Fail2ban recidive filter - System Admin Intrusion Detection

Hi there,

Question regarding fail2ban’s filter ‘recidive’ :slight_smile:
Below is the default configuration

[recidive]
# recidivist.
#
#  Noun: A convicted criminal who reoffends, especially repeatedly.
#
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
     sendmail[name=recidive, dest=support@[domain.com, [email protected]]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 20

By looking at all fail2ban log files (/var/log/fail2ban.log*) it creates an issue. For example, IP 192.168.1.1 was banned for 2 days because of a bad REGISTER, but today the issue is fixed on the client’s end. Even if we remove the IP from the banlist (System Admin > Intrusion Detection), the IP will be banned again by the ‘recidive’ jail.

The solution is to remove all the old fail2ban logs or add the IP to the whitelist and wait a few days before removing it from the whitelist.

For the situations where the real bad requests keep coming in and we need to ban an IP for a longer period, okay, I understand, but in my sample it’s a little bit overkill, no? :slight_smile:

Greets,

You have to Stop & Start the F2B (Intrusion Detection) service when you add or remove an IP.
That means new service, new log and no ban issue…

that’s not a solution :slight_smile:
fail2ban keeps adding that IP to the ban with the reason ‘recidive’
the (temporary, in my opinion) solution is to clear/remove the fail2ban log files

which system are you seeing that issue on? pls

https://sangomakb.atlassian.net/wiki/spaces/PG/pages/35226461/System+Admin-Intrusion+Detection

very strange, I was a bit wrong, even cleaning the logs does not help lol
after restarting the service it keeps blocking by recidive

this is on FreePBX 17.0.19.17 + System Admin 17.0.2.4

what is your FW module version ?

System Firewall 17.0.1.29

however it’s not enabled, using iptables instead

| firewall          | 17.0.1.35  | Enabled | AGPLv3+     | Sangoma   |

Try to upgrade FW module.

upgraded
still the same issue, the banned IP stays banned by the recidive filter… even when all the log files are removed lol

oh w8, I have 17.0.1.30 on the stable track
will try the edge now

When you stop & start F2Ban from the GUI, does the service PID number change?
and check the log file, it has to change too…

693059 Feb 24 10:11 fail2ban.log
root        1774  0.3  0.4 1729104 34364 ?       Ssl  Feb17  29:45 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

root     1335074  0.6  0.4 1728972 34168 ?       Ssl  10:11   0:01 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

17.0.1.35

^^ is --edge i guess.

updated fw module to 17.0.1.35 => same issue
updated sysadmin module to 17.0.2.13 => same issue

stop > start fail2ban from GUI, the PID is indeed different

but now I checked the recent logs from /var/log/fail2ban:

2025-02-24 11:18:07,131 fail2ban.actions        [1924688]: NOTICE  [recidive] Unban 192.168.1.1
2025-02-24 11:18:07,147 fail2ban.utils          [1924688]: ERROR   7fbf28f5bcf0 -- exec: iptables -D fail2ban-recidive -s 192.168.1.1 -j REJECT --reject-with icmp-port-unreachable
2025-02-24 11:18:07,174 fail2ban.actions        [1924688]: ERROR   Failed to execute unban jail 'recidive' action 'iptables-allports' info 'ActionInfo({'ip': '192.168.1.1', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7fbf29109620>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7fbf29109da0>})': Error unbanning 192.168.1.1
2025-02-24 11:18:08,746 fail2ban.actions        [1925653]: NOTICE  [recidive] Restore Ban 192.168.1.1
2025-02-24 11:18:12,972 fail2ban.actions        [1925653]: NOTICE  [recidive] Unban 192.168.1.1
2025-02-24 11:18:18,778 fail2ban.actions        [1925959]: NOTICE  [recidive] Restore Ban 192.168.1.1

So it fails to unban and then restores the ban
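Both the first post's point (recidive counts Ban lines across every fail2ban.log* file it reads, rotated ones included) and the failed-unban sequence above can be checked offline against a fail2ban log. The following is an added example, not code from the thread, FreePBX or fail2ban: it approximates the recidive filter with a simplified regex (an assumption, not the shipped failregex), applies the thread's findtime/maxretry, and flags IPs whose unban errored and whose ban was then restored; the log lines are constructed, modelled on the ones quoted above.

```python
import re
from datetime import datetime

# fail2ban.log layout: "<date> <time>,<ms> <component> [<pid>]: <LEVEL> <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \d\d:\d\d:\d\d),\d+\s+\S+\s+\[\d+\]:\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")
# Simplified stand-in for the recidive failregex (assumption, not the shipped filter): a NOTICE
# "Ban <ip>" from any jail except recidive itself; "Restore Ban" and "Unban" lines do not match.
BAN_RE = re.compile(r"^\[(?!recidive\])[^\]]+\]\s+Ban\s+(?P<ip>\S+)$")
UNBAN_FAIL_RE = re.compile(r"^Failed to execute unban jail '(?P<jail>[^']+)'.*: Error unbanning (?P<ip>\S+)$")
RESTORE_RE = re.compile(r"^\[(?P<jail>[^\]]+)\]\s+Restore Ban\s+(?P<ip>\S+)$")

def parse(lines):  # yield (timestamp, level, message) for every well-formed line
    for line in lines:
        if m := LINE_RE.match(line):
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["level"], m["msg"]

def recidive_candidates(lines, findtime=86400, maxretry=20):
    """IPs recidive would ban: maxretry Ban events within findtime seconds, over every file it reads."""
    bans = {}
    for ts, level, msg in parse(lines):
        if level == "NOTICE" and (m := BAN_RE.match(msg)):
            bans.setdefault(m["ip"], []).append(ts)
    hits = set()
    for ip, t in bans.items():
        t.sort()  # sliding window: any maxretry consecutive bans that fit inside findtime
        if any((t[i + maxretry - 1] - t[i]).total_seconds() <= findtime
               for i in range(len(t) - maxretry + 1)):
            hits.add(ip)
    return hits

def stuck_unbans(lines):
    """(jail, ip) pairs whose unban errored and whose ban was then restored: the unban did not stick."""
    failed, stuck = set(), set()
    for _, level, msg in parse(lines):
        if level == "ERROR" and (m := UNBAN_FAIL_RE.match(msg)):
            failed.add(m["ip"])
        if (m := RESTORE_RE.match(msg)) and m["ip"] in failed:
            stuck.add((m["jail"], m["ip"]))
    return sorted(stuck)

def log(ts, level, msg):  # one constructed fail2ban.log line in the layout above
    return f"{ts},000 fail2ban.actions        [1000]: {level:<7} {msg}"
# Constructed sample: 20 asterisk-jail bans of one host within 19 hours (as if spread over rotated
# files), 3 sshd bans of another host, then the failed-unban / Restore Ban sequence from the thread.
SAMPLE = [log(f"2025-02-23 {h:02d}:00:00", "NOTICE", "[asterisk-iptables] Ban 192.168.1.1") for h in range(20)]
SAMPLE += [log(f"2025-02-23 0{h}:30:00", "NOTICE", "[sshd] Ban 203.0.113.9") for h in range(3)]
SAMPLE += [log("2025-02-24 11:18:07", "NOTICE", "[recidive] Unban 192.168.1.1"),
           log("2025-02-24 11:18:07", "ERROR", "Failed to execute unban jail 'recidive' action 'iptables-allports': Error unbanning 192.168.1.1"),
           log("2025-02-24 11:18:08", "NOTICE", "[recidive] Restore Ban 192.168.1.1")]
```

Feed it the concatenation of /var/log/fail2ban.log and the rotated files to see which hosts the recidive jail would still pick up after a GUI unban.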

Sorry, I can’t reproduce the same issue on the F2B and FW side…
An IP address added on the F2B side is added automatically to the FW Trusted network side too.

Stopped F2B logs

2025-02-24 10:37:48,974 fail2ban.server         [1340338]: INFO    Stopping all jails
2025-02-24 10:37:48,975 fail2ban.filter         [1340338]: INFO    Removed logfile: '/var/log/asterisk/fail2ban'
2025-02-24 10:37:48,976 fail2ban.filter         [1340338]: INFO    Removed logfile: '/var/log/asterisk/fail2ban'
2025-02-24 10:37:48,976 fail2ban.filter         [1340338]: INFO    Removed logfile: '/var/log/asterisk/freepbx_security.log'
2025-02-24 10:37:48,977 fail2ban.filter         [1340338]: INFO    Removed logfile: '/var/log/auth.log'
2025-02-24 10:37:48,977 fail2ban.filter         [1340338]: INFO    Removed logfile: '/var/log/apache2/error.log'
2025-02-24 10:37:48,978 fail2ban.filter         [1340338]: INFO    Removed logfile: '/var/log/vsftpd.log'
2025-02-24 10:37:48,978 fail2ban.filter         [1340338]: INFO    Removed logfile: '/var/log/apache2/other_vhosts_access.log'
2025-02-24 10:37:48,979 fail2ban.filter         [1340338]: INFO    Removed logfile: '/var/log/apache2/access.log'
2025-02-24 10:37:48,979 fail2ban.filter         [1340338]: INFO    Removed logfile: '/var/log/apache2/other_vhosts_access.log'
2025-02-24 10:37:48,980 fail2ban.filter         [1340338]: INFO    Removed logfile: '/var/log/apache2/access.log'
2025-02-24 10:37:49,001 fail2ban.filter         [1340338]: INFO    Removed logfile: '/var/log/openvpn.log'
2025-02-24 10:37:49,002 fail2ban.filter         [1340338]: INFO    Removed logfile: '/var/log/fail2ban.log.1'
2025-02-24 10:37:49,003 fail2ban.filter         [1340338]: INFO    Removed logfile: '/var/log/fail2ban.log.2.gz'
2025-02-24 10:37:49,003 fail2ban.filter         [1340338]: INFO    Removed logfile: '/var/log/fail2ban.log'
2025-02-24 10:37:49,003 fail2ban.filter         [1340338]: INFO    Removed logfile: '/var/log/fail2ban.log.3.gz'
2025-02-24 10:37:49,003 fail2ban.filter         [1340338]: INFO    Removed logfile: '/var/log/fail2ban.log.4.gz'
2025-02-24 10:37:49,616 fail2ban.jail           [1340338]: INFO    Jail 'sshd' stopped
2025-02-24 10:37:49,708 fail2ban.jail           [1340338]: INFO    Jail 'asterisk-iptables' stopped
2025-02-24 10:37:49,812 fail2ban.jail           [1340338]: INFO    Jail 'pbx-gui' stopped
2025-02-24 10:37:49,928 fail2ban.jail           [1340338]: INFO    Jail 'ssh-iptables' stopped
2025-02-24 10:37:50,032 fail2ban.jail           [1340338]: INFO    Jail 'apache-tcpwrapper' stopped
2025-02-24 10:37:50,132 fail2ban.jail           [1340338]: INFO    Jail 'vsftpd-iptables' stopped
2025-02-24 10:37:50,239 fail2ban.jail           [1340338]: INFO    Jail 'apache-badbots' stopped
2025-02-24 10:37:50,328 fail2ban.jail           [1340338]: INFO    Jail 'apache-api' stopped
2025-02-24 10:37:50,330 fail2ban.jail           [1340338]: INFO    Jail 'openvpn' stopped
2025-02-24 10:37:50,330 fail2ban.jail           [1340338]: INFO    Jail 'recidive' stopped
2025-02-24 10:37:50,332 fail2ban.database       [1340338]: INFO    Connection to database closed.
....

Started.

2025-02-24 10:37:50,978 fail2ban.jail           [1340506]: INFO    Jail 'sshd' started
2025-02-24 10:37:50,994 fail2ban.jail           [1340506]: INFO    Jail 'asterisk-iptables' started
2025-02-24 10:37:50,999 fail2ban.jail           [1340506]: INFO    Jail 'pbx-gui' started
2025-02-24 10:37:51,002 fail2ban.jail           [1340506]: INFO    Jail 'ssh-iptables' started
2025-02-24 10:37:51,007 fail2ban.jail           [1340506]: INFO    Jail 'apache-tcpwrapper' started
2025-02-24 10:37:51,010 fail2ban.jail           [1340506]: INFO    Jail 'vsftpd-iptables' started
2025-02-24 10:37:51,022 fail2ban.jail           [1340506]: INFO    Jail 'apache-badbots' started
2025-02-24 10:37:51,039 fail2ban.jail           [1340506]: INFO    Jail 'apache-api' started
2025-02-24 10:37:51,081 fail2ban.jail           [1340506]: INFO    Jail 'openvpn' started
2025-02-24 10:37:51,098 fail2ban.jail           [1340506]: INFO    Jail 'recidive' started

Stop & Start F2Ban works on my side. Maybe you have some different (customised) configs?

Only seeing these errors!

2025-02-24 10:45:08,840 fail2ban.transmitter    [1340506]: ERROR   Command ['get', 'ignoreip'] has failed. Received IndexError('list index out of range')
2025-02-24 10:45:08,971 fail2ban.transmitter    [1340506]: ERROR   Command ['set', 'addignoreip', '192.168.3.0/24'] has failed. Received Exception("Invalid command '192.168.3.0/24' (no set action or not yet implemented)")
2025-02-24 10:45:09,062 fail2ban.transmitter    [1340506]: ERROR   Command ['set', 'addignoreip', '192.168.19.0/24'] has failed. Received Exception("Invalid command '192.168.19.0/24' (no set action or not yet implemented)")
2025-02-24 10:45:09,244 fail2ban.transmitter    [1340506]: ERROR   Command ['set', 'addignoreip', '192.168.2.0/24'] has failed. Received Exception("Invalid command '192.168.2.0/24' (no set action or not yet implemented)")
2025-02-24 10:45:09,430 fail2ban.transmitter    [1340506]: ERROR   Command ['set', 'addignoreip', '127.0.0.1'] has failed. Received Exception("Invalid command '127.0.0.1' (no set action or not yet implemented)")
2025-02-24 10:45:09,616 fail2ban.transmitter    [1340506]: ERROR   Command ['set', 'addignoreip', '192.168.3.95'] has failed. Received Exception("Invalid command '192.168.3.95' (no set action or not yet implemented)")
2025-02-24 10:45:09,802 fail2ban.transmitter    [1340506]: ERROR   Command ['set', 'addignoreip', '127.0.1.1'] has failed. Received Exception("Invalid command '127.0.1.1' (no set action or not yet implemented)")
2025-02-24 10:45:09,991 fail2ban.transmitter    [1340506]: ERROR   Command ['set', 'addignoreip', '192.168.3.7'] has failed. Received Exception("Invalid command '192.168.3.7' (no set action or not yet implemented)")
2025-02-24 10:45:10,174 fail2ban.transmitter    [1340506]: ERROR   Command ['set', 'addignoreip', '3.x.5X.2XX'] has failed. Received Exception("Invalid command '3.X.5X.2XX' (no set action or not yet implemented)")

yes but the steps to reproduce are a bit different/complex
first you need an ip to be blocked by recidive filter :slight_smile:

Issue created as well:


I suggest

fail2ban-client --help

as a good starting point to manage bans by jail; manage fail2ban directly rather than through FreePBX.

fail2ban-client -V

should return >= 0.9 to have it retain tables over reload/reboot

Yes it is >= 0.9:

fail2ban-client -V
1.0.2
fail2ban-client set recidive unbanip IP

indeed removes the ban for the IP, however it should also work from the GUI :stuck_out_tongue:
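Turning the fail2ban-client command above into something repeatable: an added example (mine, not from the thread, FreePBX or fail2ban) that walks every jail's status output and unbans the IP wherever it is listed, recidive included, so the ban does not survive in a second jail. It assumes fail2ban-client 1.0.x on PATH and the layout of its `status` / `status <jail>` output; FAKE_STATUS is constructed output so the dry run works offline.

```python
import subprocess
import sys

def run_client(args):
    """Invoke the real fail2ban-client (assumed on PATH) and return its stdout."""
    return subprocess.run(["fail2ban-client", *args], capture_output=True, text=True, check=True).stdout

def parse_jail_list(status_out):
    """Jail names from the 'Jail list:' line of `fail2ban-client status`."""
    for line in status_out.splitlines():
        if "Jail list:" in line:
            return [j.strip() for j in line.split("Jail list:", 1)[1].split(",") if j.strip()]
    return []

def parse_banned(jail_status_out):
    """IPs from the 'Banned IP list:' line of `fail2ban-client status <jail>` (space separated)."""
    for line in jail_status_out.splitlines():
        if "Banned IP list:" in line:
            return line.split("Banned IP list:", 1)[1].split()
    return []

def unban_everywhere(ip, run=run_client):
    """Unban `ip` from every jail that currently lists it and return those jails. Walking all
    jails matters because a ban held by recidive survives an unban in the originating jail;
    `ip in list` is an exact string match, so 192.168.1.10 is not touched for 192.168.1.1."""
    touched = []
    for jail in parse_jail_list(run(["status"])):
        if ip in parse_banned(run(["status", jail])):
            run(["set", jail, "unbanip", ip])
            touched.append(jail)
    return touched

# Constructed fail2ban-client output for an offline dry run (not captured from a real host).
FAKE_STATUS = {
    (): "Status\n|- Number of jail:\t3\n`- Jail list:\tasterisk-iptables, recidive, sshd\n",
    ("asterisk-iptables",): "Status for the jail: asterisk-iptables\n`- Actions\n   `- Banned IP list:\t192.168.1.1 198.51.100.7\n",
    ("recidive",): "Status for the jail: recidive\n`- Actions\n   `- Banned IP list:\t192.168.1.1\n",
    ("sshd",): "Status for the jail: sshd\n`- Actions\n   `- Banned IP list:\t\n",
}

class FakeClient:
    """Stands in for run_client: answers from FAKE_STATUS and records every command issued."""
    def __init__(self):
        self.calls = []
    def __call__(self, args):
        self.calls.append(list(args))
        return FAKE_STATUS[tuple(args[1:])] if args[0] == "status" else ""

if __name__ == "__main__":  # real run: python3 unban_everywhere.py <ip>; no argument = offline dry run
    print(unban_everywhere(sys.argv[1]) if len(sys.argv) > 1 else unban_everywhere("192.168.1.1", run=FakeClient()))
```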

FreePBX never fully understood Fail2ban, since it was added by Elastix and copied by them a long time ago, but they renamed it :wink:

edit

@franckdanard, will you comment?