Fail2ban does not block 443 UCP after consecutive failed login attempts

Today I went through extensive firewall testing.

I found that fail2ban does not block the UCP when a user has several successive failed logins.

To recreate this error:

  1. In UCP, exceed the maximum login attempts allowed by fail2ban.
  2. Confirm that your IP address has been placed in a "JAIL".
  3. In Chrome, do a SHIFT-F5 browser refresh.

The UCP login page is not blocked and it reloads. You can continue to put in bad passwords and continue your brute force attack.

Did you check your regex rules against the logs?

fail2ban-regex

(fail2ban is not magic, it needs instruction; your regexes are exactly that)

How can I make sure fail2ban blocks the UCP?

If there is no regex to match the log line you are concerned about, you will need to write or find one that does and add it to the asterisk jail.

Show us some log lines being "not caught".
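The two replies above boil down to one check: does a failregex actually match the lines the UCP writes, and do enough matches land inside `findtime` to reach `maxretry`? The following is an added example, not code from this thread or from the fail2ban or FreePBX projects. It reproduces the core of what `fail2ban-regex` reports (matched lines, missed lines) and the ban decision a jail makes, using the `maxretry = 4` / `findtime = 3600` values from the jail.local posted later in the thread as defaults. The log line format, the `Authentication failure ... from <HOST>` regex and the IP addresses are all constructed for the example; they are not the real `freepbx_security.log` format or the real `freepbx` filter.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of a FreePBX-style security log. The line format is an
# assumption for this example, not the real freepbx_security.log format.
SAMPLE_LOG = """\
[2023-01-15 18:00:00] [freepbx_security.NOTICE]: Authentication failure for admin from 192.0.2.5
[2023-01-15 19:10:00] [freepbx_security.NOTICE]: Authentication failure for admin from 192.0.2.5
[2023-01-15 20:20:00] [freepbx_security.NOTICE]: Authentication failure for admin from 192.0.2.5
[2023-01-15 21:00:05] [freepbx_security.NOTICE]: Authentication failure for admin from 203.0.113.7
[2023-01-15 21:00:09] [freepbx_security.NOTICE]: Authentication failure for admin from 203.0.113.7
[2023-01-15 21:00:14] [freepbx_security.NOTICE]: Authentication failure for admin from 198.51.100.9
[2023-01-15 21:00:20] [freepbx_security.NOTICE]: Authentication failure for admin from 203.0.113.7
[2023-01-15 21:00:31] [freepbx_security.NOTICE]: Authentication success for admin from 198.51.100.9
[2023-01-15 21:00:44] [freepbx_security.NOTICE]: Authentication failure for root from 203.0.113.7
[2023-01-15 21:30:00] [freepbx_security.NOTICE]: Authentication failure for admin from 192.0.2.5
"""

# A fail2ban-style failregex (assumed for this example). <HOST> is the
# placeholder fail2ban expands into an address-capturing group.
FAILREGEX = r"Authentication failure for \S+ from <HOST>$"
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
LINE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (.*)$")


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does (IPv4 only here) and compile."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def parse_line(line):
    """Split a log line into (timestamp, message); None if the prefix is missing."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)


def match_log(log_text, failregex):
    """Return (matched, missed): matched is a list of (timestamp, host);
    missed is every line the failregex did not catch, as fail2ban-regex reports."""
    rx = compile_failregex(failregex)
    matched, missed = [], []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        m = rx.search(msg)
        if m:
            matched.append((ts, m.group("host")))
        else:
            missed.append(line)
    return matched, missed


def hosts_to_ban(log_text, failregex, maxretry=4, findtime=3600):
    """Hosts with at least maxretry matched failures inside some findtime-second window.
    Failures spread wider than findtime never add up, which is why a slow attacker
    can stay under a jail's threshold."""
    matched, _ = match_log(log_text, failregex)
    per_host = defaultdict(list)
    for ts, host in matched:
        per_host[host].append(ts)
    banned = set()
    for host, times in per_host.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if (t - start).total_seconds() <= findtime]
            if len(in_window) >= maxretry:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    matched, missed = match_log(SAMPLE_LOG, FAILREGEX)
    print(f"{len(matched)} lines matched, {len(missed)} missed")
    for line in missed:
        print("  missed:", line)
    print("would ban:", sorted(hosts_to_ban(SAMPLE_LOG, FAILREGEX)))
```

Run against the sample, the regex catches nine failure lines and misses the one success line, and only `203.0.113.7` (four failures in under a minute) reaches the threshold; `192.0.2.5` also fails four times but spread over hours, so it is only banned if `findtime` is widened. Tightening the regex to `admin` only drops `203.0.113.7` to three matches, which is enough under jail.conf's `maxretry = 3` but not under jail.local's `maxretry = 4`. That gap between "the jail is enabled" and "the jail actually bans" is what `fail2ban-regex <logfile> <filter>` exposes on a real system.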

I would be happy to show you logs, but I will never find something that is not happening. Ask me to show you something from a log that IS happening.

Here is a screenshot from the GUI showing the PBX-GUI being banned for a certain IP address.

and here is the GUI loading in chrome using CTRL+F5 during the banned time period.

You can continue to do repeated login attempts. During the banned time period you can use a valid username and password to login.

Once you are logged in, no UCP functions work. But the fact that you can continue a brute force attack on the username & password during the banned time period, is a HUGE problem.

Not logs from fail2ban; logs from the system that contain the information that fail2ban would need to identify the source of the attack.

As you can see from the screenshot above, fail2ban is recognizing the attack on the UCP. However, port 443 remains open for brute force password attacks.

You would need to post your PBX-GUI jail .conf for any useful comment. (It is likely in /etc/fail2ban/filter.d/)

Let me preface this by saying there is no issue with fail2ban. fail2ban lists the banned IP address in JAIL as it should. I believe the problem is Apache webserver is not respecting the JAIL and is serving up HTTPS on port 443 regardless of what is in the JAIL.

With that said, here is the info you asked for:

I don't think jail.conf is what you want to see. It's default FreePBX and it's mostly all commented out.

# Fail2Ban jail specifications file
#
# Comments: use '#' for comment lines and ';' for inline comments
#
# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in jail.local file, e.g.:
#
# [DEFAULT]
# bantime = 3600
#
# [ssh-iptables]
# enabled = true
#

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.


# "bantime" is the number of seconds that a host is banned.
bantime  = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 3600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when reverse DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a reverse DNS lookup will be performed.
# warn:  if a hostname is encountered, a reverse DNS lookup will be performed, 
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = warn


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

What I believe you want to see is jail.local (below), which is default FreePBX, with no mods.

# Configuration automatically generated via the Sysadmin Module
# This file will be overwritten by Sysadmin on startup. If you modify
# this file, your changes will be lost. DO NOT MODIFY THIS FILE!
# generated: Sun, 15 Jan 2023 21:00:05 +0000

[DEFAULT]
ignoreip = 
sendername = FreePBX Alerts
bantime = 3600
findtime = 3600
maxretry = 4
backend = auto

[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=SIP, protocol=all]
     sendmail[name=SIP, [email protected], [email protected]]
logpath = /var/log/asterisk/fail2ban

[pbx-gui]
enabled = true
filter = freepbx
action = iptables-allports[name=PBX-GUI, protocol=all]
     sendmail[name=PBX-GUI, [email protected], [email protected]]
logpath = /var/log/asterisk/freepbx_security.log

[ssh-iptables]
enabled = true
filter = sshd
action = iptables-multiport[name=SSH, protocol=tcp, port=ssh]
     sendmail[name=SSH, [email protected], [email protected]]
logpath = /var/log/secure

[apache-tcpwrapper]
enabled = true
filter = apache-auth
action = iptables-allports[name=apache-auth, protocol=all]
     sendmail[name=apache-auth, [email protected], [email protected]]
logpath = /var/log/httpd/error_log

[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables-multiport[name=FTP, protocol=tcp, port=ftp]
     sendmail[name=FTP, [email protected], [email protected]]
logpath = /var/log/vsftpd.log

[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, protocol=tcp, port="http,https"]
     sendmail[name=BadBots, [email protected], [email protected]]
logpath = /var/log/httpd/*access_log

[apache-api]
enabled = true
filter = apache-api
action = iptables-multiport[name=api, protocol=tcp, port="http,https"]
     sendmail[name=api, [email protected], [email protected]]
logpath = /var/log/httpd/*access_log

[zulu]
enabled = true
filter = zulu
action = iptables-allports[name=zulu, protocol=tcp]
     sendmail[name=zulu, [email protected], [email protected]]
logpath = /var/log/asterisk/zulu_out.log

[openvpn]
enabled = true
filter = openvpn
action = iptables-multiport[name=openvpn, protocol=udp, port=1220]
     sendmail[name=openvpn, [email protected], [email protected]]
logpath = /var/log/openvpn.log

[recidive]
# recidivist.
#
#  Noun: A convicted criminal who reoffends, especially repeatedly.
#
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
     sendmail[name=recidive, [email protected], [email protected]]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 20

Adding the following to the bottom of jail.conf fixes the problem.

This scrapes the log that the UCP GUI writes to (freepbx_security.log) and, if it finds invalid login attempts, I would think this should put the IP address in the JAIL apache-api; however, it puts the IP address in JAIL pbx-gui.

Not entirely what I expected, but the problem is solved.

[apache-api]
enabled  = true
filter   = freepbx
action   = iptables-multiport[name=api, protocol=tcp, port="http,https"]
     sendmail[name=api, [email protected], [email protected]]
logpath  = /var/log/asterisk/freepbx_security.log

The servers are not aware of fail2ban. fail2ban sets up iptables rules that should stop the packets from getting to Apache.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.