How to add fail2ban to an XSwitch system

2024-04-18 18:29:38

Fail2ban is intrusion-prevention software that detects brute-force attacks and blocks them. It is written in Python, has a rich set of extension modules and customization options, and ships preset module configurations for common application protocols such as HTTP/HTTPS, SSH, FTP and SIP. The way it works is simple: it scans the application log, uses regular expressions to extract the source IP and time of abnormal log entries, and feeds the extracted data into a filter list. If one of the ban conditions in that list is met, the corresponding action is triggered; the action may add the IP to an iptables block rule or run a custom script.

Installing Fail2ban

  • CentOS/Redhat installation

yum install -y epel-release
yum install -y fail2ban

Install the EPEL repository first, then the fail2ban package.

  • Debian/Ubuntu installation

apt install -y fail2ban

On Debian and Ubuntu the package can be installed directly; no third-party repository is needed.

  • Verify after installation

After installation, the preset configuration files can be found under /etc/fail2ban/.

Modifying the XSwitch configuration

XSwitch listens on two SIP ports by default: the default profile, with authentication, and the public profile, without. The authenticated port is usually exposed directly to the Internet so that users can register from the public network, whereas the unauthenticated port should only be reachable through the server's security policy or ACL rules, on a whitelist basis. So the port that needs protection against SIP brute-force attacks is mainly the one configured in the default profile. For Fail2ban to block IPs, the default profile first needs an extra setting so that IPs with authentication failures are written to the freeswitch.log file.

Log in to the XSwitch admin console, open Advanced -- SIP in the side menu, find the log-auth-failures parameter and set its value to true. If the parameter does not exist, add one manually with the name log-auth-failures and the value true, and enable it. After changing the configuration, rescan or restart the profile so that the change takes effect.

Next, verify that the configuration works. On the server, follow the log in real time:

tail -f data/log/freeswitch.log

Then point a softphone at your server address and port, enter an arbitrary username and password, click register and watch the FreeSWITCH log. If lines containing "SIP auth failure" appear, like the ones below, the configuration is working.

2023-08-30 11:16:15.907763 98.10% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
2023-08-30 11:16:15.927736 98.10% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1

Fail2ban configuration overview

Fail2Ban configuration files are in INI format and live in the /etc/fail2ban directory:

  • fail2ban.conf: parameters of the fail2ban daemon itself, such as logging and the database.
  • jail.conf: ban-related parameters (the jails).
  • filter.d/*: the regular-expression filter rules referenced by filter in jail.conf.
  • action.d/*: the action commands referenced by action in jail.conf, such as banning an IP or sending an email notification.

All of these are files installed by the package; editing them directly means a later upgrade cannot merge the configuration automatically. Fail2Ban therefore provides a mechanism for custom configuration files:

  • fail2ban.conf options can be overridden through fail2ban.d/* and fail2ban.local.
  • jail.conf options can be overridden through jail.d/* and jail.local.

In a default installation, /etc/fail2ban/jail.d/defaults-debian.conf already enables the sshd jail.

Usually nothing except jail.conf needs to change. The jail.conf parameters are described below; they are default (global) parameters under [DEFAULT], and they can also be overridden inside a specific jail (such as [sshd]).

Common parameters:

  • ignoreip: IP addresses (CIDR notation) or host names to ignore, separated by spaces.
  • bantime: how long a host is banned, default 600 seconds.
  • maxretry: the number of authentication failures allowed from a host within the findtime window. Once the maximum is reached, the host is banned.
  • findtime: the time window in which authentication failures are looked for. It does not mean the log is scanned once every findtime.

Newer Fail2ban versions accept s (seconds), m (minutes) and d (days) as time units, e.g. 10m and 1d.

The overview above is quoted from: https://www.malike.net.cn/blog/2021/03/15/fail2ban-tutorial-1/
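To make the interplay of maxretry, findtime and bantime concrete, here is an added example (a simplified model written for this page, not fail2ban's own code) that applies this page's jail values (maxretry = 5, findtime = 1m, bantime = 1d) to failure events constructed from the fail2ban.log excerpt further down; parse_duration, decide_bans and demo are names chosen here.

```python
import re
from datetime import datetime, timedelta

# Added example, not fail2ban's own code: a simplified model of how maxretry,
# findtime and bantime combine into a ban decision.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(value):
    """Turn '600', '10m' or '1d' into seconds (a bare number means seconds)."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]

def decide_bans(failures, maxretry, findtime, bantime):
    """failures: (datetime, ip) pairs in log order. An IP is banned once it has
    maxretry failures inside a sliding findtime window; hits during a ban are ignored."""
    window = timedelta(seconds=parse_duration(findtime))
    ban_len = timedelta(seconds=parse_duration(bantime))
    recent = {}        # ip -> failure times still inside the window
    banned_until = {}  # ip -> end of the current ban
    bans = []          # (ip, ban_start, ban_end)
    for ts, ip in failures:
        if ip in banned_until and ts < banned_until[ip]:
            continue
        hits = [t for t in recent.get(ip, []) if ts - t <= window]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= maxretry:
            bans.append((ip, ts, ts + ban_len))
            banned_until[ip] = ts + ban_len
            recent[ip] = []
    return bans

# Constructed from the "Found 172.18.64.1" entries of the fail2ban.log excerpt on this page
SAMPLE_FAILURES = [
    ("2023-08-30 13:34:22", "172.18.64.1"), ("2023-08-30 13:34:22", "172.18.64.1"),
    ("2023-08-30 13:45:25", "172.18.64.1"), ("2023-08-30 13:45:25", "172.18.64.1"),
    ("2023-08-30 13:45:47", "172.18.64.1"), ("2023-08-30 13:45:47", "172.18.64.1"),
    ("2023-08-30 13:45:55", "172.18.64.1"), ("2023-08-30 13:45:55", "172.18.64.1"),
]

def demo():
    """Run the sample through this page's jail settings: the two 13:34 hits fall
    outside the 1-minute window, so the fifth hit inside it, at 13:45:55, triggers the ban."""
    events = [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), ip) for t, ip in SAMPLE_FAILURES]
    return [(ip, a.isoformat(" "), b.isoformat(" "))
            for ip, a, b in decide_bans(events, 5, "1m", "1d")]
```

The result reproduces the "Ban 172.18.64.1" entry that appears at 13:45:55 in the fail2ban.log excerpt, with the ban expiring one day later.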

  • Add a jail configuration for freeswitch

Create /etc/fail2ban/jail.d/freeswitch.conf with the following content:

[freeswitch]

enabled = true
port     = 7060,7061
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
#           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath  = /home/jing/lworkspace/xswitch-community-6.0.7/data/log/freeswitch.log
maxretry = 5
bantime = 1d
findtime = 1m

The port and log path above should be adjusted to your own setup.

  • Modify the filter rule

Besides creating this file, the regular expressions in the default filter.d/freeswitch.conf must also be modified, because the log format changed in FreeSWITCH 1.10 and later: an extra column with the CPU idle percentage now follows the timestamp.

failregex = %(_pref_line)s \d+\.?\d+?%% \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile '[^']+' for \[[^\]]*\] from ip <HOST>$
            %(_pref_line)s \d+\.?\d+?%% \[WARNING\] sofia_reg\.c:\d+ Can't find user \[[^@]+@[^\]]+\] from <HOST>$

Compared with the original rule, the modified configuration only adds the \d+\.?\d+?%% part of the match (the % is doubled because fail2ban's INI parser interpolates %); everything else is unchanged.
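The following added example (written for this page, not fail2ban's own code) rewrites the two rules as plain Python regexes and runs them over sample log lines, showing that the stock rule misses the 1.10+ format while the modified rule matches it. It assumes fail2ban's <HOST> tag can be stood in for by a named group and %(_pref_line)s by a bare "YYYY-MM-DD HH:MM:SS.ffffff" timestamp pattern; build_failregex and find_hosts are names chosen here.

```python
import re

# Added example, not fail2ban's own code. Assumptions: <HOST> becomes a named
# capture group, and %(_pref_line)s is approximated by a timestamp pattern.
PREF_LINE = r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+"
HOST = r"(?P<host>\S+)"
TAILS = [
    r"SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile '[^']+' for \[[^\]]*\] from ip <HOST>$",
    r"Can't find user \[[^@]+@[^\]]+\] from <HOST>$",
]

def build_failregex(cpu_column):
    r"""Compile both rules. cpu_column=True inserts the \d+\.?\d+?% part of the modified
    filter (a single % here: the INI file doubles it only for fail2ban's config parser)."""
    mid = r" \d+\.?\d+?% " if cpu_column else " "
    return [re.compile(PREF_LINE + mid + r"\[WARNING\] sofia_reg\.c:\d+ " + t.replace("<HOST>", HOST))
            for t in TAILS]

def find_hosts(lines, patterns):
    """Return the <HOST> value of every line matched by some rule (fail2ban's 'Found' lines)."""
    found = []
    for line in lines:
        for pat in patterns:
            m = pat.search(line)
            if m:
                found.append(m.group("host"))
                break
    return found

# FreeSWITCH 1.10+ lines taken from the log excerpts on this page, plus one constructed non-auth line
NEW_FORMAT = [
    "2023-08-30 11:16:15.907763 98.10% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1",
    "2023-08-30 11:16:15.927736 98.10% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1",
    "2023-08-02 15:44:55.312868 98.43% [WARNING] sofia_reg.c:3264 Can't find user [100111@xswitch.cn] from 172.18.64.1",
    "2023-08-30 11:16:16.000000 98.10% [INFO] switch_core.c:1 constructed unrelated line from ip 10.0.0.9",
]
# Constructed: the same failure as an older FreeSWITCH (no CPU column) would print it
OLD_FORMAT = [
    "2023-08-30 11:16:15.927736 [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1",
]

if __name__ == "__main__":
    print("stock rule on 1.10+ log:   ", find_hosts(NEW_FORMAT, build_failregex(False)))
    print("modified rule on 1.10+ log:", find_hosts(NEW_FORMAT, build_failregex(True)))
    print("modified rule on old log:  ", find_hosts(OLD_FORMAT, build_failregex(True)))
```

Note that the rule also counts the "SIP auth challenge" lines, which FreeSWITCH logs when it challenges a request, before the outcome is known, so a burst of legitimate registrations from one address can count toward maxretry; the ignoreip parameter described above exists for such addresses.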

After the change, verify that the filter rule actually matches the target IP. The fail2ban-regex command checks whether a regex configuration is correct:

fail2ban-regex /home/jing/lworkspace/xswitch-community-6.0.7/data/log/freeswitch.log /etc/fail2ban/filter.d/freeswitch.conf  --print-all-matched

If output like the following appears, the regex configuration is correct:

Lines: 18386 lines, 0 ignored, 22 matched, 18364 missed
[processed in 0.60 sec]

|- Matched line(s):
|  2023-08-02 15:27:54.392865 98.60% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 15:27:54.412905 98.60% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 15:44:46.992944 98.30% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 15:44:46.992944 98.30% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 15:44:55.292938 98.43% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [100111@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 15:44:55.312868 98.43% [WARNING] sofia_reg.c:3264 Can't find user [100111@xswitch.cn] from 172.18.64.1
|  2023-08-02 15:44:55.312868 98.43% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [100111@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 22:37:43.172876 98.40% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [100111@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 22:37:43.672927 96.17% [WARNING] sofia_reg.c:3264 Can't find user [100111@xswitch.cn] from 172.18.64.1
|  2023-08-02 22:37:43.672927 96.17% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [100111@172.18.72.134] from ip 172.18.64.1
|  2023-08-26 20:10:41.203200 99.23% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-26 20:10:41.223183 99.23% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-26 20:17:41.121487 98.83% [WARNING] sofia_reg.c:1893 SIP auth challenge (INVITE) on sofia profile 'default' for [111@172.18.72.134] from ip 172.18.64.1
|  2023-08-26 20:17:41.141382 98.83% [WARNING] sofia_reg.c:3264 Can't find user [18210273894@xswitch.cn] from 172.18.64.1
|  2023-08-26 20:17:41.141382 98.83% [WARNING] sofia_reg.c:1838 SIP auth failure (INVITE) on sofia profile 'default' for [111@172.18.72.134] from ip 172.18.64.1
|  2023-08-26 20:17:47.621838 98.83% [WARNING] sofia_reg.c:1893 SIP auth challenge (INVITE) on sofia profile 'default' for [1111@172.18.72.134] from ip 172.18.64.1
|  2023-08-26 20:17:47.641442 98.83% [WARNING] sofia_reg.c:3264 Can't find user [18210273894@xswitch.cn] from 172.18.64.1
|  2023-08-26 20:17:47.641442 98.83% [WARNING] sofia_reg.c:1838 SIP auth failure (INVITE) on sofia profile 'default' for [1111@172.18.72.134] from ip 172.18.64.1
|  2023-08-30 11:16:15.907763 98.10% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-30 11:16:15.927736 98.10% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-30 13:34:22.127740 98.97% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-30 13:34:22.147743 98.97% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
`-
Missed line(s): too many to print.  Use --print-all-missed to print all 18364 lines

  • Enable the service

After editing the configuration, restart the service with systemctl restart fail2ban to apply it. After the restart, check the /var/log/fail2ban.log log file; you should see something like:

2023-08-30 13:23:27,442 fail2ban.filter         [28448]: INFO    Added logfile: '/home/jing/lworkspace/xswitch-community-6.0.7/data/log/freeswitch.log' (pos = 1387373, hash = 99e4ff016fc59bf966e9530dc0fdf935e18d5dd2)
2023-08-30 13:23:27,451 fail2ban.filter         [28448]: INFO      encoding: UTF-8
2023-08-30 13:23:27,451 fail2ban.filter         [28448]: INFO      maxRetry: 5
2023-08-30 13:23:27,451 fail2ban.filter         [28448]: INFO      findtime: 60
2023-08-30 13:23:27,452 fail2ban.actions        [28448]: INFO      banTime: 86400
2023-08-30 13:23:27,455 fail2ban.jail           [28448]: INFO    Jail 'sshd' started
2023-08-30 13:23:27,456 fail2ban.jail           [28448]: INFO    Jail 'freeswitch' started

Once enabled, simulate several failed registrations with a softphone while continuing to watch fail2ban.log. When fail2ban's ban condition is met, a "Ban x.x.x.x" line is logged:

2023-08-30 13:23:27,455 fail2ban.jail           [28448]: INFO    Jail 'sshd' started
2023-08-30 13:23:27,456 fail2ban.jail           [28448]: INFO    Jail 'freeswitch' started
2023-08-30 13:34:22,369 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:34:22
2023-08-30 13:34:22,370 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:34:22
2023-08-30 13:45:25,647 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:25
2023-08-30 13:45:25,648 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:25
2023-08-30 13:45:47,583 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:47
2023-08-30 13:45:47,583 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:47
2023-08-30 13:45:55,595 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:55
2023-08-30 13:45:55,595 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:55
2023-08-30 13:45:55,762 fail2ban.actions        [28448]: NOTICE  [freeswitch] Ban 172.18.64.1

After the ban entry appears, run iptables -L -n to inspect the current rules; you should see something like:

Chain f2b-freeswitch-tcp (1 references)
target     prot opt source               destination
REJECT     all  --  172.18.64.1          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-freeswitch-udp (1 references)
target     prot opt source               destination
REJECT     all  --  172.18.64.1          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Adding WeCom (Enterprise WeChat) notifications

  • Create a WeCom group bot

Before adding WeCom notifications, first create an internal WeCom group and add a bot to it. Once the bot has been added you receive a webhook address of the form https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=xxx-xxx.

Create the script /usr/local/bin/send_wechat.sh:

#!/bin/bash
# Webhook address of the WeCom group bot (replace the placeholder key)
BOT_URL="https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=xxx-xxx"

# Send a markdown message to the group bot; $1 is the banned IP
function send_notify () {
    message="# Fail2ban封禁通知 \n <font color=\"warning\"> IP: $1 </font> \n "
    curl "${BOT_URL}" \
        -H 'Content-Type: application/json' \
        -d '
        {
            "msgtype": "markdown",
            "markdown": {
                "content": "'"${message}"'"
            }
        }'
}
send_notify "$1"

Make the script executable with chmod a+x /usr/local/bin/send_wechat.sh, and test that send_wechat.sh 1.1.1.1 delivers a notification to WeCom.

  • Add an action configuration

Create the file /etc/fail2ban/action.d/wechat.conf with the following content:

# Fail2Ban configuration file
#
# Author: Think
#
#


[Definition]

# bypass ban/unban for restored tickets
norestored = 1

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = /usr/local/bin/send_wechat.sh <ip>

[Init]

# Default name of the chain
#
name = default

This action only binds the actionban event; if you also want a notification on unban, add an actionunban entry yourself.

  • Modify the freeswitch jail configuration

Edit /etc/fail2ban/jail.d/freeswitch.conf and add the new action:

[freeswitch]

enabled = true
port     = 7060,7061
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
           wechat
logpath  = /home/jing/lworkspace/xswitch-community-6.0.7/data/log/freeswitch.log
maxretry = 5
bantime = 1d
findtime = 1m

Restart the service after the change, then test. Before testing, unban the local IP that was banned earlier:

fail2ban-client unban 172.18.64.1
