samwiseetc/fail2ban/filter.d/freeswitch.conf

# Fail2Ban configuration file
#
# Enable "log-auth-failures" on each Sofia profile to monitor
# <param name="log-auth-failures" value="true"/>
# -- this requires a high enough loglevel on your logs to save these messages.
#
# In the fail2ban jail.local file for this filter set ignoreip to the internal
# IP addresses on your LAN.
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = freeswitch

# Parameter "mode": normal, ddos or extra (default, combines all)
# Usage example (for jail.local):
#   [freeswitch]
#   mode = normal
#   # or with rewrite filter parameters of jail:
#   [freeswitch-ddos]
#   filter = freeswitch[mode=ddos]
#
mode = extra
              
# Prefix contains common prefix line (server, daemon, etc.) and 2 datetimes if used systemd backend
_pref_line = ^%(__prefix_line)s(?:(?:\d+-)?\d+-\d+ \d+:\d+:\d+\.\d+)?

prefregex = ^%(_pref_line)s \[WARN(?:ING)?\](?: \[SOFIA\])? \[?sofia_reg\.c:\d+\]? <F-CONTENT>.+</F-CONTENT>$

cmnfailre = ^Can't find user \[[^@]+@[^\]]+\] from <HOST>$

mdre-normal = %(cmnfailre)s
              ^SIP auth failure \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$

mdre-ddos   = ^SIP auth (?:failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$

mdre-extra  = %(cmnfailre)s
              <mdre-ddos>

failregex = <mdre-<mode>>

ignoreregex =

datepattern = ^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?
              {^LN-BEG}

# Author: Rupa SChomaker, soapee01, Daniel Black, Sergey Brester aka sebres
# https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban
# Thanks to Jim on mailing list of samples and guidance
#
# No need to match the following. Its a duplicate of the SIP auth regex.
#  ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP <HOST> Rejected by acl "\S+"\. Falling back to Digest auth\.$
Initial recommit 2 years ago			`# Fail2Ban configuration file`
			`#`
			`# Enable "log-auth-failures" on each Sofia profile to monitor`
			`# <param name="log-auth-failures" value="true"/>`
			`# -- this requires a high enough loglevel on your logs to save these messages.`
			`#`
			`# In the fail2ban jail.local file for this filter set ignoreip to the internal`
			`# IP addresses on your LAN.`
			`#`

			`[INCLUDES]`

			`# Read common prefixes. If any customizations available -- read them from`
			`# common.local`
			`before = common.conf`

			`[Definition]`

			`_daemon = freeswitch`

			`# Parameter "mode": normal, ddos or extra (default, combines all)`
			`# Usage example (for jail.local):`
			`# [freeswitch]`
			`# mode = normal`
			`# # or with rewrite filter parameters of jail:`
			`# [freeswitch-ddos]`
			`# filter = freeswitch[mode=ddos]`
			`#`
			`mode = extra`

			`# Prefix contains common prefix line (server, daemon, etc.) and 2 datetimes if used systemd backend`
			`_pref_line = ^%(__prefix_line)s(?:(?:\d+-)?\d+-\d+ \d+:\d+:\d+\.\d+)?`

			`prefregex = ^%(_pref_line)s \[WARN(?:ING)?\](?: \[SOFIA\])? \[?sofia_reg\.c:\d+\]? <F-CONTENT>.+</F-CONTENT>$`

			`cmnfailre = ^Can't find user \[[^@]+@[^\]]+\] from <HOST>$`

			`mdre-normal = %(cmnfailre)s`
			`^SIP auth failure \((REGISTER\|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$`

			`mdre-ddos = ^SIP auth (?:failure\|challenge) \((REGISTER\|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$`

			`mdre-extra = %(cmnfailre)s`
			`<mdre-ddos>`

			`failregex = <mdre-<mode>>`

			`ignoreregex =`

			`datepattern = ^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?`
			`{^LN-BEG}`

			`# Author: Rupa SChomaker, soapee01, Daniel Black, Sergey Brester aka sebres`
			`# https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban`
			`# Thanks to Jim on mailing list of samples and guidance`
			`#`
			`# No need to match the following. Its a duplicate of the SIP auth regex.`
			`# ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP <HOST> Rejected by acl "\S+"\. Falling back to Digest auth\.$`