FreePBX and fail2ban

Hello,

I've recently installed a server with FreePBX Distro. The installation went ok, no problems whatsoever. The configuration also went great.

The last step was setting up the firewall, so … fail2ban.
Now the web interface shows the asterisk service as not running, the web interface also works very, very slowly, and there's an error on the WEB status.

Any suggestions ?

Version info please. What changes did you make in fail2ban? Was it working correctly before the fail2ban changes? Have you tried to reverse the changes to see if the problem is fixed?

Hi,
FreePBX is a registered trademark of Bandwidth.com
FreePBX 2.11.0.0beta2.2 is licensed under GPL

I think this is the version and yes… it was working properly before the fail2ban changes. Sadly I wasn't the one who installed/changed fail2ban.

The only file related to the firewall contains :
#!/bin/bash

firewall=/sbin/iptables

$firewall -F
$firewall -X

$firewall -P INPUT DROP
$firewall -P FORWARD ACCEPT
$firewall -P OUTPUT ACCEPT

$firewall -A INPUT -s XXX.XXX.XXX.XXX -j ACCEPT
$firewall … etc etc etc , a series of IPs

Your default input rule is DROP so you will drop any packets that you have not explicitly allowed. Since you did not provide enough config info you will have to look for somewhere in the config where your internet Ethernet is set up.

What is your network setup?

2 lan cards, one for the local network and one with internet connection ( for the sip trunks)
I have no clue where I can find more config info.

The etc. etc. etc. part is what we need. Which eth is internal. Eth0 or eth1?

I would allow all traffic in your internal interface.

eth0 is external, and eth1 is local - 192.160.0.50,
well … the rest is :

$firewall -A INPUT -s 192.168.0.0/24 -j ACCEPT # LAN
$firewall -A INPUT -s PROVIDER IP -j ACCEPT
$firewall -A INPUT -s PROVIDER IP -j ACCEPT
$firewall -A INPUT -s MY IP -j ACCEPT
$firewall -A INPUT -s MY HOME IP -j ACCEPT
$firewall -A INPUT -s -i eth0 -p tcp --dport 80 HOME IP -j ACCEPT
$firewall -A INPUT -s Work IP -j ACCEPT
$firewall -A INPUT -s 127.0.0.1 -j ACCEPT
$firewall -A INPUT -s Work IP -j ACCEPT
$firewall -A INPUT -s Work IP -j ACCEPT

/etc/init.d/fail2ban restart
service iptables save

To make it clearer, asterisk is working fine, just the web interface is not working properly.
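The point made above about a default DROP policy, as an added example that is not part of any post in this thread: a small shell/awk check that reads a rule script shaped like the one posted and reports what the policy leaves unaccepted, a `-s` that is followed by another option instead of an address (as in the `--dport 80` line), and the `-F`/`-X` flush that also removes fail2ban's chains. The sample ruleset is constructed, with documentation addresses standing in for the redacted IPs, and the finding labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): static review of an iptables shell script.
# Assumes one rule per line, with the iptables command or variable as first word.
audit_ruleset() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
    { sub(/[ \t]+#.*$/, "") }                 # drop trailing comments
    $2 == "-P" && $3 == "INPUT" && $4 == "DROP" { drop = 1 }
    $2 == "-F" || $2 == "-X" { flush = NR }
    /fail2ban[ \t]+(re)?start/ { f2b = NR }
    $2 == "-A" && $3 == "INPUT" {
      src = 0; port = 0
      for (i = 4; i <= NF; i++) {
        if ($i == "-i" && $(i + 1) == "lo") lo = 1
        if ($i ~ /ESTABLISHED/) est = 1
        if ($i == "-p" || $i == "--dport") port = 1
        if ($i == "-s") {
          src = 1   # -s must be followed by an address, not another option
          if (i == NF || $(i + 1) ~ /^-/) printf "BAD_SOURCE line %d: %s\n", NR, $0
        }
      }
      if (src && !port) wide++
    }
    END {
      if (drop && !est) print "NO_ESTABLISHED: replies to outbound connections are dropped unless the peer is allow-listed"
      if (drop && !lo) print "NO_LOOPBACK: no -i lo rule, local traffic passes only from allow-listed source addresses"
      if (flush) printf "FLUSH line %d: fail2ban-* chains are deleted too; fail2ban restarted afterwards: %s\n", flush, (f2b > flush ? "yes" : "no")
      if (wide) printf "ALL_PORTS: %d rules accept every port from their source\n", wide
    }'
}

# Constructed sample modelled on the posted script (documentation addresses).
sample_ruleset() {
  cat <<'EOF'
#!/bin/bash
firewall=/sbin/iptables
$firewall -F
$firewall -X
$firewall -P INPUT DROP
$firewall -A INPUT -s 192.168.0.0/24 -j ACCEPT # LAN
$firewall -A INPUT -s 203.0.113.10 -j ACCEPT
$firewall -A INPUT -s -i eth0 -p tcp --dport 80 198.51.100.7 -j ACCEPT
$firewall -A INPUT -s 127.0.0.1 -j ACCEPT
/etc/init.d/fail2ban restart
EOF
}

sample_ruleset | audit_ruleset
```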

Is the problem on the internal or external interface?

both :(

you mention:-

"The only file related to the firewall contains :
#!/bin/bash
.
.

"

What exactly is this file? It doesn’t look like it has anything to do with a normal fail2ban installation.

Have similar problem.

Admin/intrusion detection can not add to banned ip list.

This is my logfile after trying to add an ip address to banned ip’s:

2013-10-22 09:21:22,634 fail2ban.server : INFO Stopping all jails
2013-10-22 09:21:23,041 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -j fail2ban-BadBots
iptables -F fail2ban-BadBots
iptables -X fail2ban-BadBots returned 100
2013-10-22 09:21:23,143 fail2ban.jail : INFO Jail 'apache-badbots' stopped
2013-10-22 09:21:24,109 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -j fail2ban-PBX-GUI
iptables -F fail2ban-PBX-GUI
iptables -X fail2ban-PBX-GUI returned 100
2013-10-22 09:21:24,113 fail2ban.jail : INFO Jail 'apache-tcpwrapper' stopped
2013-10-22 09:21:25,011 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -j fail2ban-SSH
iptables -F fail2ban-SSH
iptables -X fail2ban-SSH returned 100
2013-10-22 09:21:25,014 fail2ban.jail : INFO Jail 'ssh-iptables' stopped
2013-10-22 09:21:25,051 fail2ban.actions.action: ERROR iptables -D INPUT -p all -j fail2ban-SIP
iptables -F fail2ban-SIP
iptables -X fail2ban-SIP returned 100
2013-10-22 09:21:25,847 fail2ban.jail : INFO Jail 'asterisk-iptables' stopped
2013-10-22 09:21:26,100 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -j fail2ban-FTP
iptables -F fail2ban-FTP
iptables -X fail2ban-FTP returned 100
2013-10-22 09:21:26,104 fail2ban.jail : INFO Jail 'vsftpd-iptables' stopped
2013-10-22 09:21:26,105 fail2ban.server : INFO Exiting Fail2ban
2013-10-22 09:21:27,495 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.8
2013-10-22 09:21:27,496 fail2ban.jail : INFO Creating new jail 'ssh-iptables'
2013-10-22 09:21:27,498 fail2ban.jail : INFO Jail 'ssh-iptables' uses Gamin
2013-10-22 09:21:27,519 fail2ban.jail : INFO Initiated 'gamin' backend
2013-10-22 09:21:27,521 fail2ban.filter : INFO Added logfile = /var/log/secure
2013-10-22 09:21:27,522 fail2ban.filter : INFO Set maxRetry = 5
2013-10-22 09:21:27,524 fail2ban.filter : INFO Set findtime = 600
2013-10-22 09:21:27,525 fail2ban.actions: INFO Set banTime = 1800
2013-10-22 09:21:27,635 fail2ban.jail : INFO Creating new jail 'apache-badbots'
2013-10-22 09:21:27,636 fail2ban.jail : INFO Jail 'apache-badbots' uses Gamin
2013-10-22 09:21:27,637 fail2ban.jail : INFO Initiated 'gamin' backend
2013-10-22 09:21:27,638 fail2ban.filter : INFO Added logfile = /var/log/httpd/access_log
2013-10-22 09:21:27,639 fail2ban.filter : INFO Set maxRetry = 1
2013-10-22 09:21:27,641 fail2ban.filter : INFO Set findtime = 600
2013-10-22 09:21:27,642 fail2ban.actions: INFO Set banTime = 172800
2013-10-22 09:21:27,680 fail2ban.jail : INFO Creating new jail 'asterisk-iptables'
2013-10-22 09:21:27,681 fail2ban.jail : INFO Jail 'asterisk-iptables' uses Gamin
2013-10-22 09:21:27,681 fail2ban.jail : INFO Initiated 'gamin' backend
2013-10-22 09:21:27,683 fail2ban.filter : INFO Added logfile = /var/log/asterisk/full
2013-10-22 09:21:27,684 fail2ban.filter : INFO Set maxRetry = 8
2013-10-22 09:21:27,686 fail2ban.filter : INFO Set findtime = 600
2013-10-22 09:21:27,687 fail2ban.actions: INFO Set banTime = 1800
2013-10-22 09:21:27,729 fail2ban.jail : INFO Creating new jail 'apache-tcpwrapper'
2013-10-22 09:21:27,729 fail2ban.jail : INFO Jail 'apache-tcpwrapper' uses Gamin
2013-10-22 09:21:27,730 fail2ban.jail : INFO Initiated 'gamin' backend
2013-10-22 09:21:27,732 fail2ban.filter : INFO Added logfile = /var/log/httpd/error_log
2013-10-22 09:21:27,733 fail2ban.filter : INFO Set maxRetry = 6
2013-10-22 09:21:27,735 fail2ban.filter : INFO Set findtime = 600
2013-10-22 09:21:27,736 fail2ban.actions: INFO Set banTime = 1800
2013-10-22 09:21:27,752 fail2ban.jail : INFO Creating new jail 'vsftpd-iptables'
2013-10-22 09:21:27,753 fail2ban.jail : INFO Jail 'vsftpd-iptables' uses Gamin
2013-10-22 09:21:27,754 fail2ban.jail : INFO Initiated 'gamin' backend
2013-10-22 09:21:27,755 fail2ban.filter : INFO Set maxRetry = 5
2013-10-22 09:21:27,757 fail2ban.filter : INFO Set findtime = 600
2013-10-22 09:21:27,758 fail2ban.actions: INFO Set banTime = 1800
2013-10-22 09:21:27,775 fail2ban.jail : INFO Jail 'ssh-iptables' started
2013-10-22 09:21:27,795 fail2ban.jail : INFO Jail 'apache-badbots' started
2013-10-22 09:21:27,808 fail2ban.jail : INFO Jail 'asterisk-iptables' started
2013-10-22 09:21:27,829 fail2ban.jail : INFO Jail 'apache-tcpwrapper' started
2013-10-22 09:21:27,848 fail2ban.jail : INFO Jail 'vsftpd-iptables' started
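An added example, not part of the post above: pulling the failed stop actions out of a fail2ban 0.8-style log such as this one, so it is clear which jails could not remove their iptables chain on shutdown. The sample log is constructed from the format shown, and the function name is this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): list fail2ban jails whose stop action failed.
# Reads a fail2ban 0.8-style log on stdin; prints "<chain> <jail> <code>" per failure.
failed_stop_actions() {
  awk '
    / fail2ban\.actions\.action: ERROR / {
      chain = "?"; code = "?"; pending = 1
      for (i = 1; i < NF; i++) if ($i == "-j") chain = $(i + 1)
    }
    # the record may continue on undated lines; the last one ends "returned <code>"
    pending && NF > 1 && $(NF - 1) == "returned" { code = $NF }
    pending && / INFO Jail / && $NF == "stopped" {
      jail = $(NF - 1)
      gsub(/[^A-Za-z0-9_-]/, "", jail)        # strip straight or curly quotes
      print chain, jail, code
      pending = 0
    }'
}

# Constructed sample in the same format: two failed stops, one clean stop.
sample_log() {
  cat <<'EOF'
2013-10-22 09:21:22,634 fail2ban.server : INFO Stopping all jails
2013-10-22 09:21:23,041 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -j fail2ban-SSH
iptables -F fail2ban-SSH
iptables -X fail2ban-SSH returned 100
2013-10-22 09:21:23,143 fail2ban.jail : INFO Jail 'ssh-iptables' stopped
2013-10-22 09:21:24,109 fail2ban.actions.action: ERROR iptables -D INPUT -p all -j fail2ban-SIP
iptables -F fail2ban-SIP
iptables -X fail2ban-SIP returned 100
2013-10-22 09:21:24,113 fail2ban.jail : INFO Jail 'asterisk-iptables' stopped
2013-10-22 09:21:24,900 fail2ban.jail : INFO Jail 'vsftpd-iptables' stopped
EOF
}

sample_log | failed_stop_actions
```

When every jail shows up in this list, the rules or chains were missing or could not be removed by the time fail2ban stopped, so the state of the INPUT chain (`iptables -L INPUT -n`) is the place to look.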

Not really sure if it's included anywhere, but that's where the allowed IPs are; any IP that's not in there won't be allowed to connect to the server (www/putty or any other way).

I suspect you are using the Schmooze “intrusion detection” rpm for installing fail2ban, so I can’t be authoritative, if you use a more regular deployment just use

fail2ban-client set <JAIL> banip <IP>

and its corollary

fail2ban-client set <JAIL> addignoreip <IP>

where

fail2ban-client status

will expose your <JAIL>'s

Stupid forum doesn’t allow editing.

just run

fail2ban-client and note the stuff in the angle brackets as to JAIL’s and IP’s (that can be networks)

<JAIL> ?

Hello again,

fail2ban-client

Usage: /usr/bin/fail2ban-client [OPTIONS]

Fail2Ban v0.8.10 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

Options:
-c configuration directory
-s socket path
-p pidfile path
-d dump configuration. For debugging
-i interactive mode
-v increase verbosity
-q decrease verbosity
-x force execution of the server (remove socket file)
-h, --help display this help message
-V, --version print the version

Command:




]# fail2ban-client status
Status
|- Number of jail: 3
`- Jail list: asterisk-udp, asterisk-tcp, ssh-iptables

asterisk-udp and asterisk-tcp have been merged in the latest version but

fail2ban-client set asterisk-udp banip 10.10.10.10
fail2ban-client set asterisk-udp bantime 86400

will ban for 1 day 10.10.10.10

just spend time on keeping your regexes up to date and use

fail2ban-regex /var/log/asterisk/yourlog /etc/fail2ban/filter.d/yourasteriskfilter

to check that they are actually going to work.

Turns out it was a problem in iptables

So what was the issue ?
I’m having something similar…