Configuring fail2ban for FreeSWITCH on BigBlueButton

BigBlueButton uses FreeSWITCH for its audio and SIP services. The log file was full of entries like the following:

2020-04-22 07:43:54.333827 [WARNING] sofia_reg.c:2929 Can't find user [7134@XXX.XXX.XXX.XXX] from YYY.YYY.YYY.YYY
You must define a domain called 'XXX.XXX.XXX.XXX' in your directory and add a user with the id="7134" attribute
and you must configure your device to use the proper domain in its authentication credentials.

After 2 days of having the server up and running, I had over 2G of log files. So I decided to use fail2ban to limit these unauthorized accesses. Fortunately fail2ban already contains a configuration for FreeSWITCH. The script installs FreeSWITCH in /opt/freeswitch, but fail2ban from the Ubuntu repositories is configured to look in /var/log/freeswitch.log. This can be fixed by the following configuration in the file /etc/fail2ban/jail.d/freeswitch.local:

[freeswitch]
enabled = true

# use freeswitch installed by
logpath  = /opt/freeswitch/log/freeswitch.log

# we do not want mail, so remove that action from standard jail.conf freeswitch config
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]

The change led to lower CPU usage, disk throughput and fewer IOPS, due to the lower amount of writes to the log file. Also, the log file is now much smaller and actually usable for finding real errors. You can see the changes in the picture below. Fail2ban was installed and configured at about 07:30.

Display of CPU Usage, Disk Throughput and IOPS before and after activating fail2ban for FreeSWITCH
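
To estimate which hosts a jail like this would ban before enabling it, the following added example (not part of the original post and not fail2ban's own filter) replays log lines in the format quoted above through a maxretry/findtime sliding window. The regular expression, the threshold values and the sample lines with documentation IP addresses are assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern written for this example from the log line quoted in the post; it is
# not copied from fail2ban's freeswitch filter. The user part is supplied by the
# remote client, so the source address is anchored at the end of the line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \[WARNING\] "
    r"sofia_reg\.c:\d+ Can't find user \[(?P<user>[^\]@]*)@(?P<domain>[^\]]*)\] "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Map each source IP to the time its maxretry-th failure fell within findtime seconds.

    Assumes the lines are in chronological order, as in a log file.
    maxretry and findtime here are sample values, not the jail's settings.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # source IP -> timestamps still inside the window
    banned = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["src"] in banned:
            continue              # continuation lines and already banned hosts
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits = recent[m["src"]]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # forget failures older than findtime
        if len(hits) >= maxretry:
            banned[m["src"]] = ts
    return banned

# Constructed sample input (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2020-04-22 07:43:54.333827 [WARNING] sofia_reg.c:2929 Can't find user [7134@192.0.2.10] from 203.0.113.5
You must define a domain called '192.0.2.10' in your directory and add a user with the id="7134" attribute
and you must configure your device to use the proper domain in its authentication credentials.
2020-04-22 07:43:55.101010 [WARNING] sofia_reg.c:2929 Can't find user [7135@192.0.2.10] from 203.0.113.5
2020-04-22 07:44:10.000001 [WARNING] sofia_reg.c:2929 Can't find user [100@192.0.2.10] from 198.51.100.7
2020-04-22 07:44:12.500000 [WARNING] sofia_reg.c:2929 Can't find user [7136@192.0.2.10] from 203.0.113.5
2020-04-22 08:30:00.000000 [WARNING] sofia_reg.c:2929 Can't find user [101@192.0.2.10] from 198.51.100.7
2020-04-22 08:30:01.000000 [WARNING] sofia_reg.c:2929 Can't find user [102@192.0.2.10] from 198.51.100.7
""".splitlines()

if __name__ == "__main__":
    for ip, when in hosts_to_ban(SAMPLE_LOG).items():
        print(f"{ip} would be banned at {when}")
```

With the sample values, only 203.0.113.5 reaches three failures inside ten minutes; the three failures from 198.51.100.7 are spread over more than 45 minutes and stay below the threshold.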


Using 1und1 sip with FreeSWITCH

As we are currently in Corona times, I wanted to set up an instance of BigBlueButton (BBB) for our marching band, so that we can have board meetings without meeting in person.

Due to the limited internet access in some villages in the area here, I also wanted to provide a phone dial-in, so board members with slow internet connections could also join the meetings.

BBB uses FreeSWITCH internally for audio routing and it supports connecting a SIP account for dial-in. I am using 1und1* for my internet and phone service, so I wanted to use one of my numbers as the dial-in number for BBB. Unfortunately, 1und1 is a bit picky with the SIP settings it supports; just using my phone number and password was not enough. I would always get the following error message:

"403: Contact User und Anrufernummer verschieden"

Searching the net for the error message led me to this old mail from 2012, with no solution. But it had the helpful information that the contact-user header was not properly set for 1und1. Searching a bit more, I found the correct configuration:

  <gateway name="">
    <param name="proxy" value=""/>
    <param name="username" value="4929719000000"/>
    <param name="password" value="YourSuperSecretPassword"/>
    <param name="register" value="true"/>
    <param name="extension" value="4929719000000"/>
    <param name="extension-in-contact" value="true"/>
  </gateway>

The important part is that you need to specify your phone number in international format, both as username and as extension, and set the extension-in-contact property to true. This configures FreeSWITCH to send the messages in a way that 1und1 expects.

I have a fully working dial-in to BBB now with one of my existing phone numbers, without any additional cost.

* Affiliation link, supporting our marching band