Is there a way to add an IP Address to the IDS whitelist table from the command line without logging into the GUI? I know fwconsole firewall trust x.x.x.x will add it for the trusted Networks tab but that's not the same thing from what I am reading.
are the whitelisted IPs stored in a DB somewhere or does the IDS tab parse the ignoreip line in jail.local?
is there a way to list all zones with fwconsole firewall list ? I can't find the rejected one
so adding an IP via fwconsole firewall trust x.x.x.x will put it in the networks tab under Connectivity >> Firewall in the GUI. It also throws it in the iptables under the fpbxregistrations chain with a target called fpbxknownreg as well as in the chain fpbxnets with a target called zone-trusted
I did just find the secret tabs that I am learning to click on more and more…
So under Connectivity >> Firewall, then you click on the four bar tab on the right then click Advanced. In that view, click on Advanced Settings and scroll down to IDS Sync Firewall and enable it. I also like the /etc/hosts method as well.
so now on the command line, I can run fwconsole firewall trust <remote.user.ip.address> which adds it to the IDS and Networks tab for whitelisting and bypassing firewalling
this should now test any packets to port 5060 by going first through the fail2ban- chains, then to my custom rules in the fpbxnets/zone-trusted chains and if the source IP is not listed there ( trusted from fwconsole command ), it will default to being dropped with the custom DROP command.
anything else not accessing via port 5060 would go to fpbxfirewall ruleset.
Once you've enabled "Intrusion Detection Sync Firewall" in Firewall Advanced Settings, fail2ban config works differently than you're used to with the legacy version. With the old settings, Intrusion Detection whitelist entries were written statically to the fail2ban config files, and required a service restart. With auto sync enabled, fail2ban service restarts are not feasible, so whitelisting is done dynamically. You can check the current fail2ban rules using the commands:
fail2ban-client status - to get list of configured jails
fail2ban-client status <jail> - to get list of banned ips for a specific jail
fail2ban-client get <jail> ignoreip - to get list of whitelisted ips for specific jail
So supposing I have ID sync enabled for the trusted zone. I have one IP in the trusted zone already using the GUI, and I can get a list with:
# fwconsole firewall list trusted
All entries in zone 'trusted':
66.185.28.100/32
And I can get a list of the fail2ban entries using:
# fail2ban-client get asterisk-iptables ignoreip
These IP addresses/networks are ignored:
|- 127.0.0.1
|- <redacted>
|- 10.8.0.1
`- 66.185.28.100/32
Now supposing I want to add a new trusted IP, 1.2.3.4. I can do this with:
# fwconsole firewall trust 1.2.3.4
Attempting to add '1.2.3.4/32' to Zone 'trusted' ... Success!
I wait a short while for the firewall daemon to sync with intrusion detection and then:
# fail2ban-client get asterisk-iptables ignoreip
These IP addresses/networks are ignored:
|- 127.0.0.1
|- <redacted>
|- 10.8.0.1
|- 66.185.28.100/32
`- 1.2.3.4/32
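As an added example (not from this thread or from FreePBX itself), the check above can be scripted: parse the tree-style output of `fail2ban-client get <jail> ignoreip` and the output of `fwconsole firewall list <zone>`, normalise bare addresses to /32, and report any trusted-zone network the jail is not yet ignoring (sync lag, or the sync job failing). The two listings embedded below are constructed samples modelled on the ones in the thread; `check_live` is an assumed helper that only works on a FreePBX host where both commands exist.

```shell
#!/bin/sh
# Constructed sample of `fwconsole firewall list trusted` output.
TRUSTED_OUT="All entries in zone 'trusted':
66.185.28.100/32
1.2.3.4/32"

# Constructed sample of `fail2ban-client get asterisk-iptables ignoreip` output.
IGNOREIP_OUT=$(cat <<'EOF'
These IP addresses/networks are ignored:
|- 127.0.0.1
|- 10.8.0.1
|- 66.185.28.100/32
`- 1.2.3.4/32
EOF
)

# Drop the header and the "|- " / "`- " tree decorations, one entry per
# line; a bare IPv4 address is normalised to /32 so it compares with CIDRs.
ignoreip_entries() {
    printf '%s\n' "$1" | sed -n 's/^[|`]- *//p' | sed 's#^\([0-9.]*\)$#\1/32#'
}

# Same normalisation for the zone listing, minus its header line.
zone_entries() {
    printf '%s\n' "$1" | grep -v '^All entries in zone' | sed 's#^\([0-9.]*\)$#\1/32#'
}

# Exit 0 if IP (or CIDR) $1 is in the ignoreip output $2, else 1.
is_whitelisted() {
    ip=$1
    case "$ip" in */*) ;; *) ip="$ip/32" ;; esac
    ignoreip_entries "$2" | grep -qxF "$ip"
}

# Print each trusted-zone entry ($1) that the jail output ($2) does not ignore.
missing_from_jail() {
    zone_entries "$1" | while IFS= read -r net; do
        is_whitelisted "$net" "$2" || printf '%s\n' "$net"
    done
}

# Exit 0 when every zone entry is already in the jail's ignore list.
zone_synced() {
    [ -z "$(missing_from_jail "$1" "$2")" ]
}

# Assumed live wrapper (FreePBX host only): defaults to the zone and jail
# named in the thread; prints nothing when the sync has caught up.
check_live() {
    missing_from_jail "$(fwconsole firewall list "${1:-trusted}")" \
                      "$(fail2ban-client get "${2:-asterisk-iptables}" ignoreip)"
}
```

Run `check_live` a minute or two after `fwconsole firewall trust x.x.x.x`; any address it prints is trusted in the firewall but still subject to banning by fail2ban.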
I understand what you're saying and follow you, but my issue is now the linkage in function and priority.
Goal:
port 5060 blocked to the world up above the fpbxfirewall chains; not necessarily before fail2ban.
only allow port 5060 to trusted/whitelisted IP Addresses up front
only have one command line command to add the IP to the whitelist table.
all other firewalling continue to be processed as per FPBX out-of-the-box configurations.
I am thinking of disabling Responsive Firewall as I understand it to be if a registration is successful, then it gets placed into a "known good" zone; which I don't want. The reason being is if an actor has the correct credentials, then that network goes freely. I also don't want to log into the GUI every time and update the allow/deny per extension as this violates the single command line rule
If I add a new site or a remote user's home IP changed, I want to be able to run the single fwconsole firewall trust x.x.x.x command and everything keeps chugging along.
If I don't have the custom firewall rule in place, nothing out of the box is blocking port 5060 from the world if not in trusted-zone which is why I did what I did… thinking that was the solution
I am also new to FPBX and still wrapping my head around the build and the ins-and-outs of the configurations. I am not new to asterisk or centos
how do you do this; I am searching the docs and may be overlooking this? maybe I will find it before a response… [UPDATE] I think I found it… Connectivity >> Firewall >> 4 bar tab on right >> Services >> Chan_SIP Protocol set to Reject
I would respectfully and slightly disagree. It may be true based on FPBX definitions but at the purest sense, if you're not allowed via 5060, I still want the source IP to be filtered via fail2ban chains as well as identified via the logs to be banned for other attack attempts and methods. If that has nothing to do with fail2ban then I am misinterpreting things and my understanding is lacking; which may be true.
Now when I run # fwconsole firewall trust 1.2.3.4/32
nothing shows up when I run the command below, and I have waited 5, 10, 15 minutes for the daemon to sync it.
# fail2ban-client get asterisk-iptables ignoreip
please let me know which command you want me to run for the sake of misinterpreting and prolonging us getting to the core of it.
I appreciate your assistance.
Side note: I installed a new asterisk ISO and when it was activated, I never enabled responsive firewall, changed chan_sip/pjsip to reject, enabled IDS sync and same thing was happening. I still have access to both virtuals.
if you adjust the bantime and findtime, it reloads the jails, rescans the log files, rebuilds the iptables and ends up banning my management source IP to the box.
within 5 minutes after reload, the cron kicks off and syncs the fail2ban-client get $JAIL ignoreip with the $IPs of the trusted zone.
This does not unban the IPs from trusted-zone ( at least not for me )
I see in the cron log it tries to run the following:
(assumptions)
you have one entry where a file doesn't exist error and it looks like this file should be the one to do the unbanning /var/www/html/admin/modules/firewall/hooks/dynamic-jails but doesn't as the IP is still banned