Help with Intrusion Detection

Here is my setup:
FreePBX 2.10.1.9 Distro with Asterisk (Ver. 1.8.21.0). In the GUI System Admin>Intrusion Detection section under Banned IP’s it is showing 0.0.0.0/0 in the IP list 5 times. When I remove these lines and submit the page. It only goes for a second and reappears as soon as I refresh the page. It is affecting the remote extensions connected to my server which cannot register. Extensions within the same local network are working OK.

This may be a bug caused by a recent update of some modules? I have checked the logs of fail2ban but could not find any trace of this IP 0.0.0.0/0 being banned.

Any help to resolve the issue will be much appreciated.

Thank you for your valuable time and effort to help me. I have posted the issue in “Commercial Modules” now. Lets hope that I will get some joy to resolve it there.

When this shows what do you see when you do a iptables -L from the command line. Fail2ban will only ban IPs that are in a log file it is monitoring but it is possible their might be a bug in the actual fail2ban application. This module just reports what is listed as banned in iptables.

With respect and knowing that the devs only monitor the “Commercial Modules” forum here, already the OP has gone this far with me today:-

http://www.freepbx.org/forum/general-help/intrusion-detection-is-banning-00000

this includes his issue from iptables -L

I will beg off now as although I have never had a problem with fail2ban in years, it is packaged in the FreePBX distro under a commercial license which apparently he accepted but which I care not to accept, no harm no foul.

Thank you for taking care of it for him.

Dicko

And here we go again with you posting bogus information. Fail2ban is a RPM on the Distro is not licensed commercial as Fail2Ban is Open Source. System Admin module which allows users to set some fail2ban settings is Commercial but all it does is let you set your ban times and such nothing else. Please stop spreading useless FUD again.

Tony, It was my understanding that the OP had only used the Sysadmin Module to configure the “IDS”,it was that piece was not working for him. And FUD or not most people will only get Fail2ban installed through the sysadmin module, fail2ban alone, is not a choice at least through the GUI that I am aware of, and the only interface to it is through the sysadmin module. I merely supported him as far as I could go as far as my understanding of how fail2ban works and then deferred to those that distribute the code he has trouble with. It was not my intention to create waves, just to get the poster to a place where his concerns might rightly be addressed.

I am sure you have read

http://literature.schmoozecom.com/system_admin-module/UserGuide/system_admin%20-module-userguide.pdf

so you might see why a I or any one who so read might think that the Intrusion Detection is considered part of System Admin module, (because it says it is, “The system admin module provides you access to manage some of the backend Linux options of your PBX such as DNS, Network, email relay settings and others.”) Also and with respect, there is possible further doubt and confusion also perhaps because there is no mention of Fail2ban anywhere in that document)

No fail2ban is a RPM that the distro installs no different then how you install fail2ban on any other OS. System Admin just allows you to set the fail2ban settings as you can see in that document.

I don’t want to step on any toes. I am only interested in a solution as I see the same issue on my system after a clean install and upgrade to 3.211.63-7

The GUI system admin module in “intrusion detection” lists
0.0.0.0/0 five times as banned IP and does not accept any changes. It also does not allow to add any new blacklisted IP’s as it always comes back with the 0.0.0.0/0

Can anyone confirm if this is a problem? Does it simply mean that it does not accept any manual changes or will it in fact block everything? I haven’t noticed it blocking valid registrations and have tested that fail2ban is still working as it should by blocking invalid registration attempts and not blocking whitelisted IPs. Does anyone have anything else to add or a solution to this (non)issue?

my clean install show 0.0.0.0/0 as well

this is my iptables -L

[[email protected] ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-FTP tcp – anywhere anywhere
fail2ban-PBX-GUI tcp – anywhere anywhere
fail2ban-SIP all – anywhere anywhere
fail2ban-BadBots tcp – anywhere anywhere
fail2ban-SSH tcp – anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-BadBots (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

Chain fail2ban-FTP (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

Chain fail2ban-PBX-GUI (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

Chain fail2ban-SIP (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

here is another print out

[[email protected] ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-FTP tcp – 0.0.0.0/0 0.0.0.0/0
fail2ban-PBX-GUI tcp – 0.0.0.0/0 0.0.0.0/0
fail2ban-SIP all – 0.0.0.0/0 0.0.0.0/0
fail2ban-BadBots tcp – 0.0.0.0/0 0.0.0.0/0
fail2ban-SSH tcp – 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-BadBots (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-FTP (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-PBX-GUI (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SIP (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0