Edit file File name : freeswitch.conf Content :# Fail2Ban configuration file # # Enable "log-auth-failures" on each Sofia profile to monitor # <param name="log-auth-failures" value="true"/> # -- this requires a high enough loglevel on your logs to save these messages. # # In the fail2ban jail.local file for this filter set ignoreip to the internal # IP addresses on your LAN. # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = freeswitch # Parameter "mode": normal, ddos or extra (default, combines all) # Usage example (for jail.local): # [freeswitch] # mode = normal # # or with rewrite filter parameters of jail: # [freeswitch-ddos] # filter = freeswitch[mode=ddos] # mode = extra # Prefix contains common prefix line (server, daemon, etc.) and 2 datetimes if used systemd backend _pref_line = ^%(__prefix_line)s(?:(?:\d+-)?\d+-\d+ \d+:\d+:\d+\.\d+)? prefregex = ^%(_pref_line)s \[WARN(?:ING)?\](?: \[SOFIA\])? \[?sofia_reg\.c:\d+\]? <F-CONTENT>.+</F-CONTENT>$ cmnfailre = ^Can't find user \[[^@]+@[^\]]+\] from <HOST>$ mdre-normal = %(cmnfailre)s ^SIP auth failure \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$ mdre-ddos = ^SIP auth (?:failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$ mdre-extra = %(cmnfailre)s <mdre-ddos> failregex = <mdre-<mode>> ignoreregex = datepattern = ^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)? {^LN-BEG} # Author: Rupa SChomaker, soapee01, Daniel Black, Sergey Brester aka sebres # https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban # Thanks to Jim on mailing list of samples and guidance # # No need to match the following. Its a duplicate of the SIP auth regex. # ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP <HOST> Rejected by acl "\S+"\. Falling back to Digest auth\.$ Save