FreePBX blacklist

I am having a problem with 128.90.0.0/16, 42.104.0.0/16 and 45.254.0.0/16 constantly trying to log into my systems. I have added these IP blocks to my blacklist but I am still getting reports of these IPs being banned. Why isn’t the blacklist stopping them? I have even changed my port numbers but eventually they figure out the new port and try again.

I am running FreePBX 15.0.29 with all updates.

Just did a quick test of a system running firewall version 15.0.43 which is the current stable version. It shouldn’t matter for what we’re testing here, but is there any reason why your version is so far behind?

Tested by adding a single entry to the firewall blacklist in the GUI: 108.162.0.0/16

Confirm it’s active from the CLI with:

# fwconsole firewall list blacklist
All blacklisted entries.
        108.162.0.0/16

and I can see the iptables rule with

# iptables-save | grep fpbxblacklist
:fpbxblacklist - [0:0]
-A fpbxblacklist -s 108.162.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A fpbxfirewall -j fpbxblacklist

The above rule blocks the site https://downforeveryoneorjustme.com/ and when it’s active the site reports my pbx as down.

Thanks for the reply.
My FW is version 15.0.42 (the FreePBX version as displayed in the dashboard was 15.0.29). I continue to get new ban emails for IPs within the scope of what I have added. I got 199 in the last 8 hours, and every IP is within the scope. I added a bunch of /24 rules after the fact and it’s still getting through.

When I run your commands I have 13 rules but 199 emails came in anyway. Every ban email had an IP that should have been blocked.

fwconsole firewall list blacklist
All blacklisted entries.
103.27.228.0/24
128.90.0.0/16
128.90.115.0/24
128.90.117.0/24
128.90.135.0/24
128.90.164.0/24
128.90.166.0/24
128.90.206.0/24
128.90.50.0/24
42.103.0.0/16
45.120.203.0/24
45.254.0.0/16
45.254.246.0/24
iptables-save | grep fpbxblacklist
:fpbxblacklist - [0:0]
-A fpbxblacklist -s 128.90.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 42.103.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 45.254.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.166.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.206.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.115.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.135.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 45.254.246.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.50.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.117.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 45.120.203.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 103.27.228.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.164.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxfirewall -j fpbxblacklist

BAN EMAIL (1 of 199)

Hi,

The IP 128.90.160.251 has just been banned by Fail2Ban after
4 attempts against SIP on vpspbx8.dvsatech.com.

Regards,

Fail2Ban

(Note, I added the /24 after the /16 didn’t stop the ban emails, thought maybe /16 wasn’t working). On my systems a ban is forever (or until the next reboot). I should never see the same IP again, but I do.

You can see if I search for the IP, it’s listed many times… BOTH via BAN and Blacklist. My PBX was rebooted after the firewall change was made so I should not see any BAN IPs on the list that are also in the blacklist?

iptables-save | grep 128.90
-A fail2ban-SIP -s 128.90.79.127/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.107.76/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.160.208/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.192.56/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.176.26/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.105.252/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.115.61/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.166.194/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.166.57/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.199.57/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.117.16/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.109.82/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.162.128/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.102.249/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.171.45/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.101.246/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.145.51/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.21.234/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.143.132/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.171.164/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.160.246/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.160.251/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.105.141/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.50.42/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.107.1/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.117.20/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.117.183/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.79.116/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.79.215/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.90.64/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.177.223/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.165.25/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.69.180/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.53.128/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.184.141/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.53.160/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.160.39/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.175.223/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.197.7/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.78.64/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.53.173/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.90.108/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.162.188/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.114.252/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.196.154/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.164.248/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.117.231/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.50.34/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.135.138/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.206.50/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.114.90/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.199.209/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.109.246/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.151.227/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.21.106/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.115.53/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.107.13/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.112.73/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.165.30/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.116.76/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.195.142/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.143.176/32 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.166.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.206.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.115.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.135.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.50.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.117.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.164.0/24 -j REJECT --reject-with icmp-port-unreachable

FYI: I have also had IPs on my whitelist BANNED. That shouldn’t happen either. At least once or twice a year, my customers have an “outage” where none of the phones can access the PBX because the firewall banned their IP even though it’s on the “networks” list as trusted, and the intrusion detection as “Trusted”. Still, if a phone has the wrong password (or port #), the IP gets banned and the whole site goes down until I unban.

I opened a bug ticket on the ban issue and they closed it saying my firewall was too old, but I have 9 PBXs, it happens on ALL of them that have “responsive firewall” enabled, and every one of them was running the latest updates. I do both “yum upgrade -y”, “fwconsole ma upgradeall”, and reload and/or reboot at least once a month. If anything was “outdated” it’s because it wasn’t part of the updates.
(module admin is set to standard and commercial). “Fail2Ban Bybase” is disabled (maybe I should enable this).

blacklist is version 15.0.3
Firewall is version 15.0.43

Having the above rule makes the rules below redundant

128.90.115.0/24
128.90.117.0/24
128.90.135.0/24
128.90.164.0/24
128.90.166.0/24
128.90.206.0/24
128.90.50.0/24

Same here, you don’t need to list the /24’s when you block the /16.

45.254.0.0/16
45.254.246.0/24

I know they are redundant. If you read my post, I added them when the /16 DIDN’T stop the bans. With the /16 and /24’s they still get through.

The rules are upside down. If iptables previously blocks the /16, then you should never need (or even see fail2ban catching) /32 hosts. fail2ban’s chains need to be inserted after any ‘lists’ (chains) of any color. This is apparently ‘not the case’ but trivial in versions of f2b > 0.8
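
A way to check the two things this thread turns on, as an added example that is not part of any post here and is not FreePBX or Fail2Ban code: which Fail2Ban /32 bans fall inside a blacklisted network, and which rules are evaluated before the jump to fpbxblacklist. The chain names come from the output quoted in the thread; SAMPLE is constructed from rules in the thread, except the conntrack ACCEPT line and 203.0.113.9, which are made up for illustration.

```python
import ipaddress
import re
import sys

# Constructed sample in iptables-save format (IPv4 only, as iptables-save emits).
SAMPLE = """\
-A fpbxfirewall -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fpbxfirewall -j fpbxblacklist
-A fpbxblacklist -s 128.90.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A fpbxblacklist -s 128.90.166.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.160.251/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 128.90.166.57/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 203.0.113.9/32 -j REJECT --reject-with icmp-port-unreachable
"""

def parse(text):
    """Return {chain: [rule spec, ...]} with rules in evaluation order."""
    chains = {}
    for line in text.splitlines():
        m = re.match(r"^-A (\S+) (.*)$", line.strip())
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains

def sources(rules):
    """Source networks named by '-s' in each rule (negated matches are not handled)."""
    found = (re.search(r"(?:^|\s)-s (\S+)", spec) for spec in rules)
    return [ipaddress.ip_network(m.group(1), strict=False) for m in found if m]

def bans_inside_blacklist(chains, blacklist="fpbxblacklist", prefix="fail2ban-"):
    """Fail2Ban bans whose address is already covered by a blacklist entry."""
    nets = sources(chains.get(blacklist, []))
    hits = []
    for chain, rules in chains.items():
        if not chain.startswith(prefix):
            continue
        for host in sources(rules):
            cover = [n for n in nets if host.subnet_of(n)]
            if cover:  # report the widest covering entry
                widest = max(cover, key=lambda n: n.num_addresses)
                hits.append((str(host), str(widest)))
    return hits

def rules_before_jump(chains, parent="fpbxfirewall", target="fpbxblacklist"):
    """Rules in `parent` evaluated before the jump to `target` (None if no jump)."""
    rules = chains.get(parent, [])
    for i, spec in enumerate(rules):
        if re.search(r"-j %s(\s|$)" % re.escape(target), spec):
            return rules[:i]
    return None

if __name__ == "__main__":
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    chains = parse(piped or SAMPLE)
    print(bans_inside_blacklist(chains), rules_before_jump(chains))
```

Run on a live system as `iptables-save | python3 <script>`. Any ban it lists means traffic from a blacklisted range still reached the SIP service, so the rules returned by `rules_before_jump` are the ones to inspect for an earlier ACCEPT.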

I loaded all updates but my fail2ban is still only V0.8.14
What do I have to do to get a new updated fail2ban and why isn’t it in the general release? You have mentioned in previous posts (many many months ago) that > 0.8 fixes stuff. Even my FreePBX 16 servers are still 0.8.14?

I download it from fail2ban.org.
Only the distro publishers would be able to explain why it’s never updated.

Interesting… FreePBX has fail2ban 0.8.14 but the change log on fail2ban.org goes from 0.8.13 to 0.9.0; they don’t even have a 0.8.14??

0.9.13 should be 0.8.13 (8 years ago)

Yes, typo, I corrected it. My point was they don’t even list 0.8.14 but that’s what the distro has.

Until there is a response from the publishers it will remain a mystery; so far there has never been one, go figure...

There is a section called “Official source tarballs” where 0.8.14 is listed and is listed as “very-stable”. 0.9.4 is listed as “stable” in the same list. They seem to be the current versions.

Is more appropriate in 2023.

0.8.14 may be “very stable” but it doesn’t work properly and is 8 years older…
