Fail2Ban Not Banning IP Addresses

New failed login attempts are still happening.

Need more help please.

Are you allowing ‘guest’ or ‘anonymous’ calls?

Are you using UDP/5060 for your transport?

What does

fail2ban-client -V

return?

Did you change the SIP port to something other than 5060/5061? It’s an easy fix that solves the attacks most times as most scanners target the SIP ports 5060/5061. Again I’d recommend you switch to some port >20,000 that way the attackers will have a much harder time.

@thetelcoguy If possible, prefer keeping the “normal ports”. I remember I tried this back in 2016, for a reason I don’t remember, and some of my devices weren’t able to connect anymore. I don’t know if this is because I’m behind a NAT. ;-(

But the idea is very good.

@dicko

Guest and anonymous calls are set to “No”

fail2ban-client -V gives:

[root@telephone-dc ~]# fail2ban-client -V
Fail2Ban v0.8.14

Copyright (c) 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
Copyright of modifications held by their respective authors.
Licensed under the GNU General Public License v2 (GPL).

Written by Cyril Jaquier <[email protected]>.
Many contributions by Yaroslav O. Halchenko <[email protected]>.

Unfortunately the ‘normal’ ports are besieged by the guys that you are having to ban; how about switching to TLS on 5061? That’s both ‘normal’ and very safe.

That version of Fail2Ban ‘forgets’ bans over a reboot; for an effective ‘recidive’ and long-term bans you will need fail2ban >= 0.9 (current is 0.11).

Yes sure that I can use the 5061.

Concerning fail2ban, when doing yum install fail2ban I’ve got errors like:

file /etc/logrotate.d/fail2ban from install of fail2ban-server-0.11.1-9.el7.2.noarch conflicts with file from package fail2ban-fpbx-0.8.14-76.sng7.noarch

Is there a specific way to upgrade it? I just don’t want to mess everything up.

Just to confirm, that’s TLS on port 5061.

Yeah, an ongoing problem with the ‘Distro’ :wink: but you will have to take that up with Sangoma.

Are they charging money for that?

If yes, is there a way to fix it without going to Sangoma?

TLS is free but you will need a valid TLS certificate that matches your PBX’s public DNS name.

I will step back from the fail2ban thing :slight_smile:

I know about the TLS. :grinning:

I saw some posts on this forum concerning the fail2ban issue that I have. I will try to go there and see, or I will post my own if needed.

Thanks!

If you switch to TLS and block UDP/5060 at your firewall, I don’t think you’ll need Fail2Ban so much.

If all the endpoints connecting to your FreePBX server have static IPs, all you have to do is configure iptables to allow those IP addresses to 5060 or whatever port you want. If all the endpoints have dynamic (DHCP) IP addresses, you can put a Mikrotik router in front of your FreePBX server and run a script that will auto-ban each failed attempt depending on how many failed attempts you allow. I use both of these methods and they work like a charm. Granted, there are some bots that are very aggressive, and with the script we use in /etc/fail2ban/action.d/script_name the attacker in some cases can try 200+ times before the router blocks the IP (since they were already attacking they might be considered ‘established’), but they all get blocked - forever, unless I clear out the list on the Mikrotik router. Food for thought anyway.

Current versions of fail2ban use much more aggressive scanning techniques (i.e. faster response); make sure pyinotify is installed and working, and if using 0.8 it makes a notable difference.
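The counting rule fail2ban applies to those log lines (maxretry failures inside a sliding findtime window), shown as an added example that is not from this thread or from the FreePBX project; the log lines are constructed in the shape of Asterisk chan_sip and res_pjsip failure messages and use documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the shape of Asterisk chan_sip / res_pjsip failure lines
# (documentation addresses). One scanner bursting, one IP failing slowly,
# one phone with a single wrong password.
SAMPLE_LOG = """\
[2020-05-01 12:00:00] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@pbx>' failed for '192.0.2.9:5060' - Wrong password
[2020-05-01 12:00:10] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@pbx>' failed for '203.0.113.5:5060' - Wrong password
[2020-05-01 12:00:15] NOTICE[1234] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"200" <sip:200@pbx>' failed for '198.51.100.7:5060' (callid: abc) - Failed to authenticate
[2020-05-01 12:00:20] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@pbx>' failed for '203.0.113.5:5060' - Wrong password
[2020-05-01 12:00:30] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@pbx>' failed for '203.0.113.5:5060' - Wrong password
[2020-05-01 12:20:00] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@pbx>' failed for '192.0.2.9:5060' - Wrong password
[2020-05-01 12:40:00] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@pbx>' failed for '192.0.2.9:5060' - Wrong password
"""

# Timestamp and source IP of a failed REGISTER (chan_sip or res_pjsip wording).
FAIL_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] "
    r"(?:chan_sip\.c: Registration from .* failed for|"
    r"res_pjsip/pjsip_distributor\.c: Request 'REGISTER' from .* failed for) "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+'"
)

def offenders(lines, maxretry=5, findtime=600):
    """Return {ip: time of the failure that crossed maxretry} using fail2ban's
    rule: maxretry failures inside a sliding window of findtime seconds."""
    window = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue              # not a failure line this filter understands
        ip = m.group("ip")
        if ip in banned:
            continue              # already decided for this IP
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        q = window[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=findtime):
            q.popleft()           # drop failures older than findtime
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines(), maxretry=3).items():
        print(f"would ban {ip} at {when}")
```

With the defaults nobody is banned; with maxretry=3 only the bursting scanner is, and the slow IP is only caught once findtime is widened, which is why the findtime/maxretry pair in the jail matters as much as the filter regex.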

Hello,

No, all endpoints are on DHCP; only the PBX is on a static IP. For the Mikrotik router, our FreePBX is on a VM (Proxmox). I could probably work with a dedicated NIC to the PBX VM, but it will change our topology and I’m not sure if I want that.

I’m trying (in another thread) to obtain help updating fail2ban but, apparently, the package is fail2ban-fpbx.

https://community.freepbx.org/t/errors-when-trying-to-upgrade-fail2ban/82369

You have my sympathies, Sangoma apparently don’t see it as a problem. :wink:

Hahaha that’s bad… :sweat_smile:

The good news is, no more attacks for more than 48H now. :crossed_fingers:

I will continue monitoring the logs and in the meantime I’ll try to find out how to make fail2ban work again, because it worked just fine before; I remember I had IP addresses in the banned section in the WebGUI.

Hello Guillaume,
finally, what did you do to stop the intrusions?
From your screenshots, you didn’t define a “trusted network” in the intrusion detection tab of the firewall. Therefore fail2ban cannot know what’s allowed and what’s not allowed (yellow line in your dashboard).
Moreover: if you can arrange for your router to always distribute the same IPs to your phones by MAC, and the IPs are always part of a defined subnet (let’s say e.g. 192.168.0.1/26), you may allow only this subnet in the pbx extension tab (…match_permit). After that only phones with defined IPs can log in.
In addition: never allow your router to forward port 80 or 443 to your PBX or open port 80/443 to the world. This is a clear invitation for all hackers.
Take care with the “match-permit” definition. The way of writing CIDR is different for pjsip and chansip extensions, specifically if you allow more than one CIDR. In fact you may allow one IP only per extension.

Hi guenni,

I didn’t do anything other than blocking problematic IP addresses at the FreePBX firewall using the WebGUI, and within 24 hours there were no more attacks. But I’m still monitoring to make sure there are no more new attacks.

For the IP assignment, it would be hard, or even impossible, as phones are spread across three different remote sites, plus I’m using the server for my mobile communication as well, all with dynamic IPs.

However, I’m always connecting from the same three ISPs: two of my sites are using A, one is using B and mobile C. What I can do is to only allow those three ISPs using their host names, as they are using multiple IP ranges; this is principally the case for the mobile one. The host name will change but not the .ispname.com part.

So this could be a solution; I just need to find out how to do it correctly.

With regards,

Guillaume
