Fail2ban and fwconsole

fail2ban

#21

OK - another question, @PitzKey.

If you adjust the bantime and findtime, it reloads the jails, rescans the log files, rebuilds the iptables rules and ends up banning my management source IP to the box.

Within 5 minutes after the reload, the cron kicks off and syncs the fail2ban-client get $JAIL ignoreip list with the $IPs of the trusted zone.

This does not unban the IPs from the trusted zone (at least not for me).

I see in the cron log it tries to run the following:
(screenshot of the cron log output; image not included in the text)

(assumptions)
You have one entry with a "file doesn't exist" error, and it looks like this file should be the one to do the unbanning, /var/www/html/admin/modules/firewall/hooks/dynamic-jails, but it doesn't, as the IP is still banned.


#22

fail2ban has a lot of utility.

fail2ban-client |grep ignoreip

will show the commands for checking what your version of fail2ban can set/get after all the FPBX firewall rules have run, e.g. try

fail2ban-client  get <JAIL> ignoreip 

if you can, where <JAIL> is revealed by

fail2ban-client status

#23

Hi @dicko - thanks for the reply!

I know the uses for fail2ban-client.

I was more specifically trying to figure out why, after the fwconsole firewall sync command, the trusted IP doesn't get scrubbed from the jail's banned IPs.

/var/www/html/admin/modules/firewall/hooks/dynamic-jails gets run via cron as part of the sync process and has the code to scrub the IP from the jails if supplied with action = unbanip and settings['ip'] = the whitelisted IP from the trusted zone.

I have since created my own script that does something similar and runs via cron, but I feel like this function should be included with the sync and reload functions.

Unless I am missing yet another flag from the GUI, which is quite possible.


#24

Sorry, I don't use the FPBX firewall; I'm just showing you what your fail2ban is ultimately using. If the culprit network/host is in ignoreip for a particular jail, then for any tentative 'bans' from your machine or its subnet peers fail2ban would instead show something like this in its logs:

 . . . .fail2ban.filter         [20775]: INFO    [asterisk] Ignore nnn.nnn.nnn.nnn by ip     

Perhaps add a more lenient ignoreip for the whole subnet.

Also, presumably the whole firewall is using iptables, so iptables -L might find a REJECT/DROP for your IP in some other chain before the fail2ban chains are processed.
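The check discussed in #21 to #24, as an added example that is not part of this thread, of FreePBX's firewall module, or of fail2ban itself: a Python script that takes the banned-IP list of a jail from fail2ban-client status <JAIL>, takes the jail's ignoreip list from fail2ban-client get <JAIL> ignoreip, and produces (or runs) fail2ban-client set <JAIL> unbanip <IP> for every banned address that falls inside a trusted network, which is the scrub the sync step is not doing for the poster. It also pulls the "Ignore ... by ip" line from #24 out of fail2ban's log. The output layouts in SAMPLE_STATUS and SAMPLE_IGNOREIP are constructed samples that assume the shape fail2ban prints (the parsers key only on the "Banned IP list:" line and on the "|- " / "`- " item prefixes), so check them against your version before trusting the result; hostnames in ignoreip are skipped, and sync_jail() is the only function that talks to a real fail2ban-client.

```python
"""Unban addresses a fail2ban jail has banned despite being in its ignoreip list.

Added example; not FreePBX or fail2ban project code. Run with no arguments for a
dry run against the constructed samples below; call sync_jail("<jail>") on a box
where fail2ban-client is installed to do it for real.
"""
import ipaddress
import re
import subprocess

# Constructed sample of `fail2ban-client status <jail>` output. Assumption: this
# is the layout fail2ban prints; only the "Banned IP list:" line is parsed.
SAMPLE_STATUS = """\
Status for the jail: asterisk
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     12
|  `- File list:        /var/log/asterisk/security
`- Actions
   |- Currently banned: 3
   |- Total banned:     7
   `- Banned IP list:   203.0.113.7 10.0.0.25 198.51.100.9
"""

# Constructed sample of `fail2ban-client get <jail> ignoreip` output (same assumption).
SAMPLE_IGNOREIP = """\
These IP addresses/networks are ignored:
|- 127.0.0.1/8
|- 10.0.0.0/24
`- 198.51.100.9
"""

# Constructed fail2ban.log lines, including the "Ignore ... by ip" message from #24.
SAMPLE_LOG = """\
2023-05-01 10:00:01,101 fail2ban.filter  [20775]: INFO    [asterisk] Ignore 10.0.0.25 by ip
2023-05-01 10:00:02,202 fail2ban.filter  [20775]: INFO    [asterisk] Found 203.0.113.7
2023-05-01 10:00:03,303 fail2ban.actions [20775]: NOTICE  [asterisk] Ban 203.0.113.7
"""


def parse_banned_ips(status_text):
    """Return the addresses listed after 'Banned IP list:' in a status dump."""
    match = re.search(r"Banned IP list:\s*(.*)", status_text)
    return match.group(1).split() if match else []


def parse_ignoreip(text):
    """Return the ignoreip entries, i.e. every '|- x' or '`- x' item line."""
    return re.findall(r"^\s*[|`]-\s*(\S+)", text, flags=re.M)


def trusted_networks(entries):
    """Turn ignoreip entries into networks; a bare address becomes a /32 (or /128)."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass  # hostnames in ignoreip are not resolved here (assumption: rare)
    return nets


def banned_but_trusted(banned, ignore_entries):
    """Banned addresses that fall inside any trusted network, in status order."""
    nets = trusted_networks(ignore_entries)
    stale = []
    for ip in banned:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if any(addr in net for net in nets):
            stale.append(ip)
    return stale


def unban_commands(jail, ips):
    """argv lists for `fail2ban-client set <jail> unbanip <ip>`, one per address."""
    return [["fail2ban-client", "set", jail, "unbanip", ip] for ip in ips]


def parse_ignore_log(log_text):
    """Addresses fail2ban reported as 'Ignore <ip> by ip', i.e. honoured ignoreip."""
    return set(re.findall(r"\] Ignore (\S+) by ip", log_text))


def sync_jail(jail, run=subprocess.run):
    """Query the live jail and unban every trusted address; returns what was unbanned."""
    status = run(["fail2ban-client", "status", jail],
                 capture_output=True, text=True, check=True).stdout
    ignore = run(["fail2ban-client", "get", jail, "ignoreip"],
                 capture_output=True, text=True, check=True).stdout
    stale = banned_but_trusted(parse_banned_ips(status), parse_ignoreip(ignore))
    for cmd in unban_commands(jail, stale):
        run(cmd, check=True)
    return stale


if __name__ == "__main__":
    # Dry run over the constructed samples: shows what a cron job would execute.
    stale_ips = banned_but_trusted(parse_banned_ips(SAMPLE_STATUS),
                                   parse_ignoreip(SAMPLE_IGNOREIP))
    for cmd in unban_commands("asterisk", stale_ips):
        print(" ".join(cmd))
    print("ignored per log:", sorted(parse_ignore_log(SAMPLE_LOG)))
```

Running the file prints the two unbanip commands for 10.0.0.25 and 198.51.100.9 and nothing for 203.0.113.7, which is banned but not trusted. For a cron job, replace the dry run with sync_jail(jail) for each jail named by fail2ban-client status; if an address keeps coming back after the unban, that is the iptables ordering question from #24 rather than a fail2ban one.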