Fail2Ban Not Banning IP Addresses

Good day,

I notice a lot of failed login attempts against our FreePBX server despite Fail2Ban running.

I was able to block those five IP addresses manually using the WebGUI. How can I get those IPs banned automatically?

I took some screenshots of the WebGUI and everything seems to be running. And it is not a cache issue as one of the warnings suggests; I've cleared Firefox and it didn't fix the issue.



Thank-you,

Guillaume

Was required to ban even more this morning.

I need help please, that is very annoying.

Thank-you,

Guillaume

I had the problem with too many attacks from failed login attempts as well, the solution for me was:

  1. change the SIP port to something much different than the default 5060/5061 area… i.e. change to something that the port scanning bots would have a very hard time finding such as port 54874. Ever since I changed my SIP port for the sip driver used, the failed login attempts changed from 40-50 bans per day to 1 per week.
  2. in firewall>intrusion detection, I’d change ban time to at least 3600, max retry to 2 and find time to 300
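Added example, not part of any post in this thread: a small Python model of how the max retry, find time and ban time settings discussed above interact, run over constructed Asterisk-style log lines. The log format, the addresses and the `simulate` function are assumptions for illustration; this is not Fail2Ban's own code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines in the style of Asterisk chan_sip registration failures.
# Addresses are documentation ranges; the exact log format is an assumption.
_FMT = ("[2021-11-02 {}] NOTICE[2310] chan_sip.c: Registration from "
        "'<sip:100@pbx.example>' failed for '{}:5060' - Wrong password")
SAMPLE_LOG = "\n".join(_FMT.format(t, ip) for t, ip in [
    ("08:00:00", "203.0.113.7"),    # fast scanner: three tries in six seconds
    ("08:00:03", "203.0.113.7"),
    ("08:00:06", "203.0.113.7"),
    ("08:01:00", "198.51.100.20"),  # slow scanner: one try every four minutes
    ("08:02:00", "192.0.2.50"),     # a user mistyping a password once
    ("08:05:00", "198.51.100.20"),
    ("08:09:00", "198.51.100.20"),
])
LINE_RE = re.compile(r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE.*failed for '(?P<ip>[\d.]+):\d+'")

def simulate(log_text, maxretry, findtime, bantime):
    """Return [(ip, time_of_ban)] for a sliding-window failure count per IP."""
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    banned_until = {}            # ip -> seconds-since-epoch when the ban ends
    bans = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue  # a banned host is dropped at the firewall, so no new failure
        window = recent[ip]
        window.append(ts)
        # Forget failures that are older than findtime seconds.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned_until[ip] = ts + (datetime.fromtimestamp(bantime) - datetime.fromtimestamp(0))
            bans.append((ip, m["ts"]))
            window.clear()
    return bans

if __name__ == "__main__":
    # Values from the thread, then a looser and a shorter-window comparison.
    for cfg in [(2, 300, 3600), (5, 600, 3600), (2, 200, 3600)]:
        print(cfg, simulate(SAMPLE_LOG, *cfg))
```

With max retry 2 and find time 300, both scanners are banned and the single typo is not; shortening find time to 200 lets the four-minute scanner slip under the window.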

Hello,

I’ve kept the ban time at 86400 but I’ve set max retry to 2 and the find time to 300 to see if it could help.

Thank-you

Guillaume

New failed login attempts are still happening.

Need more help please.

Are you allowing ‘guest’ or ‘anonymous’ calls?

Are you using UDP/5060 for your transport?

What does

fail2ban-client -V

return ?

Did you change the SIP port to something other than 5060/5061? It’s an easy fix that solves the attacks most times, as most scanners target the SIP ports 5060/5061. Again, I’d recommend you switch to some port >20,000; that way the attackers will have a much harder time.

@thetelcoguy If possible I’d prefer keeping the “normal ports”. I remember I tried this back in 2016, I don’t remember the reason, and some of my devices weren’t able to connect anymore. I don’t know if this is because I’m behind a NAT. ;-(

But the idea is very good.

@dicko

Guest and anonymous calls are set to “No”

fail2ban-client -V gives:

[root@telephone-dc ~]# fail2ban-client -V
Fail2Ban v0.8.14

Copyright (c) 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
Copyright of modifications held by their respective authors.
Licensed under the GNU General Public License v2 (GPL).

Written by Cyril Jaquier <[email protected]>.
Many contributions by Yaroslav O. Halchenko <[email protected]>.

Unfortunately the ‘normal’ ports are besieged by the guys that you are having to ban. How about switching to TLS on 5061? That’s both ‘normal’ and very safe.

That version of Fail2Ban ‘forgets’ bans over a reboot; for an effective ‘recidive’ and long-term bans you will need fail2ban >=0.9 (current is 0.11).

Yes sure that I can use the 5061.

Concerning fail2ban, when doing yum install fail2ban I’ve got errors like:

file /etc/logrotate.d/fail2ban from install of fail2ban-server-0.11.1-9.el7.2.noarch conflicts with file from package fail2ban-fpbx-0.8.14-76.sng7.noarch

Is there a specific way to upgrade it? I just don’t want to mess everything up.

Just to confirm, that’s TLS on port 5061.

Yeah, an ongoing problem with the ‘Distro’ :wink: but you will have to take that up with Sangoma.

Are they charging money for that?

If yes, is there a way to fix it without going to Sangoma?

TLS is free but you will need a valid TLS certificate that matches your PBX’s public DNS name.

I will step back from the fail2ban thing :slight_smile:

I know for the TLS. :grinning:

I saw some posts on this forum concerning the fail2ban issue that I have. I will try to go there and see or I will post my own if needed.

Thanks!

If you switch to TLS and block UDP/5060 at your firewall, I don’t think you’ll need Fail2Ban so much.

If all the endpoints connecting to your FreePBX server have static IPs, all you have to do is configure iptables to allow those IP addresses to 5060 or whatever port you want. If all the endpoints are on dynamic (DHCP) IP addresses, you can put a Mikrotik router in front of your FreePBX server and run a script that will auto-ban each failed attempt depending on how many failed attempts you allow. I use both of these methods and they work like a charm. Granted, there are some bots that are very aggressive, and with the script we use in /etc/fail2ban/action.d/script_name the attacker in some cases can try 200+ times before the router blocks the IP (since they were already attacking they might be considered like ‘established’), but they all get blocked - forever, unless I clear out the list on the Mikrotik router. Food for thought anyway.

Current versions of fail2ban use much more aggressive scanning techniques (i.e. faster response); make sure pyinotify is installed and working, and if using 0.8 it makes a notable difference.

Hello,

No, all endpoints are on DHCP, only the PBX is on a static IP. As for the Mikrotik router, our FreePBX is on a VM (Proxmox). I could probably work with a dedicated NIC for the PBX VM, but it would change our topology, and I’m not sure if I want that.

I’m trying (in another thread) to obtain help updating fail2ban but, apparently the package is fail2ban-fpbx.

https://community.freepbx.org/t/errors-when-trying-to-upgrade-fail2ban/82369

You have my sympathies, Sangoma apparently don’t see it as a problem. :wink: