Failed To Register

Is the address the correct format? I would not expect it to accept 111@ since there is a field already for the auth user. It is probably expecting the format pbxhost:port

Display Name = Outbound CallerID Name
Address = username
Auth ID = username
Label = Phone line label

You shouldn’t have 111@ip in the address field.

I have been going over everything here and triple checking settings etc etc. I still do not know why the phones I am trying to register keep appearing in the BANNED IP section of Fail2Ban AND they are specifically listed as a Whitelisted IP and the network they are on is ALSO Whitelisted.

I Stopped Fail2Ban - I made the entries by Removing them from the Banned section and placing them in the Whitelist section - Then Restart Fail2ban. - I then asked local users to replug in the Lan cable and as soon as the phones boot up, they pop right into the Banned list !! They are in Both places !

I am tempted to just shut down Fail2Ban entirely and rely on our Firewall but I am reading about a Hack that seems to be affecting FreePBX and Digium phones etc. Any concern ??

OK - So now what do I do to find out WHY they are being thrown into Banned what can I do to stop this from happening ?? I don’t understand one comment dicko made about a Bad Auth - I triple checked the settings and made sure the passwords matched in FreePBX Extensions and in the Phone’s GUI and even setting up the Phones on the phone’s keypad on the one unit I had sent to me.

All SNGREP tells me is 403 forbidden - or failed. All the CLI shows is Failed to Authenticate.
All these phones worked fine on previous VoIPs

fail2ban comes with this tool:-

fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf

would pass the named log file against the fail2ban ‘filter’ and print out the matched lines

Not really. Exploit maybe? - #9 by lgaetz

I am going to need time to go through the output
Lines: 22278 lines, 0 ignored, 7110 matched, 15168 missed
Missed line(s): too many to print. Use --print-all-missed to print all 15168 lines

RTFM perhaps ?

fail2ban-regex -h 

(add --print-all-matched)

When I ran with --print-all-matched I got this…
fail2ban-regex: error: no such option: --print-all-matched

When I used --print-no-missed I get this output … But the part that says Wrong password/Username/auth I don’t understand - the User and password ARE correct etc. This is where I ask why it thinks the Pwd or Username/auth is wrong - where is it pulling that from ?

\d+])?:\s+[[(]?asterisk(?:(\S+))?[])]?:?|[[(]?asterisk(?:(\S+))?[])]?:?(?:[\d+])?:?)?\s(?:[ID \d+ \S+])?\s*|[]\s*)(?:NOTICE|SECURITY)(?:[\d+]):?(?:[C-[\da-f]])? \S+:\d( in \w+:)? Registration from ‘[^’]’ failed for ‘(:\d+)?’ - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error (permit/deny)|Not a local domain)$
| 10) [5588] ^(\s
(<[^.]+.[^.]+>)?\s*(?:\S+ )?(?:kernel: [ *\d+.\d+] )?(?:@vserver_\S+ )?(?:(?:

I suspect a previous alliance with ‘Onsip’

Pasting the rule is not helpful, pasting an example line of a caught log file would be.

dicko - I am trying … I am not familiar with fail2ban command line and the “manuals” are not helping me.
I could any out necessary if I knew exactly how to get that data.

A side question… will Fail2Ban prevent the VoIP from pinging a phone ?? I ask because I cannot ping any of the phones I am trying to register but they DO answer ping from Windows Command Line and I can get to their GUIs … Their local networks are listed in the Asterisk Settings. I suspect F2B is blocking them ( ICMP )

If this is true - back to square one as above !

Check your options with

fail2ban-regex -h

Perhaps older versions had

--print-all-ignored

Again, what about Onsip, your posted log shows that your phones are contacting the Onsip boot server, Have you factory wiped the phones?

Only on One ( 1 ) phone did I use boot.onsip.com ( ext 111) because I wanted to Factory reset the phone and update it to see if that was an issue with it being blocked. I figured it would wipe out any “stuck” auth info and let me start over. I could not find a better way to reset and update than ONSIP. It did wipe and reset the phone though. I tried poly2.polcom.com but it just kept rebooting itself. Is ONSIP an issue ??

If there is a better method to wipe / reset/ and update - I am all ears ( or eyes ). A lot of these phones are in remote offices and they do not have the same nice GUI but the older one ver 3. something not sure.

When the phone booted it started downloading and installing new Firmware and Software and when it completed that I was presented with a more useful GUI with all kinds of info and config options. I thought I was home free.

I found ONSIP by reading pages and pages of posts with people with similar issues. I took a chance on ONSIP and it seemed to work. I have an updated phone with a great GUI that won’t register.

I shut down Fail2Ban for 3 hours today - and I was able to ping these phones via the VoIP CLI - but they just refuse to register STILL !! I am at the point where I need to get a definitive answer – these phones are vital to us as we are contractors for various military installations.

They worked via VPNs for years in our remote locations and all our offices. I know Polycoms can be troublesome and probably not the best choice ( our SNOMs are less an issue ) but we have 40 of them - some are working and most are not - but I am not hooking them up until I can figure this out… why have all the phones not working ?

You are best off having the phones get their configs from your FreePBX using http or https, make sure the port used is open and use the url not the ip of your pbx and the right user/password, you can maybe do a manager login in (456) remotely with an off site client but probably better done locally.

Yes well - I have issue with the phones offsite… I need to walk someone locally through the set up - not always available which is why I had them send me 2 problem phones… the ones we are trying to get registered ! The one I used ONSIP for since the Poly Public Provisioning Servers didn’t work .

I do use the Mgr login user Polycom pwd 456 on all of them. But as I explained - even if I successfully update the phone, it still will not register and gets Banned instantly. I have 2 of those phones on my desk now…these are the ones we are working with.

Connect to the Poly Public Provisioning Server

  1. Obtain your phone’s administrator password.
  2. Reboot the phone (from Home/Menu, select Settings > Basic > Restart).
  3. While the phone is booting up, press the Cancel soft key.
  4. Press Setup
  5. Enter your phone’s password (default is 456), then press OK.
  6. Scroll down to and select Provisioning Server Menu.
  7. On Server Type, press Edit.
  8. Scroll left arrow key until HTTP is selected, then press OK.
  9. On Server Address, press Edit.
  10. Enter the appropriate server address for your phone model.
  • SoundPoint IP Desk phones: Index of /4015
  • SoundPoint IP Speaker phones: Index of /4015
  • VVX models: Index of /594
The Older Polycoms we have IP 650 - that are not updated - the GUI is very plain - only options are SIP and Lines… there is no option in the GUI - at least as far as I can find - to get into any Advanced Option to do a Factory Reset / and Update.

All this is fine… but the bottom line to me is . no matter what I try, the phones won’t register and immediately appear in Banned in F2B GUI and are Whitelisted in the SAME GUI at the same time !!

I cannot get them out jail - if I can find what jail they are in. If I can get past the F2B dilemma and get these phones to show at least in Endpoints - I think I may have a chance to get them registered.

Still trying to narrow this problem down a bit…

I have tried deleting extensions that do not show as Endpoints when I run PJSIP Show Endpoints. Reboot the server and create a new extension - I have tried this on the 3 phones I cannot get working - but they still will NOT show up as Endpoints. The Server can PING their IPs and they are visible on our network.

I understand that if they are not showing as Endpoints - they cannot Register, but can anyone tell me why when I create a New Extension, it does not show as Endpoint either using CHAN_PJSIP or CHAN_SIP ?

The Phones we had working on FreePBX 15 showed up as Endpoints on FreePBX 16 but I cannot create a NEW Endpoint when I set up a new extension!

Could this be the basis of my issue on phone registration ? and not just Fail2Ban / FW ??

If so, how do I try to resolve this?

Hi lgaetz - I took another look at your earlier response - I seem to have a number of issues but I overlooked that when I delete and re-create an Extension or make a New Extension - that the Endpoint does create also - I re-posted this as my continuing issue. So - what can I do or where can I see why these are not being created? The IP’s can be pinged and they are visible on the network - but FreePBX is not creating the Endpoint

I read one post where the person changed the order of the Endpoint Identifier … mine is set to User Name, Auth_Username, Header, IP, Anonymous.

If I cannot get my PBX to show endpoints when I create or re-create a new extension, is there a specific order to these that pjsip likes ?

I don’t see any other user that has this same issue with endpoints not being created from adding extensions.
A bug?

speaking in Yealink-Phone-config words:
This transport looks like your phone is behind a router and you are trying to connect with NAT for your phone on port 5060. Yealink-phones set always the port to 0 or nothing automatically by choosing DNS-NAPTR. Are you trying to use TLS?
If you have a VPN where the phone can directly reach the PBXs net-range, why not using 5060 UDP or 5060 TCP? Or simple try the yealink-config with DNS-NAPTR transport together with port 0.
In addition what Lorne said above: 111@xxxxxxx looks quite strange. I would delete that “Address” entry and let it empty. You have the server address under Server 1 which should be enough.

On fail2ban I can say, your phone IP will be blocked, as long as fail2ban will find a reject in any of the log-files for the “find-period” defined and the number of rejects within this find-period (maybe 9). It doesn’t help to put the IP on the whitelist afterwards. You can’t change already existing log entries. You may try to:
fail2ban-client set sip unbanip 10.1.106.2 and see whether the IP was blocked on the answer.

After that you can look at asterisk -rvvvv on the console and look what happens when the phone tries to register - as long as there is no other traffic on the PBX-side.
PS: Do you really want to set 24 calls per line?

This is not absolutely correct

On fail2ban I can say, your phone IP will be blocked, as long as fail2ban will find a reject in any of the log-files for the “find-period” defined and the number of rejects within this find-period (maybe 9). It doesn’t help to put the IP on the whitelist afterwards.

Fail2Ban will only be able to ban an ip or network if the connection has had to progress through all the chains previous without success. If the registration is successful or the whitelist is located prior to the Fail2ban chains, then iptables has done its job as intended and iptables should be immediately ‘short circuited’. If your Rules are upside down and so ‘restrictive’ that Fail2ban can preempt your otherwise well-intentioned iptables rules, then I suggest you are misunderstanding how it should be used. Consider it a garbage collector and not a braindead bouncer.

Anything that fail2ban can glean from the logfile the jail is watching means that you have mis-configured your PBX in the first place. Look at the regex that triggered the ban and fix that error first.
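
The check suggested above (find the log lines that triggered the ban and read the reason Asterisk gave), as an added example that is not part of any post in this thread. The log lines are constructed, the pattern is a simplified stand-in for the shipped asterisk.conf failregex, and findtime, maxretry and the 10.1.106.0/24 ignore range are assumed values.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of /var/log/asterisk/full (not real log data).
SAMPLE_LOG = """\
[2024-01-10 09:00:01] NOTICE[2101] chan_sip.c:28499 handle_request_register: Registration from '"111" <sip:111@10.1.106.1>' failed for '10.1.106.2:5060' - Wrong password
[2024-01-10 09:00:03] NOTICE[2101] chan_sip.c:28499 handle_request_register: Registration from '"111" <sip:111@10.1.106.1>' failed for '10.1.106.2:5060' - Wrong password
[2024-01-10 09:00:05] NOTICE[2101] res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"111" <sip:111@10.1.106.1>' failed for '10.1.106.2:5060' (callid: abc) - Failed to authenticate
[2024-01-10 09:00:09] VERBOSE[2101] pbx.c: Executing [s@macro-dial:1] NoOp
[2024-01-10 09:30:00] NOTICE[2101] chan_sip.c:28499 handle_request_register: Registration from '"900" <sip:900@10.1.106.1>' failed for '192.0.2.50:5060' - No matching peer found
"""

# Simplified pattern for illustration; the shipped asterisk.conf failregex is broader.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] (?:NOTICE|SECURITY)\[\d+\].*?"
    r"(?:Registration|Request 'REGISTER') from '[^']*' failed for "
    r"'(?P<ip>[\d.]+)(?::\d+)?'.* - (?P<reason>.+)$"
)

def summarise(log_text, ignoreip, findtime=600, maxretry=3):
    """Group failed registrations by source IP and flag threshold crossings."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            hits[m["ip"]].append((ts, m["reason"]))
    report = {}
    window = timedelta(seconds=findtime)
    for ip, events in hits.items():
        events.sort()
        times = [t for t, _ in events]
        # True if any run of `maxretry` consecutive failures fits inside findtime.
        over = any(times[i + maxretry - 1] - times[i] <= window
                   for i in range(len(times) - maxretry + 1))
        report[ip] = {
            "reasons": dict(Counter(r for _, r in events)),
            "over_threshold": over,
            "in_ignoreip": any(ipaddress.ip_address(ip) in n for n in nets),
        }
    return report

if __name__ == "__main__":
    for ip, info in summarise(SAMPLE_LOG, ["10.1.106.0/24"]).items():
        print(ip, info)
```

To run it on a real system, pass the contents of /var/log/asterisk/full in place of SAMPLE_LOG. The reasons column is the text Asterisk itself logged for each rejected REGISTER, which is where a "Wrong password" match comes from.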

This is getting a bit confusing to me… The phones I am trying to register are in the same office as our VoIP and on the same network… the VoIP can ping them and they are on DHCP. We are not using FreePBX Firewall since we have our own PFSense FW/Router/VPN and the NAT rules and FW rules have not changed which is allowing port 5060 UDP and 5061 TCP and 5160 UDP / 5161 TCP ( I enabled Chan_SIP to cover that base) - This was our set-up previously on FreePBX 15 on a server that failed hardware - New Server - New Install Freepbx 16. Same phones - same network same rules nothing changed.

What I am NOW seeing is that when the new server came online - I had no issues registering most our SNOMs and a handful of Polycoms - except for the few phones I am now having trouble with.

All I did was try to set up new extensions I need – BUT I do NOT see them when I run PJSIP SHOW Endpoints !! The server can ping their IPs !! I have deleted them - rebooted - and tried to re-create them but I do not see them as endpoints or contacts.

The VoIP server is acting like I ( logged as admin ) do not have permissions to add extensions ??? and is ignoring my extension creation.

Fail2Ban issue was one of my previous questions … Now when I look for banned IPs - none of my phones show up. But I noticed the No Endpoint Issue now.

This was a standard install from my account with FreePBX - the server is Activated and has SYS ADMIN modules but not ENDPOINT Module …

Contact: 109/sip:[email protected]:5060 3dc7856983 Avail 15.824
Contact: 110/sip:[email protected]:5060 8639ec459f Avail 13.859
Contact: 112/sip:[email protected]:5060 cddf46bf11 Avail 26.647
Contact: 123/sip:[email protected]:5060 24fd1cb0bb Avail 14.990
Contact: 124/sip:[email protected]:2048;line=73mqcngw 653aa904a9 Avail 24.840
Contact: 125/sip:[email protected]:5060 21226eb2ce Avail 16.977

These are the phones I have registered – I do not understand ext 124 - but it is working just fine…

I cannot get Extension 111 to register - and, of course, it is the one I need most.

If Fail2Ban is still a factor - I do not know how I can “Clear” out any old fragments of banned IPs it’s holding.

If the issue is with ENDPOINT creation - I do not know what I am doing wrong - or how to verify if that is the problem.

That is where I am at right now.