signalwire / freeswitch

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a versatile software implementation that runs on any commodity hardware. From a Raspberry PI to a multi-core server, FreeSWITCH can unlock the telecommunications potential of any device.
https://freeswitch.com/#getting-started

Fail2ban setup to ban users who try to dial invalid extensions #566

Open S-trace opened 4 years ago

S-trace commented 4 years ago

Hello.

I want to set up fail2ban to ban users who try to dial invalid extensions. For example, I have 10-digit extensions only, and I am very annoyed by SIP scanners trying to call some random extensions. How should I set up fail2ban to ban (permanently) every IP who tried to dial a non-10-digit extension?

Thank you.

ancosgrove commented 4 years ago

I would suggest rethinking banning based on invalid extensions tried. You'll potentially ban legitimate users that make a mistake. There are already example configurations to ban the ones who don't bother changing their user agent string (friendly scanner, etc.).

There are other methods of dealing with "script kiddies". You could insert a rule into iptables that will throttle the rate of incoming packets after crossing a threshold. So if say some attacker from India were to send 10 INVITEs on port 5060/udp in a span of 2 seconds from the same IP then the traffic wouldn't pass through. Fail2ban of course could keep track of these incidents and do a perma-ban if 'x' attempts were made.

If you still want to ban by invalid extension then you would need to customize the regex used within filter.d/freeswitch.local. In your dialplan you would need an extension with a catch-all condition as the last entry after everything else has been tried.

    <!-- Last extension in the context: only reached when no earlier extension matched. -->
    <extension name="catch-all">
      <condition field="destination_number" expression="^.*$">
        <!-- Log the transport-level source address: ${sip_network_ip} is set by mod_sofia from the
             packet's source, whereas the Contact header (${sip_contact_host}) is supplied by the client. -->
        <action application="log" data="NOTICE INVALID / BAD EXTENSION from ${sip_network_ip}"/>
        <!-- Reject the call; UNALLOCATED_NUMBER is answered with SIP 404 Not Found. -->
        <action application="hangup" data="UNALLOCATED_NUMBER"/>
      </condition>
    </extension>

Adjust fail2ban regex to look for the "INVALID" text and get the IP from the variable. Look at this confluence page for more info: https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban
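The detection half of the approach described above, as an added example that is not part of the issue thread or of FreeSWITCH or fail2ban: it replays fail2ban's failregex / maxretry / findtime / ignoreip logic over a handful of constructed FreeSWITCH log lines, so you can see which hosts the catch-all rule would get banned and which would not. The log format (mod_logfile's "date time [LEVEL] file:line message"), the `mod_dptools.c` line number and all IP addresses are assumed or constructed; the regex in the docstring is what a `filter.d/freeswitch.local` entry for this log line would look like under those assumptions, not a stock fail2ban filter.

```python
"""
Added example, not from the issue or from FreeSWITCH/fail2ban.

Assumed fail2ban filter (filter.d/freeswitch.local). fail2ban strips the date it
matched before applying failregex, which leaves the ".microseconds" prefix, hence
the leading "^\\.\\d+":

    [Definition]
    failregex = ^\\.\\d+ \\[NOTICE\\] mod_dptools\\.c:\\d+ INVALID / BAD EXTENSION from <HOST>$
    ignoreregex =

Below, fail2ban's <HOST> token is replaced by a named group and the date is
parsed explicitly so the findtime window can be evaluated.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Full-line equivalent of the failregex above (assumed mod_logfile format).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) \[NOTICE\] "
    r"mod_dptools\.c:\d+ INVALID / BAD EXTENSION from (?P<host>\S+)$"
)

# Mirrors fail2ban's ignoreip: addresses that are never banned. Constructed for
# this example; 10.0.0.0/8 stands in for the PBX's own phones.
IGNOREIP = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "10.0.0.0/8")]

# Constructed log lines: 203.0.113.5 behaves like a scanner (many invalid
# destinations in seconds), 198.51.100.7 like a user who misdialled twice,
# 10.0.0.12 is an internal phone. The WARNING line must not match.
SAMPLE_LOG = """\
2021-03-10 10:15:01.100000 [NOTICE] mod_dptools.c:1858 INVALID / BAD EXTENSION from 203.0.113.5
2021-03-10 10:15:02.000000 [NOTICE] mod_dptools.c:1858 INVALID / BAD EXTENSION from 203.0.113.5
2021-03-10 10:15:03.300000 [NOTICE] mod_dptools.c:1858 INVALID / BAD EXTENSION from 203.0.113.5
2021-03-10 10:15:04.400000 [WARNING] sofia_reg.c:3096 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@pbx.example] from ip 203.0.113.5
2021-03-10 10:15:05.500000 [NOTICE] mod_dptools.c:1858 INVALID / BAD EXTENSION from 203.0.113.5
2021-03-10 10:15:10.000000 [NOTICE] mod_dptools.c:1858 INVALID / BAD EXTENSION from 198.51.100.7
2021-03-10 10:15:12.000000 [NOTICE] mod_dptools.c:1858 INVALID / BAD EXTENSION from 10.0.0.12
2021-03-10 10:15:13.000000 [NOTICE] mod_dptools.c:1858 INVALID / BAD EXTENSION from 10.0.0.12
2021-03-10 10:15:20.000000 [NOTICE] mod_dptools.c:1858 INVALID / BAD EXTENSION from 203.0.113.5
2021-03-10 10:16:30.000000 [NOTICE] mod_dptools.c:1858 INVALID / BAD EXTENSION from 198.51.100.7
2021-03-10 10:16:40.000000 [NOTICE] mod_dptools.c:1858 INVALID / BAD EXTENSION from 203.0.113.5
"""


def parse_line(line):
    """Return (timestamp, host) for a matching line, or None (like a failregex miss)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["host"]


def is_ignored(host, ignoreip=IGNOREIP):
    """True if host falls in an ignoreip range. Non-IP hosts are never ignored."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in ignoreip)


def evaluate(lines, maxretry=5, findtime=600, ignoreip=IGNOREIP):
    """Return {host: time_of_ban} for hosts with >= maxretry matches within a
    sliding findtime window (in seconds). A host is banned once; later matches
    from it are ignored, as fail2ban does while a ban is in force."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned or is_ignored(host, ignoreip):
            continue
        q = hits[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for host, when in evaluate(SAMPLE_LOG.splitlines()).items():
        print(f"ban {host} at {when}")
```

With the defaults (`maxretry=5`, `findtime=600`) only the scanner is banned, at its fifth match; the user who misdialled twice is left alone, which is the point ancosgrove raises about banning on invalid extensions. Lowering `maxretry` to 2 bans that user as well, while the internal phone stays protected by `ignoreip` however often it misdials.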