Fail2Ban, unban an IP?


#1

The version of FreePBX I’m using now persists the fail2ban list, so a restart won’t clear it. I take a hardline approach to blocking IP addresses. I give them 8 attempts and then permaban the IP. This hasn’t been an issue for 2 years. Today someone kept trying to log in (mind you, with the same username/password they use to log in to their desktop) and caused themselves to be banned. I am now trying to unban them but I can’t figure out how best to do that. Advice?


#2

Figured it out using the CLI.

Check your iptables:

[root@pbx]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-FTP  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 21
fail2ban-apache-auth  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 80
fail2ban-SIP  all  --  0.0.0.0/0            0.0.0.0/0
fail2ban-SIP  all  --  0.0.0.0/0            0.0.0.0/0
fail2ban-BadBots  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 80,443
fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22
fail2ban-recidive  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-BadBots (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-FTP (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SIP (2 references)
target     prot opt source               destination
REJECT     all  --  192.168.0.156        0.0.0.0/0           reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-apache-auth (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-recidive (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

In my case you can see that 192.168.0.156 is blocked using the fail2ban-SIP rule because they tried to log in to the Admin portal multiple times (trying to log in to run a report).

Now check the fail2ban jails.

[root@pbx]# fail2ban-client status
Status
|- Number of jail:      7
`- Jail list:           apache-tcpwrapper, recidive, pbx-gui, apache-badbots, ssh-iptables, asterisk-iptables, vsftpd-iptables

For my problem I need to unban the IP from the “pbx-gui” jail.

[root@pbx]# fail2ban-client set pbx-gui unbanip 192.168.0.156
192.168.0.156

And now it is removed from fail2ban. Note that if you try to remove it from a jail that it doesn’t exist in, it will just return that the IP doesn’t exist in the jail, so no harm.

I imagine if this was a SIP phone it would be in the asterisk-iptables jail. SSH failure in the ssh-iptables jail. And so on.
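
The steps in the post above (list the jails, find the ones that hold the address, unban it from each, including `recidive`) as one script. This is an added example, not part of the original post; the function names and the `F2B` override variable are hypothetical, and it assumes `fail2ban-client status <jail>` prints the banned addresses on a line containing `IP list:`.

```sh
#!/bin/sh
# Added example: unban an address from every fail2ban jail that currently holds it.
# F2B is a hypothetical override so the logic can be exercised without fail2ban.
F2B="${F2B:-fail2ban-client}"

# Accept only a dotted-quad IPv4 address before passing it to any command.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Read `fail2ban-client status` on stdin and print one jail name per line.
jail_names() {
    sed -n 's/.*Jail list:[[:space:]]*//p' | tr ',' '\n' |
        sed -e 's/[[:space:]]//g' -e '/^$/d'
}

# Read `fail2ban-client status <jail>` on stdin; succeed if $1 is in its IP list.
# Assumption: banned addresses appear space-separated after "IP list:".
# -F -x makes the match literal and whole-line, so 10.0.0.1 never matches 10.0.0.15.
jail_has_ip() {
    sed -n 's/.*IP list:[[:space:]]*//p' | tr -s '[:space:]' '\n' |
        grep -Fxq -- "$1"
}

# Unban $1 from every jail listing it and print the name of each jail changed.
# Returns 0 if at least one jail held the address, 1 if none did, 2 on bad input.
unban_everywhere() {
    valid_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 2; }
    found=1
    for jail in $("$F2B" status | jail_names); do
        if "$F2B" status "$jail" | jail_has_ip "$1"; then
            "$F2B" set "$jail" unbanip "$1" >/dev/null && echo "$jail" && found=0
        fi
    done
    return "$found"
}
```

Source the file as root and call `unban_everywhere 192.168.0.156`; the jails it prints are the ones that were holding the address.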


(Dave Burgess) #3

@xrobau Rob will be able to expand on this, but the one fear I have is that, if you fire off one of the Firewall rules associated with FreePBX, you might catch one of the recidivist rules, in which case the next time they try to log in, they might trip the alarm and get perma-banned again.

The obvious solution to this is “don’t do that”, but failing that, you might want to submit a ticket and explain what you need to have happen in the case of an inadvertent permaban.


#4

Fail2ban works with iptables; cleverly, FreePBX adds kernel-level monitoring, which will of course override iptables rules.