Installing Fail2ban
- Installing on CentOS/RedHat
yum install -y epel-release
yum install -y fail2ban
Install the EPEL repository first, then the fail2ban package itself.
- Installing on Debian/Ubuntu
apt install -y fail2ban
Debian and Ubuntu can install it directly; no third-party repository is needed.
- Verifying the installation
After installation, the preset configuration files can be found under /etc/fail2ban/.
Modifying the XSwitch configuration
XSwitch listens on two SIP ports by default: one for the default profile, which requires authentication, and one for the public profile, which does not. The authenticated port is usually exposed directly on the public Internet so that users can register from anywhere, whereas the unauthenticated port should only be reachable as allowed by the server's security policy, ACLs or similar rules, following a whitelist principle. So the port that mainly needs protection against SIP brute-force attacks is the one configured in the default profile. To have Fail2ban block the offending IPs, the default profile first needs an extra setting so that it writes the IPs with authentication failures to the freeswitch.log log file.
First log in to the XSwitch admin console, open Advanced -- SIP from the side menu, and look for the log-auth-failures parameter; set its value to true. If the parameter is not there, add one manually with the name log-auth-failures and the value true, and enable it. After changing the configuration, rescan or restart the profile so that the setting takes effect.
Next, verify that the setting works. First, on the server, follow the log in real time:
tail -f data/log/freeswitch.log
Then, in a softphone, set the registration address to your own server and port, enter an arbitrary username and password, click register and watch the FS log. If lines like the SIP auth failure entries below appear, the configuration works.
2023-08-30 11:16:15.907763 98.10% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
2023-08-30 11:16:15.927736 98.10% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
Introduction to the Fail2ban configuration
Fail2Ban's configuration files use the INI format and live in the /etc/fail2ban directory:
- fail2ban.conf: parameters for the fail2ban program itself, such as its log and database.
- jail.conf: ban-related parameters.
- filter.d/*: the regular-expression filter rules that filter entries in jail.conf refer to.
- action.d/*: the action commands that action entries in jail.conf refer to, such as banning an IP or sending an e-mail notification.
All of these are files installed by the package; editing them directly means that later upgrades cannot merge the configuration automatically. Fail2Ban therefore provides a mechanism for custom configuration files:
- Options from fail2ban.conf can be redefined through fail2ban.d/* and fail2ban.local.
- Options from jail.conf can be redefined through jail.d/* and jail.local.
In a default installation, /etc/fail2ban/jail.d/defaults-debian.conf already enables the sshd jail.
Usually nothing other than jail.conf needs changing. The following focuses on the parameters in jail.conf: they are not only default (global) parameters belonging to [DEFAULT], but can also be redefined inside a specific jail (such as [sshd]).
Common parameters:
- ignoreip: IP addresses (in CIDR notation) or host names to ignore, separated by spaces.
- bantime: how long a host stays banned, 600 seconds by default.
- maxretry: the number of authentication failures a host is allowed within the findtime window. When that number is reached, the host is banned.
- findtime: the time window in which authentication failures are counted. It does not mean that the log is scanned once every findtime.
Newer Fail2ban versions accept s (seconds), m (minutes) and d (days) as time units, e.g. 10m and 1d.
The introduction above is quoted from: https://www.malike.net.cn/blog/2021/03/15/fail2ban-tutorial-1/
- Adding the freeswitch jail configuration
Create /etc/fail2ban/jail.d/freeswitch.conf and add the following content:
[freeswitch]
enabled = true
port = 7060,7061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
#        %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /home/jing/lworkspace/xswitch-community-6.0.7/data/log/freeswitch.log
maxretry = 5
bantime = 1d
findtime = 1m
The port and log path above can be changed to match your own setup.
- Modifying the filter rule
Besides creating this file, the regular expression in the default filter.d/freeswitch.conf filter also has to be modified, because the log format changed in FreeSWITCH 1.10 and later: a CPU idle percentage column now follows the timestamp.
failregex = %(_pref_line)s \d+\.?\d*%% \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile '[^']+' for \[[^\]]*\] from ip <HOST>$
            %(_pref_line)s \d+\.?\d*%% \[WARNING\] sofia_reg\.c:\d+ Can't find user \[[^@]+@[^\]]+\] from <HOST>$
Compared with the original rule, the modified configuration above adds the \d+\.?\d*%% part of the pattern, which consumes the CPU idle column; everything else is unchanged.
After the change, we need to verify that this filter rule actually matches the target IP. The fail2ban-regex command checks whether a regex configuration is correct:
fail2ban-regex /home/jing/lworkspace/xswitch-community-6.0.7/data/log/freeswitch.log /etc/fail2ban/filter.d/freeswitch.conf --print-all-matched
If the command prints something like the following, the regex configuration is correct:
Lines: 18386 lines, 0 ignored, 22 matched, 18364 missed
[processed in 0.60 sec]
|- Matched line(s):
| 2023-08-02 15:27:54.392865 98.60% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
| 2023-08-02 15:27:54.412905 98.60% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
| 2023-08-02 15:44:46.992944 98.30% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
| 2023-08-02 15:44:46.992944 98.30% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
| 2023-08-02 15:44:55.292938 98.43% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [100111@172.18.72.134] from ip 172.18.64.1
| 2023-08-02 15:44:55.312868 98.43% [WARNING] sofia_reg.c:3264 Can't find user [100111@xswitch.cn] from 172.18.64.1
| 2023-08-02 15:44:55.312868 98.43% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [100111@172.18.72.134] from ip 172.18.64.1
| 2023-08-02 22:37:43.172876 98.40% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [100111@172.18.72.134] from ip 172.18.64.1
| 2023-08-02 22:37:43.672927 96.17% [WARNING] sofia_reg.c:3264 Can't find user [100111@xswitch.cn] from 172.18.64.1
| 2023-08-02 22:37:43.672927 96.17% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [100111@172.18.72.134] from ip 172.18.64.1
| 2023-08-26 20:10:41.203200 99.23% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
| 2023-08-26 20:10:41.223183 99.23% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
| 2023-08-26 20:17:41.121487 98.83% [WARNING] sofia_reg.c:1893 SIP auth challenge (INVITE) on sofia profile 'default' for [111@172.18.72.134] from ip 172.18.64.1
| 2023-08-26 20:17:41.141382 98.83% [WARNING] sofia_reg.c:3264 Can't find user [18210273894@xswitch.cn] from 172.18.64.1
| 2023-08-26 20:17:41.141382 98.83% [WARNING] sofia_reg.c:1838 SIP auth failure (INVITE) on sofia profile 'default' for [111@172.18.72.134] from ip 172.18.64.1
| 2023-08-26 20:17:47.621838 98.83% [WARNING] sofia_reg.c:1893 SIP auth challenge (INVITE) on sofia profile 'default' for [1111@172.18.72.134] from ip 172.18.64.1
| 2023-08-26 20:17:47.641442 98.83% [WARNING] sofia_reg.c:3264 Can't find user [18210273894@xswitch.cn] from 172.18.64.1
| 2023-08-26 20:17:47.641442 98.83% [WARNING] sofia_reg.c:1838 SIP auth failure (INVITE) on sofia profile 'default' for [1111@172.18.72.134] from ip 172.18.64.1
| 2023-08-30 11:16:15.907763 98.10% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
| 2023-08-30 11:16:15.927736 98.10% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
| 2023-08-30 13:34:22.127740 98.97% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
| 2023-08-30 13:34:22.147743 98.97% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
`-
Missed line(s): too many to print. Use --print-all-missed to print all 18364 lines
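To see how the filter regex and the maxretry/findtime/bantime parameters described earlier work together, here is an added Python example (not from the original post, nor from the Fail2ban or XSwitch projects) that replays constructed log lines in the FreeSWITCH 1.10+ format through the modified failregex and a sliding findtime window, the way a jail counts failures. The `_pref_line` prefix is replaced by an assumed explicit timestamp pattern, and the sample lines, hosts and timestamps are constructed for the demo; they mirror the log format shown above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The page's modified failregex translated from fail2ban INI syntax to a plain
# Python pattern: "%%" becomes "%", "<HOST>" becomes a named group and the
# _pref_line prefix is replaced by an assumed explicit "YYYY-MM-DD HH:MM:SS.usec"
# timestamp pattern (fail2ban's own prefix handling is more general than this).
_PREF_LINE = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+"
_HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
_CPU_IDLE = r" \d+\.?\d*% "  # the column FreeSWITCH 1.10+ inserts after the timestamp
FAILREGEX = [
    re.compile(_PREF_LINE + _CPU_IDLE
               + r"\[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) "
               + r"\((REGISTER|INVITE)\) on sofia profile '[^']+' for \[[^\]]*\] from ip "
               + _HOST + r"$"),
    re.compile(_PREF_LINE + _CPU_IDLE
               + r"\[WARNING\] sofia_reg\.c:\d+ Can't find user \[[^@]+@[^\]]+\] from "
               + _HOST + r"$"),
]

# Constructed sample log, modelled on the freeswitch.log lines shown above:
# one failed REGISTER from 172.18.64.1 at 13:34, three more within one minute
# at 13:45, a stray "Can't find user" from 10.0.0.9, one line in the pre-1.10
# format (no CPU column) and one unrelated NOTICE line.
SAMPLE_LOG = """\
2023-08-30 13:34:22.127740 98.97% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
2023-08-30 13:34:22.147743 98.97% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
2023-08-30 13:45:25.100000 98.50% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
2023-08-30 13:45:25.120000 98.50% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
2023-08-30 13:45:47.100000 98.50% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
2023-08-30 13:45:47.120000 98.50% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
2023-08-30 13:45:55.100000 98.50% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
2023-08-30 13:45:55.120000 98.50% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
2023-08-30 13:46:01.000000 98.50% [WARNING] sofia_reg.c:3264 Can't find user [100111@xswitch.cn] from 10.0.0.9
2023-08-30 13:46:02.000000 [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 10.0.0.9
2023-08-30 13:46:03.000000 98.50% [NOTICE] switch_core.c:123 constructed unrelated notice line
"""


def match_line(line):
    """Return (timestamp, host) if the line matches one of the failregexes, else None."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:
            return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("host")
    return None


def simulate_jail(lines, maxretry=5, findtime=timedelta(minutes=1), bantime=timedelta(days=1)):
    """Replay log lines through a jail: keep, per host, the match timestamps that
    still fall inside the findtime window and ban the host once the window holds
    maxretry matches. Returns {host: ban_timestamp}. Matches from an already
    banned host are ignored until bantime has elapsed, as the firewall rule
    would stop the traffic from reaching FreeSWITCH at all."""
    recent = defaultdict(deque)  # host -> timestamps of matches inside the window
    banned = {}
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        ts, host = hit
        if host in banned and ts < banned[host] + bantime:
            continue
        window = recent[host]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            banned[host] = ts
            window.clear()
    return banned


def run_sample():
    """Replay the constructed sample with the page's settings (maxretry 5, findtime 1m, bantime 1d)."""
    banned = simulate_jail(SAMPLE_LOG.splitlines())
    return {host: ts.strftime("%Y-%m-%d %H:%M:%S") for host, ts in banned.items()}


if __name__ == "__main__":
    print(run_sample())  # {'172.18.64.1': '2023-08-30 13:45:55'}
```

Two things the replay makes visible. First, the 13:34 attempt is pushed out of the one-minute window, so only the three attempts at 13:45 count; that is exactly the sequence in the fail2ban.log excerpt further down, where the Ban follows the third pair of Found lines. Second, every failed registration produces both a challenge and a failure line, and the failregex matches both, so with maxretry = 5 a host is banned on its third failed attempt inside findtime, not its fifth; keep that in mind when choosing maxretry, or drop challenge from the alternation if you want one count per attempt. The pre-1.10 line without the CPU column is not matched at all, which is why the filter edit above is needed.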
- Enabling the service
After editing the configuration, restart the service with systemctl restart fail2ban so that the changes take effect. After the restart, check the /var/log/fail2ban.log log file; you will see something like this:
2023-08-30 13:23:27,442 fail2ban.filter [28448]: INFO Added logfile: '/home/jing/lworkspace/xswitch-community-6.0.7/data/log/freeswitch.log' (pos = 1387373, hash = 99e4ff016fc59bf966e9530dc0fdf935e18d5dd2)
2023-08-30 13:23:27,451 fail2ban.filter [28448]: INFO encoding: UTF-8
2023-08-30 13:23:27,451 fail2ban.filter [28448]: INFO maxRetry: 5
2023-08-30 13:23:27,451 fail2ban.filter [28448]: INFO findtime: 60
2023-08-30 13:23:27,452 fail2ban.actions [28448]: INFO banTime: 86400
2023-08-30 13:23:27,455 fail2ban.jail [28448]: INFO Jail 'sshd' started
2023-08-30 13:23:27,456 fail2ban.jail [28448]: INFO Jail 'freeswitch' started
Once the jail is active, use a softphone to simulate several failed registrations while continuing to watch fail2ban.log. When fail2ban's ban condition is met, a Ban x.x.x.x line is logged:
2023-08-30 13:23:27,455 fail2ban.jail [28448]: INFO Jail 'sshd' started
2023-08-30 13:23:27,456 fail2ban.jail [28448]: INFO Jail 'freeswitch' started
2023-08-30 13:34:22,369 fail2ban.filter [28448]: INFO [freeswitch] Found 172.18.64.1 - 2023-08-30 13:34:22
2023-08-30 13:34:22,370 fail2ban.filter [28448]: INFO [freeswitch] Found 172.18.64.1 - 2023-08-30 13:34:22
2023-08-30 13:45:25,647 fail2ban.filter [28448]: INFO [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:25
2023-08-30 13:45:25,648 fail2ban.filter [28448]: INFO [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:25
2023-08-30 13:45:47,583 fail2ban.filter [28448]: INFO [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:47
2023-08-30 13:45:47,583 fail2ban.filter [28448]: INFO [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:47
2023-08-30 13:45:55,595 fail2ban.filter [28448]: INFO [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:55
2023-08-30 13:45:55,595 fail2ban.filter [28448]: INFO [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:55
2023-08-30 13:45:55,762 fail2ban.actions [28448]: NOTICE [freeswitch] Ban 172.18.64.1
After the ban entry appears in the log, run iptables -L -n to view the current rules; you will see something like this:
Chain f2b-freeswitch-tcp (1 references)
target prot opt source destination
REJECT all -- 172.18.64.1 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-freeswitch-udp (1 references)
target prot opt source destination
REJECT all -- 172.18.64.1 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0
Adding WeCom (企业微信) notifications
- Creating a WeCom group bot
Before adding WeCom notifications, first create an internal WeCom group and add a bot to it. Once the bot has been added, you get a webhook address of the form https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=xxx-xxx.
Create the script /usr/local/bin/send_wechat.sh:
#!/bin/bash
# WeCom group bot webhook address; replace xxx-xxx with your own bot key
BOT_URL="https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=xxx-xxx"

# Send a markdown notification for the banned IP given as the first argument
function send_notify () {
    message="# Fail2ban封禁通知\n<font color=\"warning\">IP: $1</font>\n"
    curl "${BOT_URL}" \
        -H 'Content-Type: application/json' \
        -d '
        {
            "msgtype": "markdown",
            "markdown": {
                "content": "'"${message}"'"
            }
        }'
}

send_notify "$1"
Make the script executable with chmod a+x /usr/local/bin/send_wechat.sh, then run send_wechat.sh 1.1.1.1 to test whether the WeCom notification arrives.
- Adding the action configuration
Create the file /etc/fail2ban/action.d/wechat.conf with the following content:
# Fail2Ban configuration file
#
# Author: Think
#
#
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = /usr/local/bin/send_wechat.sh <ip>
[Init]
# Default name of the chain
#
name = default
This action only binds the actionban event; if you also want a notification on actionunban, add one yourself.
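As an added example that is not from the original post, the following Python script does the same job as send_wechat.sh but validates the <ip> tag fail2ban hands it, builds the JSON body with json.dumps instead of splicing the argument into a string, and handles an unban event as well. The script path, the ban/unban argument convention, the optional jail-name argument and the BOT_URL key are assumptions. Installed as /usr/local/bin/send_wechat.py, it could be wired into the action file above with actionban = /usr/local/bin/send_wechat.py <ip> ban and actionunban = /usr/local/bin/send_wechat.py <ip> unban (an assumed layout, not the page's).

```python
#!/usr/bin/env python3
import ipaddress
import json
import sys
import urllib.request

# Assumed WeCom bot webhook; replace xxx-xxx with your own bot key.
BOT_URL = "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=xxx-xxx"

EVENTS = {
    # event -> (markdown title, WeCom font colour)
    "ban": ("Fail2ban封禁通知", "warning"),
    "unban": ("Fail2ban解封通知", "info"),
}


def is_valid_ip(value):
    """True for a syntactically valid IPv4/IPv6 address, which is all <ip> may ever be."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def build_payload(ip, event="ban", jail="freeswitch"):
    """Return the WeCom markdown message as a dict. json.dumps serialises it
    later, so nothing in the arguments can break out of the JSON string."""
    if not is_valid_ip(ip):
        raise ValueError(f"not an IP address: {ip!r}")
    if event not in EVENTS:
        raise ValueError(f"unknown event: {event!r}")
    title, colour = EVENTS[event]
    content = (
        f"# {title}\n"
        f"<font color=\"{colour}\">IP: {ip}</font>\n"
        f"jail: {jail}\n"
    )
    return {"msgtype": "markdown", "markdown": {"content": content}}


def send(payload, url=BOT_URL, timeout=10):
    """POST the payload to the webhook and return the HTTP status code."""
    body = json.dumps(payload, ensure_ascii=False).encode("utf-8")
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def main(argv):
    # usage: send_wechat.py <ip> [ban|unban] [jail-name]
    if len(argv) < 2:
        sys.stderr.write("usage: send_wechat.py <ip> [ban|unban] [jail]\n")
        return 2
    event = argv[2] if len(argv) > 2 else "ban"
    jail = argv[3] if len(argv) > 3 else "freeswitch"
    try:
        payload = build_payload(argv[1], event, jail)
    except ValueError as exc:
        # Refuse rather than forward an unexpected argument to the webhook.
        sys.stderr.write(f"refusing to notify: {exc}\n")
        return 1
    send(payload)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because fail2ban runs the action with its own privileges and feeds it values straight from the log match, the script treats its arguments as untrusted: anything that does not parse as an IP address is rejected before a request is made, and the message body is produced by the JSON encoder rather than by quoting tricks in the shell.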
- Modifying the freeswitch jail configuration
Edit the /etc/fail2ban/jail.d/freeswitch.conf file and add the new action:
[freeswitch]
enabled = true
port = 7060,7061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
         wechat
logpath = /home/jing/lworkspace/xswitch-community-6.0.7/data/log/freeswitch.log
maxretry = 5
bantime = 1d
findtime = 1m
After the change, restart the service and test again. Before testing, first unban the local IP that was banned earlier, with the following command:
fail2ban-client unban 172.18.64.1