Fail2Ban, DHCP and IPTables Un-Registering Phones

Good morning,

I’m having a bit of an issue with the above. I just installed at a client’s site this past weekend and first thing Monday morning, their phones are down. Most likely their IP address changed and while their phones were trying to re-register they were locked out via Fail2Ban and IPTables.

I have the Sysadmin module activated with the FreePBX distro. I also have it set to ban IP addresses after 2 attempts. Is that too strict? What would be the best way to prevent clients who do not have a static IP address from getting blocked? I have one client who is blocked almost every day and it is quite frustrating.

Any thoughts would be appreciated!

They must have a phone programmed with the wrong credentials so the IP is banned.

I suggest you check the logs and see what error triggered the ban.

Your web site shows you are a carrier, you sell SIP trunks, hosted extensions etc. You do the all off unmodified FreePBX sitting on the Internet?

“Most likely”??

I doubt it. Fail2Ban is only going to ban someone who tries to connect using incorrect usernames and passwords.

Is your client’s router capable of DDNS? If yes, set it up, then maybe a cron job that runs a script which pings the DDNS, extracts the current IP address and adds it to the whitelist of fail2ban?

Fail2ban doesn’t work that way.

It operates by watching various logs for connections attempted to the defined services/jails you have set it to monitor (not just SIP).

For SIP any connection apparently coming “From” your external IP address will be bogus.

To extend that, ANY service/logfile that Fail2ban monitors would generally NEVER have a connection apparently originating from your external IP, they would always come from the original host :wink: . So if fail2ban is banning your external IP then you need to explore the fail2ban logs for “why”

(Think about it . . .)

Wow, that was A LOT of responses! Thank you so much, really wasn’t expecting that! I did find out that one of the extensions did have a bad password. It was rectified.

@SkykingOH could you further explain your question? “Your web site shows you are a carrier, you sell SIP trunks, hosted extensions etc. You do the all off unmodified FreePBX sitting on the Internet?” I didn’t quite understand it. Thanks!

I knew that was the issue. Since the extensions were using NAT they all had the same IP. One bad apple spoils the bushel.

My question seems self-explanatory? You mentioned a colo. I assume you have FreePBX servers sitting on someone else’s network. You didn’t secure them and you seem to be new to this. Rather dangerous and audacious to charge people for this service.

You sent me a PM… Moderators don’t provide free private help but I will answer your question in public. My company partners with Sangoma and the FreePBX team. The hosted systems we provided are built from custom templates; however, no modifications to Asterisk or FreePBX have been made.

We do allow hosted customers to use a public IP if they choose and then they are responsible for security.

All of our managed clients are either on a private fiber connection, an MPLS connection or a VPN. These are the only way to truly secure a system.

We also peer with most of our downstream SIP providers and they all go through a proxy. Hacking is not a problem because the proxy doesn’t have a route to connect an inbound to an outbound. Hackers can send all the SIP traffic they want; it just gets discarded.

We also have Juniper Intrusion Detection and other carrier class security tools.

Lastly, our IP backbone is multi-homed BGP. We have our own AS and can diversify the network at class C granularity.

Does that answer your question?

1 Like
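
Added example, not part of any post in this thread: a log triage script that answers the "why" behind a ban by grouping failed SIP registrations per source IP and showing which extension caused them, so one mis-provisioned phone behind NAT can be spotted before the shared IP is banned. The log lines are constructed in the style of Asterisk chan_sip NOTICE messages; the function name `explain_bans`, the sample addresses and the 10-minute `findtime` are assumptions, while `maxretry=2` mirrors the "ban after 2 attempts" setting from the question.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (chan_sip NOTICE style). Phones 101 and 103 share
# one public IP behind NAT; only extension 103 has a bad password.
SAMPLE_LOG = """\
[2015-03-02 08:00:01] NOTICE[2201] chan_sip.c: Registration from '"103" <sip:103@pbx.example.com>' failed for '198.51.100.7:5060' - Wrong password
[2015-03-02 08:00:05] VERBOSE[2201] chan_sip.c: Registered SIP '101' at 198.51.100.7:1024
[2015-03-02 08:00:31] NOTICE[2201] chan_sip.c: Registration from '"103" <sip:103@pbx.example.com>' failed for '198.51.100.7:5060' - Wrong password
[2015-03-02 08:00:40] NOTICE[2201] chan_sip.c: Registration from '"500" <sip:500@pbx.example.com>' failed for '203.0.113.50:5060' - No matching peer found
"""

FAIL_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<from>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)
EXT_RE = re.compile(r"sip:([^@>]+)@")


def explain_bans(log_text, maxretry=2, findtime=timedelta(minutes=10)):
    """Return {ip: {"extensions": set, "reasons": set}} for IPs that would be banned."""
    failures = defaultdict(list)  # ip -> [(timestamp, extension, reason)]
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful registrations and other lines are ignored
        ext = EXT_RE.search(m["from"])
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        failures[m["ip"]].append((ts, ext.group(1) if ext else "?", m["reason"]))
    banned = {}
    for ip, events in failures.items():
        events.sort()
        # Sliding window: ban once maxretry failures fall inside findtime.
        for i in range(len(events) - maxretry + 1):
            window = events[i:i + maxretry]
            if window[-1][0] - window[0][0] <= findtime:
                banned[ip] = {"extensions": {e for _, e, _ in events},
                              "reasons": {r for _, _, r in events}}
                break
    return banned


if __name__ == "__main__":
    for ip, why in explain_bans(SAMPLE_LOG).items():
        print(ip, sorted(why["extensions"]), sorted(why["reasons"]))
```

A single extension in the output for a banned IP points at one phone's credentials rather than an address change.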