coturn / coturn

coturn TURN server project

coturn filter for fail2ban

un99known99 opened this issue · comments

I did several experiments in getting IPs knocking at coturn blocked, but without luck; in the end I ended up with unwanted blocks or non-working apps (jitsi-meet).

Is there an official recommendation on how to failsafe coturn ports via fail2ban?
How to safeguard the ports?

Any recommendations / help?

Thanks.

This would be useful for us as well. If you figure out how to get this to work please post here.

@bab5470 I probably could if I knew the "unique" errors coturn shows for just bot knocking .... maybe you can hand over which "reason: ______" entries in the logfiles are valid ....

like coturn.log.9.gz:251402: : session 003000000000000005: closed (2nd stage), user <> realm <turn.myserver.com> origin <>, local 0.0.0.0:9273, remote 185.242.226.3:57446, reason: general

What are VALID "reason:" entries?

How did you get your coturn server to log the remote IP? Ours doesn't seem to even log the IP?

I could get you a fail2ban filter if you hand over the valid reason codes OR the NOT valid codes. For the logged IP I am checking my setup;
maybe "verbose" and / or "fingerprint"?

@bab5470 can you supply the info?

What are VALID or INVALID "reason:" entries?

All the reasons coturn prints are "valid" in the sense that there is a logical reason (timeout, connection just closed, SSL read error, UDP packet processing error, etc.).
None of the reasons means there was malicious intent that warrants blocking the IP....

In general, blocking IPs on this kind of service will, most probably, lead to blocking valid clients.

@eakraly thanks for your answer - understood. So how is/can coturn be (more) protected?

?

@eakraly if you have any input, I could share a fail2ban rule ......

The most important thing is to ensure coturn cannot allocate connections into the internal network (if you have such a thing) in a way you did not intend, @un99known99.

@eakraly I did the following:

Denied ALL, then only allowed the 2 servers in the network:

(image)

Seems that is what you mentioned?
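As an added example (not code from this thread or from coturn itself), a small Python emulation of how coturn's `allowed-peer-ip` / `denied-peer-ip` entries are evaluated, so a "deny everything, then allow only the internal servers" configuration can be sanity-checked before it is deployed. The turnserver.conf fragment and the 10.0.0.x addresses are constructed placeholders standing in for the screenshot above; the allowed-overrides-denied rule follows coturn's own configuration documentation, and address families are compared independently, so an IPv4-only deny list leaves IPv6 peers untouched in this emulation.

```python
import ipaddress

# Constructed turnserver.conf fragment (placeholder addresses, not the
# poster's): deny relaying to every IPv4 peer, then re-allow two servers.
TURNSERVER_CONF = """
# deny permissions towards any IPv4 peer ...
denied-peer-ip=0.0.0.0-255.255.255.255
# ... except the two internal media servers
allowed-peer-ip=10.0.0.10
allowed-peer-ip=10.0.0.11-10.0.0.12
"""


def parse_peer_rules(conf):
    """Collect allowed-peer-ip / denied-peer-ip entries as (first, last)
    address pairs. Single addresses and 'a.b.c.d-e.f.g.h' ranges are
    accepted; other keys and '#' comments are ignored."""
    allowed, denied = [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in ("allowed-peer-ip", "denied-peer-ip"):
            continue
        first, _, last = value.partition("-")
        lo = ipaddress.ip_address(first)
        hi = ipaddress.ip_address(last) if last else lo
        (allowed if key == "allowed-peer-ip" else denied).append((lo, hi))
    return allowed, denied


def _in_ranges(addr, ranges):
    # Only ranges of the same family can match: an IPv4 deny-all says nothing
    # about IPv6 peers, so add an IPv6 entry too if the relay listens on IPv6.
    return any(lo.version == addr.version and lo <= addr <= hi
               for lo, hi in ranges)


def peer_permitted(peer, allowed, denied):
    """Documented coturn rule: an address matching both an allowed and a
    denied entry counts as allowed; otherwise a denied match blocks it and
    an unmatched address is relayed (the default with no rules at all)."""
    addr = ipaddress.ip_address(peer)
    if _in_ranges(addr, allowed):
        return True
    return not _in_ranges(addr, denied)
```

Run `peer_permitted("203.0.113.5", *parse_peer_rules(TURNSERVER_CONF))` to confirm that, with this fragment, relaying to an arbitrary public peer is refused as well, which is acceptable for a jitsi-meet deployment whose only TURN peers are its own media servers.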