Fail2ban ignoring Firewall Blacklist


#1

FreePBX Version 15.0.16.75

I have the following entries in the firewall blacklist
45.143.0.0/16
45.143.223.104

Fail2ban is still seeing the IP address and reporting:
The IP 45.143.220.4 has just been banned by Fail2Ban after
7 attempts against SIP on pbx.mydomain.com

I can’t figure out why the firewall isn’t blocking this IP.


(Shahin Nazir) #2

Hi @Mike_S

Try adding your IP address (45.143.0.0/16) to the PBX Firewall as a TRUSTED network.
Thanks.

Shahin


#3

Because fail2ban sees the traffic before it is sent to the fpbx firewall.


#4

I don’t see how fail2ban chains take precedence over the firewall blacklist. Fail2ban reads asterisk log files. The hacker would have to reach the SIP stack for Fail2ban to know about his attempts, which should be blocked by the blacklist.


#5

from a shell

iptables -L

will show the order of the rules.


#6

Once fail2ban knows about an IP it can be pretty persistent, particularly if the IP makes its way to the recidive jail.

If the IP was added to the blacklist after fail2ban is aware of it, fail2ban will continue to ban the IP before the freepbx firewall sees it.


#7
[root@pbx 5562]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SIP  all  --  anywhere             anywhere
fpbxfirewall  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SIP (1 references)
target     prot opt source               destination
REJECT     all  --  69.197.149.218       anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Chain fpbx-rtp (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpts:ndmp:dnp
ACCEPT     udp  --  anywhere             anywhere             udp dpts:terabase:hfcs-manager

Chain fpbxattacker (6 references)
target     prot opt source               destination
           all  --  anywhere             anywhere             recent: SET name: ATTACKER side: source mask: 255.255.255.255
DROP       all  --  anywhere             anywhere

Chain fpbxblacklist (1 references)
target     prot opt source               destination
REJECT     all  --  103.145.0.0/16       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  163-172-118-206.rev.poneytelecom.eu  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  173.249.0.0/16       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  ip183.ip-192-99-84.net  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  195-154-199-159.rev.poneytelecom.eu  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  207.244.92.7         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  HSI-KBW-37-49-0-0.hsi14.kabel-badenwuerttemberg.de/16  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  37.49.230.92         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  37.8.0.0/16          anywhere             reject-with icmp-port-unreachable
REJECT     all  --  37.8.31.0/24         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  45.143.0.0/16        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  45.143.223.104       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  pouet.poneytelecom.eu/16  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  62-210-28-126.rev.poneytelecom.eu  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  ecosdanoticia.net.br  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  82.205.0.0/16        anywhere             reject-with icmp-port-unreachable

Chain fpbxfirewall (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             connmark match ! 0x20 state RELATED,ESTABLISHED
A

If I understand this correctly, the fail2ban-SIP chain takes precedence over the fpbxblacklist chain. Which begs several questions:

What is the purpose of the freepbxblacklist?
Why isn’t the freepbxblacklist the first chain?

When I receive a fail2ban notification I like to add the IP to the blacklist to permanently ban the IP. If I understand this correctly, there is no way to do this.


#8

I went to Admin->System Admin->Intrusion Detection and set the Ban Time to -1.
This permanently bans the IP, although the banned IP list may not persist after a reboot.

I still believe that a “Blacklist” should Deny all traffic from an IP. Isn’t that the point of a Blacklist?


#9

How did the first line of the fpbxfirewall chain get there? It effectively disables all firewall rules other than fail2ban. I don’t know of GUI options that would create that rule.


#10

I don’t know. Custom Firewall Rules are disabled.

Clearly the firewall rules are being managed/created by FreePBX. When I turn off the firewall in the GUI, I have this:

[root@pbx services]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-recidive  all  --  anywhere             anywhere
fail2ban-BadBots  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-FTP  tcp  --  anywhere             anywhere             multiport dports ftp
fail2ban-apache-auth  all  --  anywhere             anywhere
fail2ban-SSH  tcp  --  anywhere             anywhere             multiport dports ssh
fail2ban-SIP  all  --  anywhere             anywhere
fail2ban-SIP  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-BadBots (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-FTP (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-SIP (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-auth (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-recidive (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
[root@pbx services]#

After I enable the firewall, iptables shows

[root@pbx services]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fpbxfirewall  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fpbx-rtp (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpts:ndmp:dnp
ACCEPT     udp  --  anywhere             anywhere             udp dpts:terabase:hfcs-manager

Chain fpbxattacker (6 references)
target     prot opt source               destination
           all  --  anywhere             anywhere             recent: SET name: ATTACKER side: source mask: 255.255.255.255
DROP       all  --  anywhere             anywhere

Chain fpbxblacklist (1 references)
target     prot opt source               destination
REJECT     all  --  103.145.0.0/16       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  163-172-118-206.rev.poneytelecom.eu  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  173.249.0.0/16       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  ip183.ip-192-99-84.net  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  195-154-199-159.rev.poneytelecom.eu  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  207.244.92.7         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  HSI-KBW-37-49-0-0.hsi14.kabel-badenwuerttemberg.de/16  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  37.49.230.92         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  37.8.0.0/16          anywhere             reject-with icmp-port-unreachable
REJECT     all  --  37.8.31.0/24         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  45.143.0.0/16        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  45.143.223.104       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  pouet.poneytelecom.eu/16  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  62-210-28-126.rev.poneytelecom.eu  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  ecosdanoticia.net.br  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  82.205.0.0/16        anywhere             reject-with icmp-port-unreachable

Chain fpbxfirewall (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             connmark match ! 0x20 state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  anywhere             anywhere             PKTTYPE = multicast
ACCEPT     udp  --  anywhere             anywhere             udp spts:bootps:bootpc dpts:bootps:bootpc
fpbx-rtp   all  --  anywhere             anywhere
fpbxblacklist  all  --  anywhere             anywhere
fpbxsignalling  all  --  anywhere             anywhere
fpbxsmarthosts  all  --  anywhere             anywhere
fpbxregistrations  all  --  anywhere             anywhere
fpbxnets   all  --  anywhere             anywhere
fpbxhosts  all  --  anywhere             anywhere
fpbxinterfaces  all  --  anywhere             anywhere
fpbxreject  all  --  anywhere             anywhere
fpbxrfw    all  --  anywhere             anywhere             mark match 0x2/0x2
ACCEPT     udp  --  anywhere             anywhere             state RELATED,ESTABLISHED
lefilter   tcp  --  anywhere             anywhere             match-set lefilter dst
fpbxlogdrop  all  --  anywhere             anywhere

Chain fpbxhosts (1 references)
target     prot opt source               destination
zone-trusted  all  --  pbx.mydomain.com  anywhere

Chain fpbxinterfaces (1 references)
target     prot opt source               destination
zone-external  all  --  anywhere             anywhere
zone-trusted  all  --  anywhere             anywhere

Chain fpbxknownreg (29 references)
target     prot opt source               destination
           all  --  anywhere             anywhere             recent: REMOVE name: REPEAT side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             recent: REMOVE name: ATTACKER side: source mask: 255.255.255.255
MARK       all  --  anywhere             anywhere             MARK or 0x4
ACCEPT     all  --  anywhere             anywhere             mark match 0x1/0x1
fpbxsvc-ucp  all  --  anywhere             anywhere
fpbxsvc-zulu  all  --  anywhere             anywhere
fpbxsvc-restapps  all  --  anywhere             anywhere
fpbxsvc-restapps_ssl  all  --  anywhere             anywhere
fpbxsvc-provis  all  --  anywhere             anywhere
fpbxsvc-provis_ssl  all  --  anywhere             anywhere

Chain fpbxlogdrop (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain fpbxnets (1 references)
target     prot opt source               destination
zone-trusted  all  --  10.100.10.116        anywhere
zone-trusted  all  --  10.100.40.0/24       anywhere
zone-internal  all  --  10.0.0.0/8           anywhere

Chain fpbxratelimit (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             mark match 0x4/0x4
ACCEPT     all  --  anywhere             anywhere             recent: CHECK seconds: 90 hit_count: 1 name: WHITELIST side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             state NEW recent: SET name: REPEAT side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             state NEW recent: SET name: DISCOVERED side: source mask: 255.255.255.255
LOG        all  --  anywhere             anywhere             LOG level warning
fpbxattacker  all  --  anywhere             anywhere             recent: CHECK seconds: 86400 hit_count: 1 name: ATTACKER side: source mask: 255.255.255.255
fpbxattacker  all  --  anywhere             anywhere             recent: CHECK seconds: 86400 hit_count: 200 name: REPEAT side: source mask: 255.255.255.255
fpbxattacker  all  --  anywhere             anywhere             recent: CHECK seconds: 300 hit_count: 100 name: REPEAT side: source mask: 255.255.255.255
fpbxshortblock  all  --  anywhere             anywhere             recent: CHECK seconds: 60 hit_count: 50 name: REPEAT side: source mask: 255.255.255.255
ACCEPT     all  --  anywhere             anywhere

Chain fpbxregistrations (1 references)
target     prot opt source               destination
fpbxknownreg  all  --  10.200.40.194        anywhere
fpbxknownreg  all  --  10.10.40.139         anywhere
fpbxknownreg  all  --  10.10.40.137         anywhere
fpbxknownreg  all  --  10.10.40.140         anywhere
fpbxknownreg  all  --  10.10.40.157         anywhere
fpbxknownreg  all  --  10.10.40.150         anywhere
fpbxknownreg  all  --  10.10.40.154         anywhere
fpbxknownreg  all  --  10.10.40.146         anywhere
fpbxknownreg  all  --  10.10.40.145         anywhere
fpbxknownreg  all  --  10.10.40.159         anywhere
fpbxknownreg  all  --  10.10.40.151         anywhere
fpbxknownreg  all  --  10.10.40.160         anywhere
fpbxknownreg  all  --  10.10.40.141         anywhere
fpbxknownreg  all  --  10.20.40.194         anywhere
fpbxknownreg  all  --  10.20.40.198         anywhere
fpbxknownreg  all  --  10.20.40.200         anywhere
fpbxknownreg  all  --  10.20.40.191         anywhere
fpbxknownreg  all  --  10.20.40.192         anywhere
fpbxknownreg  all  --  10.40.40.230         anywhere
fpbxknownreg  all  --  10.40.40.229         anywhere
fpbxknownreg  all  --  10.50.40.197         anywhere
fpbxknownreg  all  --  10.50.40.198         anywhere
fpbxknownreg  all  --  10.50.40.195         anywhere


Chain fpbxreject (1 references)
target     prot opt source               destination
rejsvc-nfs  all  --  anywhere             anywhere
rejsvc-smb  all  --  anywhere             anywhere

Chain fpbxrfw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             recent: CHECK seconds: 90 hit_count: 1 name: WHITELIST side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             recent: SET name: REPEAT side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             recent: SET name: DISCOVERED side: source mask: 255.255.255.255
fpbxattacker  all  --  anywhere             anywhere             recent: CHECK seconds: 10 hit_count: 50 name: REPEAT side: source mask: 255.255.255.255
fpbxattacker  all  --  anywhere             anywhere             recent: CHECK seconds: 86400 hit_count: 1 name: ATTACKER side: source mask: 255.255.255.255
fpbxshortblock  all  --  anywhere             anywhere             recent: CHECK seconds: 60 hit_count: 10 name: SIGNALLING side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             recent: SET name: SIGNALLING side: source mask: 255.255.255.255
fpbxattacker  all  --  anywhere             anywhere             recent: CHECK seconds: 86400 hit_count: 100 name: REPEAT side: source mask: 255.255.255.255
ACCEPT     all  --  anywhere             anywhere

Chain fpbxshortblock (2 references)
target     prot opt source               destination
           all  --  anywhere             anywhere             recent: SET name: CLAMPED side: source mask: 255.255.255.255
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain fpbxsignalling (1 references)
target     prot opt source               destination
MARK       udp  --  anywhere             anywhere             udp dpt:sip MARK set 0x3
MARK       udp  --  anywhere             anywhere             udp dpt:5160 MARK set 0x3

Chain fpbxsmarthosts (1 references)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.0/8           anywhere             mark match 0x1/0x1
ACCEPT     all  --  anywhere             anywhere             mark match 0x1/0x1

Chain fpbxsvc-chansip (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:sip

Chain fpbxsvc-ftp (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp

Chain fpbxsvc-http (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:webcache

Chain fpbxsvc-https (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

Chain fpbxsvc-iax (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:iax

Chain fpbxsvc-isymphony (0 references)
target     prot opt source               destination

Chain fpbxsvc-letsencrypt (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain fpbxsvc-nfs (0 references)
target     prot opt source               destination

Chain fpbxsvc-pjsip (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:5160
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:radan-http

Chain fpbxsvc-provis (3 references)
target     prot opt source               destination
fpbxratelimit  tcp  --  anywhere             anywhere             tcp dpt:ctf

Chain fpbxsvc-provis_ssl (1 references)
target     prot opt source               destination
fpbxratelimit  tcp  --  anywhere             anywhere             tcp dpt:ies-lm

Chain fpbxsvc-restapps (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:xfer

Chain fpbxsvc-restapps_ssl (1 references)
target     prot opt source               destination

Chain fpbxsvc-smb (0 references)
target     prot opt source               destination

Chain fpbxsvc-ssh (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain fpbxsvc-tftp (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:tftp

Chain fpbxsvc-ucp (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pharos
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:vcom-tunnel
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mcreport

Chain fpbxsvc-vpn (2 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn

Chain fpbxsvc-webrtc (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:radan-http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8089

Chain fpbxsvc-xmpp (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:xmpp-client

Chain fpbxsvc-zulu (1 references)
target     prot opt source               destination
fpbxratelimit  tcp  --  anywhere             anywhere             tcp dpt:teradataordbms

Chain lefilter (1 references)
target     prot opt source               destination
CONNMARK   all  --  anywhere             anywhere             state NEW CONNMARK set 0x20
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             STRING match  "GET /.well-known/acme-challenge/" ALGO name kmp FROM 52 TO 53
ACCEPT     all  --  anywhere             anywhere             STRING match  "GET /.freepbx-known/" ALGO name kmp FROM 52 TO 53
RETURN     all  --  anywhere             anywhere

Chain rejsvc-nfs (1 references)
target     prot opt source               destination

Chain rejsvc-smb (1 references)
target     prot opt source               destination

Chain zone-external (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK or 0x10
fpbxsvc-letsencrypt  all  --  anywhere             anywhere

Chain zone-internal (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK or 0x4
fpbxsvc-ssh  all  --  anywhere             anywhere
fpbxsvc-http  all  --  anywhere             anywhere
fpbxsvc-https  all  --  anywhere             anywhere
fpbxsvc-ucp  all  --  anywhere             anywhere
fpbxsvc-pjsip  all  --  anywhere             anywhere
fpbxsvc-chansip  all  --  anywhere             anywhere
fpbxsvc-iax  all  --  anywhere             anywhere
fpbxsvc-webrtc  all  --  anywhere             anywhere
fpbxsvc-provis  all  --  anywhere             anywhere
fpbxsvc-vpn  all  --  anywhere             anywhere
fpbxsvc-restapps  all  --  anywhere             anywhere
fpbxsvc-xmpp  all  --  anywhere             anywhere
fpbxsvc-ftp  all  --  anywhere             anywhere
fpbxsvc-tftp  all  --  anywhere             anywhere

Chain zone-other (0 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK or 0x8
fpbxsvc-provis  all  --  anywhere             anywhere
fpbxsvc-vpn  all  --  anywhere             anywhere
fpbxsvc-xmpp  all  --  anywhere             anywhere

Chain zone-trusted (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

I’m glad that I have an additional firewall in front of FreePBX that only allows SIP and RTP ports through.


#11

Apologies, I forgot iptables -L as @dicko suggested doesn’t show interfaces (I always suggest/use iptables -vnL). The first “accept all” rule should be for the loopback interface only, so should be OK.

So…

To drop packets before any processing. Fail2ban only blocks previously seen bad actors. The blacklist blocks the IP(s) before they can try anything. I would not expect fail2ban to fire on a blacklisted IP it had not previously seen. If fail2ban has already seen the IP before adding to the blacklist, the IP still gets blocked. Which function performs the block doesn’t really matter. Adding to the blacklist ensures the IP continues to be blocked after it falls off of fail2ban’s radar.

The blacklist is first (after housekeeping rules) in the fpbxfirewall chain. Sangoma elected to have a basically stock/vanilla fail2ban install, which places it first in the INPUT chain, and therefore before the fpbx firewall chain or any other FreePBX generated rules. Again, for blocking it doesn’t really matter as long as the blacklisted IP is blocked by one or the other.

Much more important is defining precedence for whitelisted/trusted IPs vs fail2ban. So far fail2ban is unaware of anything marked as trusted by the firewall. There are some changes pending in git that will optionally sync the f2b whitelist with firewall trusted addresses, hopefully they will be brought forward.

Why not? Adding to the blacklist should make the ban permanent.
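The ordering argument in this reply (and the `iptables -L` listing in post #7) can be checked mechanically. The following Python is an added example, not code from the thread, FreePBX or fail2ban: it models the relevant part of the INPUT chain as a rule table and walks it the way iptables does (a jump into a user chain resumes at the next rule when that chain RETURNs or falls through) for one source address, reporting which chain and rule terminate the packet. The rule table is a hand-constructed subset of the listing above: the interface restriction on the first fpbxfirewall rule is assumed to be loopback-only, as this reply suggests (`iptables -L` does not print interfaces), and the rest of fpbxfirewall is reduced to the blacklist jump and the final fpbxlogdrop.

```python
"""Walk a simplified model of the INPUT chain shown in this thread.

Added example, not FreePBX or fail2ban code. The tables are a constructed
subset of the `iptables -L` output pasted in posts #7 and #10.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str                      # ACCEPT/DROP/REJECT/RETURN or a user-chain name
    source: str = "0.0.0.0/0"        # source host or CIDR; "anywhere" in iptables -L
    in_iface: Optional[str] = None   # input interface restriction, None = any


def build_tables(fail2ban_banned: list[str]) -> dict[str, list[Rule]]:
    """Constructed subset of the ruleset from post #7; fail2ban bans are a parameter."""
    return {
        # INPUT consults the fail2ban chain first, then the FreePBX firewall.
        "INPUT": [Rule("fail2ban-SIP"), Rule("fpbxfirewall")],
        "fail2ban-SIP": [Rule("REJECT", ip) for ip in fail2ban_banned] + [Rule("RETURN")],
        "fpbxfirewall": [
            Rule("ACCEPT", in_iface="lo"),   # assumption: the "ACCEPT all" rule is -i lo
            Rule("fpbxblacklist"),           # blacklist comes early in fpbxfirewall
            Rule("fpbxlogdrop"),             # everything in between is elided here
        ],
        # Two blacklist entries from the original post.
        "fpbxblacklist": [Rule("REJECT", "45.143.0.0/16"), Rule("REJECT", "45.143.223.104")],
        "fpbxlogdrop": [Rule("DROP")],
    }


def matches(rule: Rule, src: ipaddress.IPv4Address, iface: str) -> bool:
    if rule.in_iface is not None and rule.in_iface != iface:
        return False
    return src in ipaddress.ip_network(rule.source, strict=False)


def walk(tables, src, iface, chain, path) -> str:
    """Return the verdict for `chain`, appending each matched rule to `path`.

    A user chain that RETURNs or runs out of rules yields "RETURN", and the
    caller continues with its next rule, exactly as iptables traversal does.
    """
    for idx, rule in enumerate(tables[chain]):
        if not matches(rule, src, iface):
            continue
        if rule.target in TERMINAL:
            path.append(f"{chain}[{idx}] {rule.target}")
            return rule.target
        if rule.target == "RETURN":
            return "RETURN"
        path.append(f"{chain}[{idx}] -> {rule.target}")
        verdict = walk(tables, src, iface, rule.target, path)
        if verdict != "RETURN":
            return verdict
    return "RETURN"


def verdict_for(src_ip: str, fail2ban_banned=(), iface: str = "eth0"):
    """Return (chain that decided, verdict, full path) for a packet from src_ip."""
    tables = build_tables(list(fail2ban_banned))
    path: list[str] = []
    verdict = walk(tables, ipaddress.ip_address(src_ip), iface, "INPUT", path)
    if verdict == "RETURN":          # fell off the end of INPUT: chain policy applies
        path.append("INPUT policy ACCEPT")
        return "INPUT", "ACCEPT (policy)", path
    return path[-1].split("[")[0], verdict, path


if __name__ == "__main__":
    # Attacker IP from the original post, before and after fail2ban has banned it.
    for banned in ([], ["45.143.220.4"]):
        chain, verdict, path = verdict_for("45.143.220.4", fail2ban_banned=banned)
        print(f"banned={banned!r:18} -> {verdict} in {chain}: {' / '.join(path)}")
```

Running it shows the point jerrm makes: before fail2ban has seen 45.143.220.4 the packet is rejected by fpbxblacklist, and once fail2ban has banned it the packet is rejected in fail2ban-SIP before fpbxfirewall is ever consulted. Either way it is blocked; what changes is only which chain does it, and therefore which component logs and reports it.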


#12

jerrm,

Thanks for the detailed explanation.

I stated in the very first post that fail2ban continues to ban IP addresses every 10 minutes that are already in the blacklist. This is really annoying, hence the bantime = -1 solution.