FreePBX and fail2ban [SOLVED]

FreePBX
1

I have a strange behavior of fail2ban
Here are 2 e-mails

9:27
Hi,

The IP 185.53.91.32 has just been banned by Fail2Ban after
70 attempts against SIP on auto-q.ergotel.eu.

Regards,

fail2ban

9:27
Hi,

The IP 185.53.91.32 has just been banned by Fail2Ban after
2 attempts against recidive on auto-q.ergotel.eu.

Regards,

fail2ban

So he tried 70 times and then immediately after 2 times and was banned …

Yet in the configuration file it’s not like that …
Work on /etc/fail2ban/jail.conf

Can you tell me which files I need to touch to indicate the fail2ban parameters?

Thank you!

2

/etc/fail2ban should be about right. I am not a great fan of fail2ban but you’ll find in depth info on fail2ban.org

3

It is not clear … there is an area in the web interface of freepbx to manage fail2ban but it does not seem to be appropriate, for example it does not seem to handle the recidive …
And then if I change files and restart fail2ban it does not seem that the freepbx interface will not notice changes …
Has anyone tackled the problem in detail?

4

From - Mon Sep 24 10:27:40 2018
X-Account-Key: account1
X-UIDL: 1537777387.28000.mxavas2.ad.aruba.it,S=951
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: [email protected]
Delivered-To: [email protected]
Received: (qmail 27998 invoked by uid 89); 24 Sep 2018 08:23:07 -0000
Received: from unknown (HELO mxcmd07.ad.aruba.it) (62.149.157.42)
by mxavas2.ad.aruba.it with SMTP; 24 Sep 2018 08:23:07 -0000
Received: from auto-q.ergotel.eu ([185.58.195.5])
by mxcmd07.ad.aruba.it with bizsmtp
id fLP71y02P07Tbjt01LP7WH; Mon, 24 Sep 2018 10:23:08 +0200
Received: by auto-q.ergotel.eu (Postfix, from userid 0)
id C4E0343D9E; Mon, 24 Sep 2018 10:23:07 +0200 (CEST)
Subject: [Fail2Ban] SIP: banned 185.53.91.50 on auto-q.ergotel.eu
Date: Mon, 24 Sep 2018 08:23:07 +0000
From: Fail2Ban [email protected]
To: [email protected]
Message-Id: [email protected]
X-Spam-Rating: mxavas2.ad.aruba.it 1.6.2 0/1000/N

Hi,

The IP 185.53.91.50 has just been banned by Fail2Ban after
190 attempts against SIP on auto-q.ergotel.eu.

Regards,

Fail2Ban

5

From - Mon Sep 24 10:27:40 2018
X-Account-Key: account1
X-UIDL: 1537777388.24996.mxavas11.ad.aruba.it,S=961
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: [email protected]
Delivered-To: [email protected]
Received: (qmail 24989 invoked by uid 89); 24 Sep 2018 08:23:08 -0000
Received: from unknown (HELO mxcmd07.ad.aruba.it) (62.149.157.42)
by mxavas11.ad.aruba.it with SMTP; 24 Sep 2018 08:23:08 -0000
Received: from auto-q.ergotel.eu ([185.58.195.5])
by mxcmd07.ad.aruba.it with bizsmtp
id fLP81y02407Tbjt01LP8Ws; Mon, 24 Sep 2018 10:23:08 +0200
Received: by auto-q.ergotel.eu (Postfix, from userid 0)
id 9774843D9E; Mon, 24 Sep 2018 10:23:08 +0200 (CEST)
Subject: [Fail2Ban] recidive: banned 185.53.91.50 on auto-q.ergotel.eu
Date: Mon, 24 Sep 2018 08:23:08 +0000
From: Fail2Ban [email protected]
To: [email protected]
Message-Id: [email protected]
X-Spam-Rating: mxavas11.ad.aruba.it 1.6.2 0/1000/N

Hi,

The IP 185.53.91.50 has just been banned by Fail2Ban after
2 attempts against recidive on auto-q.ergotel.eu.

Regards,

Fail2Ban

6

But what’s the point of receiving 2 emails like this ???
Yet I have not modified anything in particular, it’s a freePBX 14 recently installed …
Others see anomalies like that?

7

Two emails one from SIP and the other from recidive, where habitual offenders end up.

8

maybe I understood why I have so many attempts
the machine in question the night is off and when the next day the black list is reset …

9

Fail2ban fixed that with release .9

10

well … so with 9 even if you restart the lists remain … interesting

11

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.