How to configure / deploy heplify on SIP Server

Download and install the latest Heplify release


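# Download into a private scratch directory, not the current directory, and stop
# at the first failure so a missing or partial file is never installed.
# NOTE: "latest" is a moving target; pin a specific release tag for repeatable installs.
tmpdir=$(mktemp -d) &&
  wget -O "$tmpdir/heplify" https://github.com/sipcapture/heplify/releases/latest/download/heplify &&
  sha256sum "$tmpdir/heplify"
# Compare the digest printed above with one obtained from the project through a
# separate trusted channel (if it publishes one) before continuing: this binary
# will capture traffic on the SIP server.
# Install root-owned and not writable by other users, then remove the scratch copy.
install -o root -g root -m 0755 "$tmpdir/heplify" /usr/bin/heplify &&
  rm -rf -- "${tmpdir:?}"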


Create service file for heplify


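# The heredoc delimiter is quoted ('EOF') so the shell writes $HEP_* and ${MAINPID}
# literally. With an unquoted EOF the shell expands them (to empty strings) while
# writing the file, and the unit ends up with an ExecStart that has no values.
cat > /etc/systemd/system/heplify.service <<'EOF'
[Unit]
Description=Captures packets from wire and sends them to Hepic
After=network.target

[Service]
Environment="HEP_ID=8888"
Environment="HEP_SERVER=homer.*****.com:9060"
# Unit files are normally world-readable and Environment= values are shown by
# `systemctl show`; for a real token prefer EnvironmentFile= pointing at a
# root-only (mode 0600) file.
Environment="HEP_PASSWORD=HEP-TOKEN-or-Password"
Environment="HEP_BUFFER_FILE=/root/HEP.dump"
Environment="HEP_LOG_LEVEL=info"
Environment="HEP_INTERFACE=any"
Environment="HEP_PORTRANGE=5060-6000"
# 0.0.0.0 publishes the metrics endpoint on every interface; bind it to a
# management address or restrict port 8090 with the firewall.
Environment="HEP_PROM_STATS=0.0.0.0:8090"
# -hp places the password on the process command line, where local users can
# read it with ps. "-nt tcp" sends the HEP stream without encryption; use an
# encrypted transport if your heplify build and HEP server support one.
# No User= is set, so the capture process runs as root.
ExecStart=/usr/bin/heplify -hep-buffer-activate -hep-buffer-file $HEP_BUFFER_FILE -l $HEP_LOG_LEVEL -sl -hi $HEP_ID -i $HEP_INTERFACE -pr $HEP_PORTRANGE -hs $HEP_SERVER -nt tcp -hp $HEP_PASSWORD -t af_packets -tcpsendretries 0 -tcpassembly -prometheus $HEP_PROM_STATS
ExecStop=/bin/kill ${MAINPID}
Restart=on-failure
RestartSec=10s
Type=simple

[Install]
WantedBy=multi-user.target
EOF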


Reload unit file


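# Make systemd re-read its unit files so the new heplify.service is picked up.
systemctl daemon-reload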


now start heplify as service


systemctl restart heplify


Enjoy 😉

How to create IPSec Tunnel Between Two Linux Machines

DEFAULT values

sysctl -a | grep "net.ipv4.ip_forward \|net.ipv6.conf.all.forwarding\|net.ipv4.conf.all.accept_redirects\|net.ipv4.conf.all.send_redirects"
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.ip_forward = 0
net.ipv6.conf.all.accept_redirects = 1


Update these params to the following values

sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.all.forwarding=1
sysctl net.ipv4.conf.all.accept_redirects=0
sysctl net.ipv4.conf.all.send_redirects=0


Check Values again

sysctl -a | grep "net.ipv4.ip_forward \|net.ipv6.conf.all.forwarding\|net.ipv4.conf.all.accept_redirects\|net.ipv4.conf.all.send_redirects"
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1


make them persistent

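# `sysctl -p` only loads values from a file; it does not save the running values.
# Write the settings to a drop-in first (the file name is an example), then load it.
cat > /etc/sysctl.d/99-ipsec-gateway.conf <<'EOF'
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
sysctl -p /etc/sysctl.d/99-ipsec-gateway.conf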


install iptables

apt install iptables


GATEWAY 1:

GATEWAY PUBLIC IP 192.168.0.194

Private IP: 192.168.100.3

Private Network: 192.168.100.1/24


Add rule as per the IP scheme

iptables -t nat -A POSTROUTING -s 10.124.0.0/20  -d 192.168.100.0/24 -j MASQUERADE
iptables -t nat --list


GATEWAY 2:

Public IP: 192.168.0.173

Private IP: 10.124.0.3

Private Network: 10.124.0.0/20


Add rule as per the IP scheme

iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -d 10.124.0.0/20 -j MASQUERADE
iptables -t nat --list


Strongswan configuration for the GATEWAY 1

# strongSwan connection definition for GATEWAY 1 (IKEv2 tunnel, pre-shared key).
# NOTE(review): the addresses below (10.20.20.x, 192.168.0.101/24, 10.0.2.15/24)
# do not match the GATEWAY 1 / GATEWAY 2 addressing listed earlier on this page;
# substitute the values for your own gateways and networks.
config setup
        # Verbose debug logging — presumably for initial troubleshooting only;
        # TODO confirm and reduce for production so logs stay small and low in detail.
        charondebug="all"
        uniqueids=yes
conn devgateway-to-prodgateway
        type=tunnel
        auto=start
        keyexchange=ikev2
        # Pre-shared-key authentication: the tunnel is only as strong as the PSK
        # and the permissions on the file that stores it.
        authby=secret
        left=10.20.20.1
        leftsubnet=192.168.0.101/24
        right=10.20.20.3
        rightsubnet=10.0.2.15/24
        # SHA-1 and the 1024-bit modp1024 DH group are legacy choices. The trailing
        # "!" makes the proposal strict, so a stronger replacement has to be set
        # identically on both gateways or the tunnel will not come up.
        ike=aes256-sha1-modp1024!
        # No DH group is listed, so rekeyed ESP SAs do not appear to get PFS —
        # NOTE(review): confirm against the strongSwan version in use.
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        # Dead-peer detection: probe every 30s, give up after 120s, then restart the tunnel.
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart


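Command to generate a random pre-shared key (PSK) for authby=secret; use the same key on both gateways and keep the file that stores it readable by root only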

head -c 24 /dev/urandom | base64


Strongswan configuration for the GATEWAY 2

# strongSwan connection definition for GATEWAY 2; left/right and the subnets
# mirror the GATEWAY 1 definition.
# NOTE(review): the addresses below (10.20.20.x, 10.0.2.15/24, 192.168.0.101/24)
# do not match the GATEWAY 1 / GATEWAY 2 addressing listed earlier on this page;
# substitute the values for your own gateways and networks.
config setup
        # Verbose debug logging — presumably for initial troubleshooting only;
        # TODO confirm and reduce for production so logs stay small and low in detail.
        charondebug="all"
        uniqueids=yes
conn prodgateway-to-devgateway
        type=tunnel
        auto=start
        keyexchange=ikev2
        # Pre-shared-key authentication: the tunnel is only as strong as the PSK
        # and the permissions on the file that stores it.
        authby=secret
        left=10.20.20.3
        leftsubnet=10.0.2.15/24
        right=10.20.20.1
        rightsubnet=192.168.0.101/24 
        # SHA-1 and the 1024-bit modp1024 DH group are legacy choices. The trailing
        # "!" makes the proposal strict, so a stronger replacement has to be set
        # identically on both gateways or the tunnel will not come up.
        ike=aes256-sha1-modp1024!
        # No DH group is listed, so rekeyed ESP SAs do not appear to get PFS —
        # NOTE(review): confirm against the strongSwan version in use.
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        # Dead-peer detection: probe every 30s, give up after 120s, then restart the tunnel.
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart


Ref: https://www.tecmint.com/setup-ipsec-vpn-with-strongswan-on-debian-ubuntu/

Ref: https://www.cbui.dev/setting-up-an-aws-to-digital-ocean-site-to-site-vpn-with-strongswan/


Enjoy 😉

How to Configure Fail2Ban with FreeSwitch

Install fail2ban

apt install fail2ban

create the following file

vim /etc/fail2ban/jail.d/freeswitch.local

copy the following content in the file freeswitch.local


# Local override that switches the freeswitch-tcp jail on and sets its thresholds.
[freeswitch-tcp]
enabled = true

# Ban after 3 matching log lines from one address within findtime (3600 s);
# the ban lasts bantime (300 s), after which the address may try again.
maxretry = 3
findtime  =  3600
bantime   =  300

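Now edit the following file. Note that jail.conf is shipped by the fail2ban package and can be overwritten on upgrade, so the same sections can instead go in /etc/fail2ban/jail.local or in the jail.d file shown above.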


vim /etc/fail2ban/jail.conf

copy the following line in jail.conf


# Jail watching the FreeSWITCH log for matches of the "freeswitch" filter,
# declared for TCP ports 11110 and 11111.
[freeswitch-tcp]
port     = 11110,11111
protocol = tcp
filter   = freeswitch
logpath  = /var/log/freeswitch/freeswitch.log
# iptables-allports with protocol=all blocks the offending address on every
# port and protocol, not only the ports listed above.
action   = iptables-allports[name=freeswitch-tcp, protocol=all]

# Same filter and log file, declared for the UDP SIP ports.
# NOTE(review): no "enabled = true" for this jail is visible on this page (only
# freeswitch-tcp gets one in jail.d/freeswitch.local), and the status output
# further down lists only freeswitch-tcp — confirm whether this jail is active.
[freeswitch-udp]
port     = 5060,5061,5080,5081
protocol = udp
filter   = freeswitch
logpath  = /var/log/freeswitch/freeswitch.log
action   = iptables-allports[name=freeswitch-udp, protocol=all]

create the following file


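# Open the filter definition in an editor (cat would only print an existing file).
# If the fail2ban package already ships this filter, review it before overwriting it.
vim /etc/fail2ban/filter.d/freeswitch.conf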

copy the following lines


# fail2ban filter: matches FreeSWITCH sofia_reg.c WARNING lines and extracts the
# source address as <HOST>.
[INCLUDES]

before = common.conf

[Definition]

_daemon = freeswitch

# NOTE(review): the next line starts with a space; INI parsers may read an
# indented line as a continuation of the previous value — confirm. Neither
# _daemon nor mode is referenced by the failregex below.
 mode = extra


# The text inside [...] comes from the SIP request, i.e. from the remote party.
# These patterns are not anchored and match it with a greedy ".*"; anchoring
# each pattern at the end of the line and restricting the bracket contents to
# non-"]" characters makes it harder for crafted input to shift <HOST> onto
# another address.
# NOTE(review): the "auth challenge" pattern presumably also matches the
# challenge sent during ordinary authenticated registrations; with maxretry = 3
# that could ban legitimate phones — confirm against your own log.
failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
            \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
            \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
            \[WARNING\] sofia_reg.c:\d+ Can\'t find user \[.*\] from <HOST>

ignoreregex =


stop fail2ban


systemctl stop fail2ban


Start fail2ban in debug mode


fail2ban-server -xf -vvv


check fail2ban logs


tail -f /var/log/fail2ban.log


Check Status


fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   freeswitch-tcp

Make some failed REGISTER attempts from a test client, then check the jail status

fail2ban-client status freeswitch-tcp
Status for the jail: freeswitch-tcp
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/freeswitch/freeswitch.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   103.122.158.34


Commands to ban and unban an IP manually


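# The jail name must be one listed by `fail2ban-client status` (freeswitch-tcp
# on this page); a jail called "freeswitch" is not defined anywhere above.
# 192.0.2.0 is a documentation address used as a stand-in.
fail2ban-client -vvv set freeswitch-tcp banip 192.0.2.0
fail2ban-client -vvv set freeswitch-tcp unbanip 192.0.2.0
# Dump the effective configuration, then list the firewall rules to confirm
# that the ban has been removed.
fail2ban-client -d
iptables -nL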


Enjoy 😉

SIPp UAC Scenario to send RTP

Please install the latest sipp ( >=3.7.3 ) wget https://github.com/SIPp/sipp/releases/download/v3.7.3/sipp chmod +x sipp mv sipp /usr/bin...