Fail2ban.log full of ['get', 'ignoreip'] and ['set', 'addignoreip', '<IP addr>'] errors

kurt19001 · July 7, 2025, 10:20pm

Hello,
I am running FreePBX 17.0.19.28 and Asterisk 22.4.1 on Debian 12. The system handles calls properly, but /var/log/fail2ban.log records the following four lines every five minutes:

2025-07-06 01:00:43,250 fail2ban.transmitter    [2119]: ERROR   Command ['get', 'ignoreip'] has failed. Received IndexError('list index out of range')
2025-07-06 01:00:43,338 fail2ban.transmitter    [2119]: ERROR   Command ['set', 'addignoreip', '192.168.0.60'] has failed. Received Exception("Invalid command '192.168.0.60' (no set action or not yet implemented)")
2025-07-06 01:00:43,426 fail2ban.transmitter    [2119]: ERROR   Command ['set', 'addignoreip', '127.0.0.1'] has failed. Received Exception("Invalid command '127.0.0.1' (no set action or not yet implemented)")
2025-07-06 01:00:43,514 fail2ban.transmitter    [2119]: ERROR   Command ['set', 'addignoreip', '127.0.1.1'] has failed. Received Exception("Invalid command '127.0.1.1' (no set action or not yet implemented)")

Those three IP addresses are in the ignore list for all of the fail2ban jails:

root@ivr28:/etc/fail2ban# !365
for J in `fail2ban-client  status | grep "Jail list:"  | awk -F: '{print $2}' | sed -e s/,//g`; do echo $J; echo =======================; fail2ban-client get $J ignoreip; echo; done
apache-api
=======================
These IP addresses/networks are ignored:
|- 192.168.0.60
|- 127.0.0.1
`- 127.0.1.1

apache-badbots
=======================
These IP addresses/networks are ignored:
|- 192.168.0.60
|- 127.0.0.1
`- 127.0.1.1

apache-tcpwrapper
=======================
These IP addresses/networks are ignored:
|- 192.168.0.60
|- 127.0.0.1
`- 127.0.1.1

asterisk-iptables
=======================
These IP addresses/networks are ignored:
|- 192.168.0.60
|- 127.0.0.1
`- 127.0.1.1

openvpn
=======================
These IP addresses/networks are ignored:
|- 192.168.0.60
|- 127.0.0.1
`- 127.0.1.1

pbx-gui
=======================
These IP addresses/networks are ignored:
|- 192.168.0.60
|- 127.0.0.1
`- 127.0.1.1

recidive
=======================
These IP addresses/networks are ignored:
|- 192.168.0.60
|- 127.0.0.1
`- 127.0.1.1

ssh-iptables
=======================
These IP addresses/networks are ignored:
|- 192.168.0.60
|- 127.0.0.1
`- 127.0.1.1

sshd
=======================
These IP addresses/networks are ignored:
|- 192.168.0.60
|- 127.0.0.1
`- 127.0.1.1

vsftpd-iptables
=======================
These IP addresses/networks are ignored:
|- 192.168.0.60
|- 127.0.0.1
`- 127.0.1.1

root@ivr28:/etc/fail2ban#

Does anyone know what might be causing this?

Santhosh · July 11, 2025, 9:41am

Hi @kurt19001
How were these IPs added to the trusted zone..? through the Intrusion Detection GUI or directly in the jail.local file?

Try removing them and then re-adding them using the GUI. If the issue still persists, please share a screenshot of the Intrusion Detection settings and the relevant jail.local entries.

kurt19001 · July 14, 2025, 2:34pm

Hello @Santhosh ,
Thanks for your reply! I never tried to use the “Intrusion Detection GUI” to add an IP address to ignore. I’m sure these are coming from /etc/fail2ban/jail.local:

root@box:/etc/fail2ban# head -13 jail.local
# Configuration automatically generated via the Sysadmin Module
# This file will be overwritten by Sysadmin on startup. If you modify
# this file, your changes will be lost. DO NOT MODIFY THIS FILE!
# generated: Fri, 23 May 2025 19:00:43 +0000

[DEFAULT]
ignoreip =  127.0.0.1 127.0.1.1 192.168.0.60
sendername = FreePBX Alerts
bantime = 86400
findtime = 600
maxretry = 8
backend = auto

root@box:/etc/fail2ban#

I will try removing and adding these addresses through the GUI and see (and post) what happens.

The fact that the “fail2ban-client get ignoreip” command can retrieve the ignored IPs but those errors (especially the “get”) keep popping up in the log file make me suspect that the “fail2ban.transmitter” is trying to “get” and “set” them from/into some other place, and that place is corrupted and/or misconfigured. Is there a mysql database or table someplace that I can try clearing or something?

kurt19001 · July 14, 2025, 5:06pm

Hello Again @Santhosh ,
In trying to remove and re-add the ignored IPs, it becomes clear to me that I don’t really know what I’m doing with (at least) the “Intrusion Detection” portion of the FreePBX GUI.

At:

[(http://w.x.y.z/admin/config.php?display=firewall&tab=intrusion_detection)

I see:

There is no “ignored IP” list labeled as such. I can remove the ignored IPs from the jails with:

fail2ban-client set <jailname> delignoreip <IP address>

(being careful not to restart fail2ban) but where in the “Intrusion Detection” screen do I re-add them? Into which Zone? Or do I use the “Custom Whitelist”?

The lower portion of the screen shows the contents of whichever of the four zones I click on, and those contents vary with time. If I click on [Clear All], they are cleared but soon come back.

Hmmm, I think I do not use the “Intrusion Detection” screen at all. I think I instead use the adjacent-tab “Network” screen.

kurt19001 · July 14, 2025, 9:17pm

Hi @Santhosh (last time today ),
I have some results. Using the “delignoreip” command above, I removed the three ignored IPs from all of the fail2ban jails. Then, in the [firewall]->[networks] tab I added those three IPs to the formerly-empty “Other” zone. Finally in the [Intrusion Detection] tab I clicked [Clear All] and then [Other Zone], with results very similar to the below. I clicked [Save Intrusion Detection].

I say ‘very similar to’ because I also had a fourth, slightly-lighter green line which repeated the 127.0.1.1 IP, with “host” in the type column. That looked wrong, so I went into the “advanced settings” screen accessible via the side-tab, and changed the “include /etc/hosts” setting from enabled to disabled. When I went back to the [Intrusion Detection] tab, the 4th line was gone and I saw exactly what you see above.

The first time I clicked [save Intrusion Detection], the fail2ban.log entries changed from the four lines at the start of this post every five minutes, to just:

2025-07-14 15:26:03,572 fail2ban.transmitter    [2242]: ERROR   Command ['get', 'ignoreip'] has failed. Received IndexError('list index out of range')
2025-07-14 15:26:03,661 fail2ban.transmitter    [2242]: ERROR   Command ['set', 'addignoreip', '127.0.1.1'] has failed. Received Exception("Invalid command '127.0.1.1' (no set action or not yet implemented)")

every five minutes. But when I clicked [Save Intrusion Detection] after making the duplicate 127.0.1.1 line go away, I got:

2025-07-14 15:45:19 : addignoreip 127.0.1.1 in jail apache-api
2025-07-14 15:45:19 : addignoreip 127.0.1.1 in jail apache-badbots
2025-07-14 15:45:20 : addignoreip 127.0.1.1 in jail apache-tcpwrapper
2025-07-14 15:45:20 : addignoreip 127.0.1.1 in jail asterisk-iptables
2025-07-14 15:45:20 : addignoreip 127.0.1.1 in jail openvpn
2025-07-14 15:45:20 : addignoreip 127.0.1.1 in jail pbx-gui
2025-07-14 15:45:20 : addignoreip 127.0.1.1 in jail recidive
2025-07-14 15:45:21 : addignoreip 127.0.1.1 in jail ssh-iptables
2025-07-14 15:45:21 : addignoreip 127.0.1.1 in jail sshd
2025-07-14 15:45:21 : addignoreip 127.0.1.1 in jail vsftpd-iptables
2025-07-14 15:45:22,646 fail2ban.transmitter    [2242]: ERROR   Command ['get', 'ignoreip'] has failed. Received IndexError('list index out of range')
2025-07-14 15:45:22,737 fail2ban.transmitter    [2242]: ERROR   Command ['set', 'addignoreip', '127.0.1.1'] has failed. Received Exception("Invalid command '127.0.1.1' (no set action or not yet implemented)")
2025-07-14 15:46:22,417 fail2ban.transmitter    [2242]: ERROR   Command ['get', 'ignoreip'] has failed. Received IndexError('list index out of range')
2025-07-14 15:46:22,515 fail2ban.transmitter    [2242]: ERROR   Command ['set', 'addignoreip', '127.0.1.1'] has failed. Received Exception("Invalid command '127.0.1.1' (no set action or not yet implemented)")

The GUI caused 127.0.1.1 to go into the ignore lists, but not the other two IPs. And it’s still failing to get and set 127.0.1.1 every five minutes, while ignoring the other two IPs in the GUI “IPs that are currently trusted” list.

Santhosh · July 16, 2025, 12:21pm

We have raised github jira [bug]: Fail2ban.log full of [‘get’, ‘ignoreip’] and [‘set’, ‘addignoreip’, ‘<IP addr>’] errors · Issue #808 · FreePBX/issue-tracker · GitHub
please follow the same for fix update

kurt19001 · July 16, 2025, 3:53pm

Thank you @Santhosh ! I subscribed to the issue in GitHub. If you want me to try anything else, please let me know here or in GitHub.

system · August 16, 2025, 3:54pm

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.