[Spce-user] Fail2Ban SPCE
Scott Fertig
scottf at zstaff.wcoil.com
Tue Apr 28 09:47:18 EDT 2020
Hi,
I just was trying to do this myself the other day and had some issues
but seem to have gotten it worked out. I'm using mr8.3.1. If I'm doing
this wrong, anyone feel free to correct me; everything that I did here
came from items I found searching this list. What I had to do was edit
/etc/ngcp-config/constants.yaml and set CT=$ct under the kamailio ->
proxy -> log -> request section like so:
log:
  request:
    - R=«$ru»
    - ID=«$ci»
    - CT=$ct
    - UA='$ua'
I added this to the proxy section because this is where the bad
authentications were showing.
Then after applying the change and seeing that it is showing up in
kamailio-proxy.log, make a fail2ban filter in
/etc/fail2ban/filter.d/kamailio.conf
[INCLUDES]
[Definition]
# filter for kamailio messages
failregex = Authentication failed, no credentials - R=.* ID=.* CT=<sip:.*@<HOST>:.*>
            Authentication failed, invalid user - R=.* ID=.* CT=<sip:.*@<HOST>:.*>
            Consecutive Authentication Failure for '.*' UA='.*' IP='«<HOST>»'
It looks, though, like the "Consecutive Authentication Failure" failregex
should work without any modifications, but for the other auth failures
there was no IP showing in the log, which is why I changed the
constants.yaml file. Also, my failregex may be a little rough here and
could be improved...
Again if there is a better way to do this or this is wrong, anyone
please feel free to let me know. But for the moment this appears to be
working for me and banning things.
--
Scott C. Fertig
Digium Certified Asterisk Administrator (dCAA)
WCOIL Network Operations Lead
ph: 419.229.2645 x1028
fax: 419.229.5278
scottf at staff.wcoil.com
On 4/24/20 9:32 AM, cappellari at connectlife.it wrote:
> Hi everyone. Has anyone installed fail2ban with spce? I followed this
> guide:
> https://www.sipwise.org/news/technical/securing-your-ngcp-against-sip-attacks/
>
> the fail2ban log file does not detect the wrong logins .. If I try the
> wrong logons, for example with ssh, the log detects them and bans the
> ip .. any advice? Thanks
>
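Added example, not part of the original message or of the Sipwise configuration: a Python check of the two CT-based failregex lines from the filter above, run over constructed log lines. The `<HOST>` substitution is a simplified IPv4-only stand-in for fail2ban's own, and the function name, sample lines and addresses are assumptions. Since CT is the Contact header as sent by the client, the second sample shows a private address being extracted, and the third shows the same event as logged without CT=$ct.

```python
import ipaddress
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> expansion (assumption).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two CT-based failregex lines from the filter in the message above.
FAILREGEX = [
    r"Authentication failed, no credentials - R=.* ID=.* CT=<sip:.*@<HOST>:.*>",
    r"Authentication failed, invalid user - R=.* ID=.* CT=<sip:.*@<HOST>:.*>",
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST_GROUP)) for rx in FAILREGEX]

# RFC 1918 and loopback ranges: a Contact address here is not the WAN source.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def classify(line):
    """Return (host, note) for the address the filter would pass to fail2ban."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            break
    else:
        return None, "no match"
    host = m.group("host")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host, "not a valid address"
    if any(addr in net for net in NON_ROUTABLE):
        return host, "private Contact address"
    return host, "bannable"


# Constructed sample lines (timestamps, users and addresses are made up).
SAMPLES = [
    "Apr 28 09:40:01 spce proxy[1]: Authentication failed, no credentials - "
    "R=«sip:sip.example.org» ID=«a1b2c3» CT=<sip:1001@198.51.100.20:5060> UA='Phone 1.0'",
    "Apr 28 09:40:02 spce proxy[1]: Authentication failed, invalid user - "
    "R=«sip:sip.example.org» ID=«d4e5f6» CT=<sip:1002@192.168.1.50:5060> UA='Phone 1.0'",
    # Same event as logged before CT=$ct was added: no address to extract.
    "Apr 28 09:40:03 spce proxy[1]: Authentication failed, no credentials - "
    "R=«sip:sip.example.org» ID=«a7b8c9» UA='Phone 1.0'",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

On the server itself, running `fail2ban-regex` with kamailio-proxy.log and the filter file gives the authoritative result, since it uses fail2ban's real `<HOST>` expansion.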