FreePBX-AWS Version 15 fail2ban not working

configuration

(Eric) #1

I’m setting up FreePBX via AWS for my company. We set up one server that has everything configured for testing purposes and it works perfectly. The company decided to move forward with setting up a second server that will house the FreePBX for production use. AWS servers have security groups to allow/disallow certain connections. We cloned the security settings from the testing server to the new server and they have been double checked.

I’m having issues with basically the very first step of setting up the server, concerning fail2ban. On the original server we set up fail2ban and it works just fine. I put under /etc/fail2ban/jail.conf the IP addresses that fail2ban shouldn’t ban. There are four IP CIDRs in total: our two ISPs and our SIP server connections (primary and backup).

Again, on the test server it worked just fine. No issues. However, when I put the IP addresses that were in the original server into the new server, it doesn’t work. After double checking and copying/pasting the IP addresses, the new server locks me out as soon as I restart fail2ban, without fail.

Here’s what I’ve tried so far, note I’m only focusing on one IP right now. The primary internet connection that my system is using:

  1. The IP address by itself (e.g. 10.10.10.10)
  2. The IP address in a CIDR block (e.g. 10.10.10.10/28)
  3. The IP addresses in the entire CIDR block (e.g. 10.10.10.10, 10.10.10.11, 10.10.10.12…etc.)
  4. The IP addresses with the other 3 IPs separated by the space separator, just as fail2ban instructs in the file.
    (e.g. 10.10.10.10/28 192.168.1.0/28, etc.)

I’ve tried the suggestion here where you set up a new file specifically for whitelisting IPs under /etc/fail2ban/jail.d/ignoremyip.conf:

The above doesn’t work either. I tried the same steps as above:

  1. IP address by itself
  2. IP address w/ CIDR block
  3. The IP addresses in the entire CIDR block (e.g. 10.10.10.10, 10.10.10.11, 10.10.10.12…etc.)
  4. With the other 3 IPs separated by the space separator, just as fail2ban instructs in the file.
    (e.g. 10.10.10.10/28 192.168.1.0/28, etc.)

I’ve searched online for any known bugs in fail2ban with FreePBX v15, or with FreePBX v15 via AWS and haven’t come up with anything useful.

I did find one bug for FreePBX on AWS where a whitelist gets wiped after an upgrade from v14 to v15; however, that is the whitelist through the GUI of FreePBX, which I never set up on either server. The lockout only happens when I restart fail2ban, every time.

Other info:

  1. Under iptables -l to check for banned IPs there’s no listing under fail2ban-ban for my IP address; in fact there’s not even a section yet for any IPs that have been banned.
  2. I can’t check the logs for fail2ban, because as soon as I restart it my IP is locked out; I haven’t had a situation where it wasn’t.
  3. Version of FreePBX on AWS
    • Old/testing Server: v14.0.13.26
    • New Server: v15.0.16.38
  4. Here’s my iptables version as well; I don’t know if it’s necessary, but fail2ban goes off of iptables, I believe:
    • Old/testing Server: v1.4.21
    • New Server: v1.4.21

I’ve tried so many configurations that I’m at a complete loss, so any suggestions of what to test/look into next would be appreciated.


#2

If there is a /etc/fail2ban/jail.local then /etc/fail2ban/jail.conf is ignored.
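
The layering behind that answer is fail2ban's own: it reads jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local, and a key set in a later file replaces the same key from an earlier one, with a jail-specific section beating [DEFAULT] once everything is merged. The script below is an added example, not code from the thread or from fail2ban or FreePBX; it rebuilds that precedence with configparser so you can see which file actually supplies the ignoreip a jail will use. The config tree it builds (jail.conf, a jail.d/ignoremyip.conf whitelist, and a jail.local that resets ignoreip in [DEFAULT]) is constructed for the demo and reproduces the lockout described in the first post: the whitelist dropped into jail.d/*.conf is silently shadowed by jail.local. The helper names (jail_config_files, effective_ignoreip, split_ignoreip, add_local_override) are this example's own.

```python
import configparser
import ipaddress
import os
import tempfile
from glob import glob


def jail_config_files(confdir):
    """Files in the order fail2ban layers its jail configuration.
    A key in a later file overrides the same key in an earlier one."""
    candidates = [os.path.join(confdir, "jail.conf")]
    candidates += sorted(glob(os.path.join(confdir, "jail.d", "*.conf")))
    candidates.append(os.path.join(confdir, "jail.local"))
    candidates += sorted(glob(os.path.join(confdir, "jail.d", "*.local")))
    return [p for p in candidates if os.path.isfile(p)]


def _read(path):
    # Renaming the default section stops configparser from copying [DEFAULT]
    # into every other section, so we can tell which section really sets a key.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__no_defaults__")
    cp.read(path)
    return cp


def effective_ignoreip(confdir, jail):
    """Return (value, source_path) for the ignoreip fail2ban would apply to
    `jail`: the jail's own section wins over [DEFAULT]; within each section
    the last file in layering order wins. (None, None) if nothing sets it."""
    winner = {"DEFAULT": (None, None), jail: (None, None)}
    for path in jail_config_files(confdir):
        cp = _read(path)
        for section in winner:
            if cp.has_section(section) and cp.has_option(section, "ignoreip"):
                winner[section] = (cp.get(section, "ignoreip"), path)
    return winner[jail] if winner[jail][0] is not None else winner["DEFAULT"]


def split_ignoreip(value):
    """Split an ignoreip value on whitespace/commas and normalise each entry to
    a network; entries that are not IPs/CIDRs (hostnames, typos) are reported
    separately so they can be checked by hand."""
    ok, bad = [], []
    for token in value.replace(",", " ").split():
        try:
            ok.append(str(ipaddress.ip_network(token, strict=False)))
        except ValueError:
            bad.append(token)
    return ok, bad


def add_local_override(confdir, jail, entries):
    """Write the whitelist as a jail.d/*.local file, which is read after
    jail.local and therefore cannot be shadowed by it. Returns the path."""
    path = os.path.join(confdir, "jail.d", "ignoremyip.local")
    with open(path, "w") as fh:
        fh.write("[DEFAULT]\nignoreip = %s\n" % " ".join(entries))
    return path


def build_demo_tree():
    """Constructed sample layout (not from the original post): the whitelist
    lives in jail.d/ignoremyip.conf, but jail.local resets ignoreip."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "jail.d"))
    files = {
        "jail.conf": "[DEFAULT]\nignoreip = 127.0.0.1/8\nbantime = 600\n\n"
                     "[asterisk]\nenabled = true\n",
        os.path.join("jail.d", "ignoremyip.conf"):
            "[DEFAULT]\nignoreip = 10.10.10.10/28 192.168.1.0/28\n",
        "jail.local": "[DEFAULT]\nignoreip = 127.0.0.1/8\n\n"
                      "[asterisk]\nenabled = true\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    value, src = effective_ignoreip(root, "asterisk")
    print("before: ignoreip for [asterisk] = %r (from %s)" % (value, src))
    add_local_override(root, "asterisk",
                       ["127.0.0.1/8", "10.10.10.10/28", "192.168.1.0/28"])
    value, src = effective_ignoreip(root, "asterisk")
    print("after:  ignoreip for [asterisk] = %r (from %s)" % (value, src))
    print("parsed:", split_ignoreip(value))
```

Run it against a real /etc/fail2ban by calling effective_ignoreip("/etc/fail2ban", "<jail name>") before restarting the service; if the source path is not the file you edited, that is the whitelist being shadowed. Once fail2ban is running, `fail2ban-client get <jail> ignoreip` shows the list the daemon actually loaded, which is the definitive check.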


(Eric) #3

I knew I had to be missing something, and that’s probably it. When you mentioned this I remembered I did something similar on the original. I can’t test it at the moment, as I had to move on to a couple of other projects for the time being. I’ll update this post once I’m able to confirm.

