Changed network and all IP phones except one works

Cliffster · March 2, 2010, 2:49pm

This one has me stumped…

PBX in a Flash Version 1.3
Operating system CentOS Linux 5.2
FreePBX Base Version: 2.7.0.0

PROBLEM:

We are adjusting the network, and I had to change from one network range to another for FreePBX Server and all of the IP phones. All went pretty well, except one of the IP phones will not re-register. I compared FreePBX Extension settings for the one that works next to the one that doesn’t and compared Grandstream phone settings next to the one that doesn’t.

More oddities. When I left work yesterday, there were two extensions set up on FreePBX and on the phone that doesn’t work. The Account 2 finally started working, an hour after I left.

Every hour the other phone is logging this.

[2010-03-02 03:06:47] NOTICE[5085] chan_sip.c: Registration from ‘sip:[email protected];user=phone’ failed for ‘192.168.20.24’ - Wrong password

I quadruple-checked the passwords.

I tried both User ID is phone number: Yes and No. It is Yes on mine.

ANY IDEAS ARE WELCOME

More system info:

Asterisk (Ver. 1.4.21.2):

Asterisk Source Version : 1.4.21.2
Zaptel Source Version : 1.4.12.1
Libpri Source Version : 1.4.7
Addons Source Version : 1.4.7

MySQL client version: 5.0.45
phpMyAdmin - 2.11.0
Server version: 5.0.45
Protocol version: 10

Webmin version 1.420

Apache version 2.2.3

Flash Operator Panel op_server.pl version 0.30

Hardware:

CPU & Companion Chips VIA C7 1.5GHz + CN700

Memory 1GB DDRII (SO-DIMM)

Digium Wildcard 4-port TDM PCI TDM410P

Grandstream phones: Product Model: GXP2000 (HW1.2B)
Software Version: Program-- 1.1.6.16 Bootloader-- 1.1.6.5

Cliffster · March 2, 2010, 3:14pm

Discovered this in the mail log.

The IP 192.168.20.24 has just been banned by Fail2Ban after 6 attempts against ASTERISK.

Now I just have to figure out how to unban it.

mag · March 2, 2010, 3:24pm

You should add your new local network/subnet to the /etc/fail2ban/jail.conf ignoreip parameter, then restart fail2ban - service fail2ban restart.

Cliffster · March 2, 2010, 4:49pm

root@pbx:~ $ service fail2ban restart
Stopping fail2ban: <---- never gets past this so I Ctrl/z

fail2ban-client status <---- never does anything so I Ctrl/z

[1]+ Stopped service fail2ban restart
root@pbx:~ $ fail2ban-client status <---- never does anything so I Ctrl/z

[2]+ Stopped fail2ban-client status <---- never does anything so I Ctrl/z

root@pbx:~ $ fail2ban-client start <---- never does anything so I Ctrl/z

[3]+ Stopped fail2ban-client start
root@pbx:~ $ status <---- never does anything so I am lost.

Cliffster · March 2, 2010, 5:36pm

After adding my new local network/subnet to the /etc/fail2ban/jail.conf ignoreip parameter and after deleting the IP address from the jail

root@pbx:/var/spool/mail $ iptables -D fail2ban-ASTERISK 1
root@pbx:/var/spool/mail $ iptables -nvL fail2ban-ASTERISK
Chain fail2ban-ASTERISK (1 references)
pkts bytes target prot opt in out source destination
106K 17M RETURN all – * * 0.0.0.0/0 0.0.0.0/0

(I am a bit confused as to why all of the others worked).

I deleted the Account 2 that was working, since it was not the extension she uses.

And then since fail2ban never seemed to shutdown… I tried amportal restart to no avail and then shutdown -r now… and Account 1 is working now.

I am trying to re-add Account 2 again, but still no luck.

Cliffster · March 2, 2010, 5:37pm

Thanks!

blanchae · March 2, 2010, 5:46pm

Last week, I started writing a bash script called unban that would check the jails on fail2ban and report the IP addresses banned then give you the option to unban them. Unfortunately, I could never get fail2ban to stop and restart properly or iptables to sync with fail2ban. From the fail2ban site, it looks like we’ll have to wait until version 0.90 for fail2ban-client to be able to unban IP addresses. Currently we are at version 0.84.

Here’s the script:

#!/bin/bash
COUNTER=0
while [ $COUNTER = 0]; do
clear
ech0
echo "1 - View fail2ban jail list"
echo
echo "2 - View apache-tcpwrapper jail"
echo
echo "3 - View apache-badbots jail"
echo
echo "4 - View ssh-iptables jail"
echo
echo "5 - View asterisk-iptables jail"
echo
echo "6 - View vsftpd-iptables jail"
echo
echo "7 - Unban IP address"
echo
echo "Q - Quit"
echo
read -p "Enter your choice " choice

if [ $choice = "1"]; then
	clear
	echo
	echo "Displaying fail2ban jail list:"
	echo
	fail2ban-client status
	echo
	read -p "Press enter to continue"

elseif [ $choice = "2"]; then
	clear
	echo
	echo "Displaying apache-tcpwrapper jail:"
	echo
	fail2ban-client status apache-tcpwrapper
	echo
	read -p "Press enter to continue"

elseif [ $choice = "3"]; then
	clear
	echo
	echo "Displaying apache-badbots jail:"
	echo
	fail2ban-client status apache-badbots
	echo
	read -p "Press enter to continue"

elseif [ $choice = "4"]; then
	clear
	echo
	echo "Displaying ssh-iptables jail:"
	echo
	fail2ban-client status ssh-iptables
	echo
	read -p "Press enter to continue"

elseif [ $choice = "5"]; then
	clear
	echo
	echo "Displaying asterisk-iptables jail:"
	echo
	fail2ban-client status asterisk-iptables
	echo
	read -p "Press enter to continue"

elseif [ $choice = "6"]; then
	clear
	echo
	echo "Displaying vsftpd-iptables jail:"
	echo
	fail2ban-client status vsftpd-iptables
	echo
	read -p "Press enter to continue"

elseif [ $choice = "7"]; then
	clear
	echo
	echo "Unban an IP address:"
	echo  
	read -p "Enter the IP that you wish to unban:" banned_IP
	iptables -D fail2ban-SSH -s $banned_IP -j DROP
	echo $banned_IP will be unbanned
	echo
	read -p "Press enter to continue"

elseif [ $choice = "Q"]; then
	echo "Bye"
	exit
fi

done

Cliffster · March 2, 2010, 7:23pm

Or that I am not alone in this.

At this point all is up and running except the nefarious second Account 2. Eventually I will get that going.

Cliffster · March 2, 2010, 9:51pm

Forgot to set that Account 2 back to active.

All’s well now. Thanks all.