mirror of https://github.com/fail2ban/fail2ban
filter.d/freeswitch.conf: provide a `mode` parameter, which makes it possible to avoid matching messages like `auth challenge (REGISTER)` (see gh-2163); the default is currently `extra` to remain backwards-compatible; see the comments in the filter for how to set it to mode `normal`.
parent
bc2dbacc9a
commit
e995d5a0b6
|
@ -18,20 +18,39 @@ before = common.conf
|
|||
|
||||
_daemon = freeswitch
|
||||
|
||||
# Parameter "mode": normal, ddos or extra (default, combines all)
|
||||
# Usage example (for jail.local):
|
||||
# [freeswitch]
|
||||
# mode = normal
|
||||
# # or with rewrite filter parameters of jail:
|
||||
# [freeswitch-ddos]
|
||||
# filter = freeswitch[mode=ddos]
|
||||
#
|
||||
mode = extra
|
||||
|
||||
# Prefix contains common prefix line (server, daemon, etc.) and 2 datetimes if used systemd backend
|
||||
_pref_line = ^%(__prefix_line)s(?:(?:\d+-)?\d+-\d+ \d+:\d+:\d+\.\d+)?
|
||||
|
||||
prefregex = ^%(_pref_line)s \[WARN(?:ING)?\](?: \[SOFIA\])? \[?sofia_reg\.c:\d+\]? <F-CONTENT>.+</F-CONTENT>$
|
||||
failregex = ^SIP auth (?:failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
|
||||
^Can't find user \[[^@]+@[^\]]+\] from <HOST>$
|
||||
|
||||
cmnfailre = ^Can't find user \[[^@]+@[^\]]+\] from <HOST>$
|
||||
|
||||
mdre-normal = %(cmnfailre)s
|
||||
^SIP auth failure \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
|
||||
|
||||
mdre-ddos = ^SIP auth (?:failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
|
||||
|
||||
mdre-extra = %(cmnfailre)s
|
||||
<mdre-ddos>
|
||||
|
||||
failregex = <mdre-<mode>>
|
||||
|
||||
ignoreregex =
|
||||
|
||||
datepattern = ^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?
|
||||
{^LN-BEG}
|
||||
|
||||
|
||||
# Author: Rupa SChomaker, soapee01, Daniel Black
|
||||
# Author: Rupa SChomaker, soapee01, Daniel Black, Sergey Brester aka sebres
|
||||
# https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban
|
||||
# Thanks to Jim on mailing list of samples and guidance
|
||||
#
|
||||
|
|
|
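Review bot: The comment introducing `mode` names the three values but not what each one matches, and it does not say that the default `extra` still counts `SIP auth challenge` lines, so a jail that leaves `mode` unset keeps the behaviour reported in gh-2163. I would spell it out above `mode = extra`, e.g. `# normal: "Can't find user" and "SIP auth failure" only`, `# ddos: "SIP auth failure" and "SIP auth challenge" only (no "Can't find user")`, `# extra: all of the above (previous behaviour)`. A further line could say that challenge lines are presumably also logged for ordinary client registrations, which is why `normal` is the mode to choose where legitimate clients were being banned. A value outside these three leaves `<mdre-<mode>>` without a matching option; how the loader reports that is not visible here, so listing the allowed values explicitly helps.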
@ -1,5 +1,10 @@
|
|||
# filterOptions: [{}, {"mode": "ddos"}]
|
||||
|
||||
# failJSON: { "time": "2013-12-31T17:39:54", "match": true, "host": "81.94.202.251" }
|
||||
2013-12-31 17:39:54.767815 [WARNING] sofia_reg.c:1533 SIP auth challenge (INVITE) on sofia profile 'internal' for [011448708752617@192.168.2.51] from ip 81.94.202.251
|
||||
|
||||
# filterOptions: [{}, {"mode": "normal"}]
|
||||
|
||||
# failJSON: { "time": "2013-12-31T17:39:54", "match": true, "host": "5.11.47.236" }
|
||||
2013-12-31 17:39:54.767815 [WARNING] sofia_reg.c:1478 SIP auth failure (INVITE) on sofia profile 'internal' for [000972543480510@192.168.2.51] from ip 5.11.47.236
|
||||
# failJSON: { "time": "2013-12-31T17:39:54", "match": false }
|
||||
|
|
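Review bot: Nothing in this hunk asserts that `mode=normal` leaves the `SIP auth challenge` line unmatched, which is the behaviour the commit exists for; the challenge sample runs only with `[{}, {"mode": "ddos"}]` and the failure sample with `[{}, {"mode": "normal"}]`, both expecting a match. Assuming `# filterOptions:` applies to the samples that follow it, I would add a block `# filterOptions: [{"mode": "normal"}]` followed by `# failJSON: { "time": "2013-12-31T17:39:54", "match": false }` and the existing challenge line, so a later regex edit cannot silently bring challenge matching back into `normal`. The file continues past the last `failJSON` shown, so such a case may already exist outside the hunk.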