when speaking about confidential matters or conducting financial transactions.

VoIP encryption is based on two concepts – encrypting signaling and encrypting media (audio/video)communication. Like any standard encryption mechanism, VoIP encryption utilizes standard cryptography libraries and involves key exchanges and password negotiation to securely transmit and receive information. The two main encryption algorithms used in VoIP (which are detailed later) are very similar to SSL over the web and key exchange is used when connecting to remote servers via SSH.  In either exchange, the main goal is to end up with an encryption algorithm and a common encryption secret between the two parties that only they know, which can be used to encrypt and decrypt the actual content – the phone call.

Many people toss around the terms TLS, SSL, and SRTP without fully understanding them. It should be understood that in order to fully protect communications it is recommended to choose both an encryption strategy for signaling and an encryption strategy for audio encryption.In the following sections, we'll review each cryptography strategy in more detail.

# freeswitch-auth.conf Fail2Ban filter configuration file
[Definition]
failregex = SIP auth failure \((?:[REGISTER|INVITE])\) on sofiaprofile \'[^']+\' for \[.*\] from ip <HOST>

[freeswitch-auth]
enabled  = true
# place your custom port entries in here if needed (per the Sofia settings above)
port     = 5060
filter   = freeswitch-auth
logpath  = /var/log/freeswitch/freeswitch.log
maxretry = 50
findtime = 30
bantime  = 6000
action   = iptables-allports[name=freeswitch, protocol=all]

Fail2Ban是一个用于防止恶意攻击的开源软件。它可以监控系统日志文件，检测到恶意行为后自动封禁攻击者的IP地址。在FreeSWITCH中使用Fail2Ban可以有效地保护系统免受SIP攻击。

以下是使用Fail2Ban防止SIP攻击的步骤：

1. 安装Fail2Ban：根据操作系统的不同，可以使用包管理器安装Fail2Ban。例如，在Ubuntu上可以使用以下命令进行安装：

sudo apt-get install fail2ban

2. 配置Fail2Ban：Fail2Ban的配置文件位于`/etc/fail2ban`目录下。可以根据需要进行自定义配置。主要的配置文件是`jail.conf`，其中包含了各种服务的配置选项。

3. 配置FreeSWITCH的Fail2Ban规则：在Fail2Ban的配置文件中，可以添加针对FreeSWITCH的规则。例如，在`jail.conf`文件中添加以下内容：

[FreeSWITCH]
enabled = true
filter = freeswitch
action = iptables-allports[name=FreeSWITCH]
logpath = /usr/local/freeswitch/log/freeswitch.log
maxretry = 5
bantime = 3600


[freeswitch-auth]
enabled = true
# place your custom port entries in here if needed (per the Sofia settings above)
port = 5060,5066,7443
filter = freeswitch-auth
logpath = /usr/local/freeswitch/log/freeswitch.log
maxretry = 4 #最大的重试次数
findtime = 180 #指定了查找时间为180秒。系统会在180秒内查找用户的重试次数，如果达到了设定的最大重试次数，就会采取相应的动作。
bantime = -1 #用于指定禁止IP的持续时间，负数值表示永久禁止
action = iptables-allports[name=freeswitch, protocol=all]

这个配置将监视FreeSWITCH的日志文件`/usr/local/freeswitch/log/freeswitch.log`，如果同一个IP地址在5分钟内出现5次失败的登录尝试，Fail2Ban将使用iptables封禁该IP地址1小时。

4. 创建Fail2Ban过滤器：在Fail2Ban的配置文件中，可以创建一个过滤器来匹配SIP攻击的日志。例如，在`/etc/fail2ban/filter.d`目录下创建一个名为`freeswitch.conf`的文件，并添加以下内容：

[Definition]
failregex = REGISTER sip:.*?@<HOST> SIP/2.0
ignoreregex =

这个过滤器将匹配以`REGISTER sip:`开头的日志行，并提取出IP地址。

5. 重启Fail2Ban服务：完成以上配置后，需要重启Fail2Ban服务使配置生效。可以使用以下命令重启Fail2Ban：

sudo service fail2ban restart
sudo service fail2ban status

通过以上步骤，Fail2Ban将会监控FreeSWITCH的日志文件，检测到SIP攻击后自动封禁攻击者的IP地址。

查看被fail2ban屏蔽掉的ip

sudo fail2ban-client status
sudo fail2ban-client status freeswitch-auth

这个命令将显示fail2ban的状态信息，其中包括被屏蔽的IP地址列表。

手动解除ip

fail2ban-client set <modole_name> unbanip ip
fail2ban-client set freeswitch-auth unbanip 220.250.41.154

受攻击日志

[WARNING] sofia_reg.c:1842 SIP auth challenge (REGISTER) on sofia profile 'internal' for [215@10.0.8.5] from ip 108.181.22.221

[WARNING] sofia_reg.c:1842 SIP auth challenge (INVITE) on sofia profile 'internal' for [6448303320@10.0.8.5] from ip 51.161.13.200

[WARNING] sofia_reg.c:1842 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1011@10.0.8.5] from ip 108.181.2.123

[WARNING] sofia_reg.c:1842 SIP auth challenge (INVITE) on sofia profile 'internal' for [001546850780336@10.0.8.5] from ip 85.114.130.232

failregex = SIP auth failure \((?:[REGISTER|INVITE])\) on sofiaprofile \'[^']+\' for \[.*\] from ip <HOST>`
failregex = SIP auth challenge \(INVITE\) on sofia profile 'internal' for \[.*\] from ip <HOST>
 

failregex = SIP auth (failure|challenge) \((?:REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>'

FreeSWITCH mod_cti模块 结合 fail2ban 实现封堵恶意IP（SIP安全，防攻击）_fail2ban freeswitch非法呼叫-CSDN博客