fail2ban fails 2 start

I have updated through yum and the web gui and fail2ban no longer starts.

service fail2ban start
Starting fail2ban: WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
ERROR  Found no accessible config files for 'filter.d/asterisk-security' under /etc/fail2ban
ERROR  Unable to read the filter
ERROR  Errors in jail 'asterisk-iptables'. Skipping...
                                                           [FAILED]

I poked around and it looks like either the name of the file was changed or the name of the file in jail.local was changed. On my system it was just asterisk, not asterisk-security, so I changed it in the jail.local file and fail2ban started up. It still has that error about ignoreregex, and the system status says it can’t tell if fail2ban is running, but when I manually start the service it no longer gives an error.

Is this fixed or not? I don’t know.
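As an added check that reproduces the failure above (example code, not from the thread, fail2ban or FreePBX), the script below reads a jail.local fragment constructed to mirror the asterisk-iptables jail and reports every enabled jail whose filter.d/&lt;name&gt;.conf does not exist, which is the condition behind "Found no accessible config files". The option values in the fragment are assumed, and so is treating a jail with no filter option as using its own name.

```python
import configparser
import os
import tempfile

# Constructed jail.local fragment mirroring the thread: the enabled jail points at
# filter.d/asterisk-security while only filter.d/asterisk.conf exists; the option
# values are assumed, not copied from a FreePBX system.
JAIL_LOCAL = """
[DEFAULT]
bantime = 1800

[asterisk-iptables]
enabled  = true
filter   = asterisk-security
action   = iptables-allports[name=ASTERISK, protocol=all]
logpath  = /var/log/asterisk/fail2ban
maxretry = 3

[asterisk-tcp]
enabled  = false
filter   = asterisk-tcp
"""

def missing_filters(jail_text, filter_dir):
    """Return {jail: filter name} for every enabled jail whose filter.d/<name>.conf
    is absent (the condition behind "Found no accessible config files for ...").
    A jail without a 'filter' option is assumed to use its own name."""
    cp = configparser.ConfigParser(interpolation=None)  # jail files use %(...)s themselves
    cp.read_string(jail_text)
    missing = {}
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue  # disabled jails are never loaded, so their filter is irrelevant
        name = cp.get(jail, "filter", fallback=jail).split("[", 1)[0].strip()
        if not os.path.exists(os.path.join(filter_dir, name + ".conf")):
            missing[jail] = name
    return missing

def demo():
    """Run the check against a throwaway filter.d before and after supplying the filter."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "asterisk.conf"), "w").close()
        before = missing_filters(JAIL_LOCAL, d)   # {'asterisk-iptables': 'asterisk-security'}
        # One fix seen in the thread: provide the filter file under the referenced name
        # (the post above instead changed the name in jail.local; either clears the error).
        open(os.path.join(d, "asterisk-security.conf"), "w").close()
        after = missing_filters(JAIL_LOCAL, d)    # {}
    return before, after

if __name__ == "__main__":
    print(demo())
```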

Have you done a yum clean all and yum update fail2ban? This was already resolved today.

@ganda you should probably wait a little, Bryan is still working on a resolution.

http://issues.freepbx.org/browse/FREEPBX-9581

Mon Jun 29 17:44:04 MST 2015
service fail2ban restart
Stopping fail2ban: [ OK ]
Starting fail2ban: WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''

(the various rpms are all named fail2ban-0.8.14-1.shmz65.1.8.noarch.rpm, the md5sum is not yet stable)

@ganda,
We pushed out a fix for the issue you are experiencing earlier today. Please do a yum clean all and yum update fail2ban as @tonyclewis suggested above.

Now to address the warning everyone is seeing when they restart fail2ban. That warning is exactly that: a warning that is letting the end user know an ignoreregex is not actually being defined in a filter.d file. As a result it is defaulting to ‘’. This is actually happening in a file we don’t modify, but we will be modifying it in a future update to prevent any further confusion. However, without this fix fail2ban should continue to run as it normally would, as the option is still being set behind the scenes.

And finally, I understand that the dashboard is showing that it is unable to detect the service status for fail2ban. We are aware of the issue and we will be looking at pushing a fix to the module that performs the fail2ban status checks sometime tomorrow.

I hope this helps explain the issues a little more for everyone that is seeing them, as well as the plan of attack. If you happen to notice any other issues we didn’t catch, please let us know.

I have noticed that although you have tcp/5038 open you do not seem to have a regex to catch the AMI attempts. Did you catch the missing pjsip regexes yet? The ones at

https://github.com/fail2ban/fail2ban/tarball/master

work fine for me.

As I said in the original post I had updated by both yum and through the web gui. I ran yum again this morning and there was another fail2ban update, but the system status page still doesn’t see it even though it is running.

@dicko, We actually use the asterisk filters from the 0.8 branch of fail2ban as when I looked at building 0.8.14 the filters had come a long way from earlier versions. I’d much rather prefer to use things from upstream whenever possible as it means we don’t have to touch as many moving pieces making upgrades and future releases easier for us.

@ganda, I understand. What I was trying to point out is that you most likely pulled the rpm before the newest rpm hit our yum servers, which is why I asked you to rerun it. As for the system status page, I touched on that above. We understand that there is an issue with the system status page and will be pushing out a FreePBX Module update later today to address it.


@GameGamer43

And the 0.9 track gets quicker attention yet. Saturday morning three days ago for me. There is a mailing list that is active and not too noisy to catch the appropriate updates as they are committed. For the Asterisk filter: June 27 vs. January 09.

You might also want to look at your apache error logs and see if the noscript and nohome jails could be appropriately enabled.

FYI, the AMI events that need attention look like:

SECURITY[1918] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1435677997-293779",Severity="Error",Service="AMI",EventVersion="1",AccountID="manager",SessionID="0x7f4c3c7ceac0",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/58.252.4.117/35995",SessionTV="0-0"
SECURITY[2188] res_security_log.c: SecurityEvent="FailedACL",EventTV="1435495355-169186",Severity="Error",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7f47c00020b8",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/58.252.4.117/40738",SessionTV="0-0"

I believe these are covered by the current fail2ban regex in asterisk.conf:

^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?(,SessionTV="[\d-]+")$

(should also cover the latest asterisk 13 PJSIP stuff)
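To check which of the events quoted above that filter line actually matches, here is an added example (not code from fail2ban, FreePBX or the poster): it expands the %(...)s macros and &lt;HOST&gt; with assumed, simplified stand-ins, runs the regex exactly as quoted over the two AMI lines and over a constructed SIP line with a numeric AccountID, and then repeats the run with the AccountID sub-pattern relaxed to [^"]* (an illustration of the difference, not an upstream change).

```python
import re
# The SecurityEvent failregex quoted above (fail2ban 0.8 asterisk.conf), split into
# concatenated pieces for readability only; the pattern text itself is unchanged.
QUOTED_FAILREGEX = (
    r'^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|'
    r'ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",'
    r'Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",'
    r'LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"'
    r'(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?'
    r'(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?(,SessionTV="[\d-]+")$'
)
# Assumed, simplified stand-ins for the %(...)s macros and for fail2ban's <HOST>
# expansion; not copied from common.conf, asterisk.conf or fail2ban's code.
MACROS = {
    "__prefix_line": r"\s*",
    "log_prefix": r"SECURITY\[\d+\] res_security_log\.c:",
    "iso8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}",
}
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Constructed sample input: the two AMI lines quoted above, verbatim, plus a constructed
# SIP line (documentation address 203.0.113.9) whose AccountID is numeric, for comparison.
AMI_LINES = [
    'SECURITY[1918] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1435677997-293779",'
    'Severity="Error",Service="AMI",EventVersion="1",AccountID="manager",SessionID="0x7f4c3c7ceac0",'
    'LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/58.252.4.117/35995",SessionTV="0-0"',
    'SECURITY[2188] res_security_log.c: SecurityEvent="FailedACL",EventTV="1435495355-169186",'
    'Severity="Error",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7f47c00020b8",'
    'LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/58.252.4.117/40738",SessionTV="0-0"',
]
SIP_LINE = (
    'SECURITY[1918] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1435677997-000001",'
    'Severity="Error",Service="SIP",EventVersion="2",AccountID="1001",SessionID="0x7f4c3c7cf000",'
    'LocalAddress="IPV4/UDP/0.0.0.0/5060",RemoteAddress="IPV4/UDP/203.0.113.9/5060",Challenge="1a2b3c4d",'
    'ReceivedChallenge="1a2b3c4d",Response="deadbeef",ExpectedResponse="",SessionTV="0-0"'
)

def compile_failregex(failregex, account_id_pattern=None):
    """Expand macros and <HOST> as fail2ban does; optionally swap the AccountID sub-pattern."""
    if account_id_pattern is not None:  # e.g. r'[^"]*' to accept any account name
        failregex = failregex.replace(r'AccountID="(\d*|<unknown>)"',
                                      'AccountID="%s"' % account_id_pattern)
    return re.compile((failregex % MACROS).replace("<HOST>", HOST_RE))

def matched_hosts(regex, lines):
    """The <host> captured for each line the filter matches, None where it does not match."""
    return [m.group("host") if m else None for m in map(regex.match, lines)]

if __name__ == "__main__":
    print("as quoted:", matched_hosts(compile_failregex(QUOTED_FAILREGEX), AMI_LINES + [SIP_LINE]))
    print("relaxed  :", matched_hosts(compile_failregex(QUOTED_FAILREGEX, r'[^"]*'), AMI_LINES + [SIP_LINE]))
```

As quoted, the SecurityEvent line matches the numeric SIP AccountID but neither AMI line, because AccountID="(\d*|&lt;unknown&gt;)" does not accept names such as manager or admin; with the relaxed sub-pattern both AMI lines yield 58.252.4.117.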

replace gamin with pynotify and watch it sing :slight_smile:

This morning, AFTER pulling an update to the System Admin module (http://issues.freepbx.org/browse/FREEPBX-9581), I went and did yum update, which pulled the fail2ban update, after which it is failing to start, whereas it did work before.

Additionally, the status page shows me the fire icon and advice that it should be running, but the System Admin page shows it /is/ running.

Status:running

shows on intrusion detection no matter if I click Stop or Restart.

Doing it from console/ssh says:

[root@pbx ~]# service fail2ban restart
Stopping fail2ban: ERROR  Unable to contact server. Is it running?
                                                           [FAILED]
Starting fail2ban: WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
ERROR  Found no accessible config files for 'filter.d/asterisk-security' under /etc/fail2ban
ERROR  Unable to read the filter
ERROR  Errors in jail 'asterisk-iptables'. Skipping...
                                                           [FAILED]


[root@pbx ~]# yum info fail2ban
Loaded plugins: fastestmirror, kmod
Loading mirror speeds from cached hostfile
Installed Packages
Name        : fail2ban
Arch        : noarch
Version     : 0.8.14
Release     : 1.shmz65.1.8
Size        : 850 k
Repo        : installed
From repo   : schmooze-commercial
Summary     : Scan logfiles and ban ip addresses with too many password failures
URL         : http://fail2ban.sourceforge.net/
License     : GPL
Description : Fail2Ban monitors log files like /var/log/pwdfail or
            : /var/log/apache/error_log and bans failure-prone addresses. It
            : updates firewall rules to reject the IP address or executes user
            : defined commands.

Downgrading to previous version:

Removed:
  fail2ban.noarch 0:0.8.14-1.shmz65.1.8                                                                                           

Installed:
  fail2ban.noarch 0:0.8.14-1.shmz65.1.7 

Still the same; it does not start (same error as above).

HTH.

EDIT:
by doing

cp /etc/fail2ban/filter.d/asterisk.conf /etc/fail2ban/filter.d/asterisk-security.conf

(iow. renaming the asterisk.conf filter file to the asterisk-security.conf filter),

seems to have fixed fail2ban; it is now starting.

[root@pbx filter.d]# ls -l asterisk*
-rw-r--r-- 1 root root 2270 Aug 19  2014 asterisk.conf
-rw-r--r-- 1 root root 2270 Aug 19  2014 asterisk-security.conf
[root@pbx filter.d]# pwd
/etc/fail2ban/filter.d

The system overview is then not showing the fail2ban error any more.

EDIT2: the System Admin module still shows the fail2ban status wrong (shows running all the time).

The update released yesterday has the system status page working again for me.

In this environment you have to be aware of the so-called “Security Theater” that has popped up here in these fora in the past. If you rely on an IDS, it needs to actually detect those vectors. I am concerned that the current FreePBX “potted” fail2ban solution at this point in time is in fact “Theatrical” (i.e. not particularly effective); I am sure that many would love that I be proven wrong :wink: