We have a couple remote phones at a branch office and the responsive firewall keeps blocking the dynamic IP of that office. There are no genuinely malicious login attempts from the location and it’s literally one Sangoma phone and one SangomaConnect client (same extension).
Hi. Add the public IP of the branches as trusted in the firewall; this prevents both the firewall and fail2ban from banning the IP. Another way is to increase the max retries of fail2ban or whitelist the branch IP under the ignore IP list.
This is not the Responsive Firewall, that is the fail2ban settings. That is completely different than the Responsive Firewall. FreePBX is logging everything, good and bad, which means Fail2ban is reading those log files and is most likely seeing “false positives” in the logs.
This has been a common issue with fail2ban in FreePBX for a long time now. Which means any keep alives, subscriptions, etc. are all being logged. If the phones don’t respond to a keep alive, that could add “unresponsive” entries into the logs.
Let’s be clear before a fit is thrown about coding or not checking things by Sangoma. This isn’t a FreePBX issue, this is a fail2ban issue. Fail2ban just does basic REGEX checks in the log files and SIP is very, very chatty. Fail2ban also doesn’t understand SIP logic very well, so when you register and the system sends back a 401 Unauthorized, it doesn’t understand that is part of the auth process. This means:
1. Device sends Registration.
2. System sends back 401 Unauthorized, as it should. Fail2ban, however, sees this as a failure.
3. Device sends back Registration with auth, as it should.
4. System sends back 200 OK because auth is good. Fail2ban doesn’t correlate that the previous 401 error isn’t really an error because of the 200 OK.
So every REGISTER and SUBSCRIBE that is authenticating with the PBX generates a 401 failure because that’s what happens. Meaning for every “good” registration you have, fail2ban sees one failure for it.
Again, fail2ban just looks in log files for failures with no context if it is a real failure or not. It doesn’t understand that a 401 followed by a 200 is actually a success. It just sees it as one failure and one success.
Part of the reason I don’t use fail2ban for anything SIP related, it’s not smart enough to understand SIP logic.
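The 401-then-200 sequence described in the post above, as an added example that is not part of the thread or of FreePBX/fail2ban: it counts failures per source IP once with a context-free match on "401" and once after correlating each challenge with a later 200 OK in the same dialog. The log format, the function names and the `maxretry=2` threshold are assumptions made for the illustration, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in a simplified format (not real Asterisk/FreePBX log output).
SAMPLE_LOG = """\
10:00:00 src=198.51.100.7 call-id=phone-reg REGISTER
10:00:00 src=198.51.100.7 call-id=phone-reg 401 Unauthorized
10:00:01 src=198.51.100.7 call-id=phone-reg REGISTER
10:00:01 src=198.51.100.7 call-id=phone-reg 200 OK
10:00:05 src=198.51.100.7 call-id=app-reg REGISTER
10:00:05 src=198.51.100.7 call-id=app-reg 401 Unauthorized
10:00:06 src=198.51.100.7 call-id=app-reg REGISTER
10:00:06 src=198.51.100.7 call-id=app-reg 200 OK
10:01:00 src=203.0.113.50 call-id=x1 REGISTER
10:01:00 src=203.0.113.50 call-id=x1 401 Unauthorized
10:01:01 src=203.0.113.50 call-id=x1 REGISTER
10:01:01 src=203.0.113.50 call-id=x1 401 Unauthorized
"""

LINE = re.compile(r"src=(?P<ip>\S+) call-id=(?P<cid>\S+) (?P<event>.+)$")

def events(log):
    """Yield (ip, call_id, event) for each line that parses."""
    for m in filter(None, map(LINE.search, log.splitlines())):
        yield m["ip"], m["cid"], m["event"]

def naive_failures(log):
    """Every 401 is a failure: what a context-free regex match sees."""
    return Counter(ip for ip, _, ev in events(log) if ev.startswith("401"))

def correlated_failures(log):
    """Simplification: one auth exchange per Call-ID. If the dialog reaches
    200 OK, its first 401 was the expected challenge and is not counted."""
    n401, ok = Counter(), set()
    for ip, cid, ev in events(log):
        if ev.startswith("401"):
            n401[(ip, cid)] += 1
        elif ev.startswith("200"):
            ok.add((ip, cid))
    hits = Counter()
    for (ip, cid), n in n401.items():
        hits[ip] += (n - 1) if (ip, cid) in ok else n
    return hits

def banned(hits, maxretry=2):  # maxretry=2 is an illustrative threshold
    return sorted(ip for ip, n in hits.items() if n >= maxretry)

if __name__ == "__main__":
    for fn in (naive_failures, correlated_failures):
        print(fn.__name__, dict(fn(SAMPLE_LOG)), "banned:", banned(fn(SAMPLE_LOG)))
```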
Did you just miss the part when the location is on a dynamic IP? So adding it to the firewall solves the issue until the dynamic IP changes then the problem returns.
You really need to be more careful in your replies, this is an ongoing pattern.
No, I didn’t miss that. Not sure what that carpy comment is about.
Not every location has a static address. My point is that the firewall shouldn’t be banning devices that are functioning correctly in standard configurations.
I wasn’t asking you if you missed what you posted.
The firewall is not doing this, fail2ban is. They are not the same thing. Fail2ban is reading the logs and seeing errors then based on the thresholds is adding things to the firewall.
What version of FreePBX is this? Older versions may generate false positives because of the fail2ban filters.
Well fail2ban adds them as an attacker in the firewall. Which means the following attempts get seen by the firewall and end up in the attacker log. So it could be.