Continued issues with fail2ban

dvsatech · July 15, 2022, 3:22pm

I continue to have issues with IP’s that are both white listed AND in my trusted networks being banned. Its definitely happening less often but it still happens. I am running both 14 and 15 pbx’s all up to date on patches. Every one in a while one of my customers IP’s will get banned causing their entire site to go down. The first thing I check now is to see if their IP is banned and that usually fixes the issue. Occasionally it because their site is DHCP, they get a new IP and its banned (even though the MAC and password are correct and I have adaptive enabled), I verified there are no “misconfigured” phones with wrong passwords and all phones are registered ATM, but I have had a few cases where the IP did not change and it still ends up banned. I though that whitelisting an IP was supposed to prevent this from being banned but clearly something is not checking the whitelist in the banning process.

One thing I did notice is a few times this happened when I changed the extension from chan_sip to pjsip. I would go in to EPM, force the phone to reboot and then change the type from chan_sip to pjsip so on the reboot it would reprovision.to the new protocol. I have been moving the phones over a few dozen at a time.(if I change the type before rebooting the phone I lose al contact with the phone, in some cases I dont have access to the remote phone directly so I have to change it back to chan_sip, then reboot it, and then change to pjsip before it gets back up)

Another note is I do have the fall2ban settings set very strict. 3 failures in a few minutes is a permanent ban…

I opened a ticket in freepbx but it was almost immediately closed as “fixed” but clearly its not.

dicko · July 15, 2022, 3:29pm

If you ever reboot your system or restart Fail2Ban, all bets are off and everything is forgotten if your fail2ban version is less that 0.9. As a ’ work-around’ you can add ‘ignoreip’ by host or network which would be “retained” in the no longer supported 0.8 version over a restart.

dvsatech · July 16, 2022, 4:31am

I cant find a version for my fail2ban. Also, when I restart my pbx, the whitelist is still there so I don’t understand why its not adhered to. In my opinion, if its on the trusted list or the whitelist it should never ban it.

dicko · July 16, 2022, 1:22pm

fail2ban-client -V
iptables -L -n

will always show the active rules no matter what generates them, fail2ban is just one player here, the order of the rules is also crucial to see what is allowed and what is not and current versions of fail2ban can insert its chains anywhere you tell it to.

dvsatech · July 16, 2022, 5:17pm

Fail2Ban v0.8.14

I have no updates to apply but my fail2ban is still old?

DJ

dicko · July 16, 2022, 6:47pm

Old and unsupported, there is apparently a problem with the closed source sysadmin being unable to work around this six year old problem, go figure . . .

dvsatech · July 24, 2022, 12:55am

so how do I update to .9?

dicko · July 24, 2022, 2:03am

https://fail2ban.org

Version 0.11 works just fine with FreePBX, but apparently you can’t use it in the ‘distro’ for some reason(s).