November 22, 2019

FreeSwitch and Fail2Ban

I am quite a fan of FreeSwitch with FusionPBX GUI. What I am not a fan of is random computers hammering my server, trying, in vain, to get in.

When trying to diagnose a server, log entries like the ones below make finding the lines you actually need annoying...

2019-11-22 20:27:59.014814 [WARNING] sofia_reg.c:2930 Can't find user [73816@xxx.xxx.xxx.xxx] from 163.172.198.36
You must define a domain called 'xxx.xxx.xxx.xxx' in your directory and add a user with the id="73816" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
2019-11-22 20:28:50.554819 [WARNING] sofia_reg.c:2930 Can't find user [26575@xxx.xxx.xxx.xxx] from 163.172.198.36
You must define a domain called 'xxx.xxx.xxx.xxx' in your directory and add a user with the id="26575" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
2019-11-22 20:29:41.454814 [WARNING] sofia_reg.c:2930 Can't find user [69227@xxx.xxx.xxx.xxx] from 163.172.198.36
You must define a domain called 'xxx.xxx.xxx.xxx' in your directory and add a user with the id="69227" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
2019-11-22 20:30:33.574817 [WARNING] sofia_reg.c:2930 Can't find user [98457@xxx.xxx.xxx.xxx] from 163.172.198.36
You must define a domain called 'xxx.xxx.xxx.xxx' in your directory and add a user with the id="98457" attribute
and you must configure your device to use the proper domain in it's authentication credentials.

So, as a warning, this can fill the logs quite fast. It seems FreeSwitch/FusionPBX comes with some base rules for fail2ban, but nothing to catch this?

Anyway, here is the rule. There is probably a better regex than this, but it suits my small needs.

failregex = \[WARNING\] sofia_reg\.c:\d+ Can't find user \[.*\] from <HOST>

So far working well...
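A way to check the rule and the jail thresholds against the log excerpt above, as an added Python example (not part of the original post and not fail2ban's own code). It replaces `<HOST>` with a simplified IPv4-only pattern, the function names are made up for illustration, and the `maxretry`/`findtime` values passed in are assumptions.

```python
import re
from datetime import datetime, timedelta

# Rule from the post (dot escaped, <HOST> tag written without spaces).
FAILREGEX = r"\[WARNING\] sofia_reg\.c:\d+ Can't find user \[.*\] from <HOST>"
# Assumption: IPv4-only stand-in for fail2ban's much broader <HOST> expansion.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) ")

# Sample taken from the excerpt in this post (continuation lines kept once).
SAMPLE_LOG = """\
2019-11-22 20:27:59.014814 [WARNING] sofia_reg.c:2930 Can't find user [73816@xxx.xxx.xxx.xxx] from 163.172.198.36
You must define a domain called 'xxx.xxx.xxx.xxx' in your directory and add a user with the id="73816" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
2019-11-22 20:28:50.554819 [WARNING] sofia_reg.c:2930 Can't find user [26575@xxx.xxx.xxx.xxx] from 163.172.198.36
2019-11-22 20:29:41.454814 [WARNING] sofia_reg.c:2930 Can't find user [69227@xxx.xxx.xxx.xxx] from 163.172.198.36
2019-11-22 20:30:33.574817 [WARNING] sofia_reg.c:2930 Can't find user [98457@xxx.xxx.xxx.xxx] from 163.172.198.36
"""

def failures(log_text):
    """Return (timestamp, host) for every line the rule matches."""
    rule = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))
    hits = []
    for line in log_text.splitlines():
        ts, m = TS_RE.match(line), rule.search(line)
        if ts and m:  # continuation lines have no timestamp and no match
            when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S.%f")
            hits.append((when, m.group("host")))
    return hits

def hosts_to_ban(log_text, maxretry, findtime):
    """Hosts with at least maxretry matches inside a findtime-second window."""
    per_host = {}
    for ts, host in failures(log_text):
        per_host.setdefault(host, []).append(ts)
    window = timedelta(seconds=findtime)
    banned = set()
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.add(host)
                break
    return banned

if __name__ == "__main__":
    print(len(failures(SAMPLE_LOG)), "matching lines")
    print("maxretry=3 findtime=60: ", hosts_to_ban(SAMPLE_LOG, 3, 60))
    print("maxretry=3 findtime=600:", hosts_to_ban(SAMPLE_LOG, 3, 600))
```

The attempts in the excerpt arrive roughly 51 seconds apart, so a jail with a short `findtime` never accumulates enough matches to ban the source. On the server itself, `fail2ban-regex` run against the real log file and filter performs the regex check with fail2ban's own `<HOST>` expansion.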
