Fail2Ban, SSH, and Could not get banned list

I have searched for and tried just about everything I can in regards to this particular problem but I am still without resolution and the timer is ticking. I have tried reinstalling Fail2ban several times, I have looked at error logs, configuration files, etc. and think I know what the problem is but I don’t know how to resolve it. The biggest issue is that I work remotely and can only access the server via the web GUI as I can’t even SSH. Putty gives me Connection Error: Connection Refused so I have to have someone, usually my assistant but he’s on sick leave, help do the typing at the terminal. This also means no screenshots. But what I do have is the data from the intrusion detection error messages (Sorry ahead of time):

Exception

HELP

Could not get banned list

/var/www/html/admin/config.php

    // load language info if available
    modgettext::textdomain($module_name);
    if ( isset($currentcomponent) ) {
        $bmo->GuiHooks->doGUIHooks($module_name, $currentcomponent);
    }
    if ($bmo->GuiHooks->needsIntercept($module_name, $module_file)) {
        $bmo->Performance->Start("hooks-$module_name-$module_file");
        $bmo->GuiHooks->doIntercept($module_name, $module_file);
        $bmo->Performance->Stop("hooks-$module_name-$module_file");
    } else {

GET Data

display sysadmin
view intrusion_detection

POST Data empty

Files empty

Cookies

searchHide 1
dashboardShowAll false
lang en_US
destinationUsage 0
_ga GA1.1.1304408792.1589854276
PHPSESSID v2dimgiplmrngogkdk2dei4s61
_gid GA1.1.89669409.1606227271

Session

langdirection ltr
module_name sysadmin
module_page sysadmin
AMP_user ampuser Object ( [username] => admin [id] => [password:ampuser:private] => [extension_high:ampuser:private] => [extension_low:ampuser:private] => [sections:ampuser:private] => Array ( [0] => * ) [mode:ampuser:private] => database [opmode:ampuser:private] => [_lastactivity] => 1606318456 )
fwmsg Array ( [last_dest] => from-did-direct,4002,1 )

Server/Request Data

SCRIPT_URL /admin/config.php
SCRIPT_URI http://XXX.XXX.XXX.XXX/admin/config.php
SSLSETUP true
HTACCESS on
HTTP_HOST XXX.XXX.XXX.XXX
HTTP_CONNECTION keep-alive
HTTP_UPGRADE_INSECURE_REQUESTS 1
HTTP_DNT 1
HTTP_USER_AGENT Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
HTTP_ACCEPT text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
HTTP_REFERER http://XXX.XXX.XXX.XXX/admin/config.php?display=sysadmin
HTTP_ACCEPT_ENCODING gzip, deflate
HTTP_ACCEPT_LANGUAGE en-US,en;q=0.9
HTTP_COOKIE searchHide=1; dashboardShowAll=false; lang=en_US; destinationUsage=0; dashboardShowAll=true; searchHide=1; _ga=GA1.1.1304408792.1589854276; PHPSESSID=v2dimgiplmrngogkdk2dei4s61; _gid=GA1.1.89669409.1606227271
PATH /sbin:/usr/sbin:/bin:/usr/bin
SERVER_SIGNATURE <address>Apache/2.2.15 (CentOS) Server at XXX.XXX.XXX.XXX Port 80</address>
SERVER_SOFTWARE Apache/2.2.15 (CentOS)
SERVER_NAME XXX.XXX.XXX.XXX
SERVER_ADDR XXX.XXX.XXX.XXX
SERVER_PORT 80
REMOTE_ADDR XXX.XXX.XXX.XXX
DOCUMENT_ROOT /var/www/html
SERVER_ADMIN root@localhost
SCRIPT_FILENAME /var/www/html/admin/config.php
REMOTE_PORT 51010
GATEWAY_INTERFACE CGI/1.1
SERVER_PROTOCOL HTTP/1.1
REQUEST_METHOD GET
QUERY_STRING display=sysadmin&view=intrusion_detection
REQUEST_URI /admin/config.php?display=sysadmin&view=intrusion_detection
SCRIPT_NAME /admin/config.php
PHP_SELF /admin/config.php
REQUEST_TIME 1606318455

Environment Variables empty

/var/www/html/admin/libraries/BMO/GuiHooks.class.php

    $hooks = $this->getHooks($moduleToCall, $filename);
    if (!isset($hooks['INTERCEPT'])) {
        return true;
    }
    \modgettext::push_textdomain(strtolower($moduleToCall));
    $output = $this->getOutput($filename);
    \modgettext::pop_textdomain();

/var/www/html/admin/libraries/BMO/GuiHooks.class.php

        echo $output;
    }
    private function getOutput($filename) {
        ob_start();
        include $filename;
        $output = ob_get_contents();
        ob_end_clean();

/var/www/html/admin/modules/sysadmin/page.sysadmin.php

/var/www/html/admin/modules/sysadmin/functions.inc/intrusion.php

/var/www/html/admin/modules/sysadmin/Sysadmin.class.php


And that is all I have. This happened on another server that is nearly identical but a reboot of the server fixed it. The other thing is that it was working prior to the last System Admin Module upgrade (Commercial). The sense of urgency is that I need to off load a bunch of voice recordings to free up space and the storage is filling up fast. I appreciate any helpful suggestions. Thank you.

yum update sysadmin

I believe the poster said they had no ssh access and the person who would be onsite is out so they cannot run yum.
I assume you cannot attempt to ssh in from a different IP to see if that works (that would assume fail2ban hasn’t somehow failed in a way to block all ssh - not sure if that is even possible).

I don’t remember if stopping the firewall via the web gui completely stops iptables (I believe it does), so could try that and see if you can ssh then.

I don’t know if there has been a recent sysadmin update that might fix your issue, but you could use the web interface to go to the sysadmin menu and check the OS and module updates to see if anything pertinent could be upgraded.

As mentioned, yum update sysadmin will fix this. If you don’t have SSH access at this time, you can install all yum updates by going to Admin > Updates > System Updates and update all packages from there.

Once completed you should be able to access fail2ban just fine.

Thank you all. I have Fail2Ban back up thanks to a set of helping hands and reinstalling SysAdmin BUT still can’t use SSH to access the Terminal or SFTP. I whitelisted the subnet I use to access the network too. Any other ideas? My set of helping hands is on a tight leash from his manager as they are swamped so every time I borrow him it has to be quickly and with meaningful purpose.

Is it possible that fail2ban is not the issue? i.e. when did you last have ssh access?
I would try disabling the firewall entirely for a few minutes and seeing if ssh now works (assuming your PBX is not directly connected to the internet so no firewall for a few minutes should be ok!)

Either the freepbx firewall is not allowing it (change ssh to the internet zone), or you have some custom iptables rules blocking it, or it could be blocked in /etc/hosts.deny. I would check the freepbx firewall first if you use it “connectivity” -> firewall -> services tab -> ssh (set to internet). There are many other possibilities of why you might not be able to ssh in, have you made changes to ssh authentication (require ssh key for login/deny root login with password)? Have you made custom iptables rules? Have you done anything else that might affect ssh?

Does your “helping hands” ssh to the box so we know ssh is working locally? Assuming so, ask them to do: (assuming non-root user)
sudo iptables -L -n > /tmp/iptables.output #so can see firewall rules
sudo cp /var/log/secure /tmp/secure.log # so can see what is getting logged by ssh
sudo chmod a+r /tmp/secure.log
ps auxww > /tmp/ps.output # so can verify ssh is running
and get you those files. If they are non-technical, maybe they can mail them from the command line to you?

No one can SSH into the box. It is only accessible from the terminal that is physically connected to the server. So not even local SSH traffic is able to access it. However, I can have him run the above and if nothing else take pictures of the screen with his phone.

Oof. Does fpbx send emails? If so, I would use email to make life simpler. Though FPBX can be configured to send mail differently than the host does.
mail EMAIL-ADDRESS < /tmp/iptables.output
mail EMAIL-ADDRESS < /tmp/secure.log
mail EMAIL-ADDRESS < /tmp/ps.output
sudo mailq # will show if mail was sent or not
I don’t remember if the mailx package is installed by default? If not:
sudo yum install mailx

I don’t believe that any FreePBX firewall settings could result in this error – unauthorized packets are simply dropped, which should result in Putty showing “Network error: Connection timed out”.

Either sshd is not running at all, it’s running on a nonstandard port, or some other networking gear or logic is blocking it, e.g. the hypervisor firewall (if it’s a virtual machine).

Yes - you haven’t said anything about where you are compared to the PBX - are you using a VPN into the office or ???. Or is there port forwarding through the office firewall to hit the PBX, etc. etc.

I would start with making sure that ssh is running

netcat -vz PBX-ADDRESS 22

(you might need yum install netcat first)

If it says ‘connection refused’, then grep Port /etc/ssh/sshd_config should confirm the port it is running on, but if that returns nothing, then maybe openssh-server is not even installed.

So turns out sshd was not running at all. This was caused by a missing directory /var/empty and of course the /sshd directory in /empty. Once my helping hands was able to recreate the empty and the sshd directories sshd started without problem and I am now able to access the server via ssh. Thank you @Stewart1 for the hint. It never occurred to me that sshd might not be dependent on fail2ban but the other way round. Oh, and to answer your question, @nielsen, the server is in Arizona and I live in Washington state. My assistant is on sick leave for the next week or so and running the department remotely has me a bit frazzled. Vacations I can plan for, illness not so much. Thanks again everyone.
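
The failure found above (sshd not starting because /var/empty/sshd was missing) can be checked from the console with a short script. This is an added example, not code from the thread; the function names are hypothetical, and the root ownership and mode 0711 are assumptions based on the usual CentOS/RHEL layout of that directory.

```sh
#!/bin/sh
# Added example: verify the privilege-separation directory sshd needs at startup.
# Assumed layout (CentOS/RHEL convention): /var/empty/sshd, owned by root, mode 0711.

# privsep_status DIR [UID]
# Prints one word and returns: ok(0) missing(1) wrong-owner(2) writable(3).
privsep_status() {
    ps_dir=$1
    ps_uid=${2:-0}                  # sshd expects uid 0 (root)
    if [ ! -d "$ps_dir" ]; then
        echo missing
        return 1
    fi
    # ls -ldn prints "mode links uid gid ..."; numeric ids avoid name lookups.
    set -- $(ls -ldn "$ps_dir")
    ps_mode=$1
    ps_owner=$3
    if [ "$ps_owner" != "$ps_uid" ]; then
        echo wrong-owner
        return 2
    fi
    case $ps_mode in
        ?????w*|????????w*)         # group-write or other-write bit is set
            echo writable
            return 3 ;;
    esac
    echo ok
}

# repair_privsep DIR [UID]
# Recreates the directory with tight permissions, then re-checks it.
repair_privsep() {
    rp_dir=$1
    rp_uid=${2:-0}
    mkdir -p "$rp_dir" || return 1
    chmod 711 "$rp_dir" || return 1
    # Only root can hand the directory to another owner.
    if [ "$(id -u)" = 0 ]; then
        chown "$rp_uid" "$rp_dir" || return 1
    fi
    privsep_status "$rp_dir" "$rp_uid" >/dev/null
}

# Touch the real path only when asked: sh privsep.sh --check [DIR]
if [ "${1:-}" = "--check" ]; then
    dir=${2:-/var/empty/sshd}
    state=$(privsep_status "$dir")
    echo "$dir: $state"
    [ "$state" = ok ] || echo "repair as root, then start sshd again"
fi
```
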

For completeness, it needs to be said that setting ssh to the Internet zone is only appropriate for a short time while debugging. Allowing untrusted source IPs to access the ssh service is strongly discouraged.

On a slightly embarrassing note, I’d also like to say that setting up the OpenVPN server on FreePBX is a real boon. I’ve been failing at ever setting up a VPN (since the '90s) because the instructions that I’ve been given always assumed that my information framework was the same as everyone else’s. I’m pleased (and like I said, a little embarrassed) to admit that I’ve finally set up a working VPN. With that addition to my network, all of the ‘sketchy’ port practices I’ve been using for the past 30 years are finally starting to come down.

I recommend VPN access to the server for anything that even remotely resembles admin work, even though I’ve never been able to join you in the promised land until a couple of weeks ago.

Pretty good protections for sshd include

  • Change the service port in /etc/ssh/sshd_config and /etc/services

  • Set up public keys and don’t reuse them across machines.

  • Disable password authentication and root access in sshd_config

The fail2ban ssh jail will still work but will probably never be used.
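
The three protections listed above can be audited against an sshd_config file. This is an added example, not code from the thread; the function names and both sample configurations are constructed for illustration. It reads only the global section (it stops at the first Match block) and relies on sshd using the first value it sees for a keyword.

```sh
#!/bin/sh
# Added example: audit sshd_config for the settings recommended in the post above.

# sshd_effective KEYWORD FILE
# Prints the value sshd would use from the global section (first match wins).
sshd_effective() {
    awk -v key="$1" '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
        tolower($1) == "match" { exit }            # conditional blocks: out of scope
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# audit_sshd_config FILE
# Prints one line per finding; returns 0 when nothing is flagged, 1 otherwise.
audit_sshd_config() {
    a_file=$1
    a_bad=0
    a_pw=$(sshd_effective PasswordAuthentication "$a_file")
    a_root=$(sshd_effective PermitRootLogin "$a_file")
    a_port=$(sshd_effective Port "$a_file")
    if [ "$a_pw" != no ]; then
        echo "PasswordAuthentication is '${a_pw:-unset}', want 'no'"
        a_bad=1
    fi
    if [ "$a_root" != no ]; then
        echo "PermitRootLogin is '${a_root:-unset}', want 'no'"
        a_bad=1
    fi
    if [ "${a_port:-22}" = 22 ]; then
        echo "Port is the default 22"
        a_bad=1
    fi
    return $a_bad
}

# Constructed sample: the later "no" is ignored because the first value wins.
sample_weak_config() {
    cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later by an admin, has no effect
PasswordAuthentication no
EOF
}

# Constructed sample with all three settings changed (port number is arbitrary).
sample_hardened_config() {
    cat <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

# Audit a real file only when asked: sh audit.sh --file /etc/ssh/sshd_config
if [ "${1:-}" = "--file" ]; then
    audit_sshd_config "$2"
fi
```

On a live host, running `sshd -T` as root prints the configuration sshd actually resolves, including compiled-in defaults for keywords the file leaves unset.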

Actively maintained openvpn setup script

the site also provides a wire-guard install script if you wanna be cool


This ^^^^^^^^

You should never use password authentication over ssh

(But also do the ssh-copy-id thing before you disallow passwords)
