
How to add fail2ban to an XSwitch system

小樱桃科技
2024-04-22

Lead: an update to the XSwitch How-To documentation

Fail2ban is intrusion-detection software that detects brute-force attacks and blocks them. It is written in Python, offers a rich set of extension modules and customization options, and ships with preset module configurations for the main application protocols, such as HTTP/HTTPS, SSH, FTP and SIP. Its working principle is essentially this: it first scans the relevant application log, then uses regular expressions to pick the source IP and time out of each abnormal log record, and feeds the data captured by the regex into a filter list. If an entry meets one of the ban conditions in the filter list, the corresponding action is triggered; that action may add the address to an iptables block rule, or it may run a custom script.

Installing Fail2ban

  • CentOS/Red Hat installation

yum install -y epel-release
yum install -y fail2ban

Install the EPEL repository first, then the fail2ban package.

  • Debian/Ubuntu installation

apt install -y fail2ban

On Debian and Ubuntu the package can be installed directly; no third-party repository is needed.

  • Verifying the installation

After installation, the preset configuration files can be seen under /etc/fail2ban/.

Modifying the XSwitch configuration

XSwitch listens on two SIP ports by default: one belongs to the default profile, which requires authentication, and the other to the public profile, which does not. The authenticated port is usually exposed directly to the public internet so that users can register over it. The unauthenticated port should instead be restricted by the server's security policy or by ACL rules, following a whitelist principle. So the port that mainly needs protection against SIP brute-force attacks is the SIP port configured on the default profile. To have Fail2ban block IPs here, a setting must first be added to the default profile so that it writes the IPs with failed authentication to the freeswitch.log file.

First log in to the XSwitch admin console and open Advanced -> SIP in the side menu. Look for the log-auth-failures parameter and set its value to true. If the parameter does not exist, add one manually with the name log-auth-failures and the value true, and enable it. After changing the configuration, rescan or restart so that it takes effect.

Next, verify that the setting works. On the server, watch the log in real time:

tail -f data/log/freeswitch.log

Then point a softphone at your own server and port as its registration address, fill in an arbitrary username and password, click register and watch the FreeSWITCH log. If lines like the SIP auth failure entries below appear, the setting is working.

2023-08-30 11:16:15.907763 98.10% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
2023-08-30 11:16:15.927736 98.10% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1

Overview of the Fail2ban configuration

Fail2Ban's configuration files are in INI format and live in the /etc/fail2ban directory:

  • fail2ban.conf: parameters of the fail2ban process itself, such as its log and database.

  • jail.conf: ban-related parameters.

  • filter.d/*: the regular-expression filter rules referenced by filter in jail.conf.

  • action.d/*: the commands for the actions referenced by action in jail.conf, such as banning an IP or sending an email notification.

These are all files installed by the package; editing them directly means a later upgrade cannot merge the configuration automatically. Fail2Ban therefore provides a mechanism for custom configuration files:

  • Options in fail2ban.conf can be redefined, in this order, through fail2ban.d/* and fail2ban.local.

  • Options in jail.conf can be redefined, in this order, through jail.d/* and jail.local.

In a default installation, /etc/fail2ban/jail.d/defaults-debian.conf already enables the sshd jail.

Normally nothing other than jail.conf needs to be changed. The following focuses on the parameters in jail.conf; they are not only default (global) parameters under [DEFAULT], they can also be redefined inside a specific jail (such as [sshd]).

Common parameters:

  • ignoreip: IP addresses (CIDR notation) or hostnames to ignore, separated by spaces.

  • bantime: how long a host stays banned; the default is 600 seconds.

  • maxretry: the number of authentication failures a host is allowed within the findtime window. When the maximum is reached, the host is banned.

  • findtime: the time window in which authentication failures are looked for. It does not mean that the log is scanned once every findtime.

Newer versions of Fail2ban accept s (seconds), m (minutes) and d (days) as time units, for example 10m and 1d.

The introduction above is quoted from: https://www.malike.net.cn/blog/2021/03/15/fail2ban-tutorial-1/

  • Adding the freeswitch jail configuration

Create /etc/fail2ban/jail.d/freeswitch.conf with the following content:

[freeswitch]
enabled = true
port = 7060,7061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
#        %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /home/jing/lworkspace/xswitch-community-6.0.7/data/log/freeswitch.log
maxretry = 5
bantime = 1d
findtime = 1m

The port and log path above can be adjusted to your own environment.

  • Modifying the filter rule

Besides creating that file, the regular expressions in the default filter.d/freeswitch.conf also need to be modified, because the log output format changed in FreeSWITCH 1.10 and later: a CPU idle percentage column was added after the timestamp.

failregex = %(_pref_line)s \d+\.?\d+?%% \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
            %(_pref_line)s \d+\.?\d+?%% \[WARNING\] sofia_reg\.c:\d+ Can't find user \[[^@]+@[^\]]+\] from <HOST>$

Compared with the original rule, the modified configuration above adds the \d+\.?\d+?%% part of the pattern; the rest is unchanged.
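As an added illustration, not code from the original post or from the XSwitch or Fail2ban projects, the Python script below ties together three things this article describes: the scan-regex-extract-ban workflow from the introduction, the maxretry/findtime parameters, and why the filter rule above had to change. It applies both the original (pre-1.10) and the modified failregex to a constructed freeswitch.log sample written in the format shown on this page, extracts the timestamp and host the way fail2ban's filter does, and then runs a simplified findtime/maxretry sliding window to decide which host would be banned. The expansion of %(_pref_line)s and <HOST> is an assumption made for the demonstration: real fail2ban substitutes its own, more general patterns (<HOST> also matches hostnames and IPv6), and the %% in the page's rule is configparser escaping for one literal % sign.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hand-expanded stand-ins for fail2ban's substitutions (assumption: fail2ban's real
# <HOST> also matches hostnames and IPv6; an IPv4 group is enough for this demo).
_PREF_LINE = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+"
_HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

_AUTH_TAIL = (r" \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\)"
              r" on sofia profile \'[^']+\' for \[[^\]]*\] from ip " + _HOST + r"$")
_USER_TAIL = r" \[WARNING\] sofia_reg\.c:\d+ Can't find user \[[^@]+@[^\]]+\] from " + _HOST + r"$"

# Rules for the pre-1.10 log format: nothing sits between the timestamp and [WARNING].
OLD_FAILREGEX = [_PREF_LINE + _AUTH_TAIL, _PREF_LINE + _USER_TAIL]
# The page's modified rules: \d+\.?\d+?% swallows the CPU idle column ("98.97%").
# (Written as %% in the fail2ban file because configparser treats % specially.)
NEW_FAILREGEX = [_PREF_LINE + r" \d+\.?\d+?%" + _AUTH_TAIL,
                 _PREF_LINE + r" \d+\.?\d+?%" + _USER_TAIL]

# Constructed sample of freeswitch.log in the 1.10+ format. The timestamps for
# 172.18.64.1 follow the "Found" sequence in the fail2ban.log excerpt on this page;
# 192.0.2.10 and the [INFO] line are made up to show a non-banned host and a miss.
SAMPLE_LOG = """\
2023-08-30 13:34:22.127740 98.97% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
2023-08-30 13:34:22.147743 98.97% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
2023-08-30 13:40:10.512300 97.50% [WARNING] sofia_reg.c:3264 Can't find user [2001@xswitch.cn] from 192.0.2.10
2023-08-30 13:41:00.000000 97.80% [INFO] switch_core.c:100 constructed unrelated line that must not match
2023-08-30 13:45:25.600000 98.20% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
2023-08-30 13:45:25.620000 98.20% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
2023-08-30 13:45:47.540000 98.40% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
2023-08-30 13:45:47.560000 98.40% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
2023-08-30 13:45:55.570000 98.35% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
2023-08-30 13:45:55.590000 98.35% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
"""


def parse_failures(lines, patterns):
    """Return [(timestamp, host)] for every line matched by one of the failregex rules,
    in log order. This is the 'scan the log and extract IP and time' step."""
    compiled = [re.compile(p) for p in patterns]
    hits = []
    for line in lines:
        for rx in compiled:
            m = rx.match(line)
            if m:
                ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
                hits.append((ts, m.group("host")))
                break  # one hit per line, like fail2ban
    return hits


def decide_bans(hits, maxretry=5, findtime=timedelta(minutes=1)):
    """Simplified fail2ban decision: a host is banned the moment it has maxretry hits
    whose timestamps all fall within findtime of the newest hit. Hits older than that
    are dropped from the window. Returns {host: timestamp of the triggering hit}."""
    window = defaultdict(deque)
    banned = {}
    for ts, host in hits:
        if host in banned:
            continue  # already banned; fail2ban stops counting until unban
        q = window[host]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()  # expire failures outside the findtime window
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


def run_demo():
    """Summarise both rule sets against the sample so the result can be checked."""
    lines = SAMPLE_LOG.splitlines()
    old_hits = parse_failures(lines, OLD_FAILREGEX)
    new_hits = parse_failures(lines, NEW_FAILREGEX)
    bans = decide_bans(new_hits, maxretry=5, findtime=timedelta(minutes=1))
    return {"old_hits": len(old_hits), "new_hits": len(new_hits),
            "banned": {h: t.strftime("%Y-%m-%d %H:%M:%S") for h, t in bans.items()}}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it with python3 reports 0 hits for the old rule against the new log format (which is exactly the symptom the filter change fixes), 9 hits for the modified rule, and a ban of 172.18.64.1 at 13:45:55, matching the order of events in the fail2ban.log excerpt later in this post; the two earlier hits at 13:34:22 have already aged out of the one-minute window and do not count. Note that the rule matches both the "auth challenge" and the "auth failure" line, so each rejected REGISTER counts twice against maxretry: with maxretry = 5, the third failed registration inside findtime triggers the ban.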

After the change, verify that the filter rule actually matches the target IP. The fail2ban-regex command checks whether a regex configuration is correct:

fail2ban-regex /home/jing/lworkspace/xswitch-community-6.0.7/data/log/freeswitch.log /etc/fail2ban/filter.d/freeswitch.conf  --print-all-matched

If the command prints something like the following, the regex configuration is correct.

Lines: 18386 lines, 0 ignored, 22 matched, 18364 missed
[processed in 0.60 sec]

|- Matched line(s):
|  2023-08-02 15:27:54.392865 98.60% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 15:27:54.412905 98.60% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 15:44:46.992944 98.30% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 15:44:46.992944 98.30% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 15:44:55.292938 98.43% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [100111@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 15:44:55.312868 98.43% [WARNING] sofia_reg.c:3264 Can't find user [100111@xswitch.cn] from 172.18.64.1
|  2023-08-02 15:44:55.312868 98.43% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [100111@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 22:37:43.172876 98.40% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [100111@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 22:37:43.672927 96.17% [WARNING] sofia_reg.c:3264 Can't find user [100111@xswitch.cn] from 172.18.64.1
|  2023-08-02 22:37:43.672927 96.17% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [100111@172.18.72.134] from ip 172.18.64.1
|  2023-08-26 20:10:41.203200 99.23% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-26 20:10:41.223183 99.23% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-26 20:17:41.121487 98.83% [WARNING] sofia_reg.c:1893 SIP auth challenge (INVITE) on sofia profile 'default' for [111@172.18.72.134] from ip 172.18.64.1
|  2023-08-26 20:17:41.141382 98.83% [WARNING] sofia_reg.c:3264 Can't find user [18210273894@xswitch.cn] from 172.18.64.1
|  2023-08-26 20:17:41.141382 98.83% [WARNING] sofia_reg.c:1838 SIP auth failure (INVITE) on sofia profile 'default' for [111@172.18.72.134] from ip 172.18.64.1
|  2023-08-26 20:17:47.621838 98.83% [WARNING] sofia_reg.c:1893 SIP auth challenge (INVITE) on sofia profile 'default' for [1111@172.18.72.134] from ip 172.18.64.1
|  2023-08-26 20:17:47.641442 98.83% [WARNING] sofia_reg.c:3264 Can't find user [18210273894@xswitch.cn] from 172.18.64.1
|  2023-08-26 20:17:47.641442 98.83% [WARNING] sofia_reg.c:1838 SIP auth failure (INVITE) on sofia profile 'default' for [1111@172.18.72.134] from ip 172.18.64.1
|  2023-08-30 11:16:15.907763 98.10% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-30 11:16:15.927736 98.10% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-30 13:34:22.127740 98.97% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-30 13:34:22.147743 98.97% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
`- Missed line(s): too many to print. Use --print-all-missed to print all 18364 lines

  • Enabling the service

After editing the configuration, restart the service with systemctl restart fail2ban so that it takes effect. After the restart, check the /var/log/fail2ban.log file; you will see something like this:

2023-08-30 13:23:27,442 fail2ban.filter         [28448]: INFO    Added logfile: '/home/jing/lworkspace/xswitch-community-6.0.7/data/log/freeswitch.log' (pos = 1387373, hash = 99e4ff016fc59bf966e9530dc0fdf935e18d5dd2)
2023-08-30 13:23:27,451 fail2ban.filter         [28448]: INFO      encoding: UTF-8
2023-08-30 13:23:27,451 fail2ban.filter         [28448]: INFO      maxRetry: 5
2023-08-30 13:23:27,451 fail2ban.filter         [28448]: INFO      findtime: 60
2023-08-30 13:23:27,452 fail2ban.actions        [28448]: INFO      banTime: 86400
2023-08-30 13:23:27,455 fail2ban.jail           [28448]: INFO    Jail 'sshd' started
2023-08-30 13:23:27,456 fail2ban.jail           [28448]: INFO    Jail 'freeswitch' started

Once it is enabled, use a softphone to simulate several failed registrations while continuing to watch fail2ban.log. When fail2ban's ban condition is met, a Ban x.x.x.x line is logged:

2023-08-30 13:23:27,455 fail2ban.jail           [28448]: INFO    Jail 'sshd' started
2023-08-30 13:23:27,456 fail2ban.jail           [28448]: INFO    Jail 'freeswitch' started
2023-08-30 13:34:22,369 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:34:22
2023-08-30 13:34:22,370 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:34:22
2023-08-30 13:45:25,647 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:25
2023-08-30 13:45:25,648 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:25
2023-08-30 13:45:47,583 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:47
2023-08-30 13:45:47,583 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:47
2023-08-30 13:45:55,595 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:55
2023-08-30 13:45:55,595 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:55
2023-08-30 13:45:55,762 fail2ban.actions        [28448]: NOTICE  [freeswitch] Ban 172.18.64.1

After the ban line appears in the log, run iptables -L -n to inspect the current rules; you will see something like this:

Chain f2b-freeswitch-tcp (1 references)
target     prot opt source               destination
REJECT     all  --  172.18.64.1          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-freeswitch-udp (1 references)
target     prot opt source               destination
REJECT     all  --  172.18.64.1          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Adding WeCom (企业微信) notifications

  • Creating a WeCom group bot

Before adding WeCom notifications, first create an internal WeCom group and add a bot to it. Once the bot has been added you receive a webhook address of the form https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=xxx-xxx.

Create the script /usr/local/bin/send_wechat.sh:

#!/bin/bash
# Webhook URL of the WeCom group bot (replace xxx-xxx with your own bot key)
BOT_URL="https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=xxx-xxx"

# Post a markdown message containing the banned IP to the group bot
function send_notify () {
    message="# Fail2ban封禁通知 \n <font color=\\\"warning\\\"> IP: $1 </font> \n "
    curl "${BOT_URL}" \
        -H 'Content-Type: application/json' \
        -d '
        {
            "msgtype": "markdown",
            "markdown": {
                "content": "'"${message}"'"
            }
        }'
}

# The first argument is the address passed in by fail2ban's actionban (<ip>)
send_notify "$1"

Make the script executable with chmod a+x /usr/local/bin/send_wechat.sh, then run send_wechat.sh 1.1.1.1 to test whether the WeCom notification arrives.

  • Adding the action configuration

Create the file /etc/fail2ban/action.d/wechat.conf with the following content:

# Fail2Ban configuration file
#
# Author: Think
#
#

[Definition]

# bypass ban/unban for restored tickets
norestored = 1

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = /usr/local/bin/send_wechat.sh <ip>

[Init]

# Default name of the chain
#
name = default

This action only binds the actionban event; if you also want a notification on unban, add an actionunban entry yourself.

  • Modifying the freeswitch jail configuration

Edit /etc/fail2ban/jail.d/freeswitch.conf and add the new action:

[freeswitch]
enabled = true
port = 7060,7061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
         wechat
logpath = /home/jing/lworkspace/xswitch-community-6.0.7/data/log/freeswitch.log
maxretry = 5
bantime = 1d
findtime = 1m

Restart the service after the change, then test. Before testing, unban the local IP that was banned earlier with the following command:

fail2ban-client unban 172.18.64.1



If you would like to try XSwitch, send a private message with "xswitch" to get a demo account and password; the demo site is https://demo.xswitch.cn/#/
