FreePBX 14, fail2ban dead


#1

I installed the distro for FreePBX 14. I am somewhat familiar with fail2ban, I use it on other systems. But it is not working on the FreePBX installation.
I tested it and it is not blocking anything. Then I dug a little deeper, I logged into the server and ran fail2ban-client status, and it said: Number of jail: 0.

So that explains why it is not blocking anything, but looking at the jail.local and related files, everything looks reasonable. Yet, fail2ban is not doing anything. Again, this is a clean install of the freePBX distro.

What should I check next?


(Marbled) #2

Hi!

I can’t really help you here as I have not played much with fail2ban but just to be sure of what we are talking of here, is this a new install or an upgrade?

It sounds like it’s a new install but I am not fully sure…

Thank you and have a nice day!

Nick


#3

Here is my jail.local

# Configuration automatically generated via the Sysadmin Module
# This file will be overwritten by Sysadmin on startup. If you modify
# this file, your changes will be lost. DO NOT MODIFY THIS FILE!
# generated: Mon, 21 Aug 2017 23:31:09 +0000

[DEFAULT]
ignoreip = 127.0.0.1 10.0.10.15
bantime = 1800
findtime = 600
maxretry = 1
backend = auto

[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=SIP, protocol=all]
     sendmail[name=SIP, dest=phil@xxx.com, sender=Scratchy@aquila.local]
logpath = /var/log/asterisk/fail2ban

[pbx-gui]
enabled = true
filter = freepbx
action = iptables-allports[name=SIP, protocol=all]
     sendmail[name=SIP, dest=phil@xxx.com, sender=Scratchy@aquila.local]
logpath = /var/log/asterisk/freepbx_security.log

[ssh-iptables]
enabled = true
filter = sshd
action = iptables-multiport[name=SSH, protocol=tcp, port=ssh]
     sendmail[name=SSH, dest=phil@xxx.com, sender=Scratchy@aquila.local]
logpath = /var/log/secure

[apache-tcpwrapper]
enabled = true
filter = apache-auth
action = iptables-multiport[name=apache-auth, protocol=tcp, port=http]
     sendmail[name=apache-auth, dest=phil@xxx.com, sender=Scratchy@aquila.local]
logpath = /var/log/httpd/error_log

[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables-multiport[name=FTP, protocol=tcp, port=ftp]
     sendmail[name=FTP, dest=phil@xxx.com, sender=Scratchy@aquila.local]
logpath = /var/log/vsftpd.log

[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, protocol=tcp, port="http,https"]
     sendmail[name=BadBots, dest=phil@xxx.com, sender=Scratchy@aquila.local]
logpath = /var/log/httpd/*access_log

[recidive]
# recidivist.
#
#  Noun: A convicted criminal who reoffends, especially repeatedly.
#
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
     sendmail[name=recidive, dest=phil@xxx.com, sender=Scratchy@aquila.local]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 20

#4

New install. It is a fresh install of FreePBX 14.


(Marbled) #5

Hi!

I thought so but was not sure…

I played with mine as well and I saw the same problem as yours.

I can only get it to report the jails by doing a fail2ban-client reload before asking for its status…

It’s as if they don’t get loaded at startup…

Are you seeing the same thing?

Good luck and have a nice day!

Nick


(Avayax) #6

Do you have the FreePBX firewall enabled?


#7

Yes, it is enabled.
I have hammered it with bad password attempts from an outside network, it seems completely oblivious.


#8

Wow, you are right. Reload got fail2ban to start up.
I am continuing testing.


#9

I also verified fail2ban on SNG7 not working, even though it is running, but there are no active jails. Not even reload got it working, either with FreePBX Firewall module enabled or disabled.


(Avayax) #10

I am not familiar with the FreePBX firewall, but here is a thread about the firewall disabling fail2ban jails when enabled:


(Marbled) #11

Hi,

I don’t use the FreePBX firewall and I can replicate his problem…

Have a nice day,

Nick


#12

Fail2ban is working now, but there are additional problems.
For example, I wanted to increase the bantime to 30000, but when I did that, it still had the default (I think it was 600).

I had to go to the command line and force it to change.


(Marbled) #13

Hi!

What did you do to get it working almost normally?

Thank you and have a nice day!

Nick


#14

I just did a reload like you suggested. Then I have been making config changes from the command line. I would love to hear an official response on it though.

It was suggested that it is exclusive of the firewall, but need some more information.
I use f2b a lot on my edge firewall and it is a lifesaver, especially against aggressive spam campaigns.


(Nate) #15

This doesn’t help much, but:

https://issues.freepbx.org/browse/FREEPBX-15440


(Marbled) #16

Hi!

OK, I thought you had found a way to have this stick without the need for a reload…

I don’t use the firewall, never did… I enforce ACLs on my SIP ports (and others) with another firewall…

:wink:

Anyone know if it is possible not to have the firewall enabled when the server is initially installed (since this seems to be part of the problem)? I don’t remember…

The thing I don’t get though is why a reload is fixing things (even if the firewall was possibly initially enabled) and what do we need to do not to have to do this reload to get things working…

Have a nice day!

Nick


(Andrey Borodin) #17

I added this to fail2ban.service:
ExecStartPost=/usr/bin/fail2ban-client reload


#18

Confirmed.
Fresh install of FreePBX Distro SNG7, Firewall module not activated by the startup wizard and removed by
fwconsole ma delete.
Fail2Ban starts with 0 jails.
After manually running
fail2ban-client reload
all works OK.

This is a VERY SERIOUS security bug, isn’t it?

This issue on the tracker:
https://issues.freepbx.org/browse/FREEPBX-15440
https://issues.freepbx.org/browse/FREEPBX-15446


#19

Greetings,

I have seen the exact same problem. Firewall enabled AND disabled.

fail2ban-client reload

seems to get it working.


#20

This solution works fine.
File /usr/lib/systemd/system/fail2ban.service after adding this line:

[Unit]
Description=Fail2Ban Service
After=httpd.service

[Service]
Restart=always
ExecStartPre=-/usr/bin/fail2ban-check
ExecStart=/usr/bin/fail2ban-server -f -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x
ExecStartPost=/usr/bin/fail2ban-client reload
ExecStop=/usr/bin/fail2ban-client stop

[Install]
WantedBy=default.target
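
A monitoring check for the failure reported in this thread (fail2ban running while fail2ban-client status shows 0 jails), added here as an example and not posted by any participant. It assumes jails are enabled per section in a single jail.local as in post #3; the function names and the --live/--demo switches are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): catch fail2ban running with fewer
# jails loaded than jail.local enables, the failure described above.

# Count [sections] other than [DEFAULT] that set "enabled = true".
count_enabled_jails() {
    awk '
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec); next }
        sec != "DEFAULT" && /^[ \t]*enabled[ \t]*=[ \t]*true/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# Read `fail2ban-client status` output on stdin, print the jail count.
# Prints 0 when the "Number of jail:" line is missing.
count_loaded_jails() {
    awk -F: '
        /Number of jail/ { gsub(/[^0-9]/, "", $2); n = $2 }
        END { print n + 0 }
    '
}

# check_jails <jail.local>, status output on stdin.
# Returns 1 (and prints an alert) if fewer jails are loaded than enabled.
check_jails() {
    want=$(count_enabled_jails "$1")
    have=$(count_loaded_jails)
    if [ "$have" -lt "$want" ]; then
        echo "ALERT: fail2ban has $have jail(s) loaded, $want enabled in $1"
        return 1
    fi
    echo "OK: $have jail(s) loaded, $want enabled in $1"
}

case "${1:-}" in
--live)  # run on the PBX as root, e.g. from cron or a monitoring agent
    fail2ban-client status | check_jails "${2:-/etc/fail2ban/jail.local}" ;;
--demo)  # constructed sample: two jails enabled, status reports none
    demo=$(mktemp)
    printf '[DEFAULT]\nbantime = 1800\n[asterisk-iptables]\nenabled = true\n[ssh-iptables]\nenabled = true\n' > "$demo"
    printf 'Status\n|- Number of jail: 0\n' | check_jails "$demo"
    rc=$?; rm -f "$demo"; exit "$rc" ;;
esac
```

Run with --live after every boot or service restart; a non-zero exit means the host is accepting traffic with no bans being applied.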