Firewall continuously identifies trusted IP addresses as attackers and blocks

By nightly updates, this is what I mean:
fwconsole ma refreshsignatures; fwconsole chown; fwconsole ma updateall; fwconsole r; yum -y update;

You can use fail2ban-regex to check any logs that F2B is watching; it would identify the culprit lines that caused the ban. Restarting very old versions of F2B does not retain its bans over a restart, which would explain the behavior you see. As a workaround you could add that network to F2B's 'ignoreip'.

From what I see, it looks like the root cause is how the Chain fpbxnets is getting messed up (deleting half of the trusted networks and doubling the remaining ones). This seems to leave the deleted ones to operate outside the protection of being an explicitly defined trusted network. Then the SIP phone on one of those deleted IPs gets banned based on the Chain fail2ban-SIP. I know that sensitivity on that is super high. Even if I have a good phone with good credentials, they get banned within seconds if they are not explicitly trusted. I have stopped all updates. We will see if that works if things stop getting reloaded in that process. If that doesn't work, I guess I'll have to go the brute force option and manually whitelist it in f2b. Tks.

F2B never bans anything without finding a matching regex in a log enough times in a limited period. That is just the way it works. fail2ban-regex is the tool to use.

Maybe a few seconds is a slight exaggeration. I think a literal time would be a few minutes - as in single digit minutes.

I'll look. Thanks!!

F2B defines its 'times' in seconds (long int), so choose wisely. Current versions remember bans over restart; yours, probably not. I recommend you keep your trigger level low, but your detection period high and your ban time higher. There are bots out there that will try a few times a day forever; new cloud servers are particularly prone to these because the awarded IP address is 're-used' and a new 'hit' for them sends you to a 'second level' for discovery.

I'm not complaining about it blocking so readily. I have had this system up for about 10 years and have had my share of problems along those lines. My trunk is provided by Twilio, and I ended up having to go upstream to them and blocking stuff at that level to make sure I don't have costly problems. The firewall as it is now is WAY better than it used to be.

Update… The problem has been narrowed down a little, at least. I have had the system up and running since the last problem (after rebooting to clear the issue) about a week ago with no updates running, and it just started blocking my IPs again. I checked the Chain fpbxnets and it is doing the same things again - every other trusted network is listed twice and the opposite ones are not present. Those ones that were overwritten by the duplicates are being blocked, as would be expected for a phone on a non-trusted network. I'll look further with fail2ban-regex. Looks like I'll end up manually clearing them with ignoreip. I hope this is useful info so someone on the dev team may be able to figure out why these trusted networks are doing this.
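To make the symptom in the update above checkable on a box, here is an added Python diagnostic (not from the thread, FreePBX or fail2ban) that compares a saved `iptables -S fpbxnets` dump with the configured trusted list and reports which networks are missing and which are listed more than once, then tells you whether a given phone address is still covered. The chain dump, the network addresses and the ACCEPT target are constructed assumptions; the parser only keys on the `-s` source match, so the real target name does not matter.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `iptables -S fpbxnets` output (not from a real system):
# networks 2 and 4 appear twice, 1 and 3 are gone, the pattern the thread describes.
SAMPLE_CHAIN = """\
-N fpbxnets
-A fpbxnets -s 10.0.2.0/24 -j ACCEPT
-A fpbxnets -s 10.0.2.0/24 -j ACCEPT
-A fpbxnets -s 10.0.4.0/24 -j ACCEPT
-A fpbxnets -s 10.0.4.0/24 -j ACCEPT
"""

# The trusted networks as configured in the firewall GUI (constructed).
EXPECTED = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"]

# Only the source match matters; the jump target is whatever the firewall uses.
RULE_RE = re.compile(r"^-A fpbxnets -s (\S+) -j ")

def parse_chain(dump):
    """Return a Counter of source networks found in an `iptables -S` dump."""
    nets = Counter()
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if m:
            nets[str(ipaddress.ip_network(m.group(1), strict=False))] += 1
    return nets

def audit_chain(dump, expected):
    """Compare the live chain against the configured trusted list.
    Returns (missing, duplicated) as sorted lists of network strings."""
    found = parse_chain(dump)
    expected_norm = {str(ipaddress.ip_network(n, strict=False)) for n in expected}
    missing = sorted(expected_norm - set(found))
    duplicated = sorted(n for n, c in found.items() if c > 1)
    return missing, duplicated

def is_trusted(dump, host):
    """True if `host` is covered by a network still present in the chain."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(n) for n in parse_chain(dump))

if __name__ == "__main__":
    missing, dup = audit_chain(SAMPLE_CHAIN, EXPECTED)
    print("missing from fpbxnets:", missing)
    print("listed more than once:", dup)
    # A phone on a missing network is no longer exempt and can be banned by F2B.
    print("10.0.1.25 still trusted?", is_trusted(SAMPLE_CHAIN, "10.0.1.25"))
```

On a live system replace SAMPLE_CHAIN with the output of `iptables -S fpbxnets` and EXPECTED with the networks shown in the firewall GUI; a non-empty missing list explains why a phone on that network is reaching the fail2ban-SIP chain at all.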
