
Fail2ban does not ban wrong web logins?


#1

Hello,

I had issues with fail2ban on my system so I installed a new one to see how the default installation behaves.
I have just installed a fresh copy of FreePBX distro 6.12.65 (64Bits) without making any further updates.
System admin shows version 6.12.65.28.

I tried banning myself while trying to login to the web UI (with https). Although I tried many times and several combinations (correct username with wrong password, correct user name with blank password, wrong username & password) the fail2ban mechanism is not banning my IP. (I am connecting from a remote machine).
I then tried SIP and it does work.

I then checked the /var/log/fail2ban.log and I saw this error:
2015-07-31 08:07:00,524 fail2ban.jail : INFO Jail 'apache-badbots' started
2015-07-31 08:07:00,535 fail2ban.actions.action: ERROR iptables -N fail2ban-BadBots
iptables -A fail2ban-BadBots -j RETURN
iptables -I INPUT -p all -m multiport --dports http,https -j fail2ban-BadBots returned 200

and this:
2015-07-31 08:07:00,538 fail2ban.jail : INFO Jail 'pbx-gui' started
2015-07-31 08:07:00,538 fail2ban.filter : WARNING Unable to find a corresponding IP address for ::1

Note that I am not using IPv6 (I just did not enable it during the Network Configuration while installing the ISO).
What am I doing wrong? I obviously want to ban anyone who accesses the web interface (with http & https) and fails to provide correct logins.

Any help is welcome.

Thank you


(Tony Lewis) #2

What happens if you use http not https?


#3

Trying http instead of https makes no difference.

I also noticed that when the system has started… fail2ban (in the admin module) shows as running.
If I click restart it does not.
When this is happening the fail2ban.log shows this:

2015-07-31 22:25:04,723 fail2ban.server : INFO Stopping all jails
2015-07-31 22:25:05,153 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports http -j fail2ban-apache-auth
iptables -F fail2ban-apache-auth
iptables -X fail2ban-apache-auth returned 100
2015-07-31 22:25:05,155 fail2ban.jail : INFO Jail 'apache-tcpwrapper' stopped
2015-07-31 22:25:06,079 fail2ban.actions.action: ERROR iptables -D INPUT -p all -j fail2ban-recidive
iptables -F fail2ban-recidive
iptables -X fail2ban-recidive returned 100
2015-07-31 22:25:06,082 fail2ban.jail : INFO Jail 'recidive' stopped
2015-07-31 22:25:06,117 fail2ban.actions.action: ERROR iptables -D INPUT -p all -j fail2ban-SIP
iptables -F fail2ban-SIP
iptables -X fail2ban-SIP returned 100
2015-07-31 22:25:06,521 fail2ban.jail : INFO Jail 'pbx-gui' stopped
2015-07-31 22:25:07,110 fail2ban.actions.action: ERROR iptables -D INPUT -p all -m multiport --dports http,https -j fail2ban-BadBots
iptables -F fail2ban-BadBots
iptables -X fail2ban-BadBots returned 100
2015-07-31 22:25:07,340 fail2ban.jail : INFO Jail 'apache-badbots' stopped
2015-07-31 22:25:08,082 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-SSH
iptables -F fail2ban-SSH
iptables -X fail2ban-SSH returned 100
2015-07-31 22:25:08,120 fail2ban.jail : INFO Jail 'ssh-iptables' stopped
2015-07-31 22:25:09,122 fail2ban.actions.action: ERROR iptables -D INPUT -p all -j fail2ban-SIP
iptables -F fail2ban-SIP
iptables -X fail2ban-SIP returned 100
2015-07-31 22:25:09,124 fail2ban.jail : INFO Jail 'asterisk-iptables' stopped
2015-07-31 22:25:09,143 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ftp -j fail2ban-FTP
iptables -F fail2ban-FTP
iptables -X fail2ban-FTP returned 100
2015-07-31 22:25:10,116 fail2ban.jail : INFO Jail 'vsftpd-iptables' stopped
2015-07-31 22:25:10,116 fail2ban.server : INFO Exiting Fail2ban

Restarting it from the root prompt however works, and fail2ban shows this:
2015-07-31 22:31:12,625 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.8
2015-07-31 22:31:12,625 fail2ban.jail : INFO Creating new jail 'recidive'
2015-07-31 22:31:12,626 fail2ban.jail : INFO Jail 'recidive' uses Gamin
2015-07-31 22:31:12,686 fail2ban.jail : INFO Initiated 'gamin' backend
2015-07-31 22:31:12,688 fail2ban.filter : INFO Added logfile = /var/log/fail2ban.log
2015-07-31 22:31:12,688 fail2ban.filter : INFO Set maxRetry = 20
2015-07-31 22:31:12,690 fail2ban.filter : INFO Set findtime = 86400
2015-07-31 22:31:12,690 fail2ban.actions: INFO Set banTime = 604800
2015-07-31 22:31:12,698 fail2ban.jail : INFO Creating new jail 'ssh-iptables'
2015-07-31 22:31:12,699 fail2ban.jail : INFO Jail 'ssh-iptables' uses Gamin
2015-07-31 22:31:12,699 fail2ban.jail : INFO Initiated 'gamin' backend
2015-07-31 22:31:12,700 fail2ban.filter : INFO Added logfile = /var/log/secure
2015-07-31 22:31:12,700 fail2ban.filter : INFO Set maxRetry = 3
2015-07-31 22:31:12,701 fail2ban.filter : INFO Set findtime = 600
2015-07-31 22:31:12,702 fail2ban.actions: INFO Set banTime = 1800
2015-07-31 22:31:12,769 fail2ban.jail : INFO Creating new jail 'apache-badbots'
2015-07-31 22:31:12,769 fail2ban.jail : INFO Jail 'apache-badbots' uses Gamin
2015-07-31 22:31:12,769 fail2ban.jail : INFO Initiated 'gamin' backend
2015-07-31 22:31:12,770 fail2ban.filter : INFO Added logfile = /var/log/httpd/ssl_access_log
2015-07-31 22:31:12,771 fail2ban.filter : INFO Added logfile = /var/log/httpd/access_log
2015-07-31 22:31:12,771 fail2ban.filter : INFO Set maxRetry = 3
2015-07-31 22:31:12,772 fail2ban.filter : INFO Set findtime = 600
2015-07-31 22:31:12,773 fail2ban.actions: INFO Set banTime = 1800
2015-07-31 22:31:12,792 fail2ban.jail : INFO Creating new jail 'pbx-gui'
2015-07-31 22:31:12,793 fail2ban.jail : INFO Jail 'pbx-gui' uses Gamin
2015-07-31 22:31:12,793 fail2ban.jail : INFO Initiated 'gamin' backend
2015-07-31 22:31:12,794 fail2ban.filter : INFO Added logfile = /var/log/asterisk/fail2ban
2015-07-31 22:31:12,795 fail2ban.filter : INFO Set maxRetry = 3
2015-07-31 22:31:12,796 fail2ban.filter : INFO Set findtime = 600
2015-07-31 22:31:12,796 fail2ban.actions: INFO Set banTime = 1800
2015-07-31 22:31:12,803 fail2ban.jail : INFO Creating new jail 'asterisk-iptables'
2015-07-31 22:31:12,804 fail2ban.jail : INFO Jail 'asterisk-iptables' uses Gamin
2015-07-31 22:31:12,804 fail2ban.jail : INFO Initiated 'gamin' backend
2015-07-31 22:31:12,805 fail2ban.filter : INFO Added logfile = /var/log/asterisk/fail2ban
2015-07-31 22:31:12,805 fail2ban.filter : INFO Set maxRetry = 3
2015-07-31 22:31:12,806 fail2ban.filter : INFO Set findtime = 600
2015-07-31 22:31:12,807 fail2ban.actions: INFO Set banTime = 1800
2015-07-31 22:31:12,834 fail2ban.jail : INFO Creating new jail 'apache-tcpwrapper'
2015-07-31 22:31:12,834 fail2ban.jail : INFO Jail 'apache-tcpwrapper' uses Gamin
2015-07-31 22:31:12,834 fail2ban.jail : INFO Initiated 'gamin' backend
2015-07-31 22:31:12,835 fail2ban.filter : INFO Added logfile = /var/log/httpd/error_log
2015-07-31 22:31:12,836 fail2ban.filter : INFO Set maxRetry = 3
2015-07-31 22:31:12,837 fail2ban.filter : INFO Set findtime = 600
2015-07-31 22:31:12,837 fail2ban.actions: INFO Set banTime = 1800
2015-07-31 22:31:12,846 fail2ban.jail : INFO Creating new jail 'vsftpd-iptables'
2015-07-31 22:31:12,846 fail2ban.jail : INFO Jail 'vsftpd-iptables' uses Gamin
2015-07-31 22:31:12,847 fail2ban.jail : INFO Initiated 'gamin' backend
2015-07-31 22:31:12,848 fail2ban.filter : INFO Set maxRetry = 3
2015-07-31 22:31:12,849 fail2ban.filter : INFO Set findtime = 600
2015-07-31 22:31:12,849 fail2ban.actions: INFO Set banTime = 1800
2015-07-31 22:31:12,868 fail2ban.jail : INFO Jail 'recidive' started
2015-07-31 22:31:12,874 fail2ban.jail : INFO Jail 'ssh-iptables' started
2015-07-31 22:31:12,886 fail2ban.jail : INFO Jail 'apache-badbots' started
2015-07-31 22:31:12,889 fail2ban.filter : WARNING Unable to find a corresponding IP address for ::1
2015-07-31 22:31:12,894 fail2ban.actions.action: ERROR iptables -N fail2ban-BadBots
iptables -A fail2ban-BadBots -j RETURN
iptables -I INPUT -p all -m multiport --dports http,https -j fail2ban-BadBots returned 200
2015-07-31 22:31:12,901 fail2ban.filter : WARNING Unable to find a corresponding IP address for ::1
2015-07-31 22:31:12,903 fail2ban.jail : INFO Jail 'pbx-gui' started
2015-07-31 22:31:12,931 fail2ban.jail : INFO Jail 'asterisk-iptables' started
2015-07-31 22:31:12,947 fail2ban.jail : INFO Jail 'apache-tcpwrapper' started
2015-07-31 22:31:12,969 fail2ban.jail : INFO Jail 'vsftpd-iptables' started

Any ideas?
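The action errors in the two log excerpts above are easier to read once the multi-line records are reassembled, because fail2ban prints every command of a failed actionstart/actionstop block before the "returned" status. The following is an added example, not fail2ban or FreePBX code: it parses such records out of a fail2ban.log excerpt and decodes the status. It assumes that fail2ban 0.8 logs the raw os.system() wait status in hex, so "returned 100" is exit status 1 and "returned 200" is exit status 2 (iptables documents exit 2 for invalid command-line parameters and exit 1 for other failures). The embedded sample lines are copied from the posts above.

```python
"""Reassemble fail2ban 0.8 action ERROR records from fail2ban.log.

Added example, not fail2ban or FreePBX code. Assumption: fail2ban 0.8 logs
the raw os.system() wait status in hex, so "returned 100" = exit 1 and
"returned 200" = exit 2. iptables uses exit 2 for invalid parameters and
exit 1 for other failures (e.g. a chain that does not exist).
"""
import re

_TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}"
# First line of a record: timestamp, logger name, ERROR, first command.
_ERROR_START = re.compile(r"^(" + _TS + r") fail2ban\.actions\.action: ERROR (.*)$")
# Any other timestamped line ends a record that has no 'returned' tail.
_TIMESTAMPED = re.compile(r"^" + _TS + " ")
# Last line of a record carries the hex wait status.
_RETURNED = re.compile(r" returned ([0-9a-f]+)$")

# Sample copied from the thread above (jail start and jail stop errors).
SAMPLE_LOG = [
    "2015-07-31 08:07:00,524 fail2ban.jail : INFO Jail 'apache-badbots' started",
    "2015-07-31 08:07:00,535 fail2ban.actions.action: ERROR iptables -N fail2ban-BadBots",
    "iptables -A fail2ban-BadBots -j RETURN",
    "iptables -I INPUT -p all -m multiport --dports http,https -j fail2ban-BadBots returned 200",
    "2015-07-31 08:07:00,538 fail2ban.jail : INFO Jail 'pbx-gui' started",
    "2015-07-31 08:07:00,538 fail2ban.filter : WARNING Unable to find a corresponding IP address for ::1",
    "2015-07-31 22:25:05,153 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports http -j fail2ban-apache-auth",
    "iptables -F fail2ban-apache-auth",
    "iptables -X fail2ban-apache-auth returned 100",
    "2015-07-31 22:25:05,155 fail2ban.jail : INFO Jail 'apache-tcpwrapper' stopped",
]


def decode_status(hex_status):
    """Turn the logged hex wait status into a shell exit status.

    A non-zero low 7 bits means the command died from a signal; that is
    reported as a negative number, like subprocess does.
    """
    status = int(hex_status, 16)
    if status & 0x7F:
        return -(status & 0x7F)
    return status >> 8


def parse_action_errors(lines):
    """Return one dict per ERROR record: time, commands (list), status."""
    records = []
    current = None
    for line in lines:
        m = _ERROR_START.match(line)
        if m:
            current = {"time": m.group(1), "commands": [m.group(2)]}
        elif current is not None and not _TIMESTAMPED.match(line):
            current["commands"].append(line)  # continuation of the action block
        else:
            current = None  # unrelated timestamped line; drop any open record
            continue
        tail = _RETURNED.search(current["commands"][-1])
        if tail:
            current["commands"][-1] = current["commands"][-1][: tail.start()]
            current["status"] = decode_status(tail.group(1))
            records.append(current)
            current = None
    return records


def chain_name(record):
    """The fail2ban-* chain the failed action block operates on, if any."""
    m = re.search(r"fail2ban-[\w-]+", record["commands"][0])
    return m.group(0) if m else None


if __name__ == "__main__":
    for rec in parse_action_errors(SAMPLE_LOG):
        print(rec["time"], chain_name(rec), "exit status", rec["status"])
        for cmd in rec["commands"]:
            print("   ", cmd)
```

Run stand-alone it lists each failed block with the chain it targets and the decoded exit status, which is the first thing to check before reading the individual iptables commands.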


#4

I think I found why fail2ban is not banning failed GUI logins…
Checking the contents of /var/log/httpd/error_log shows NO failed logins at all (using either http or https).
Isn’t this the logfile that should register the failed attempts so they can be picked up from fail2ban???


#5

Update:

I confirm (again) that default setup of the ISO (64bit) with no changes other than going to the Sysadmin module in order to define the email address of fail2ban notifications is NOT working properly AT LEAST relating to banning the GUI failed logins.

Looking under the hood I discovered:

a) The jail.local file contains the wrong logfile to be inspected in the [apache-tcpwrapper] jail. It is reading /var/log/httpd/error_log, however this file is not recording the failed attempts. I changed that to /var/log/asterisk/freepbx_security.log and

b) Looking at /etc/fail2ban/filter.d/apache-auth.conf I saw the following as default:

failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
            ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$


I therefore added:

failure for .* from <HOST>

I restarted fail2ban and then the failed GUI logins were picked up.

Problems:

  1. Any changes to sysadmin module will overwrite them so the module needs to be fixed asap.
  2. My knowledge of fail2ban and regexes is close to zero. I therefore don't know what other changes are needed, because other things currently are (or might not be) operational. I only tested the failed logins from the GUI. What about badbots? What about SIP? Etc.

Comments?
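The two findings in the post above (the jail reads a file that never records the failures, and the default apache-auth patterns do not describe the lines FreePBX writes) can be checked offline with a small fail2ban-style filter. The following is an added example, not code from the thread and not FreePBX or fail2ban code: it expands the <HOST> tag the way fail2ban 0.8 does, runs the poster's added failregex and one of the default apache-auth patterns over constructed log lines, and applies the jail values seen in the log above (maxRetry = 3, findtime = 600). The freepbx_security.log line format, the simplified stand-in for %(_apache_error_client)s, and every address are assumptions constructed for the example.

```python
"""Minimal fail2ban-style filter and jail simulation.

Added example; it is not FreePBX or fail2ban code. The log lines are
constructed for illustration and the simplified Apache prefix is an
assumption standing in for fail2ban's %(_apache_error_client)s.
Lines are assumed to be in chronological order, as in a real log file.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban 0.8.x substitutes this group for the <HOST> tag in a failregex.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex the poster added for /var/log/asterisk/freepbx_security.log.
FREEPBX_FAILREGEX = r"failure for .* from <HOST>"

# Simplified stand-in for %(_apache_error_client)s (assumption, not the real
# apache-common.conf definition) plus one default apache-auth pattern.
APACHE_ERROR_CLIENT = r"\[[^]]*\] \[\S+\] \[client <HOST>(:\d{1,5})?\]"
APACHE_USER_NOT_FOUND = (
    "^" + APACHE_ERROR_CLIENT
    + r" (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$"
)

# Timestamp prefixes handled: bracketed ISO (assumed for freepbx_security.log)
# and the classic Apache error_log form.
_TS_FORMATS = (
    (re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]"), "%Y-%m-%d %H:%M:%S"),
    (re.compile(r"^\[(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\]"), "%a %b %d %H:%M:%S %Y"),
)

# Constructed sample of /var/log/asterisk/freepbx_security.log (format assumed).
SECURITY_LOG = [
    "[2015-07-31 08:10:01] [freepbx_security.NOTICE]: Authentication failure for admin from 192.0.2.10",
    "[2015-07-31 08:10:05] [freepbx_security.NOTICE]: Authentication failure for admin from 192.0.2.10",
    "[2015-07-31 08:10:09] [freepbx_security.NOTICE]: Authentication failure for root from 192.0.2.10",
    "[2015-07-31 08:12:00] [freepbx_security.NOTICE]: Authentication failure for admin from 198.51.100.7",
    "[2015-07-31 08:15:00] [freepbx_security.NOTICE]: Authentication successful for admin from 203.0.113.5",
    "[2015-07-31 08:30:00] [freepbx_security.NOTICE]: Authentication failure for admin from 198.51.100.7",
    "[2015-07-31 08:40:00] [freepbx_security.NOTICE]: Authentication failure for admin from 198.51.100.7",
]

# Constructed sample of /var/log/httpd/error_log: a startup notice and one
# line of the kind the default apache-auth filter was written for.
ERROR_LOG = [
    "[Fri Jul 31 08:07:00 2015] [notice] Apache/2.2.15 (CentOS) configured -- resuming normal operations",
    "[Fri Jul 31 08:11:00 2015] [error] [client 192.0.2.99] user bob not found: /admin/",
]


def compile_failregex(failregex):
    """Expand <HOST> and compile, as fail2ban does for each failregex line."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def parse_timestamp(line):
    """Return the line's datetime, or None if no known timestamp prefix."""
    for rx, fmt in _TS_FORMATS:
        m = rx.match(line)
        if m:
            return datetime.strptime(m.group(1), fmt)
    return None


def find_failures(lines, failregexes):
    """Yield (timestamp, host) for each line matched by any failregex."""
    compiled = [compile_failregex(r) for r in failregexes]
    for line in lines:
        ts = parse_timestamp(line)
        if ts is None:
            continue
        for rx in compiled:
            m = rx.search(line)
            if m:
                yield ts, m.group("host")
                break


def hosts_to_ban(lines, failregexes, maxretry=3, findtime=600):
    """Hosts that reach maxretry failures inside a sliding findtime window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = set()
    for ts, host in find_failures(lines, failregexes):
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print("added failregex on security log :", hosts_to_ban(SECURITY_LOG, [FREEPBX_FAILREGEX]))
    print("apache-auth pattern on security log:", hosts_to_ban(SECURITY_LOG, [APACHE_USER_NOT_FOUND]))
    print("apache-auth pattern on error_log :", hosts_to_ban(ERROR_LOG, [APACHE_USER_NOT_FOUND], maxretry=1))
```

With the default values only the host that fails three times within ten minutes is banned; the host spreading its attempts over half an hour is not, which is what findtime is for. The apache-auth pattern matches nothing in the FreePBX security log, and only matches the error_log line written in the format it was designed for, which is the mismatch the post describes.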


#6

Anyone can please confirm that I am not alone in this, or maybe if this is a confirmed bug?


#7

Anyone else with this problem???


(Tony Lewis) #8

Do you have all your modules updated?


(Laurent B) #9

Hi !

Same issue for me… Just opened a new discussion about this… All modules are updated !

Regards,
Laurent.