I have two systems. Both are FreePBX distro 16.0.40.13 with Fail2Ban version 0.8.14. They are banning a whitelisted IP. They are both in the cloud and both are banning the WAN address of the site where the phones are. The only way I can get the phones back online is to disable Fail2Ban. In one system I tried to reinstall F2B and that was a big mistake; now it won't start at all. I will probably end up creating a new server for this system. I am not running the firewall on either. Can someone point me to the config files for fail2ban? I have looked for fail2ban in the /etc directory and it is not there. Maybe I can get some info on what is going on there?
You should find fail2ban in /etc/fail2ban
I found the fail2ban directory in one of the systems and found the jail.local file. Looking at it, it does have the correct IPs in the ignoreip entry, so it shouldn't ban those IPs. So what could be going on? I did a yum info fail2ban and the version stated there on both is 0.11.1. Is it possible that somehow both are compromised, and how?
Which OS are you running?
NAME="Sangoma Linux"
VERSION="7 (Core)"
ID="sangoma"
ID_LIKE="centos rhel fedora"
VERSION_ID="7"
PRETTY_NAME="Sangoma Linux 7 (Core)"
Okay thanks, FreePBX-16
Try to upgrade all modules; maybe the f2b (firewall), core and framework module versions are old.
Edit: Added my old FreePBX-16 system modules. Compare with yours.
# fwconsole ma list | egrep "firewall|core|framework"
| core | 16.0.68.32 | Enabled | GPLv3+ | Sangoma |
| firewall | 16.0.57.11 | Enabled | AGPLv3+ | Sangoma |
| framework | 16.0.40.13 | Enabled | GPLv2+ | Sangoma |
Here it is from both systems; interesting that the provider for framework is Unknown.
Attentive
| core | 16.0.68.32 | Enabled | GPLv3+ | Sangoma |
| firewall | 16.0.57.11 | Enabled | AGPLv3+ | Sangoma |
| framework | 16.0.40.13 | Enabled | GPLv2+ | Unknown |
Rigg
| core | 16.0.68.32 | Enabled | GPLv3+ | Sangoma |
| firewall | 16.0.57.11 | Enabled | AGPLv3+ | Sangoma |
| framework | 16.0.40.13 | Enabled | GPLv2+ | Unknown |
Do you have the ClearlyIP module repo in use?
I believe so:
fwconsole setting MODULE_REPO
Setting of "MODULE_REPO" is (text)[https://mirror.clearlyip.com]
Sounds like you have their framework module. Any module with a valid signature but not from Sangoma shows that.
That makes sense
First of all, it might make sense to check the current status of the individual jails:
[root@freepbx ~]# fail2ban-client status
Status
|- Number of jail: 9
`- Jail list: apache-api, recidive, ssh-iptables, apache-badbots, pbx-gui, asterisk-iptables, openvpn, apache-tcpwrapper, vsftpd-iptables
Then, e.g., fail2ban-client status recidive
In my experience the unban through the web interface does not work.
Therefore I always needed to run: fail2ban-client set unbanip x.y.z.w
However, iptables -nvL is usually quite a long printout.
And usually the web interface → firewall → networks should have a green (trusted) entry for the IP of your opposite server. It is your own one, so you can trust it.
Also firewall → intrusion detection should have the opposite IP whitelisted.
On the right-hand side, under 'advanced', you may also set additional rules of your own (like mine) for IAX connections:
-A fpbxinterfaces -p udp -m set --match-set allow-list src -m multiport --dports 4569,5060,12345 -j ACCEPT
-A fpbxinterfaces -p udp -m multiport --dports 4569,5060,12345 -j DROP
which requires an ipset called 'allow-list'.
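An added example (not from this thread or from FreePBX/fail2ban itself) that shows the two checks the thread circles around: whether a jail.local ignoreip entry actually covers the address in question for every jail, and whether that address currently appears in the "Banned IP list" of a fail2ban-client status printout. fail2ban applies the [DEFAULT] ignoreip to every jail unless a jail section sets its own ignoreip, and a per-jail override is an easy way for a "whitelisted" address to end up banned by one jail only. The jail.local fragment, the status output and the addresses are all constructed for the example; the real ignoreip also accepts DNS names and honours ignoreself/ignorecommand, which this script does not replicate.

```python
import configparser
import ipaddress
import re

# Constructed jail.local fragment (hypothetical): DEFAULT whitelists the
# site's WAN address, but the recidive jail overrides ignoreip and loses it.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 203.0.113.10 198.51.100.0/24
bantime = 1800

[asterisk-iptables]
enabled = true

[recidive]
enabled = true
ignoreip = 127.0.0.1/8
"""

# Constructed output in the shape of `fail2ban-client status <jail>`
# (hypothetical values, not captured from a real system).
SAMPLE_STATUS = """\
Status for the jail: recidive
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     12
|  `- File list:        /var/log/fail2ban.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     5
   `- Banned IP list:   203.0.113.10 192.0.2.77
"""


def effective_ignoreip(jail_local_text):
    """Return {jail: [ip_network, ...]} with [DEFAULT] inheritance applied.

    configparser resolves DEFAULT keys per section the same way fail2ban
    does for ignoreip, so a jail that sets its own ignoreip replaces the
    default list instead of extending it.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_local_text)
    result = {}
    for jail in cp.sections():
        raw = cp.get(jail, "ignoreip", fallback="")
        # Entries may be separated by spaces or commas; bare addresses
        # become /32 (or /128) networks. Hostnames are not handled here.
        result[jail] = [
            ipaddress.ip_network(tok, strict=False)
            for tok in raw.replace(",", " ").split()
        ]
    return result


def jails_not_ignoring(ip, jail_local_text):
    """Names of jails whose effective ignoreip does NOT cover `ip`."""
    addr = ipaddress.ip_address(ip)
    return [
        jail
        for jail, nets in effective_ignoreip(jail_local_text).items()
        if not any(addr in net for net in nets)
    ]


def banned_ips(status_text):
    """Extract the 'Banned IP list' line from fail2ban-client status output."""
    m = re.search(r"Banned IP list:\s*(.*)", status_text)
    return m.group(1).split() if m else []


def whitelisted_but_banned(jail, jail_local_text, status_text):
    """Addresses banned by `jail` that the DEFAULT ignoreip was meant to cover.

    Reports an address when it is currently banned by the jail and it is
    covered by [DEFAULT] ignoreip but not by that jail's effective list.
    """
    nets = effective_ignoreip(jail_local_text)
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_local_text)
    default_nets = [
        ipaddress.ip_network(tok, strict=False)
        for tok in cp.defaults().get("ignoreip", "").replace(",", " ").split()
    ]
    hits = []
    for ip in banned_ips(status_text):
        addr = ipaddress.ip_address(ip)
        in_default = any(addr in n for n in default_nets)
        in_jail = any(addr in n for n in nets.get(jail, []))
        if in_default and not in_jail:
            hits.append(ip)
    return hits


if __name__ == "__main__":
    wan = "203.0.113.10"
    print("jails that would still ban", wan, "->", jails_not_ignoring(wan, SAMPLE_JAIL_LOCAL))
    print("whitelisted but banned by recidive ->",
          whitelisted_but_banned("recidive", SAMPLE_JAIL_LOCAL, SAMPLE_STATUS))
```

Run it against your own jail.local and the saved output of fail2ban-client status for each jail in the jail list; an address that shows up under a jail in the first list is the one to look for in that jail's ban list, and fail2ban-client set <jail> unbanip x.y.z.w clears the current ban while the ignoreip fix stops the next one.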