The version of FreePBX I’m using now persists the fail2ban list so a restart won’t clear it. I take a hardline approach to blocking IP addresses. I give them 8 attempts and then permaban the IP. This hasn’t been an issue for 2 years. Today someone kept trying to log in (mind you, with the same username/password they use to log in to their desktop) and caused themselves to be banned. I am now trying to unban them but I can’t figure out how best to do that. Advice?
Figured it out using the CLI.
Check your IP tables:

```
[root@pbx]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-FTP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 21
fail2ban-apache-auth tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80
fail2ban-SIP all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-SIP all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-BadBots tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
fail2ban-recidive all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-BadBots (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-FTP (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-SIP (2 references)
target prot opt source destination
REJECT all -- 192.168.0.156 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache-auth (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-recidive (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
```
In my case you can see that 192.168.0.156 is blocked using the fail2ban-SIP rule because they tried to log in to the Admin portal multiple times (trying to log in to run a report).
Now check the fail2ban jails.
```
[root@pbx]# fail2ban-client status
Status
|- Number of jail: 7
`- Jail list: apache-tcpwrapper, recidive, pbx-gui, apache-badbots, ssh-iptables, asterisk-iptables, vsftpd-iptables
```
For my problem I need to unban the IP from the “pbx-gui” jail.
```
[root@pbx]# fail2ban-client set pbx-gui unbanip 192.168.0.156
192.168.0.156
```
And now it is removed from fail2ban. Note that if you try to remove it from a jail that it doesn’t exist in, it will just return that the IP doesn’t exist in the jail, so no harm.
I imagine if this was a SIP phone it would be in the asterisk-iptables jail. SSH failure in the ssh-iptables jail. And so on.
@xrobau Rob will be able to expand on this, but the one fear I have is that, if you fire off one of the Firewall rules associated with FreePBX, you might catch one of the recidivist rules, in which case the next time they try to log in, they might trip the alarm and get perma-banned again.
The obvious solution to this is “don’t do that”, but failing that, you might want to submit a ticket and explain what you need to have happen in the case of an inadvertent permaban.
Fail2ban works with iptables; cleverly, FreePBX adds kernel-level monitoring, which will of course override iptables rules.
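
The jail lookup that the answer above does by eye, extended to the recidive concern raised in the reply, as an added example that is not part of the original posts: this POSIX shell sketch lists every jail currently banning an address and unbans it from each one. The `F2B` override variable and the function names are assumptions of this example, and the `IP list:` label is matched loosely on the assumption that its exact wording differs between fail2ban versions.

```sh
#!/bin/sh
# Added example: find every fail2ban jail banning an IP, then unban it from each.
# F2B is the client command; it can be overridden to exercise the logic
# on a machine without fail2ban (assumption of this example).
F2B="${F2B:-fail2ban-client}"

# Print the jail names from the "Jail list:" line of `fail2ban-client status`.
list_jails() {
    "$F2B" status | sed -n 's/.*Jail list:[[:space:]]*//p' | tr ',' ' '
}

# Print each jail whose banned-IP line contains exactly the address $1.
# grep -Fx compares whole tokens, so 192.168.0.15 does not match 192.168.0.156.
jails_banning() {
    jb_ip="$1"
    for jb_jail in $(list_jails); do
        "$F2B" status "$jb_jail" \
            | sed -n 's/.*IP list:[[:space:]]*//p' \
            | tr -s '[:space:]' '\n' \
            | grep -Fxq -- "$jb_ip" && echo "$jb_jail"
    done
    return 0
}

# Unban $1 from every jail that holds it; print the jails it was removed from.
# Checking all jails matters because the same address can sit in a service
# jail (pbx-gui) and in recidive at the same time.
unban_everywhere() {
    ue_ip="$1"
    # Accept only a dotted-quad IPv4 address (IPv4-only, as in the thread).
    printf '%s\n' "$ue_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "not an IPv4 address: $ue_ip" >&2
        return 2
    }
    for ue_jail in $(jails_banning "$ue_ip"); do
        "$F2B" set "$ue_jail" unbanip "$ue_ip" >/dev/null && echo "$ue_jail"
    done
    return 0
}
```

Source the file as root on the PBX and call `jails_banning 192.168.0.156` to see where the address is held before running `unban_everywhere 192.168.0.156`.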