BigBlueButton uses FreeSWITCH for its audio and SIP services. The log file was full of entries like the following:
2020-04-22 07:43:54.333827 [WARNING] sofia_reg.c:2929 Can't find user [7134@XXX.XXX.XXX.XXX] from YYY.YYY.YYY.YYY
You must define a domain called 'XXX.XXX.XXX.XXX' in your directory and add a user with the id="7134" attribute
and you must configure your device to use the proper domain in its authentication credentials.
After 2 days of having the server up and running, I had over 2G of log files. So I decided to use fail2ban to limit these unauthorized accesses. Fortunately fail2ban already contains a configuration for FreeSWITCH. The bbb-install.sh script installs FreeSWITCH in /opt/freeswitch, but fail2ban from the Ubuntu repositories is configured to look in /var/log/freeswitch.log. This can be fixed by the following configuration in the file /etc/fail2ban/jail.d/freeswitch.local:
[freeswitch]
enabled = true
# use freeswitch installed by bbb-install.sh
logpath = /opt/freeswitch/log/freeswitch.log
# we do not want mail, so remove that action from standard jail.conf freeswitch config
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
The change lead to lower CPU usage, disk throughput and less IOPS, due to the lower amount of writes to the log file. Also the log file is now much smaller and it is now actually usable to find any real errors. You can see the changes in the picture below. Fail2ban was installed and configured at about 07:30.
