
Now I want to block an IP (or drop packets sourced from an IP) if the IP hits my host for, say, 5 requests in a minute. How do I do that? Can you point me to what tool or command to read about in regard to the stated issue?

After searching, I came across iptables with the -m limit module. But this doesn't consider the IP address. Meaning, if I set the limit to 5 on port 22 for 5 hits per 60 seconds, this will prevent connections if 5 hits reach the server regardless of the source IP (whether that is a single IP or 5 different machines). I also came across tc to shape the traffic bandwidth, but I wasn't sure if it's the tool I should be looking at.

Please help me out by posting links along with your solution. I always love to read more.

Thanks in advance.

UPDATE: I can't use fail2ban here, as fail2ban requires the existence of a date and time in some known format in the logs. This is not the case for the logs of freeswitch.

joker
  • Fail2ban does something like that. – mikewhatever Apr 16 '17 at 17:10
  • Yes it does. But the thing is, I'm working with freeswitch (a tool for VoIP operations). The log file of freeswitch is a bit odd, and it is really hard to use fail2ban to stop attackers from abusing the open ports. That's why I am trying to find another solution other than fail2ban. – joker Apr 16 '17 at 18:32
  • You are exactly correct, and most seem to miss the point that the limit stuff is not IP specific. Furthermore it can actually make it more difficult for legitimate traffic, because the bad people can get all the available connections. See if this helps, or this much more complicated one. – Doug Smythies Apr 16 '17 at 19:23

1 Answer


Okay, I was able to find an answer to my question, and I'm sharing it here for others to benefit from (even though the number of views doesn't say so :) ).

My solution utilizes iptables and fail2ban to solve the issue in question.

  1. Get your firewall up and running. Don't forget to open the ports required by freeswitch to carry out successful VoIP operations:

    firewall-cmd --add-port=5080-5081/tcp --add-port=5060-5061/tcp --add-port=5066/tcp --add-port=8080-8082/tcp --add-port=7443/tcp --add-port=16384-32768/udp
    

This step alone filters out lots of attacks, as most of them are over udp on the tcp-expected ports.

  2. Ask iptables to store the tcp connection related info when connecting to the signaling ports:

    iptables -I INPUT 5 -i eth0 -p tcp -m multiport --dports 5080,5081,5060,5061,7443,5066,8080:8082 -m recent --set --name FREESWITCH_BADGUY -j ACCEPT
    iptables -I INPUT 5 -i eth0 -p tcp -m recent --update --hitcount 1 --seconds 120 --name FREESWITCH_BADGUY -j LOG --log-prefix "FREESWITCH BAD: " --log-level info
    

Note the index/order 5 in the INPUT chain. I used 5 because it was just before the rules to accept connections on the listed ports (from the commands in the first step). So, you should put them anywhere before the rules from the first step but after the fail2ban ssh rules.

  3. Create a new fail2ban filter at /etc/fail2ban/filter.d/freeswitch-customized.conf:

    [Definition]
    
    failregex = FREESWITCH BAD.*SRC=<HOST>
    
    ignoreregex =
    
  4. Add the following to /etc/fail2ban/jail.local (change the logpath to the system log file; mine was /var/log/messages, but in your case it could be, for example, /var/log/syslog):

    [freeswitch-customized]
    
    enabled = true
    port = 5060,5061,5080,5081,7443,5066
    logpath = /var/log/messages
    filter = freeswitch-customized
    
  5. Restart fail2ban:

    systemctl restart fail2ban
    

This worked for me.

joker
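A quick way to check that the answer's failregex really matches what the LOG rule writes to the system log, and that the resulting count is per source address (the shortcoming of -m limit raised in the question), as an added Python example that is not part of the original post. The log lines are constructed, the IPv4 expansion of <HOST> is narrower than fail2ban's own, and the window logic only approximates a jail's maxretry/findtime counting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed kernel-log lines in the shape the answer's LOG rule produces
# (syslog timestamp, the "FREESWITCH BAD: " prefix, then netfilter fields).
SAMPLE_LOG = """\
Apr 16 18:00:00 pbx kernel: FREESWITCH BAD: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=5060
Apr 16 18:00:03 pbx kernel: FREESWITCH BAD: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=5060
Apr 16 18:00:05 pbx kernel: FREESWITCH BAD: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP DPT=5061
Apr 16 18:00:09 pbx kernel: FREESWITCH BAD: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=5080
Apr 16 18:00:20 pbx sshd[812]: Accepted publickey for admin from 192.0.2.44 port 50122
Apr 16 18:00:25 pbx kernel: FREESWITCH BAD: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP DPT=5061
Apr 16 18:00:30 pbx kernel: FREESWITCH BAD: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=5060
Apr 16 18:00:41 pbx kernel: FREESWITCH BAD: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=5060
Apr 16 18:00:45 pbx kernel: FREESWITCH BAD: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP DPT=5061
Apr 16 18:01:05 pbx kernel: FREESWITCH BAD: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP DPT=5061
Apr 16 18:01:25 pbx kernel: FREESWITCH BAD: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP DPT=5061
"""

# The answer's failregex with <HOST> expanded to an IPv4 pattern (fail2ban
# substitutes its own, broader host pattern; this expansion is ours).
FAILREGEX = re.compile(r"FREESWITCH BAD.*SRC=(?P<host>\d{1,3}(?:\.\d{1,3}){3})")
SYSLOG_TS = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d)")

def parse_hits(log_text):
    """Return (timestamp, ip) pairs for lines the filter would match. Syslog
    timestamps carry no year, so only differences between them are used."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        t = SYSLOG_TS.match(line)
        if m and t:
            hits.append((datetime.strptime(t.group(1), "%b %d %H:%M:%S"), m.group("host")))
    return hits

def offenders(hits, maxretry=5, findtime=60):
    """Per-source sliding window, the way a jail counts: ban a host once
    `maxretry` matching lines fall within `findtime` seconds of each other."""
    windows = defaultdict(deque)
    banned = {}
    for ts, ip in sorted(hits):
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = ts  # time of the hit that would trigger the ban
    return banned
```

With the defaults, 203.0.113.7 is banned on its fifth hit at 18:00:41, while 192.0.2.44 never has five hits inside any 60 second span and stays unbanned even though it produced five matching lines overall.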