I have the following entries in the firewall blacklist
45.143.0.0/16
45.143.223.104
Fail2ban is still seeing the IP address and reporting:
The IP 45.143.220.4 has just been banned by Fail2Ban after
7 attempts against SIP on pbx.mydomain.com
I can’t figure out why the firewall isn’t blocking this IP.
I don’t see how fail2ban chains take precedence over the firewall blacklist. Fail2ban reads asterisk log files. The hacker would have to reach the SIP stack for Fail2ban to know about his attempts, which should be blocked by the blacklist.
[root@pbx 5562]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SIP all -- anywhere anywhere
fpbxfirewall all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-SIP (1 references)
target prot opt source destination
REJECT all -- 69.197.149.218 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
Chain fpbx-rtp (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp
ACCEPT udp -- anywhere anywhere udp dpts:terabase:hfcs-manager
Chain fpbxattacker (6 references)
target prot opt source destination
all -- anywhere anywhere recent: SET name: ATTACKER side: source mask: 255.255.255.255
DROP all -- anywhere anywhere
Chain fpbxblacklist (1 references)
target prot opt source destination
REJECT all -- 103.145.0.0/16 anywhere reject-with icmp-port-unreachable
REJECT all -- 163-172-118-206.rev.poneytelecom.eu anywhere reject-with icmp-port-unreachable
REJECT all -- 173.249.0.0/16 anywhere reject-with icmp-port-unreachable
REJECT all -- ip183.ip-192-99-84.net anywhere reject-with icmp-port-unreachable
REJECT all -- 195-154-199-159.rev.poneytelecom.eu anywhere reject-with icmp-port-unreachable
REJECT all -- 207.244.92.7 anywhere reject-with icmp-port-unreachable
REJECT all -- HSI-KBW-37-49-0-0.hsi14.kabel-badenwuerttemberg.de/16 anywhere reject-with icmp-port-unreachable
REJECT all -- 37.49.230.92 anywhere reject-with icmp-port-unreachable
REJECT all -- 37.8.0.0/16 anywhere reject-with icmp-port-unreachable
REJECT all -- 37.8.31.0/24 anywhere reject-with icmp-port-unreachable
REJECT all -- 45.143.0.0/16 anywhere reject-with icmp-port-unreachable
REJECT all -- 45.143.223.104 anywhere reject-with icmp-port-unreachable
REJECT all -- pouet.poneytelecom.eu/16 anywhere reject-with icmp-port-unreachable
REJECT all -- 62-210-28-126.rev.poneytelecom.eu anywhere reject-with icmp-port-unreachable
REJECT all -- ecosdanoticia.net.br anywhere reject-with icmp-port-unreachable
REJECT all -- 82.205.0.0/16 anywhere reject-with icmp-port-unreachable
Chain fpbxfirewall (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere connmark match ! 0x20 state RELATED,ESTABLISHED
A
If I understand this correctly, the fail2ban-SIP chain takes precedence over the fpbxblacklist chain. Which begs several questions:
What is the purpose of the freepbxblacklist?
Why isn’t the freepbxblacklist the first chain?
When I receive a fail2ban notification I like to add the IP to the blacklist to permanently ban the IP. If I understand this correctly, there is no way to do this.
I went to Admin->System Admin-> Intrusion Detection and set the Ban Time to -1
This permanently bans the IP, although the banned IP list may not persist after a reboot.
I still believe that a “Blacklist” should Deny all traffic from an IP. Isn’t that the point of a Blacklist?
How did the first line of the fpbxfirewall chain get there? It effectively disables all firewall rules other than fail2ban. I don’t know of GUI options that would create that rule.
Apologies, I forgot iptables -L as @dicko suggested doesn’t show interfaces (I always suggest/use iptables -vnL). The first “accept all” rule should be for the loopback interface only, so should be OK.
So…
To drop packets before any processing. Fail2ban only blocks previously seen bad actors. The blacklist blocks the IP(s) before they can try anything. I would not expect fail2ban to fire on a blacklisted IP it had not previously seen. If fail2ban has already seen the IP before adding to the blacklist, the IP still gets blocked. Which function performs the block doesn’t really matter. Adding to the blacklist ensures the IP continues to be blocked after it falls off of fail2ban’s radar.
The blacklist is first (after housekeeping rules) in the fpbxfirewall chain. Sangoma elected to have a basically stock/vanilla fail2ban install, which places it first in the INPUT chain, and therefore before the fpbx firewall chain or any other FreePBX generated rules. Again, for blocking it doesn’t really matter as long as the blacklisted IP is blocked by one or the other.
Much more important is defining precedence for whitelisted/trusted IPs vs fail2ban. So far fail2ban is unaware of anything marked as trusted by the firewall. There are some changes pending in git that will optionally sync the f2b whitelist with firewall trusted addresses, hopefully they will be brought forward.
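The chain-order argument in the two replies above can be checked with a small traversal model. The following is an added example, not code from this thread, from FreePBX or from fail2ban: it rebuilds the INPUT, fail2ban-SIP, fpbxfirewall and fpbxblacklist chains from the iptables -L listing posted earlier (trimmed to the rules that matter), then walks a source address through them the way netfilter does, first match wins and a user chain that RETURNs or runs out hands control back to the caller. Three things in it are assumptions, not from the listing: the loopback "ACCEPT all" rule is modelled as a match on 127.0.0.0/8 because -L hides the interface, a trusted zone 203.0.113.0/24 with a fail2ban-banned host 203.0.113.5 is constructed to show the whitelist-versus-fail2ban precedence problem, and the truncated remainder of fpbxfirewall is not modelled (unmatched traffic falls to the INPUT policy).

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    target: str                  # ACCEPT / REJECT / DROP / RETURN or a user-chain name
    source: str = "0.0.0.0/0"    # source match: single IP or CIDR ("anywhere" = 0.0.0.0/0)
    note: str = ""               # why the rule exists, used in the trace

    def matches(self, ip: ipaddress.IPv4Address) -> bool:
        return ip in ipaddress.ip_network(self.source, strict=False)


def build_chains(trusted_net="203.0.113.0/24", f2b_banned=("69.197.149.218", "203.0.113.5")):
    """Chains reconstructed from the thread's `iptables -L` listing, trimmed to what matters.
    The trusted network and the second banned address are constructed for this demo."""
    return {
        # stock fail2ban inserts its chain at the top of INPUT, ahead of FreePBX's chain
        "INPUT": [Rule("fail2ban-SIP"), Rule("fpbxfirewall")],
        "fail2ban-SIP": [Rule("REJECT", ip, "fail2ban ban") for ip in f2b_banned] + [Rule("RETURN")],
        "fpbxfirewall": [
            # the listing's first "ACCEPT all" is the loopback rule (-L hides the interface);
            # assumption: modelled as a source match on 127.0.0.0/8
            Rule("ACCEPT", "127.0.0.0/8", "loopback"),
            Rule("fpbxblacklist"),
            # assumption: a trusted/whitelisted zone accepted after the blacklist; the rest
            # of the real chain is truncated in the thread and is not modelled here
            Rule("ACCEPT", trusted_net, "trusted zone"),
        ],
        "fpbxblacklist": [
            Rule("REJECT", "45.143.0.0/16", "blacklist"),
            Rule("REJECT", "45.143.223.104", "blacklist"),
        ],
    }


def walk(chains, chain, ip, trace):
    """Traverse `chain` like netfilter: the first matching rule decides; a jump into a user
    chain that RETURNs (or runs out of rules) resumes here. Returns a verdict, or None for RETURN."""
    for rule in chains[chain]:
        if not rule.matches(ip):
            continue
        if rule.target in chains:                  # jump into a user chain
            v = walk(chains, rule.target, ip, trace)
            if v is not None:
                return v
            continue                               # it returned: keep going in this chain
        if rule.target == "RETURN":
            return None
        trace.append(f"{chain}:{rule.target}:{rule.note}")
        return rule.target
    return None  # falling off the end of a user chain behaves like RETURN


def verdict(ip_str, chains=None, policy="ACCEPT"):
    """Return (verdict, trace) for a packet from ip_str entering INPUT (policy ACCEPT as listed)."""
    chains = chains or build_chains()
    trace = []
    v = walk(chains, "INPUT", ipaddress.ip_address(ip_str), trace)
    return (v if v is not None else policy), trace


def firewall_first(chains=None):
    """Same rules, but with fpbxfirewall ahead of fail2ban-SIP in INPUT, i.e. the order
    needed if trusted addresses are to win over a fail2ban ban."""
    chains = dict(chains or build_chains())
    chains["INPUT"] = [Rule("fpbxfirewall"), Rule("fail2ban-SIP")]
    return chains


if __name__ == "__main__":
    for ip in ("45.143.220.4", "69.197.149.218", "203.0.113.5", "198.51.100.7"):
        print(ip, verdict(ip))
    print("203.0.113.5 with fpbxfirewall first:", verdict("203.0.113.5", firewall_first()))
```

Running it shows what the replies say: 45.143.220.4 is rejected by fpbxblacklist because it falls inside 45.143.0.0/16 (fail2ban-SIP has no rule for it and RETURNs), 69.197.149.218 is rejected one chain earlier by fail2ban-SIP, and either way the packet never reaches Asterisk. The trusted-zone case is the one that bites: with the stock order a fail2ban ban on 203.0.113.5 wins even though fpbxfirewall would accept it, and only putting fpbxfirewall first (or syncing the trusted list into fail2ban's whitelist) changes that.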
Why not? Adding to the blacklist should make the ban permanent.
I stated in the very first post that fail2ban continues to ban IP addresses every 10 minutes that are already in the blacklist. This is really annoying, hence the bantime = -1 solution.