セキュリティ
event_guard は使わずにホストの iptables(ip6tables) と fail2ban で対応。
iptables(ip6tables)
$ sudo apt-get install -y iptables-persistent
$ sudo apt-get install -y ip6tables-persistent
$ sudo nano iptables-setup.sh
$ sudo nano ip6tables-setup.sh
$ sudo chmod +x ./iptables-setup.sh
$ sudo chmod +x ./ip6tables-setup.sh
$ sudo ./iptables-setup.sh
$ sudo ./ip6tables-setup.sh
$ sudo iptables-save > /etc/iptables/rules.v4
$ sudo ip6tables-save > /etc/iptables/rules.v6
iptables-setup.sh
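#!/bin/bash
# iptables-setup.sh
# Firewall rules for VoIP + Web + SSH (IPv4)
#
# Usage: run as root, then persist with `iptables-save > /etc/iptables/rules.v4`.
# Resulting policy: loopback and established/related traffic accepted; known
# SIP scanner User-Agents dropped by payload string match on the SIP port
# range; SSH only from the management LAN; HTTP, HTTPS, 7443, SIP 5060-5091
# (tcp/udp) and RTP 16384-32768 (udp) and ICMP echo open; everything else
# dropped by the INPUT/FORWARD policy. Outbound SIP/RTP is DSCP-marked (QoS).
set -eu

readonly SIP_PORTS=5060:5091
readonly RTP_PORTS=16384:32768
readonly SSH_MGMT_NET=192.168.xx.0/24   # replace xx with the management subnet

# Reset existing rules.
# Policies are set to ACCEPT *before* flushing: with set -e, a failure later
# in this script (e.g. xt_string not loadable) would otherwise leave an empty
# INPUT chain under a DROP policy left over from a previous run and cut off
# the SSH session running the script. The host is briefly open until the
# final policy lines below run.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t mangle -F
iptables -X
iptables -t mangle -X

# Basic rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify (bad TCP flags, out-of-window segments)
# never reach the per-port ACCEPT rules below.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Drop known SIP scanners by string matching.
# The patterns are matched anywhere in the payload of packets to the SIP port
# range; "system " and "exec." also catch command-injection probes seen there.
for proto in tcp udp; do
  for pattern in "friendly-scanner" "sipcli/" "VaxSIPUserAgent/" "pplsip" \
      "system " "exec." "multipart/mixed;boundary"; do
    iptables -A INPUT -p "$proto" --dport "$SIP_PORTS" -m string \
      --string "$pattern" --algo bm --icase -j DROP
  done
done

# Allow ports
iptables -A INPUT -p tcp --dport 22 -s "$SSH_MGMT_NET" -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 7443 -j ACCEPT
iptables -A INPUT -p tcp --dport "$SIP_PORTS" -j ACCEPT
iptables -A INPUT -p udp --dport "$SIP_PORTS" -j ACCEPT
iptables -A INPUT -p udp --dport "$RTP_PORTS" -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# DSCP marks (QoS): EF (46) for RTP media, AF31 (26) for SIP signalling.
iptables -t mangle -A OUTPUT -p udp --sport "$RTP_PORTS" -j DSCP --set-dscp 46
iptables -t mangle -A OUTPUT -p udp --sport "$SIP_PORTS" -j DSCP --set-dscp 26
iptables -t mangle -A OUTPUT -p tcp --sport "$SIP_PORTS" -j DSCP --set-dscp 26

# Default policies (set last, once every ACCEPT rule is in place)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT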
ip6tables-setup.sh
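#!/bin/bash
# ip6tables-setup.sh
# Firewall rules for VoIP + Web + SSH (IPv6)
#
# Usage: run as root, then persist with `ip6tables-save > /etc/iptables/rules.v6`.
# Mirrors iptables-setup.sh for IPv6: loopback and established/related traffic
# accepted; known SIP scanner User-Agents dropped by payload string match on
# the SIP port range; HTTP, HTTPS, 7443, SIP 5060-5091 (tcp/udp) and RTP
# 16384-32768 (udp) open; the ICMPv6 types IPv6 cannot operate without are
# accepted; everything else dropped by the INPUT/FORWARD policy.
# Unlike the IPv4 script there is no SSH rule, so SSH over IPv6 is dropped by
# the policy; add a `--dport 22` rule with the management prefix if needed.
set -eu

readonly SIP_PORTS=5060:5091
readonly RTP_PORTS=16384:32768

# Reset existing rules.
# Policies are set to ACCEPT *before* flushing: with set -e, a failure later
# in this script would otherwise leave an empty INPUT chain under a DROP
# policy left over from a previous run and cut off the session running the
# script. The host is briefly open until the final policy lines below run.
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -F
ip6tables -t mangle -F
ip6tables -X
ip6tables -t mangle -X

# Basic rules
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP

# ICMPv6 that IPv6 itself depends on. Neighbour Discovery (neighbour
# solicitation/advertisement, router advertisement) is marked UNTRACKED by
# conntrack, not ESTABLISHED, so with only echo-request accepted the host
# loses its neighbours and router after the cache expires. packet-too-big is
# required for path-MTU discovery (IPv6 routers never fragment); the other
# error types let TCP/UDP fail fast instead of timing out.
for icmp_type in destination-unreachable packet-too-big time-exceeded \
    parameter-problem router-advertisement neighbour-solicitation \
    neighbour-advertisement echo-request; do
  ip6tables -A INPUT -p icmpv6 --icmpv6-type "$icmp_type" -j ACCEPT
done

# Drop known SIP scanners by string matching.
# The patterns are matched anywhere in the payload of packets to the SIP port
# range; "system " and "exec." also catch command-injection probes seen there.
for proto in tcp udp; do
  for pattern in "friendly-scanner" "sipcli/" "VaxSIPUserAgent/" "pplsip" \
      "system " "exec." "multipart/mixed;boundary"; do
    ip6tables -A INPUT -p "$proto" --dport "$SIP_PORTS" -m string \
      --string "$pattern" --algo bm --icase -j DROP
  done
done

# Allow ports
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 7443 -j ACCEPT
ip6tables -A INPUT -p tcp --dport "$SIP_PORTS" -j ACCEPT
ip6tables -A INPUT -p udp --dport "$SIP_PORTS" -j ACCEPT
ip6tables -A INPUT -p udp --dport "$RTP_PORTS" -j ACCEPT

# DSCP marks (QoS): EF (46) for RTP media, AF31 (26) for SIP signalling.
ip6tables -t mangle -A OUTPUT -p udp --sport "$RTP_PORTS" -j DSCP --set-dscp 46
ip6tables -t mangle -A OUTPUT -p udp --sport "$SIP_PORTS" -j DSCP --set-dscp 26
ip6tables -t mangle -A OUTPUT -p tcp --sport "$SIP_PORTS" -j DSCP --set-dscp 26

# Default policies (set last, once every ACCEPT rule is in place)
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT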
fail2ban
$ sudo apt-get install -y fail2ban rsyslog
設定ファイルをコピーしてfail2banを再起動するスクリプトを作成
fail2ban.sh
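#!/bin/sh
# fail2ban.sh
# Copy the FreeSWITCH/FusionPBX/nginx fail2ban filters and jail.local from the
# local fail2ban/ directory into /etc/fail2ban, then restart fail2ban.
#
# Run as root from the directory that contains fail2ban/.
# `verbose` is a helper from the surrounding install scripts; when the script
# is run standalone the message is printed directly instead.
# Any missing or uncopyable file aborts the script before the restart, so
# fail2ban is never restarted on a half-copied configuration (jail.local may
# reference filters that were not installed).
set -eu

src_dir=fail2ban
dst_dir=/etc/fail2ban

# Filter names (without .conf) installed into filter.d.
# POSIX sh has no arrays; the list is deliberately word-split below.
filters="freeswitch freeswitch-acl sip-auth-failure sip-auth-challenge \
auth-challenge-ip freeswitch-ip fusionpbx fusionpbx-mac fusionpbx-404 \
nginx-404 nginx-dos"

#send a message
if command -v verbose >/dev/null 2>&1; then
  verbose "copy Fail2ban config"
else
  printf '%s\n' "copy Fail2ban config"
fi

if [ ! -d "$src_dir" ]; then
  printf 'fail2ban.sh: %s/ not found; run from the install directory\n' "$src_dir" >&2
  exit 1
fi

#move the filters
# shellcheck disable=SC2086 -- intentional word-splitting of the name list
for name in $filters; do
  cp -- "$src_dir/$name.conf" "$dst_dir/filter.d/$name.conf"
done
cp -- "$src_dir/jail.local" "$dst_dir/jail.local"

#update config if source is being used
#if [ .$switch_source = .true ]; then
# sed 's#var/log/freeswitch#usr/local/freeswitch/log#g' -i /etc/fail2ban/jail.local
#fi

#restart fail2ban
/usr/sbin/service fail2ban restart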
$ sudo chmod +x ./fail2ban.sh
$ sudo ./fail2ban.sh
ログローテーションの設定
以下参照