[Fail2Ban] block all

I get a few emails a day such as: "The IP 20.127.13.80 has just been banned by Fail2Ban after
3 attempts against SIP on." Is there a way for all non-whitelisted IPs to be blocked? Is there a way to automatically add these IPs to the BLACKLIST in FreePBX?

Does fail2ban have a setting to reject all instead of accept all?

Many thanks.

iptables -L
Chain INPUT (policy ACCEPT)
target                prot opt source    destination
fail2ban-recidive     all  --  anywhere  anywhere
fail2ban-openvpn      udp  --  anywhere  anywhere  multiport dports openvpn
fail2ban-api          tcp  --  anywhere  anywhere  multiport dports http,https
fail2ban-BadBots      tcp  --  anywhere  anywhere  multiport dports http,https
fail2ban-FTP          tcp  --  anywhere  anywhere  multiport dports ftp
fail2ban-apache-auth  all  --  anywhere  anywhere
fail2ban-SSH          tcp  --  anywhere  anywhere  multiport dports ssh
fail2ban-PBX-GUI      all  --  anywhere  anywhere
fail2ban-SIP          all  --  anywhere  anywhere
fpbxfirewall          all  --  anywhere  anywhere
REJECT                all  --  anywhere  95.0.0.0.static.ttnet.com.tr/8  reject-with icmp-port-unreachable
REJECT                all  --  anywhere  185.0.0.0/8                     reject-with icmp-port-unreachable
REJECT                all  --  anywhere  193.0.0.0/8                     reject-with icmp-port-unreachable
REJECT                all  --  anywhere  193.0.0.0/8                     reject-with icmp-port-unreachable
REJECT                all  --  anywhere  ip-195-0-0-0.dsl.scarlet.be/8   reject-w

You can block all by default on INPUT by:

iptables -P INPUT DROP

Then you will need to add IPs to the whitelist:

iptables -A INPUT -s ip.ad.dr.ess -j ACCEPT

Keep in mind that this is pretty static and will require you to know the IP of anything that you want connecting to your server.
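An added example (not from the thread, FreePBX or Fail2ban) of the "default DROP plus whitelist" approach described above, applied to SIP on UDP/5060. It prints the iptables commands rather than applying them, in an order that accepts loopback, established connections and SSH from an assumed management network before the policy flips, so the DROP policy cannot lock you out; the admin and peer ranges are constructed documentation addresses.

```shell
#!/bin/sh
# Added example, not the poster's commands: emit an ordered iptables rule set
# that allows SIP (UDP/5060) only from whitelisted peers and drops the rest.
# The rules are PRINTED, not applied; review them, then pipe into `sh` on the PBX.
# Assumptions (mine): an admin CIDR that must keep SSH access, and a list of
# peer CIDRs your extensions register from.

# gen_sip_whitelist_rules <admin_cidr> <peer_cidr> [<peer_cidr> ...]
gen_sip_whitelist_rules() {
    admin="$1"; shift
    # Order matters: accept what must keep working BEFORE switching the policy.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -s $admin -j ACCEPT"
    for peer in "$@"; do
        echo "iptables -A INPUT -p udp --dport 5060 -s $peer -j ACCEPT"
    done
    # Anything not matched above (scanners from 20.64.0.0/10 included) is dropped.
    echo "iptables -P INPUT DROP"
}

# Number of SIP peer rules a generated rule set contains (self-check helper).
count_sip_rules() {
    gen_sip_whitelist_rules "$@" | grep -c -- '--dport 5060'
}

# Constructed sample: admin from 203.0.113.0/24, phones at two sites.
gen_sip_whitelist_rules 203.0.113.0/24 198.51.100.0/24 192.0.2.10/32
```

Extensions behind a NAT still need the ESTABLISHED,RELATED rule, so leave it in place even after the policy is DROP.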

Chasing hosts that try against UDP/5060 is a waste of time; for example, your suspect host is one in a /10 network that belongs to Microsoft.

whois -h whois.cymru.com ' -v -f 20.127.13.80'   
8075    | 20.127.13.80     | 20.64.0.0/10        | US | arin     | 2017-10-18 | MICROSOFT-CORP-MSN-AS-BLOCK, US

One solution is to only allow connections to UDP/5060 from every address your extensions might ever come from; this will probably take lots of net-filter rules.

Another one: just don’t listen on UDP/5060. Mostly just one net-filter rule.

But no, Fail2ban passively parses log files; on discovery of an interloper it will by default add that IP to your net filter if it fails other persistence and frequency filters. You could set your jail’s 'action's to ban the whole subnet, but that soon becomes a nightmare.

Best not to stand in the middle of the freeway if you don’t want to get run-over.

Why not use the built-in FreePBX firewall?
