Fail2Ban fails to ban


(Phil) #1

I have an issue with Fail2Ban. My settings are as follows:
Ban Time -1
Max retries 4
Find Time 1200

It is my understanding that -1 should equate to banned forever. I keep seeing (multiple times per day) the same IP address being banned.
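As an added illustration (not from the post and not Fail2Ban's own code), a simplified Python model of how a jail's findtime/maxretry sliding window and bantime interact, using the settings quoted above; the IP address and timestamps are constructed:

```python
from collections import deque
from dataclasses import dataclass, field

# Settings quoted in the original post
BANTIME = -1      # -1 means the ban never expires
MAXRETRY = 4
FINDTIME = 1200   # seconds within which MAXRETRY failures must occur


@dataclass
class Jail:
    """Simplified model of one fail2ban jail (not fail2ban's own code)."""
    maxretry: int = MAXRETRY
    findtime: int = FINDTIME
    bantime: int = BANTIME
    failures: dict = field(default_factory=dict)  # ip -> deque of failure times
    bans: dict = field(default_factory=dict)      # ip -> expiry time, None = permanent

    def is_banned(self, ip, now):
        if ip not in self.bans:
            return False
        expiry = self.bans[ip]
        if expiry is None or now < expiry:
            return True
        del self.bans[ip]  # ban has expired; failure counting starts fresh
        return False

    def observe(self, ip, ts):
        """Record one failed attempt at time ts; return True if it triggers a ban."""
        if self.is_banned(ip, ts):
            return False
        window = self.failures.setdefault(ip, deque())
        window.append(ts)
        # Sliding window: only failures within the last findtime seconds count
        while window and ts - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = None if self.bantime < 0 else ts + self.bantime
            window.clear()
            return True
        return False


def run_scenario(bantime=BANTIME):
    """Replay constructed failure timestamps for one constructed address."""
    jail = Jail(bantime=bantime)
    ip = "203.0.113.5"  # constructed sample address (TEST-NET-3 range)
    # Three failures spread over 1500 s never reach maxretry inside findtime;
    # four failures within 30 s do, so the ban fires at t=2830.
    events = [(ts, jail.observe(ip, ts)) for ts in (0, 100, 200, 1500, 2800, 2810, 2820, 2830)]
    return jail, [ts for ts, banned in events if banned]
```

With bantime -1 the modelled ban never expires for that running jail, whereas a positive bantime lets the address return and be counted again once the expiry passes.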


(Jared Busch) #2

Unrelated to your question, but just FYI, you don’t want this set up like that.

In a few weeks after your system has hundreds or thousands of entries, it will cripple it during anything that reloads the rules.


(Phil) #3

Just a follow-up, is there a way to have FreePBX basically shut down between certain hours? Almost all the probes happen after 9 pm and before 7 am. We are closed then and there isn’t any reason for our system to be operational.


#4

Not a good idea for a real PBX, where do your calls end up?

If you are truly an ‘Internet kinda guy’, then you need to be 7/24 and the clever guys have scouts that tell the C&C guys that you are available vulnerable (they call you a ‘patsy’) and will then put on the gas at 3am on Sunday (BTDT :wink: )

(wearily, as ever: if you just don’t listen on UDP/5060 your risk will go down asymptotically; fail2ban > 0.8 would help but is apparently ‘impossible’)


(Phil) #5

Dicko,

We are the basic old fashioned hardware store (48 years) and our customers know our hours. We have not had any v/m left after hours. I will look at the ports though (I have read some of your posts on it :). Just seems simpler to “turn off” the system (not shutting down the server). When you see the same ip addresses hitting you everyday, I figure eventually they are going to get lucky.


#6

I’m pretty sure every one of those ‘same IP’s is hitting you on UDP/5060, no?

(As that behavior will keep on hurting, take the doctor’s advice and just ‘stop doing that’)

Let’s look at it this way: current firewalls/F2B are ‘masks’ for the problem (not fully effective, some better than others).
Not listening on UDP/5060 is a 100% guaranteed vaccine against that variant of kiddie scripts against SIP that have been going on since Sid.

Of course keep your eye out for new variants in your new environment; they occasionally pop up, but conntracking in your firewall will quickly detect them.