Fail2ban and fwconsole

Im running the latest release of FPBX

1. Is there a way to add an IP Address to the IDS whitelist table from the command line without logging into the GUI? I know fwconsole firewall trust x.x.x.x will add it for the trusted Networks tab but thats not the same thing from what I am reading.

2. are the whitelisted IPs stored in a DB somewhere or does the IDS tab parse the ignoreip line in jail.local?

3. is there a way to list all zones with fwconsole firewall list ? I cant find the rejected one

Thanks,
–E

Did you try that? I think the latest update does sync the trusted addresses with fail2ban. I may be wrong tho.

so adding an IP via fwconsole firewall trust x.x.x.x will put it in the networks tab under Connectivity >> Firewall in the GUI. It also throws it in the iptables under the fpbxregistrations chain with a target called fpbxknownreg as well as in the chain fpbxnets with a target called zone-trusted

It does not put it under the IDS tab.

@PitzKey

I did just find the secret tabs that I am learning to click on more and more…

So under Connectivity >> Firewall, then you click on the four bar tab on the right the click Advanced. In that view, click on Advanced Settings and scroll down to IDS Sync Firewall and enable it. I also like the /etc/hosts method as well.

Time to play!

so this is what I did and I am waiting to find out if it was a bad idea or not…my PBX is on a public IP accessible to the Internet

I have enabled Responsive Firewall

I have enabled Intrusion Detection Sync Firewall on the advanced firewall settings tab

I have also enabled the Custom Firewall Rules on the advanced firewall settings tab.

I have added the following to the custom firewall rules Advanced Custom Rules ipv4 section

-I INPUT -p udp --dport 5060 -j DROP -m comment --comment "ADDED BY YOURS TRULY"
-I INPUT -p udp --dport 5060 -j fpbxnets -m comment --comment "ADDED BY YOURS TRULY"

so the new iptables INPUT chain looks like this:

pkts bytes target     prot opt in     out     source               destination
  503 1681K fail2ban-recidive  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    40 fail2ban-BadBots  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
    0     0 fail2ban-FTP  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 21
  516 1683K fail2ban-apache-auth  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   93  6728 fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
  542 1688K fail2ban-SIP  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  528 1681K fail2ban-SIP  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  101 46053 fpbxnets   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 /* ADDED BY YOURS TRULY */
   96 42336 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 /* ADDED BY YOURS TRULY */
 3915   11M fpbxfirewall  all  --  *      *       0.0.0.0/0            0.0.0.0/0

so now on the command line, I can run fwconsole firewall trust <remote.user.ip.address> which adds it to the IDS and Networks tab for whitelisting and bypassing firewalling

this should now test any packets to port 5060 by going first through the fail2ban- chains, then to my custom rules in the fpbxnets/zone-trusted chains and if the source IP is not listed there ( trusted from fwconsole command ), it will default to being dropped with the custom DROP command.

anything else not accessing via port 5060 would go to fpbxfirewall ruleset.

If you don’t enable the responsive firewall then you don’t need the custom drop rules.

Once you’ve enabled “Intrusion Detection Sync Firewall” in Firewall Advanced Settings, fail2ban config works differently than you’re used to with the legacy version. With the old settings, Intrusion Detection whitelist entries were written statically to the fail2ban config files, and required a service restart. With auto sync enabled, fail2ban service restarts are not feasible, so whitelisting is done dynamically. You can check the current fail2ban rules using the commands:

fail2ban-client status                - to get list of configured jails
fail2ban-client status <jail>         - to get list of banned ips for a specific jail
fail2ban-client get <jail> ignoreip   - to get list of whitelisted ips for specific jail

So supposing I have ID sync enabled for the trusted zone. I have one IP in the trusted zone already using the GUI, and I can get a list with:

# fwconsole firewall list trusted
All entries in zone 'trusted':
        66.185.28.100/32

And I can get a list of the fail2ban entries using:

# fail2ban-client get asterisk-iptables ignoreip
These IP addresses/networks are ignored:
|- 127.0.0.1
|- <redacted>
|- 10.8.0.1
`- 66.185.28.100/32

Now supposing I want to add a new trusted IP, 1.2.3.4. I can do this with:

# fwconsole firewall trust 1.2.3.4
Attempting to add '1.2.3.4/32' to Zone 'trusted' ... Success!

I wait a short while for the firewall daemon to sync with intrusion detection and then:

# fail2ban-client get asterisk-iptables ignoreip
These IP addresses/networks are ignored:
|- 127.0.0.1
|- <redacted>
|- 10.8.0.1
|- 66.185.28.100/32
`- 1.2.3.4/32

I understand what you’re saying and follow you, but my issue is now the linkage in function and priority.

Goal:

• port 5060 blocked to the world up above the fpbxfirewall chains; not necessarily before fail2ban.
• only allow port 5060 to trusted/whitelisted IP Addresses up front
• only have one command line command to add the IP to the whitelist table.
• all other firewalling continue to be processed as per FPBX out-of-the-box configurations.

I am thinking of disabling Responsive Firewall as I understand it to be if a registration is successful, then its gets placed into a ‘known good’ zone; which I dont want. The reason being is if an actor has the correct credentials, then that network goes freely. I also dont want to log into the GUI every time and update the allow/deny per extension as this violates the single command line rule

If I add a new site or a remote user’s home IP changed, I want to be able to run the single fwconsole firewall trust x.x.x.x command and everything keeps chugging along.

If I dont have the custom firewall rule in place, nothing out of the box is blocking port 5060 from the world if not in trusted-zone which is why I did what I did… thinking that was the solution

I am also new to FPBX and still wrapping my head around the build and the ins-and-outs of the configurations. I am not new to asterisk or centos

None of your listed goals have anything to do with fail2ban or intrusion detection. Furthermore, this line:

is not correct. Assuming a normal setup, i.e.:

• responsive is disabled
• interface(s) set to Internet zone
• internet zone disabled for SIP services

Then the PBX firewall does block SIP signaling ports by default.

Take a look at this vid if you haven’t already seen it: Open Source Pro Tips #2 - Firewall Basics

• responsive firewall is disabled.
• Interface is set to Internet Zone

how do you do this; I am searching the docs and may be overlooking this? maybe I will find it before a response… [UPDATE] I think I found it… Connectivity >> Firewall >> 4 bar tab on right >> Services >> Chan_SIP Protocol set to Reject

I would respectfully and slightly disagree. It may be true based on FPBX definitions but at the purest sense, if youre not allowed via 5060, I still want the source IP to be filtered via fail2ban chains as well as identified via the logs to be banned for other attack attempts and methods. If that has nothing to do with fail2ban than I am misinterpreting things and my understanding is lacking; which may be true.

thanks!

Now when I run
# fwconsole firewall trust 1.2.3.4/32

nothing shows up when I run the command and I have waited 5, 10, 15 minutes for the daemon to sync it.
# fail2ban-client get asterisk-iptables ignoreip

Can you show us some screenshots from your firewall settings?

please let me know which command you want me to run for the sake of misinterpreting and prolonging us getting to the core of it.

I appreciate your assistance.

Side note: I installed a new asterisk ISO and when it was activated, I never enabled responsive firewall, changed chan_sip/pjsip to reject, enabled IDS sync and same thing was happening. I still have access to both virtuals.

image1818×346 39.3 KB

image1534×362 51.4 KB

Thats the server public IP

image1809×243 18.6 KB

Thats my workstation public IP

image1776×250 22 KB

image1452×658 31.9 KB

image945×121 7.96 KB

image945×473 26.9 KB

also, found this in the docs and it doesnt work either

image1243×254 8.91 KB

when I run fwconsole firewall sync , this shows up in the cron log

image1188×133 6.53 KB

if I try to run sysadmin_manager firewall.get-dynamic-ignoreip manully, I get this as an echo back

image1355×88 5.4 KB

I am pretty sure the trust/sync is a bug at this point?

I have reinstalled from the ISO three different times and I have yet to get the sync to work from running fwconsole firewall trust x.x.x.x

Well, in your screenshot you didn’t select what it should synchronize…

@PitzKey

thanks.

so import means zone to sync when sync is enabled.

Got it. thanks

ok - another question. @PitzKey

if you adjust the bantime and find time, it reloads the jails, rescans the log files, rebuilds the iptables and ends up banning my management source IP to the box.

within 5 minutes after reload, the cron kicks off and syncs the fail2ban-client get $JAIL ignoreip with the $IPs of the trusted zone.

This does not unban the IPs from trusted-zone ( at least not for me )

I see in the cron log it tries to run the following:

image1451×195 13.2 KB

(assumptions)
you have one entry where a file doesnt exist error and it looks like this file should be the one to do the unbanning /var/www/html/admin/modules/firewall/hooks/dynamic-jails but doesnt as the IP is still banned