
How to add fail2ban to an XSwitch system

Author: Seven Du
Published 2024-04-18 18:29:38
Fail2ban is intrusion detection software that detects brute-force attacks and blocks them. It is written in Python, has a rich set of extension modules and customization options, and ships with preset module configurations for the major application protocols, such as HTTP/HTTPS, SSH, FTP and SIP. Its working principle is basically this: it first scans the relevant application log, then uses regular expressions to pick the offending source IP and the time out of the log records, and feeds the extracted data into a filter list. If one of the ban conditions in the filter list is met, the corresponding action is triggered; that action may add the IP to iptables for blocking, or run a custom script.

Installing Fail2ban

  • CentOS/Redhat install

yum install -y epel-release
yum install -y fail2ban

Install the EPEL repository first, then install the fail2ban package.

  • Debian/Ubuntu install

apt install -y fail2ban

On Debian and Ubuntu it can be installed directly; no third-party repository is needed.

  • Post-install check

After installation, the preset configuration files can be found under /etc/fail2ban/.

Modifying the XSwitch configuration

XSwitch listens on two SIP ports by default: the default profile, with authentication, and the public profile, without. Usually the authenticated port is exposed directly to the internet so that users can register over the public network, while the unauthenticated port is opened only through the server's security policy or ACL rules, following a whitelist principle. So the SIP port that mainly needs protection against SIP brute-force attacks is the one configured for the default profile. To have Fail2ban block IPs there, first add a setting to the default profile so that IPs with authentication failures are written to the freeswitch.log log file.

First log in to the XSwitch admin console, open Advanced -- SIP in the side menu, find the log-auth-failures parameter and set its value to true. If the parameter does not exist, add one manually with the name log-auth-failures and the value true, and enable it. After changing the configuration, rescan or restart the profile so that the change takes effect.

Next, verify that the configuration has taken effect. First, follow the log on the server in real time:

tail -f data/log/freeswitch.log

Then point a softphone at your own server address and port, enter an arbitrary username and password, click register, and watch the FS log. If lines containing SIP auth failure like the ones below appear, the configuration is working.

2023-08-30 11:16:15.907763 98.10% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
2023-08-30 11:16:15.927736 98.10% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1

Overview of the Fail2ban configuration

Fail2Ban configuration files are in INI format and live in the /etc/fail2ban directory:

  • fail2ban.conf: parameters of the fail2ban daemon itself, such as its log and database.
  • jail.conf: ban-related parameters.
  • filter.d/*: the regex filter rules that filter entries in jail.conf refer to.
  • action.d/*: the action commands that action entries in jail.conf refer to, such as banning an IP or sending an email notification.

These are all files installed by the package; editing them directly means a later upgrade cannot merge the configuration automatically. Fail2Ban therefore provides a mechanism for custom configuration files:

  • Options in fail2ban.conf can be overridden via fail2ban.d/* and fail2ban.local.
  • Options in jail.conf can be overridden via jail.d/* and jail.local.

In a default installation, /etc/fail2ban/jail.d/defaults-debian.conf already enables the sshd jail.

Usually nothing other than jail.conf needs to be changed. The parameters in jail.conf are described below; they are not only default (global) parameters (under [DEFAULT]) but can also be overridden in a specific jail (such as [sshd]).

Common parameters:

  • ignoreip: IP addresses (in CIDR notation) or host names to ignore, separated by spaces.
  • bantime: how long a host stays banned, 600 seconds by default.
  • maxretry: the number of authentication failures a host is allowed within the findtime window. Once the maximum is reached, the host is banned.
  • findtime: the time window in which authentication failures are looked for. It does not mean the log is scanned once every findtime.

Newer Fail2ban versions accept s (seconds), m (minutes) and d (days) as time units, e.g. 10m and 1d.

The introduction above is quoted from: https://www.malike.net.cn/blog/2021/03/15/fail2ban-tutorial-1/

  • Adding a jail configuration for freeswitch

Create /etc/fail2ban/jail.d/freeswitch.conf with the following content:

[freeswitch]

enabled = true
port     = 7060,7061
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
#           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath  = /home/jing/lworkspace/xswitch-community-6.0.7/data/log/freeswitch.log
maxretry = 5
bantime = 1d
findtime = 1m

The port and log path above can be adjusted to your own setup.

  • Modifying the filter rule

Besides creating that file, the regex rule in the default filter.d/freeswitch.conf also has to be modified, because the log output format changed in FreeSWITCH 1.10 and later: an extra column with the CPU idle percentage follows the timestamp.

failregex = %(_pref_line)s \d+\.?\d+?%% \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
            %(_pref_line)s \d+\.?\d+?%% \[WARNING\] sofia_reg\.c:\d+ Can't find user \[[^@]+@[^\]]+\] from <HOST>$

Compared with the original rule, the modified configuration above adds the \d+\.?\d+?%% part of the regex; everything else is unchanged.

After the change, verify that the filter rule actually matches the target IP. The fail2ban-regex command does this; it checks that the regex configuration is correct:

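The following Python script is added here as an illustration; it is not part of the article or of fail2ban itself. It expands the two modified failregex lines above into plain regexes, runs them over a constructed log excerpt (including one pre-1.10 line without the CPU column), and replays the maxretry/findtime counting rule from the parameter list above. The %(_pref_line)s and <HOST> stand-ins are simplifications assumed for the example.

```python
import re
from datetime import datetime

# Stand-in for fail2ban's %(_pref_line)s: the timestamp opening every freeswitch.log line
# (an assumption; fail2ban's real prefix pattern is broader).
PREF_LINE = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+"
# The CPU-idle column FreeSWITCH 1.10+ prints after the timestamp ('%%' in a .conf is a literal '%').
CPU_IDLE = r" \d+\.?\d+?%"
# Simplified IPv4-only stand-in for the group fail2ban substitutes for <HOST>.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})$"

# The article's two failregex lines, expanded into plain Python regexes.
FAILREGEX = [
    re.compile(PREF_LINE + CPU_IDLE + r" \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge)"
               r" \((REGISTER|INVITE)\) on sofia profile '[^']+' for \[[^\]]*\] from ip " + HOST),
    re.compile(PREF_LINE + CPU_IDLE + r" \[WARNING\] sofia_reg\.c:\d+ Can't find user"
               r" \[[^@]+@[^\]]+\] from " + HOST),
]

def matched_hosts(lines):
    """Yield (timestamp, host) for every line that one of the failregex lines matches."""
    for line in lines:
        for rx in FAILREGEX:
            if m := rx.match(line):
                yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("host")
                break

def banned_hosts(lines, maxretry=5, findtime=60):
    """Replay the jail rule: ban a host once it has maxretry matches inside a sliding findtime (seconds)."""
    recent, banned = {}, set()
    for ts, host in matched_hosts(lines):
        window = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample log (not the article's). One failed REGISTER yields both a
# 'challenge' and a 'failure' line, so each attempt counts twice toward maxretry.
def _attempt(ts, ip, user="1001"):
    tail = f"(REGISTER) on sofia profile 'default' for [{user}@172.18.72.134] from ip {ip}"
    return [f"{ts} 98.10% [WARNING] sofia_reg.c:1893 SIP auth challenge {tail}",
            f"{ts} 98.10% [WARNING] sofia_reg.c:1838 SIP auth failure {tail}"]

SAMPLE_LOG = (_attempt("2023-08-30 13:45:25.100000", "203.0.113.5")
              + _attempt("2023-08-30 13:45:47.100000", "203.0.113.5")
              + _attempt("2023-08-30 13:45:55.100000", "203.0.113.5")
              + _attempt("2023-08-30 13:45:30.100000", "198.51.100.7")
              # A pre-1.10 line without the CPU column: the updated regex does not match it.
              + ["2023-08-30 13:45:31.100000 [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 198.51.100.7"])
```

With the article's maxretry = 5 and findtime = 1m, three failed registrations from 203.0.113.5 within a minute produce six matches and trigger the ban, while the single attempt from 198.51.100.7 does not.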
fail2ban-regex /home/jing/lworkspace/xswitch-community-6.0.7/data/log/freeswitch.log /etc/fail2ban/filter.d/freeswitch.conf  --print-all-matched

If the command prints output like the following, the regex configuration is correct:

Lines: 18386 lines, 0 ignored, 22 matched, 18364 missed
[processed in 0.60 sec]

|- Matched line(s):
|  2023-08-02 15:27:54.392865 98.60% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 15:27:54.412905 98.60% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 15:44:46.992944 98.30% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 15:44:46.992944 98.30% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 15:44:55.292938 98.43% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [100111@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 15:44:55.312868 98.43% [WARNING] sofia_reg.c:3264 Can't find user [100111@xswitch.cn] from 172.18.64.1
|  2023-08-02 15:44:55.312868 98.43% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [100111@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 22:37:43.172876 98.40% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [100111@172.18.72.134] from ip 172.18.64.1
|  2023-08-02 22:37:43.672927 96.17% [WARNING] sofia_reg.c:3264 Can't find user [100111@xswitch.cn] from 172.18.64.1
|  2023-08-02 22:37:43.672927 96.17% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [100111@172.18.72.134] from ip 172.18.64.1
|  2023-08-26 20:10:41.203200 99.23% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-26 20:10:41.223183 99.23% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-26 20:17:41.121487 98.83% [WARNING] sofia_reg.c:1893 SIP auth challenge (INVITE) on sofia profile 'default' for [111@172.18.72.134] from ip 172.18.64.1
|  2023-08-26 20:17:41.141382 98.83% [WARNING] sofia_reg.c:3264 Can't find user [18210273894@xswitch.cn] from 172.18.64.1
|  2023-08-26 20:17:41.141382 98.83% [WARNING] sofia_reg.c:1838 SIP auth failure (INVITE) on sofia profile 'default' for [111@172.18.72.134] from ip 172.18.64.1
|  2023-08-26 20:17:47.621838 98.83% [WARNING] sofia_reg.c:1893 SIP auth challenge (INVITE) on sofia profile 'default' for [1111@172.18.72.134] from ip 172.18.64.1
|  2023-08-26 20:17:47.641442 98.83% [WARNING] sofia_reg.c:3264 Can't find user [18210273894@xswitch.cn] from 172.18.64.1
|  2023-08-26 20:17:47.641442 98.83% [WARNING] sofia_reg.c:1838 SIP auth failure (INVITE) on sofia profile 'default' for [1111@172.18.72.134] from ip 172.18.64.1
|  2023-08-30 11:16:15.907763 98.10% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-30 11:16:15.927736 98.10% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-30 13:34:22.127740 98.97% [WARNING] sofia_reg.c:1893 SIP auth challenge (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
|  2023-08-30 13:34:22.147743 98.97% [WARNING] sofia_reg.c:1838 SIP auth failure (REGISTER) on sofia profile 'default' for [1001@172.18.72.134] from ip 172.18.64.1
`-
Missed line(s): too many to print.  Use --print-all-missed to print all 18364 lines

  • Enabling the service

After editing the configuration, restart the service with systemctl restart fail2ban so that it takes effect. After the restart, check the /var/log/fail2ban.log log file; you will see content like the following:

2023-08-30 13:23:27,442 fail2ban.filter         [28448]: INFO    Added logfile: '/home/jing/lworkspace/xswitch-community-6.0.7/data/log/freeswitch.log' (pos = 1387373, hash = 99e4ff016fc59bf966e9530dc0fdf935e18d5dd2)
2023-08-30 13:23:27,451 fail2ban.filter         [28448]: INFO      encoding: UTF-8
2023-08-30 13:23:27,451 fail2ban.filter         [28448]: INFO      maxRetry: 5
2023-08-30 13:23:27,451 fail2ban.filter         [28448]: INFO      findtime: 60
2023-08-30 13:23:27,452 fail2ban.actions        [28448]: INFO      banTime: 86400
2023-08-30 13:23:27,455 fail2ban.jail           [28448]: INFO    Jail 'sshd' started
2023-08-30 13:23:27,456 fail2ban.jail           [28448]: INFO    Jail 'freeswitch' started

Once enabled, use a softphone to simulate several failed registrations while still watching fail2ban.log. When fail2ban's ban condition is met, a Ban x.x.x.x line is logged:

2023-08-30 13:23:27,455 fail2ban.jail           [28448]: INFO    Jail 'sshd' started
2023-08-30 13:23:27,456 fail2ban.jail           [28448]: INFO    Jail 'freeswitch' started
2023-08-30 13:34:22,369 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:34:22
2023-08-30 13:34:22,370 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:34:22
2023-08-30 13:45:25,647 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:25
2023-08-30 13:45:25,648 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:25
2023-08-30 13:45:47,583 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:47
2023-08-30 13:45:47,583 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:47
2023-08-30 13:45:55,595 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:55
2023-08-30 13:45:55,595 fail2ban.filter         [28448]: INFO    [freeswitch] Found 172.18.64.1 - 2023-08-30 13:45:55
2023-08-30 13:45:55,762 fail2ban.actions        [28448]: NOTICE  [freeswitch] Ban 172.18.64.1

After seeing the ban log line, check the current rules with iptables -L -n; you will see something like the following:

Chain f2b-freeswitch-tcp (1 references)
target     prot opt source               destination
REJECT     all  --  172.18.64.1          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-freeswitch-udp (1 references)
target     prot opt source               destination
REJECT     all  --  172.18.64.1          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0

Adding WeCom (企业微信) notifications

  • Creating a WeCom bot

Before adding WeCom notifications, first create an internal WeCom group and add a bot to it. Once the bot is added, you get a webhook address of the form https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=xxx-xxx.

Create the script /usr/local/bin/send_wechat.sh:

#!/bin/bash
# Webhook address of the WeCom group bot (replace the key with your own)
BOT_URL="https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=xxx-xxx"

# Post a markdown message to the group bot; $1 is the banned IP
function send_notify () {
    message="# Fail2ban封禁通知 \n <font color=\\\"warning\\\"> IP: $1 </font> \n "
    curl "${BOT_URL}" \
        -H 'Content-Type: application/json' \
        -d '
        {
            "msgtype": "markdown",
            "markdown": {
                "content": "'"${message}"'"
            }
        }'
}

send_notify "$1"

Make the script executable with chmod a+x /usr/local/bin/send_wechat.sh, and test with send_wechat.sh 1.1.1.1 to confirm the WeCom notification arrives.

  • Adding the action configuration

Create the file /etc/fail2ban/action.d/wechat.conf with the following content:

# Fail2Ban configuration file
#
# Author: Think
#
#


[Definition]

# bypass ban/unban for restored tickets
norestored = 1

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = /usr/local/bin/send_wechat.sh <ip>

[Init]

# Default name of the chain
#
name = default

This action only binds the actionban behaviour; if you also want an actionunban notification, add one yourself.

  • Modifying the freeswitch jail configuration

Edit /etc/fail2ban/jail.d/freeswitch.conf and add the new action:

[freeswitch]

enabled = true
port     = 7060,7061
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
           wechat
logpath  = /home/jing/lworkspace/xswitch-community-6.0.7/data/log/freeswitch.log
maxretry = 5
bantime = 1d
findtime = 1m

Restart the service after the change and then test. Before testing, first unban your own IP that was banned earlier, with the following command:

fail2ban-client unban 172.18.64.1

This article was shared from the FreeSWITCH中文社区 WeChat public account via the Tencent Cloud self-media sharing program. Originally published 2024-04-12.