Fail2ban won't start after update


#29

Same Topic Different Question: Are we pulling Intrusion Detection Settings out of System Admin?
(currently seeing it under firewall as well as system admin)

Thanks


(Yois) #30

Wow, so strange. It’s probable that I wrote the code that broke something… But I can’t reproduce this. I’ve even started with fresh SNG7 install and it’s just not happening to me. I have Firewall 15.0.11 running on several production systems without any hiccups.

@VoIPTek @ashcortech @jkalber - Are your systems activated? Are you using Intrusion Detection? What version of fail2ban are you running? If you just update Sysadmin does this happen? If you just update Firewall does this happen? Does the problem begin immediately after updating the modules?

Really, fail2ban is controlled by the Sysadmin module’s management of Intrusion Detection. The work I did (regarding fail2ban) was just to ensure that the fail2ban rules in iptables wouldn’t be wiped out by the Responsive Firewall. It will help greatly if we can narrow down whether Sysadmin or Firewall module is the cause of the problem, and in which version the problem surfaced.

I would work on this but I can’t reproduce.


#31

fail2ban-fpbx.noarch 0.8.14-76.sng7 @anaconda/2104


#32

Yes fully activated

Yes intrusion was being used

Current Sysadmin 15.0.21.66, no update available

Something definitely happened in the updates over the weekend. Too many people seeing the same issue at the same time. Whether it’s because of your work or not remains to be seen.


(Jkalber) #33

Just wanted to provide an update that I rebooted the pbx system this morning and everything is back to normal, Fail2ban and Intrusion detection are on and running. I did have to delete that “firewall.enable”.

I manage five other PBX’s and the others are having the same issue so I will follow these steps and hopefully fix the others.

Thanks for all your help guys, cheers!


(Lorne Gaetz) #34

Repeated attempts to repro this have been unsuccessful for me, but I did have hands on a system just now where fail2ban wouldn’t start. I don’t know the cause but it appears to be related to System Admin module.

15.0.21.65 - fail2ban fails to start
15.0.21.66 - fail2ban starts like normal

You can get .66 from the stable repo with:

fwconsole ma upgrade sysadmin

Confirm sysadmin version with:

fwconsole ma list | grep sysadmin

Start fail2ban:

systemctl start fail2ban.service

Confirm it’s running with:

systemctl status fail2ban.service

Fail2ban wont start
(Yois) #35

/etc/aterisk/firewall.lock

Thanks for this, there’s a typo in the source code (that doesn’t affect functionality)


#36

I have .66 and it still won’t start. Unfortunately I can’t reboot the phone system right now as the office is open. I’ll try tonight.


(Jared Busch) #37

So @lgaetz what can be done to fix this? Because until this is fixed, Firewall is a commercial product. No matter what this says…

| firewall  | 15.0.8.14  | Enabled and up to date   | AGPLv3+     |

(Yois) #38

@sorvani - I’m also slightly frustrated by this fact, but like I said earlier, the ability to do root tasks from the GUI requires some sanity checking and file verification. If you want to make this completely open, it’s only possible if the open-source community can agree on one signing authority… Once we do that why can’t it just be Sangoma?

If anyone wants to create an open-source fork of the firewall module, it’s easy enough to just create a new incron folder that processes the hook files without signature verification, and to drop hook files in that location… But don’t say I didn’t warn you that this is insecure.


(Yois) #39

(Jared Busch) #40

Of course it can be Sangoma. But it has to be done in something that can be installed on all systems, unlike SysAdmin.


(Simon Telephonics) #41

Access control doesn’t have to be done in the kernel.


(Yois) #42

Care to explain? Both iptables and fail2ban require root.


(Simon Telephonics) #43

I’m talking about using ACL functionality in Asterisk. It’s not a drop-in replacement to iptables but it fits better within the paradigm of FreePBX working with asterisk configuration as the asterisk user. Maybe a direction to consider for FreePBX 17.


#44

(Ron) #45

Hello,
Wanted to add to this thread. Same issue with the GUI indicating Fail2Ban not running, same error codes when attempting to start the service. Same Apache error - ‘filter.d/apache-api’ under /etc/fail2ban ERROR Unable to read the filter ERROR Errors in jail ‘apache-api’. Skipping…

Solution that worked for me on 4 FreePBX 15 was ashcortech in the last update.
Manually running
/var/www/html/admin/modules/sysadmin/hooks/fail2ban-apache-config
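
Added example, not part of the original post and not FreePBX or Sysadmin code: a shell check for the condition behind the error quoted above, an enabled jail whose filter file is absent from filter.d. It assumes the standard fail2ban layout (jail.conf/jail.local and filter.d/ under one directory); the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not FreePBX code): report enabled fail2ban jails whose
# filter file is missing, the condition behind "Unable to read the filter".

# Print "<jail> <filter>" for each enabled jail; jail.local overrides jail.conf.
# Assumption: only an explicit "enabled = true" inside the jail section counts.
enabled_jails() {
    for f in "$1/jail.conf" "$1/jail.local"; do
        if [ -f "$f" ]; then cat "$f"; fi
    done | awk '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^\[/ { jail = $0; sub(/^\[/, "", jail); sub(/\].*$/, "", jail); next }
        /^[ \t]*(enabled|filter)[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "filter") sub(/\[.*$/, "", val)   # drop filter options
            conf[jail, key] = val; seen[jail] = 1
        }
        END {
            for (j in seen)
                if (j != "" && j != "DEFAULT" &&
                    tolower(conf[j, "enabled"]) == "true" && conf[j, "filter"] != "")
                    print j, conf[j, "filter"]
        }' | sort
}

# Print one line per enabled jail that has neither filter.d/<name>.conf
# nor filter.d/<name>.local. $1 is the fail2ban config directory.
missing_filters() {
    enabled_jails "$1" | while read -r jail filter; do
        if [ ! -f "$1/filter.d/$filter.conf" ] && [ ! -f "$1/filter.d/$filter.local" ]; then
            echo "$jail: filter.d/$filter.conf not found"
        fi
    done
}

# Constructed sample tree (not copied from a real system): the apache-api
# jail is enabled but its filter file was never written.
demo() {
    d=$(mktemp -d) && mkdir "$d/filter.d"
    printf '%s\n' '[apache-api]' 'enabled = true' 'filter = apache-api' \
                  '[ssh-iptables]' 'enabled = true' 'filter = sshd' > "$d/jail.local"
    : > "$d/filter.d/sshd.conf"
    missing_filters "$d"
    rm -rf "$d"
}
demo
```

On a live system the call would be `missing_filters /etc/fail2ban`; empty output means every enabled jail has its filter file.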


#46

I’m not trying to be disruptive, but can someone qualify exactly what version of Fail2ban is being deployed? And who wrote the systemd fail2ban.service that is apparently being used to start it?

Last mention of 0.8 is ‘quite a long time ago’


#47

@yois Yes, all current for all modules & OS, all activated, and nothing I do changes the behavior, a few boxes are doing it and others are not.


#48

@dicko

Note: PBX is 100% Current for OS & Modules
Running: FreePBX 15.0.17.43
Running: fail2ban-fpbx-0.8.14-76.sng7.noarch
Reboot does nothing to resolve.

First here is a video showing how the GUI reacts: https://screenrec.com/share/3lwCtWNBG5

Error trying to start the server image: https://screenrec.com/share/nmZrcENs3b

Output from status was provided above.