Firewall continuously identifies trusted IP addresses as attackers and blocks

I have remote phones with IP addresses listed as Trusted under the Networks tab of the firewall. Several of those same IP addresses have repeatedly been placed under the Blocked Attackers list under the Blocked Hosts tab. My system is up to date. This just started a few days ago and I keep manually clearing them, but it is happening repeatedly. Any idea what is going on or, more importantly, how to fix it?

Try adding the affected addresses in Connectivity → Firewall → Intrusion Detection → Whitelist.

Thanks for the suggestion. I have reviewed Firewall - Intrusion Detection - New features | FreePBX - Let Freedom Ring and still cannot find the intrusion detection. The tab is not next to Networks, and the Enable button is not present in the Advanced Settings. I feel like I am missing something simple.

Never mind. The system has to be activated under System Admin for it to be present.

That didn't seem to do it. I put the IP address of my office in the whitelist and in the Trusted (excluded from Firewall) network list. It stayed up for a few minutes but again showed up in the Blocked Attackers list and stopped working. I have been putting my remote phones in the Trusted networks for years and it worked fine. All of a sudden, a few days ago, all of my phones are getting blocked under Blocked Attackers.

Possibly, if your fail2ban has the bug mentioned in this thread, the RPM by @yois in the last post will fix it.

I did notice that I had Sync to Legacy. Just enabled that. We will see if that helps. I manually entered the IP I was testing, but who knows. Just double checked that everything is completely up to date.

That bug is from mid 2021. This problem just appeared out of the blue a few days ago (I think 2-3 days but I could be off) for all of my remote phones at once.

In the time it took to write this, I'm blocked again. Is the Blocked Host related to fail2ban? It seems to be indicating that my phone is sending invalid data:

“There is no need to manually remove entries from this section, as their rate limiting will be completely removed in 60 seconds. If they continue to send invalid data, they will be classified as an Attacker.”

Would firewall.log be the correct log to watch to identify this problem? I went pretty far back and all it says is that the IP address in question is "reported as good, adding to whitelist." I have looked through firewall.log, full, fail2ban, and freepbx.log and cannot find anything that would suggest the system is unhappy with my IP, but it keeps identifying it as an attacker and adding it to Blocked Hosts.

I am tracking logs with:

multitail --mergeall -E "xx.xx.xx.xx" freepbx.log fail2ban full firewall.log

My phone is a Polycom SoundPoint IP 650; the other phones experiencing this problem are various similar Polycoms as well. None have had software updated in a very long time: if it ain't broke, don't fix it.

I am currently running fail2ban 0.11.1.

The logs indicate "reported as good, added to whitelist," "Is now reachable," and "Security Event=SuccessfulAuth".

There are no line items coming through any of the log files as I watch the IP address get added to and removed from Rate Limited Hosts, after which it ultimately ends up as a Blocked Attacker.

This will come across as a silly question, but does the source IP match the rule? That said, I've seen this as well on systems with intrusion detection synced with the rfw Networks tab.

Definitely not a silly question. I have double, triple and quadruple checked. They match. When I filter the chatter in the logs by the IP, the traffic is there. I have even used ctrl-c / ctrl-f to make sure they all match and make sure I'm not nuts.

The order of rules is important in iptables: if the Fail2Ban chains come before any whitelist chains, then you will likely be caught too quickly. Current versions of Fail2Ban allow you to define where you want your chains inserted. To list your rules:

iptables -L -x --line-numbers

To print them:

iptables -S

See also:

man iptables

I let it sit for the weekend, running the update script each night, and rebooted the server before work this morning. All is back working as normal. We did/changed nothing to make it start doing this and nothing to stop it. I don't know…

It just started again this morning, blocking two of our whitelisted phones. I am completely at a loss. It worked for years, started doing this in 2020 for a while and then stopped as quickly as it started. Now it is doing it again. No changes to anything; it just suddenly decides our outside phones need to be blocked. It doesn't do it to any internal phones, just the ones outside, and not even all of those necessarily. They are at different locations, older Polycom phones. I can go clear them from the Blocked Attackers list and they may work anywhere from a few minutes to a few hours, but it just blocks them again. The IP addresses are a Trusted Network. They are listed as a green trusted source on the Intrusion Detection tab. I rebooted the server a couple of weeks ago when this was happening and it cleared it up for a while. I have not touched iptables manually, so everything there was programmatically input. I have not been able to find anything interesting by running a tail on the logs. I am at a complete loss; I hope someone else has experienced this before and can offer some direction. Thanks!

Use the custom iptables rules for your whitelists.

I just rebooted the server, again, and it seemed to clear it up like before. It seems like the firewall is accumulating some kind of junk over time that changes its behavior. I wonder if something was changed that is causing it to act like this? In the past, this server has operated in excess of a year between reboots.

Again, you need to identify the iptables chain that banned that host/network; if that chain came before any chain that would have allowed it, then you will need to re-order such chains. My guess is it is your Fail2Ban chains, as with old versions, bans are forgotten on reload or reboot.

I'm having similar issues. How do you change how they are read, regarding the order?

I am also seeing this behavior on a newer install. 50% of the 30-ish phones over the weekend are on the Blocked Hosts list. The phones are "remote" and connect via IPsec VPN, all from the same subnet. The subnet is whitelisted in the Networks tab and in fail2ban.

I’ve just tried switching fail2ban from sync to legacy. I will see if that makes a difference.

Edit: I just went ahead and added a custom iptables rule in the GUI:

-I INPUT 1 -s 10.1.6.0/24 -j ACCEPT

Not really sure why it's required, as the subnet is "whitelisted" and trusted in two other places…

I have a script that updates everything each night, so everything is up to date. I suppose I can go in and manually put in a line to clear it, but is this a system bug? I would not expect this to be normal behavior.

If your script restarts Fail2Ban and your version of F2B is < 0.9, then all the bans are forgotten.

That depends on the 'two other places' and their position relative to the line that banned . . .

iptables -L -n --line-numbers
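As an added illustration of the rule-ordering point made above (not code from this thread or from FreePBX), the following Python checker walks a constructed `iptables -S` dump the way the kernel would, reports which rule first decides a packet from a given source, and then shows what the `-I INPUT 1 ... -j ACCEPT` custom rule changes. The chain names and addresses are constructed; matchers other than `-s` (protocol, ports) are assumed to match, so the reported verdict is the worst case for a packet that hits every matcher.

```python
import ipaddress

# Constructed `iptables -S` dump (not from the thread's system): the fail2ban jump sits at
# INPUT:1, ahead of the FreePBX chain that would ACCEPT the trusted /24.
SAMPLE_DUMP = """\
-A INPUT -p udp -m multiport --dports 5060,5061 -j f2b-asterisk
-A INPUT -j fpbxfirewall
-A f2b-asterisk -s 203.0.113.45/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk -j RETURN
-A fpbxfirewall -s 203.0.113.0/24 -j ACCEPT
-A fpbxfirewall -j DROP
"""

def _rule(parts):
    """Keep only the -s matcher and the -j target; every other matcher is assumed to match."""
    src = ipaddress.ip_network(parts[parts.index("-s") + 1], strict=False) if "-s" in parts else None
    return src, (parts[parts.index("-j") + 1] if "-j" in parts else None)

def parse_rules(dump):
    """Build {chain: [(src_network_or_None, target), ...]} from the -A lines of `iptables -S`."""
    chains = {}
    for line in dump.splitlines():
        parts = line.split()
        if parts and parts[0] == "-A":
            chains.setdefault(parts[1], []).append(_rule(parts))
    return chains

def insert_rule(chains, spec):
    """Apply an `-I CHAIN [N] ...` line the way the FreePBX custom-rules box would."""
    parts = spec.split()
    pos = int(parts[2]) if parts[2].isdigit() else 1          # iptables defaults -I to position 1
    chains.setdefault(parts[1], []).insert(pos - 1, _rule(parts))

def first_verdict(chains, ip, chain="INPUT", trail=None):
    """Walk `chain` in order for a packet from `ip`; return (verdict, ["chain:rule", ...])."""
    addr, trail = ipaddress.ip_address(ip), ([] if trail is None else trail)
    for n, (src, target) in enumerate(chains.get(chain, []), start=1):
        if src is not None and addr not in src:
            continue
        trail.append(f"{chain}:{n}")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, trail
        if target == "RETURN":                                 # back to the calling chain
            break
        if target in chains:                                   # user-defined chain: descend
            verdict, trail = first_verdict(chains, ip, target, trail)
            if verdict is not None:
                return verdict, trail
    return None, trail                                         # fell through: policy / caller decides
```

With the sample dump, `first_verdict(parse_rules(SAMPLE_DUMP), "203.0.113.45")` returns `REJECT` via `f2b-asterisk:1` before `fpbxfirewall` is ever consulted; after `insert_rule(chains, "-I INPUT 1 -s 203.0.113.0/24 -j ACCEPT")` the same address is accepted at `INPUT:1`, which is exactly why the custom rule above works even though the subnet is whitelisted elsewhere.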