Help with Intrusion Detection - Fail2Ban 0.0.0.0/0

Here is my setup:
FreePBX 2.10.1.9 Distro with Asterisk (Ver. 1.8.21.0). In the GUI System Admin>Intrusion Detection section under Banned IP’s it is showing 0.0.0.0/0 in the IP list 5 times. When I remove these lines and submit the page, it only goes for a second and reappears as soon as I refresh the page. It is affecting the remote extensions connected to my server which cannot register. Extensions within the same local network are working OK.

This may be a bug caused by a recent update of some modules? I have checked the logs of fail2ban but could not find any trace of this IP 0.0.0.0/0 being banned.

Here are the logs with 0.0.0.0 entries from my server logs:

> grep -r "0\.0\.0\.0" /var/log/
> /var/log/messages.2:Apr 2 14:38:41 MyVoIPServer ntpd[2760]: Listening on interface wildcard, 0.0.0.0#123 Disabled
> /var/log/secure.3:Mar 28 09:07:10 MyVoIPServer sshd[2736]: Server listening on 0.0.0.0 port 22.
> /var/log/secure.3:Mar 28 13:59:51 MyVoIPServer sshd[2761]: Server listening on 0.0.0.0 port 22.
> /var/log/secure.3:Mar 28 14:04:42 MyVoIPServer sshd[2759]: Server listening on 0.0.0.0 port 22.
> /var/log/messages.3:Mar 28 09:07:10 MyVoIPServer ntpd[2768]: Listening on interface wildcard, 0.0.0.0#123 Disabled
> /var/log/messages.3:Mar 28 13:59:51 MyVoIPServer ntpd[2793]: Listening on interface wildcard, 0.0.0.0#123 Disabled
> /var/log/messages.3:Mar 28 14:04:43 MyVoIPServer ntpd[2791]: Listening on interface wildcard, 0.0.0.0#123 Disabled
> /var/log/messages.4:Mar 19 06:33:02 MyVoIPServer ntpd[2771]: Listening on interface wildcard, 0.0.0.0#123 Disabled
> /var/log/messages.4:Mar 20 09:36:53 MyVoIPServer ntpd[2768]: Listening on interface wildcard, 0.0.0.0#123 Disabled
> /var/log/messages.4:Mar 22 09:30:14 MyVoIPServer ntpd[2765]: Listening on interface wildcard, 0.0.0.0#123 Disabled
> /var/log/secure.1:Apr 12 14:53:06 MyVoIPServer sshd[2751]: Server listening on 0.0.0.0 port 22.
> /var/log/secure.1:Apr 12 17:45:05 MyVoIPServer sshd[2734]: Server listening on 0.0.0.0 port 22.
> /var/log/secure.1:Apr 12 18:06:52 MyVoIPServer sshd[2733]: Server listening on 0.0.0.0 port 22.
> /var/log/secure.1:Apr 13 08:17:08 MyVoIPServer sshd[2739]: Server listening on 0.0.0.0 port 22.
> /var/log/secure.1:Apr 13 21:56:28 MyVoIPServer sshd[2735]: Server listening on 0.0.0.0 port 22.
> /var/log/asterisk/full.1:[2013-04-13 08:17:15] VERBOSE[3002] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
> /var/log/asterisk/full.1:[2013-04-13 08:17:16] VERBOSE[3002] chan_sip.c: == SIP Listening on 0.0.0.0:5060
> /var/log/asterisk/full.1:[2013-04-13 21:56:35] VERBOSE[2998] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
> /var/log/asterisk/full.1:[2013-04-13 21:56:35] VERBOSE[2998] chan_sip.c: == SIP Listening on 0.0.0.0:5060
> /var/log/asterisk/full.2:[2013-04-12 14:53:12] VERBOSE[3014] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
> /var/log/asterisk/full.2:[2013-04-12 14:53:13] VERBOSE[3014] chan_sip.c: == SIP Listening on 0.0.0.0:5060
> /var/log/asterisk/full.2:[2013-04-12 17:45:12] VERBOSE[3001] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
> /var/log/asterisk/full.2:[2013-04-12 17:45:12] VERBOSE[3001] chan_sip.c: == SIP Listening on 0.0.0.0:5060
> /var/log/asterisk/full.2:[2013-04-12 18:06:59] VERBOSE[2996] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
> /var/log/asterisk/full.2:[2013-04-12 18:06:59] VERBOSE[2996] chan_sip.c: == SIP Listening on 0.0.0.0:5060
> /var/log/secure.4:Mar 19 06:33:02 MyVoIPServer sshd[2739]: Server listening on 0.0.0.0 port 22.
> /var/log/secure.4:Mar 20 09:36:52 MyVoIPServer sshd[2736]: Server listening on 0.0.0.0 port 22.
> /var/log/secure.4:Mar 22 09:30:14 MyVoIPServer sshd[2733]: Server listening on 0.0.0.0 port 22.
> /var/log/messages.1:Apr 12 14:53:06 MyVoIPServer ntpd[2783]: Listening on interface wildcard, 0.0.0.0#123 Disabled
> /var/log/messages.1:Apr 12 17:45:05 MyVoIPServer ntpd[2766]: Listening on interface wildcard, 0.0.0.0#123 Disabled
> /var/log/messages.1:Apr 12 18:06:52 MyVoIPServer ntpd[2765]: Listening on interface wildcard, 0.0.0.0#123 Disabled
> /var/log/messages.1:Apr 13 08:17:09 MyVoIPServer ntpd[2771]: Listening on interface wildcard, 0.0.0.0#123 Disabled
> /var/log/messages.1:Apr 13 21:56:28 MyVoIPServer ntpd[2767]: Listening on interface wildcard, 0.0.0.0#123 Disabled
> /var/log/secure.2:Apr 2 14:38:40 MyVoIPServer sshd[2728]: Server listening on 0.0.0.0 port 22.

And these are the logs from /var/log/asterisk/:

> grep -r "0\.0\.0\.0" /var/log/asterisk/
> /var/log/asterisk/full.1:[2013-04-13 08:17:15] VERBOSE[3002] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
> /var/log/asterisk/full.1:[2013-04-13 08:17:16] VERBOSE[3002] chan_sip.c: == SIP Listening on 0.0.0.0:5060
> /var/log/asterisk/full.1:[2013-04-13 21:56:35] VERBOSE[2998] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
> /var/log/asterisk/full.1:[2013-04-13 21:56:35] VERBOSE[2998] chan_sip.c: == SIP Listening on 0.0.0.0:5060
> /var/log/asterisk/full.2:[2013-04-12 14:53:12] VERBOSE[3014] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
> /var/log/asterisk/full.2:[2013-04-12 14:53:13] VERBOSE[3014] chan_sip.c: == SIP Listening on 0.0.0.0:5060
> /var/log/asterisk/full.2:[2013-04-12 17:45:12] VERBOSE[3001] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
> /var/log/asterisk/full.2:[2013-04-12 17:45:12] VERBOSE[3001] chan_sip.c: == SIP Listening on 0.0.0.0:5060
> /var/log/asterisk/full.2:[2013-04-12 18:06:59] VERBOSE[2996] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
> /var/log/asterisk/full.2:[2013-04-12 18:06:59] VERBOSE[2996] chan_sip.c: == SIP Listening on 0.0.0.0:5060

And this is what I get from iptables.

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-FTP tcp -- anywhere anywhere
fail2ban-BadBots tcp -- anywhere anywhere
fail2ban-SIP all -- anywhere anywhere
fail2ban-PBX-GUI tcp -- anywhere anywhere
fail2ban-SSH tcp -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-BadBots (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-FTP (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-PBX-GUI (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-SIP (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

I see nothing in here that says 0.0.0.0 is banned. Where are you seeing it is banned?

The command iptables -L would show you all banned IPs and yours does not list any.
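
The check described in the reply above, as an added example that is not part of the original thread or of FreePBX: it reads `iptables -L` output and reports the DROP/REJECT rules inside the `fail2ban-*` chains, flagging any whose source is every address (printed as `anywhere`, or as `0.0.0.0/0` with `-n`). The function names and the sample ruleset are constructed for illustration, and a DROP or REJECT ban target is an assumption about how the jail's action is configured.

```shell
#!/bin/sh
# Added example: find real ban rules in fail2ban chains from `iptables -L` text.

# list_f2b_bans: stdin = `iptables -L` (or `-L -n`) output.
# Prints "chain source" for each DROP/REJECT rule in a fail2ban-* chain.
# The trailing "RETURN all -- anywhere anywhere" rule is the normal end of
# every fail2ban chain, not a ban, so it is ignored.
list_f2b_bans() {
    awk '
        $1 == "Chain" { chain = $2; next }
        chain ~ /^fail2ban-/ && ($1 == "DROP" || $1 == "REJECT") {
            # columns: target prot opt source destination
            print chain, $4
        }
    '
}

# catch_all_bans: keep only bans whose source matches every address.
# Without -n, iptables prints 0.0.0.0/0 as "anywhere".
catch_all_bans() {
    list_f2b_bans | awk '$2 == "anywhere" || $2 == "0.0.0.0/0"'
}

# Constructed sample: one catch-all ban and one single-host ban in the SIP jail.
sample_rules() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SIP  all  --  anywhere             anywhere
fail2ban-SSH  tcp  --  anywhere             anywhere

Chain fail2ban-SIP (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  203.0.113.7          anywhere
RETURN     all  --  anywhere             anywhere

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
EOF
}

# Stand-alone run on the constructed sample; prints "fail2ban-SIP anywhere".
sample_rules | catch_all_bans
```

On a live system the input would be `iptables -L -n | catch_all_bans`, run as root. Empty output, as with the ruleset posted above, means no catch-all ban is active in the firewall.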

Please see the screenshot attached. It is showing in the GUI.


I am not sure this is actually getting into the active ban list, but without a doubt FPBX is populating the Banned IP’s section with 0.0.0.0/0 if there is nothing else present, and if you try and delete them it comes right back.

Tony, I have several 3.11 systems, and they are all exhibiting this symptom currently at the latest 3.211.63-7 version. Even the demo kit from you from OTTS is now doing this with the licensed sysadmin module, as I just checked it.

I just installed a new 3.211.63-6 Distro and did no config whatsoever. There are multiple instances of 0.0.0.0/0 in the Banned IP’s list. Deleting them does not work. They just reappear.

I was the first to post this issue and now there are several other people reporting the same issue. I hope that the developers or some other competent programmer from the community will notice it now. My system is playing. The issue affects remote extensions which cannot register. However, for some reason it is happening intermittently even though 0.0.0.0/0 is there in banned IP list permanently.

As the first responder to your first post, can I ask if you filed a “bug report” yet? Nobody but the developers can help you here due to licensing restrictions; this is a “commercial” module which I don’t use. I just know how Fail2Ban works.