fail2ban/config/filter.d/freeswitch.conf

# Fail2Ban configuration file
#
# Enable "log-auth-failures" on each Sofia profile to monitor
# <param name="log-auth-failures" value="true"/>
# -- this requires a high enough loglevel on your logs to save these messages.
#
# In the fail2ban jail.local file for this filter set ignoreip to the internal
# IP addresses on your LAN.
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = freeswitch

# Prefix contains common prefix line (server, daemon, etc.) and 2 datetimes if used systemd backend
_pref_line = ^%(__prefix_line)s(?:\d+-\d+-\d+ \d+:\d+:\d+\.\d+)?

failregex = %(_pref_line)s \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
            %(_pref_line)s \[WARNING\] sofia_reg\.c:\d+ Can't find user \[[^@]+@[^\]]+\] from <HOST>$

ignoreregex =

datepattern = {^LN-BEG}

# Author: Rupa SChomaker, soapee01, Daniel Black
# https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban
# Thanks to Jim on mailing list of samples and guidance
#
# No need to match the following. Its a duplicate of the SIP auth regex.
#  ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP <HOST> Rejected by acl "\S+"\. Falling back to Digest auth\.$
ENH: add filter freeswitch - as raised on mailing list 2014-01-03 02:00:37 +00:00			`# Fail2Ban configuration file`
			`#`
DOC: bit more on how to use freeswitch 2014-01-04 01:39:48 +00:00			`# Enable "log-auth-failures" on each Sofia profile to monitor`
			`# <param name="log-auth-failures" value="true"/>`
			`# -- this requires a high enough loglevel on your logs to save these messages.`
ENH: add filter freeswitch - as raised on mailing list 2014-01-03 02:00:37 +00:00			`#`
DOC: ignoreip for internal ips on freeswitch 2014-01-03 21:31:42 +00:00			`# In the fail2ban jail.local file for this filter set ignoreip to the internal`
			`# IP addresses on your LAN.`
			`#`
ENH: add filter freeswitch - as raised on mailing list 2014-01-03 02:00:37 +00:00
[temp commit] 1st try to optimize datedetector/datetemplate functionality (fix ambiguous resp. misleading date detection if several formats used in log resp. by format switch after restart of some services): * Misleading date patterns defined more precisely (using extended syntax %E[mdHMS] for exact two-digit match) * `filter.d/freeswitch.conf` - Optional prefixes (server, daemon, dual time) if systemd daemon logs used (gh-1548) - User part rewritten to accept IPv6 resp. domain after "@" (gh-1548) 2016-09-27 15:53:45 +00:00			`[INCLUDES]`

			`# Read common prefixes. If any customizations available -- read them from`
			`# common.local`
			`before = common.conf`

ENH: add filter freeswitch - as raised on mailing list 2014-01-03 02:00:37 +00:00			`[Definition]`

[temp commit] 1st try to optimize datedetector/datetemplate functionality (fix ambiguous resp. misleading date detection if several formats used in log resp. by format switch after restart of some services): * Misleading date patterns defined more precisely (using extended syntax %E[mdHMS] for exact two-digit match) * `filter.d/freeswitch.conf` - Optional prefixes (server, daemon, dual time) if systemd daemon logs used (gh-1548) - User part rewritten to accept IPv6 resp. domain after "@" (gh-1548) 2016-09-27 15:53:45 +00:00			`_daemon = freeswitch`

			`# Prefix contains common prefix line (server, daemon, etc.) and 2 datetimes if used systemd backend`
			`_pref_line = ^%(__prefix_line)s(?:\d+-\d+-\d+ \d+:\d+:\d+\.\d+)?`

			`failregex = %(_pref_line)s \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure\|challenge) \((REGISTER\|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$`
			`%(_pref_line)s \[WARNING\] sofia_reg\.c:\d+ Can't find user \[[^@]+@[^\]]+\] from <HOST>$`
ENH: add filter freeswitch - as raised on mailing list 2014-01-03 02:00:37 +00:00
			`ignoreregex =`

added possibility to specify more precise default date pattern: - `datepattern = {^LN-BEG}` - only line-begin anchored default patterns (matches date only at begin of line, or with max distance up to 2 non-alphanumeric characters from line-begin); - `datepattern = {*WD-BEG}` - only word-begin anchored default patterns; - `datepattern = ^prefix{DATE}suffix` - exact specified default patterns (using prefix and suffix); common filter configs gets a more precise, line-begin anchored (datepattern = {^LN-BEG}) resp. custom anchoring default date-patterns; 2016-10-05 17:34:21 +00:00			`datepattern = {^LN-BEG}`

ENH: add filter freeswitch - as raised on mailing list 2014-01-03 02:00:37 +00:00			`# Author: Rupa SChomaker, soapee01, Daniel Black`
update doc url direct to confluence page. no code changes. 2016-04-25 04:35:18 +00:00			`# https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban`
ENH: more filter expressions for freeswitch. Anchored existing one at end too 2014-01-03 21:21:22 +00:00			`# Thanks to Jim on mailing list of samples and guidance`
ENH: add filter freeswitch - as raised on mailing list 2014-01-03 02:00:37 +00:00			`#`
BF: catchin DEBUG messages will result in duplicates 2014-01-04 01:10:51 +00:00			`# No need to match the following. Its a duplicate of the SIP auth regex.`
			`# ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP <HOST> Rejected by acl "\S+"\. Falling back to Digest auth\.$`