Firewall / intrustion detection issue

Every few weeks, about half of my remote users get locked out. There is no error message, they just cannot connect.

The firewall status shows “Cumulative Total of remote clients” increasing every minute.

I’ve check iptables and those ip’s are not listed. I tried stopping firewall, intrusion detection, and fail2ban. Still unable to connect.

Wireshark shows the remote endpoint sends a TLS v1.0 Client Hello, and FreePBX responds with the correct certificate. Endpoint sends an ACK, and then FreePBX stops responding to the endpoint, and the remaining packets just get RST.

Intrusion detection says “no banned ip’s”.
Firewall says no rate limted hosts, no blocked attackers.
And the Cumulative Total of remote clients just keeps climbing.

I tried restarting the server, no effect.

FreePBX 14.0.3.19, Asterisk 15.5.0.

IIRC there was someone here a few months ago with a very similar issue.

Long story short, the PBX had a DHCP IP.

Do you have a Static IP?

Yes, all my servers are DHCP, but it has been for over 15 years, and it has a reserved address that doesn’t change. How could that be causing this?

I can change it to static this evening if that’s worth doing.

Servers relying on DHCP is always a bad choice for obvious reasons, use for a static IP outside your DHCP assignment range and configure the interface statically on the server.

Static IP, rebooted.
Still no connections.

Clearly a bug in the firewall / intrusion detection.
“cumulative remote clients” has climbed to 141, and that is just from 2 endpoints.

Also, IP of client doesn’t matter. I switched networks on a client, new ip address, still no connection.

Whitelisting subnets has no effect either.

Not a bug with fail2ban, it honors any comma delimited entries, host or network, in its
ignoreip =
configuration in

/etc/fail2ban/jail.conf

It just works that way but I can’t speak to how that is configured by any third party implementation , it might be a bug in that.

I checked all the jails on fail2ban, they are all empty. (Which is also suspicious to me).

also, as I said, I completely shut down fail2ban (and fpbx firewall), and it made no difference.

I don’t agree with this statement, insofar as it is possible to assign and document a static IP address based on criteria (including MAC address or UUID, for example) outside the DHCP pool range. I do this all the time so that I have my machine IP address assignments documented in one place and, if needed, can assign additional DHCP “features” based on that server’s needs.

If the server’s DHCP assignment fails (the DHCPd is dead, for example), the failover static IP address is set to the same IP address, thereby allowing for the precise assignment of the address as well as keeping everything in one place so I don’t have to remember which addresses are where.

In theory, I do agree that assigning servers with static IP addresses is good practice, but in practice, having this “belt and suspenders” approach has kept me honest on more than one occasion.

Each to his own, personally, if I didn’t have full knowledge and control over my network, I would have to question whether I should actually be the boss

Just as a test, I temporarily enabled udp/tcp (instead of tls). My endpoint connected right away. It’s only tls that is being blocked.

Then unless you have any other iptables rules(iptables - L|grep "yourtlsport") blocking your tls port , then look elsewhere

be aware the the ‘s’ in tls means secure, which means it requires authentication mechanisms that you need to implement correctly.

I have it running now. (workaround).
Problem is in the TLS trust.

On a side note, it appears that FreePBX isn’t supporting tls 1.2. I can’t get it off tls 1.0. Have you encountered this?

Yes, you are currently just stuck with 1, given the role of the service, is that a problem?

It is a problem. TLS 1.0 is depreciated because of vulnerabilities. At my work it is blocked. TLS 1.0 should no longer be in use.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.