I am having a problem with 128.90.0.0/16, 42.104.0.0/16 and 45.254.0.0/16 constantly trying to log into my systems. I have added these IP blocks to my black list, but I am still getting reports of these IPs being banned. Why isn’t the black list stopping them? I have even changed my port numbers, but eventually they figure out the new port and try again.
Just did a quick test of a system running firewall version 15.0.43, which is the current stable version. It shouldn’t matter for what we’re testing here, but is there any reason why your version is so far behind?
Tested by adding a single entry to the firewall blacklist in the GUI: 108.162.0.0/16
Confirm it’s active from the CLI with:
```
# fwconsole firewall list blacklist
All blacklisted entries.
108.162.0.0/16
```
and I can see the iptables rule with
```
# iptables-save | grep fpbxblacklist
:fpbxblacklist - [0:0]
-A fpbxblacklist -s 108.162.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A fpbxfirewall -j fpbxblacklist
```
Thanks for the reply.
My FW is version 15.0.42 (the FreePBX version as displayed in the dashboard was 15.0.29). I continue to get new ban emails for IPs within the scope of what I have added. I got 199 in the last 8 hours, and every IP is within the scope. I added a bunch of /24 rules after the fact and they are still getting through.
When I run your commands I have 13 rules, but 199 emails came in anyway. Every ban email had an IP that should have been blocked.
```
fwconsole firewall list blacklist
All blacklisted entries.
103.27.228.0/24
128.90.0.0/16
128.90.115.0/24
128.90.117.0/24
128.90.135.0/24
128.90.164.0/24
128.90.166.0/24
128.90.206.0/24
128.90.50.0/24
42.103.0.0/16
45.120.203.0/24
45.254.0.0/16
45.254.246.0/24
```
```
iptables-save | grep fpbxblacklist
:fpbxblacklist - [0:0]
-A fpbxblacklist -s 128.90.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 42.103.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 45.254.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.166.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.206.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.115.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.135.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 45.254.246.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.50.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.117.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 45.120.203.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 103.27.228.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.164.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxfirewall -j fpbxblacklist
```
BAN EMAIL (1 of 199)
Hi,
The IP 128.90.160.251 has just been banned by Fail2Ban after
4 attempts against SIP on vpspbx8.dvsatech.com.
Regards,
Fail2Ban
(Note: I added the /24 rules after the /16 didn’t stop the ban emails; I thought maybe the /16 wasn’t working.) On my systems a ban is forever (or until the next reboot). I should never see the same IP again, but I do.
You can see if I search for the IP, it’s listed many times, BOTH via BAN and Blacklist. My PBX was rebooted after the firewall change was made, so I should not see any BAN IPs on the list that are also in the blacklist?
```
iptables-save | grep 128.90
-A fail2ban-SIP -s 128.90.79.127/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.107.76/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.160.208/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.192.56/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.176.26/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.105.252/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.115.61/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.166.194/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.166.57/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.199.57/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.117.16/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.109.82/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.162.128/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.102.249/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.171.45/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.101.246/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.145.51/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.21.234/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.143.132/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.171.164/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.160.246/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.160.251/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.105.141/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.50.42/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.107.1/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.117.20/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.117.183/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.79.116/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.79.215/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.90.64/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.177.223/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.165.25/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.69.180/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.53.128/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.184.141/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.53.160/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.160.39/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.175.223/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.197.7/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.78.64/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.53.173/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.90.108/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.162.188/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.114.252/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.196.154/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.164.248/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.117.231/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.50.34/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.135.138/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.206.50/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.114.90/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.199.209/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.109.246/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.151.227/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.21.106/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.115.53/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.107.13/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.112.73/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.165.30/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.116.76/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.195.142/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.143.176/32 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.166.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.206.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.115.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.135.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.50.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.117.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.164.0/24 -j REJECT --reject-with icmp-port-unreachable
```
FYI: I have also had IPs on my whitelist BANNED. That shouldn’t happen either. At least once or twice a year, my customers have an “outage” where none of the phones can access the PBX because the firewall banned their IP even though it’s on the “networks” list as trusted, and in the intrusion detection as “Trusted”. Still, if a phone has the wrong password (or port #), the IP gets banned and the whole site goes down until I unban it.
I opened a bug ticket on the ban issue and they closed it saying my firewall was too old, but I have 9 PBXs, it happens on ALL of them that have “responsive firewall” enabled, and every one of them was running the latest updates. I do both “yum upgrade -y” and “fwconsole ma upgradeall”, and reload and/or reboot at least once a month. If anything was “outdated”, it’s because it wasn’t part of the updates.
(module admin is set to standard and commercial). “Fail2Ban Bybase” is disabled (maybe I should enable this).
Blacklist is version 15.0.3
Firewall is version 15.0.43
The rules are upside down: if iptables previously blocks the /16, then you should never need (or even see fail2ban catching) /32 hosts. fail2ban’s chains need to be inserted after any ‘lists’ (chains) of any color. This is apparently ‘not the case’, but it is trivial in versions of f2b > 0.8.
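To make the ordering point concrete, here is an added example (not code from this thread, FreePBX or fail2ban) that walks an iptables-save dump the way netfilter does and reports which chain delivers the verdict for a given source address. The INPUT chain is constructed so that fail2ban's jump sits ahead of fpbxfirewall, the situation described above; the per-chain greps earlier in the thread never show the INPUT chain, which is exactly where that order is decided.

```python
import ipaddress

# Constructed iptables-save excerpt (not the poster's real dump): fail2ban's
# jump was inserted at the top of INPUT, ahead of the FreePBX firewall chain.
SAMPLE_RULES = """\
-A INPUT -j fail2ban-SIP
-A INPUT -j fpbxfirewall
-A fail2ban-SIP -s 128.90.160.251/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -j RETURN
-A fpbxfirewall -j fpbxblacklist
-A fpbxblacklist -s 128.90.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 45.254.0.0/16 -j REJECT --reject-with icmp-port-unreachable
"""


def parse_rules(text):
    """Group '-A <chain> ...' lines into {chain: [rules]}, preserving order."""
    chains = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "-A":
            continue  # ':chain [0:0]', 'COMMIT' and similar are not rules
        rule = {"src": None, "target": None}
        for i, tok in enumerate(parts):
            if tok == "-s":
                rule["src"] = ipaddress.ip_network(parts[i + 1], strict=False)
            elif tok == "-j":
                rule["target"] = parts[i + 1]
        chains.setdefault(parts[1], []).append(rule)
    return chains


def first_match(chains, chain, ip):
    """Traverse like netfilter: rules in order, follow jumps, RETURN on a miss.
    Returns (chain, verdict) of the first terminal rule hit, or None."""
    addr = ipaddress.ip_address(ip)
    for rule in chains.get(chain, []):
        if rule["src"] is not None and addr not in rule["src"]:
            continue
        target = rule["target"]
        if target == "RETURN":
            return None
        if target in ("ACCEPT", "DROP", "REJECT"):
            return (chain, target)
        if target in chains:  # jump into a user-defined chain
            hit = first_match(chains, target, ip)
            if hit is not None:
                return hit
    return None
```

On a real box, feed the complete `iptables-save` output to parse_rules and query the addresses from the ban emails; a hit in fail2ban-SIP for an address the blacklist already covers is the "upside down" ordering in one line of output.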
I loaded all updates but my fail2ban is still only v0.8.14.
What do I have to do to get a new updated fail2ban, and why isn’t it in the general release? You have mentioned in previous posts (many, many months ago) that > 0.8 fixes stuff. Even my FreePBX 16 servers are still 0.8.14?
There is a section called “Official source tarballs” where 0.8.14 is listed as “very-stable”. 0.9.4 is listed as “stable” in the same list. They seem to be the current versions.