Fail2Ban Not Banning IP Addresses

Hahaha that’s bad… :sweat_smile:

The good news is, no more attacks for more than 48H now, :crossed_fingers:

I will continue monitoring the logs, and in the meantime I’ll try to find out how to make fail2ban work again, because it worked just fine before; I remember I had IP addresses in the banned section in the WebGUI.

Hello Guillaume,
Finally, what did you do to stop the intrusions?
According to your screenshots, you didn’t define a “trusted network” in the intrusion detection tab of the firewall. Therefore fail2ban cannot know what’s allowed and what’s not allowed (yellow line in your dashboard).
Moreover: if you can arrange for your router to always distribute the same IPs to your phones by MAC, and the IPs are always part of a defined subnet (let’s say e.g. 192.168.0.1/26), you may allow only this subnet in the PBX extension tab (…match_permit). After that, only phones with defined IPs can log in.
In addition: never allow your router to forward port 80 or 443 to your PBX or open port 80/443 to the world. This is a clear invitation for all hackers.
Take care with the “match-permit” definition. The way of writing CIDR is different for pjsip and chansip extensions, specifically if you allow more than one CIDR. In fact you may allow one IP only per extension.

Hi guenni,

I didn’t do anything other than blocking problematic IP addresses at the FreePBX firewall using the WebGUI, and within 24 hours there were no more attacks. But I’m still monitoring to make sure there are no more new attacks.

For the IP assignment, it would be hard, if not impossible, as the phones are spread across three different remote sites; plus I’m using the server for my mobile communication as well, all with dynamic IPs.

However, I’m always connecting from the same three ISPs: two of my sites are using A, one is using B and mobile C. What I can do is to only allow those three ISPs using their host names, as they are using multiple IP ranges; this is principally the case for the mobile one. The host name will change but not the .ispname.com

So this could be a solution; I just need to find out how to do it correctly.

With regards,

Guillaume
