I seem to be cursed by some ridiculous fail2ban issue and I’m struggling to understand why it seems to be only affecting me…
I recently deployed a 1-click FreePBX v16 droplet on DigitalOcean which gave me a vanilla out-of-the-box FreePBX installation to start configuring. Shortly after configuring my deployment I start noticing that my Fail2Ban is off. Each time I click the Start button in System Admin > Intrusion Detection it never refreshes to reflect an ‘on’ state within the Admin GUI.
So I SSH into my Droplet and discover that the fail2ban-client is stuck in a failed state. All the repeated log entries reflect the same thing:
> fail2ban-client[5957]: ERROR Found no accessible config files for ... > fail2ban-client[5957]: ERROR Unable to read the filter
This same error keeps preventing fail2ban from starting up… I checked the GitHub and /config/filter.disn’t even supposed to have config files for apache-api OR openvpn, or they’re just nested within other config files now. I checked my own fail2ban directories and they’re identical to the GitHub repo. When I try searching around for these error log entries people only really ever a similar problem of log files not being found or created which is easily fixed.
Therefore, why in the world is my particular out-of-the-box instance trying to look for config files where there aren’t supposed to be any?? I even tried using yum to completely remove all traces of fail2ban, verified there was no fail2ban left on the system, and reinstalled it using yum install fail2ban-fpbx.noarch and amazingly when starting it was still yielding the same error… Literally how? Moreover, if the service startup doesn’t find a config file, and seemingly skips over it, why does that then seem to cause the service to fail entirely??
I can’t imagine I did anything wrong here just setting up the basics from a fresh install and I also can’t imagine I stumbled upon some package maintainer’s mistake in the latest release… so what is going on here? Does FreePBX Fail2Ban need these filters? If so where are they at? If not, how do I force the service to forget about them?
Any ideas with this are greatly appreciated! Thanks!
All [jails] that have enabled = true will be loaded from either jail.conf, jail.local if it exists or as xxx.conf files in the jail.d/ drop directory. they will need matching filters.conf’s watching existing logs in filters.d/
Sys Admin module should put those files in place. Try reinstalling it. Also that image on DO is a bit out of date so run yum update and also update all FreePBX modules.
Now for me to come clean here, @billsimon when I first setup your 1-click FreePBX v16 droplet on DigitalOcean, I just glanced over your Get Started section and did nothing else with it since I had alot of experience with the PBXact system in the past and was already intending to buy the SysAdmin Pro module. Even after installing the Pro module and fully-updating the system, that isn’t enough to load the proper Fail2Ban jail configs!!
I went back to your Get Started guide and did fwconsole ma enablerepo commercial then fwconsole ma downloadinstall sysadmin then restarted the fail2ban service and it FINALLY worked and has been just fine since then!
So my only question from this experience… what is the difference between the Admin GUI’s SysAdmin Pro module and what your instructions had me do? Because just to reiterate, I already had SysAdmin Pro installed on my system, and the entire system was fully up-to-date. I even used SysAdmin Pro to setup all of my SMTP config before I started to work on the Fail2Ban service issue. I would’ve practically expected either of these actions to fill-in any missing F2B config.
I just launched a fresh copy and, before updating, investigated it.
First of all, the Getting Started documentation applied to an earlier iteration of the image. Now the commercial repo and sysadmin module are preinstalled. So I should update that.
I launched the image and aborted firewall setup at first. When I checked, fail2ban was running fine. Once I went back and configured the firewall, I saw the same thing you experienced. I’m not sure what’s going on there. I went to ssh and ran all the standard updates:
yum update fwconsole ma upgradeall fwconsole chown fwconsole r
and finally fwconsole restart since the asterisk package was updated.
Well I’m atleast glad you ran into what I was experiencing. Hopefully that’s a one-and-done type of issue, - globally!
Nonetheless thanks for your assistance and thanks a ton for making a 1-click droplet available for FreePBX! I’ve been starting my own IT company and knew that FreePBX was the best choice for my phone system, but I didn’t wanna labor with the setup. Your droplet made it super easy to just jump right in, so thanks again!
