Fail2Ban stopped banning IP intruders

Hi all,
I have a problem with the protection of my FreePBX: fail2ban has stopped banning, the firewall is not banning, and Sysadmin Pro doesn't show banned IPs. Everything is updated and nothing was changed manually. I waited two weeks because maybe it is a bug, but it is taking too long to risk it any more.
FreePBX 13.0.27 x64
Current Asterisk Version: 13.5.0
PBX Firmware: 10.13.66-6
PBX Service Pack: 1.0.0.0
System Admin 13.0.30.1

From the Asterisk log files:
acl.c: SIP Peer ACL: Rejecting '85.25.217.166' due to a failure to pass ACL '(BASELINE)'
acl.c: SIP Peer ACL: Rejecting '173.242.113.131' due to a failure to pass ACL '(BASELINE)'
chan_sip.c: Failed to authenticate device 100sip:[email protected];tag=a9ec6dcd
.
.
.
acl.c: SIP Peer ACL: Rejecting '85.25.217.166' due to a failure to pass ACL '(BASELINE)'

[[email protected] ~]# /sbin/iptables-save
# Generated by iptables-save v1.4.7 on Wed Dec 9 11:06:03 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [117141:35039980]
:fpbx-rtp - [0:0]
:fpbxattacker - [0:0]
:fpbxblacklist - [0:0]
:fpbxfirewall - [0:0]
:fpbxhosts - [0:0]
:fpbxinterfaces - [0:0]
:fpbxknownreg - [0:0]
:fpbxlogdrop - [0:0]
:fpbxnets - [0:0]
:fpbxregistrations - [0:0]
:fpbxrfw - [0:0]
:fpbxshortblock - [0:0]
:fpbxsignalling - [0:0]
:fpbxsmarthosts - [0:0]
:fpbxsvc-chansip - [0:0]
:fpbxsvc-ftp - [0:0]
:fpbxsvc-http - [0:0]
:fpbxsvc-https - [0:0]
:fpbxsvc-iax - [0:0]
:fpbxsvc-isymphony - [0:0]
:fpbxsvc-nfs - [0:0]
:fpbxsvc-pjsip - [0:0]
:fpbxsvc-provis - [0:0]
:fpbxsvc-restapps - [0:0]
:fpbxsvc-smb - [0:0]
:fpbxsvc-ssh - [0:0]
:fpbxsvc-tftp - [0:0]
:fpbxsvc-ucp - [0:0]
:fpbxsvc-webrtc - [0:0]
:fpbxsvc-xmpp - [0:0]
:zone-external - [0:0]
:zone-internal - [0:0]
:zone-other - [0:0]
:zone-reject - [0:0]
:zone-trusted - [0:0]
-A INPUT -j fpbxfirewall
-A fpbx-rtp -p udp -m udp --dport 10000:20000 -j ACCEPT
-A fpbx-rtp -p udp -m udp --dport 4000:4999 -j ACCEPT
-A fpbxattacker -m recent --set --name ATTACKER --rsource
-A fpbxattacker -j LOG --log-prefix "attacker: "
-A fpbxattacker -j DROP
-A fpbxfirewall -i lo -j ACCEPT
-A fpbxfirewall -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fpbxfirewall -p udp -m udp --sport 1:1024 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fpbxfirewall -p icmp -j ACCEPT
-A fpbxfirewall -d 255.255.255.255/32 -j ACCEPT
-A fpbxfirewall -m pkttype --pkt-type multicast -j ACCEPT
-A fpbxfirewall -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A fpbxfirewall -j fpbx-rtp
-A fpbxfirewall -j fpbxsignalling
-A fpbxfirewall -j fpbxsmarthosts
-A fpbxfirewall -j fpbxregistrations
-A fpbxfirewall -j fpbxnets
-A fpbxfirewall -j fpbxhosts
-A fpbxfirewall -j fpbxblacklist
-A fpbxfirewall -j fpbxinterfaces
-A fpbxfirewall -m mark --mark 0x2/0x2 -j fpbxrfw
-A fpbxfirewall -j fpbxlogdrop
-A fpbxhosts -s 127.0.0.1/32 -j zone-trusted
-A fpbxinterfaces -i eth0 -j zone-external
-A fpbxknownreg -m mark --mark 0x1/0x1 -j ACCEPT
-A fpbxknownreg -j fpbxsvc-ucp
-A fpbxlogdrop -j REJECT --reject-with icmp-port-unreachable
-A fpbxnets -s 82.146.XXX.XXX/32 -j zone-trusted
-A fpbxnets -s 195.200.XXX.XXX/32 -j zone-trusted
-A fpbxnets -s 92.111.XXX.XXX/32 -j zone-trusted
-A fpbxnets -s 192.168.0.XXX/32 -j zone-trusted
-A fpbxnets -s 62.108.XXX.XXX/32 -j zone-trusted
-A fpbxnets -s 192.168.0.0/24 -j zone-trusted
-A fpbxregistrations -s 192.168.0.XXX/32 -j fpbxknownreg
-A fpbxregistrations -s 192.168.0.XXX/32 -j fpbxknownreg
-A fpbxregistrations -s 192.168.0.XXX/32 -j fpbxknownreg
-A fpbxregistrations -s 192.168.0.XXX/32 -j fpbxknownreg
-A fpbxregistrations -s 192.168.0.XXX/32 -j fpbxknownreg
-A fpbxregistrations -s 192.168.0.XXX/32 -j fpbxknownreg
-A fpbxregistrations -s 192.168.0.XXX/32 -j fpbxknownreg
-A fpbxregistrations -s 192.168.0.XXX/32 -j fpbxknownreg
-A fpbxregistrations -s 192.168.0.XXX/32 -j fpbxknownreg
-A fpbxregistrations -s 92.111.XXX.XXX/32 -j fpbxknownreg
-A fpbxregistrations -s 62.108.XXX.XXX/32 -j fpbxknownreg
-A fpbxregistrations -s 82.146.XXX.XXX/32 -j fpbxknownreg
-A fpbxregistrations -s 195.200.XXX.XXX/32 -j fpbxknownreg
-A fpbxrfw -m recent --set --name REPEAT --rsource
-A fpbxrfw -m recent --rcheck --seconds 10 --hitcount 50 --name REPEAT --rsource -j fpbxattacker
-A fpbxrfw -m recent --rcheck --seconds 86400 --hitcount 1 --name ATTACKER --rsource -j fpbxattacker
-A fpbxrfw -m recent --rcheck --seconds 60 --hitcount 10 --name SIGNALLING --rsource -j fpbxshortblock
-A fpbxrfw -m recent --set --name SIGNALLING --rsource
-A fpbxrfw -m recent --rcheck --seconds 86400 --hitcount 100 --name REPEAT --rsource -j fpbxattacker
-A fpbxrfw -j ACCEPT
-A fpbxshortblock -m recent --set --name CLAMPED --rsource
-A fpbxshortblock -j LOG --log-prefix "clamped: "
-A fpbxshortblock -j REJECT --reject-with icmp-port-unreachable
-A fpbxsignalling -p udp -m udp --dport 5060 -j MARK --set-xmark 0x3/0xffffffff
-A fpbxsmarthosts -s 82.146.XXX.XXX/32 -m mark --mark 0x1/0x1 -j ACCEPT
-A fpbxsmarthosts -s 195.200.XXX.XXX/32 -m mark --mark 0x1/0x1 -j ACCEPT
-A fpbxsvc-chansip -p udp -m udp --dport 5060 -j ACCEPT
-A fpbxsvc-ftp -p tcp -m tcp --dport 21 -j ACCEPT
-A fpbxsvc-http -p tcp -m tcp --dport 80 -j ACCEPT
-A fpbxsvc-https -p tcp -m tcp --dport 443 -j ACCEPT
-A fpbxsvc-iax -p udp -m udp --dport 4569 -j ACCEPT
-A fpbxsvc-isymphony -p tcp -m tcp --dport 58080 -j ACCEPT
-A fpbxsvc-isymphony -p tcp -m tcp --dport 55050 -j ACCEPT
-A fpbxsvc-nfs -j RETURN
-A fpbxsvc-provis -p tcp -m tcp --dport 83 -j ACCEPT
-A fpbxsvc-restapps -p tcp -m tcp --dport 84 -j ACCEPT
-A fpbxsvc-smb -j RETURN
-A fpbxsvc-ssh -p tcp -m tcp --dport 22 -j ACCEPT
-A fpbxsvc-tftp -p udp -m udp --dport 69 -j ACCEPT
-A fpbxsvc-ucp -p tcp -m tcp --dport 81 -j ACCEPT
-A fpbxsvc-ucp -p tcp -m tcp --dport 8001 -j ACCEPT
-A fpbxsvc-webrtc -p tcp -m tcp --dport 8088 -j ACCEPT
-A fpbxsvc-xmpp -p tcp -m tcp --dport 5222 -j ACCEPT
-A zone-external -j fpbxsvc-ssh
-A zone-external -j fpbxsvc-https
-A zone-external -j fpbxsvc-ucp
-A zone-external -j fpbxsvc-xmpp
-A zone-internal -j fpbxsvc-ssh
-A zone-internal -j fpbxsvc-http
-A zone-internal -j fpbxsvc-https
-A zone-internal -j fpbxsvc-ucp
-A zone-internal -j fpbxsvc-chansip
-A zone-internal -j fpbxsvc-iax
-A zone-internal -j fpbxsvc-isymphony
-A zone-internal -j fpbxsvc-provis
-A zone-internal -j fpbxsvc-restapps
-A zone-internal -j fpbxsvc-xmpp
-A zone-internal -j fpbxsvc-ftp
-A zone-internal -j fpbxsvc-tftp
-A zone-other -j fpbxsvc-ucp
-A zone-other -j fpbxsvc-provis
-A zone-other -j fpbxsvc-xmpp
-A zone-reject -j fpbxsvc-webrtc
-A zone-reject -j fpbxsvc-nfs
-A zone-reject -j fpbxsvc-smb
-A zone-trusted -j ACCEPT
COMMIT
# Completed on Wed Dec 9 11:06:03 2015

Can someone help me?
Regards,
Artur

Fail2ban is set up against bad password attempts. ACL is Access Control List, meaning the IP address has to be whitelisted to get access. So it is working.

If you want, you could set up the configuration to ban on multiple access attempts.
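
A sketch of the "ban on multiple access attempts" idea from the reply above, as an added example that is not part of the original posts and is not fail2ban's own code: it counts the ACL rejection messages quoted in the thread per source IP inside a sliding window, the way a maxretry/findtime threshold would. The timestamp prefix, the threshold values and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the ACL rejection message quoted in the thread. The leading
# "[timestamp] LEVEL[pid]" prefix is an assumed log layout.
ACL_REJECT = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] \w+\[\d+\] acl\.c: "
    r"SIP Peer ACL: Rejecting '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})' "
    r"due to a failure to pass ACL '[^']*'"
)

def ips_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return IPs with at least `maxretry` ACL rejections within `findtime`.

    The defaults are assumed values, not settings taken from the thread.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = []
    for line in lines:
        m = ACL_REJECT.match(line)
        if not m:
            continue              # e.g. chan_sip.c auth failures: other filter
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > findtime:
            hits.popleft()        # forget rejections older than the window
        if len(hits) >= maxretry and m["ip"] not in banned:
            banned.append(m["ip"])
    return banned

# Constructed sample log (documentation-range addresses, not real hosts).
_ACL = "[2015-12-09 {t}] NOTICE[2101] acl.c: SIP Peer ACL: Rejecting '{ip}' " \
       "due to a failure to pass ACL '(BASELINE)'"
SAMPLE_LOG = [
    _ACL.format(t="11:00:01", ip="203.0.113.10"),
    _ACL.format(t="11:00:05", ip="198.51.100.7"),
    _ACL.format(t="11:00:40", ip="203.0.113.10"),
    _ACL.format(t="11:01:30", ip="203.0.113.10"),   # third hit in 90 seconds
    "[2015-12-09 11:02:00] NOTICE[2101] chan_sip.c: Failed to authenticate "
    "device 100<sip:100@192.0.2.5>;tag=constructed",
    _ACL.format(t="11:15:05", ip="198.51.100.7"),   # slow: 15 minutes apart
    _ACL.format(t="11:30:05", ip="198.51.100.7"),
]

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG))
```

The slow source stays under the threshold with a 10-minute window, which is the trade-off to weigh when choosing the window length for this kind of rule.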