Yes .06. All I did was click on System Admin and I got a big prompt about how the Firewall is now on. I hit abort after the second config screen and suddenly all of our phones lost connection.
PBXs don’t need software firewalls, at least not in general. This should be a disabled module by default and only turned on as needed. If we’re using this thing in enterprise we have our own firewalls, VLANs, etc. Those who absolutely need a software firewall should learn iptables anyway.
Also the big nag red text about the system firewall being off on the dashboard is absolutely not needed either.
It also started banning Integra SIP switch, as well. Very randomly, as well. What the heck is going on???
I don’t see it under intrusion detection (“Banned IP’s No Banned IP’s”), but I do see it in fail2ban.log.
Also, under intrusion detection, I have it in the whitelist there, as well as in ignoreip in the jail.conf file. In addition, it’s an IP that is allowed in the iptables chain.
I have PIAF servers that aren’t doing this; it seems it’s only the FreePBX distro that this is happening to (as far as I can tell).
That’s interesting. There’s nothing in the code, anywhere, that turns on firewall until you click Yes. Line 21 (not highlighted) is triggered when you click abort, and as you can see, it doesn’t turn on the firewall.
That’s the explicit piece of code there. So I’m guessing that you had already turned it on, and had forgotten about it.
That’s wrong.
That’s right. Sort of. It’s not active, but it’s enabled. There’s a difference.
That’s 100% incorrect, and you’re only saying that because you’re not in IRC trying to help people with firewall problems every. single. day.
That’s because you’ve installed the Firewall module. If you don’t want it to complain about it not being active, then you should uninstall the module.
Fail2ban is really dumb. It looks for failed authorization attempts from remote hosts, and then bans them. So I’m guessing that, for some reason, they’re trying to authenticate to you with invalid credentials, fail2ban is picking that up, and blocking them.
Firewall is much smarter, and doesn’t do that. Sadly, fail2ban is really annoying about jumping in front of Firewall and blocking things that it shouldn’t. It’s on my list of things to care about.
I understand. The thing I’m wondering is that I added chains to accept 5060 only from my SIP provider’s proxy. Since doing that it seems that fail2ban started blocking them (Vitelity in one case, Integra in the other). It’s odd to me, also, that fail2ban’s chain would override the accept chain that I configured in /etc/sysconfig/iptables.
The chains it builds are dynamically updated in iptables as intrusions are detected. Those rules are constrained to the fail2ban chains; the rest of iptables is untouched. The order in which iptables processes packets is, without doubt, the order that iptables -L lists them. If you have rules in place before fail2ban is started, then they should be honored; if you add them after fail2ban’s chains are started, then they might conflict. The order is important.
So get your iptables-based firewall working as you want, THEN start fail2ban. If you have a “perfect” firewall then nothing will ever get to fail2ban, as it appends its chains to the extant ones. If you have used it to fully protect all your services then it can probably catch those clever bastards permitted by the “imperfect” firewall.
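A constructed model of the first-match ordering described above, added here and not taken from the thread or from fail2ban itself: it never touches iptables, it only walks an INPUT chain list the way iptables does, so the two placements of a provider ACCEPT rule (before or after the jump into the fail2ban chain) can be compared offline. The provider address 198.51.100.10, the chain name fail2ban-ASTERISK and the DROP ban rule are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    target: str                  # ACCEPT, DROP, RETURN, or the name of a chain to jump to
    src: str = "0.0.0.0/0"       # source network the rule matches
    dport: Optional[int] = None  # destination port; None matches any port

@dataclass
class Ruleset:
    chains: dict = field(default_factory=dict)  # chain name -> list of Rule, in table order
    policy: str = "DROP"                        # default policy of the INPUT chain

    def _walk(self, chain: str, src: str, dport: int) -> Optional[str]:
        # First matching terminal rule wins; a user-defined chain is entered by jumping
        # into it, and RETURN (or falling off its end) resumes in the calling chain.
        for rule in self.chains.get(chain, []):
            if ip_address(src) not in ip_network(rule.src):
                continue
            if rule.dport is not None and rule.dport != dport:
                continue
            if rule.target in ("ACCEPT", "DROP", "REJECT"):
                return rule.target
            if rule.target == "RETURN":
                return None
            verdict = self._walk(rule.target, src, dport)  # jump to user-defined chain
            if verdict is not None:
                return verdict
        return None

    def verdict(self, src: str, dport: int) -> str:
        return self._walk("INPUT", src, dport) or self.policy

PROVIDER = "198.51.100.10"  # constructed placeholder for the SIP provider's proxy address

def build(jump_first: bool) -> Ruleset:
    """INPUT chain with the provider ACCEPT rule either after or before the fail2ban jump."""
    accept_provider = Rule("ACCEPT", src=PROVIDER, dport=5060)
    jump_f2b = Rule("fail2ban-ASTERISK", dport=5060)
    rs = Ruleset(policy="DROP")
    # Assumed shape of fail2ban's chain once it has banned the provider by mistake.
    rs.chains["fail2ban-ASTERISK"] = [Rule("DROP", src=PROVIDER), Rule("RETURN")]
    rs.chains["INPUT"] = [jump_f2b, accept_provider] if jump_first else [accept_provider, jump_f2b]
    return rs
```

`build(True).verdict(PROVIDER, 5060)` returns DROP because the jump is hit first, while `build(False).verdict(PROVIDER, 5060)` returns ACCEPT because the provider rule was already in place ahead of it.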
I have no idea why at this point. I had to whitelist Vitelity in fail2ban. I suspected that some hacker was spoofing an IP address to attack my server.
Ah, but your whitelist is working? Where did you put the whitelist? From within FreePBX or in jail.conf? It wasn’t working for me to even use ignoreip=, but since I’ve reinstalled fail2ban from this script: Fail2Ban With Asterisk
Yeah, the whitelist is working. I put the address in through the FreePBX GUI. Not that it helps if it is an attack attempt from a spoofed IP. The system works, but maybe a hacker will get in.