Intrusion detection is banning 0.0.0.0/0

Hi there,
I am running FreePBX Distro FreePBX 2.10.1.9. For the past couple of days my system keeps banning IP 0.0.0.0/0 which results in all my remote extensions being banned and I have 9 of them at 3 different locations. This IP 0.0.0.0/0 is added in the banned IP list as soon as I remove it.

I would really appreciate any help to resolve the issue.

I will assume you are using fail2ban.

Sounds like a bug, as denying 0.0.0.0/0 will ban EVERYTHING and I am sure that was not the intention, you could perhaps add

ignoreip = 0.0.0.0/8 # (ignore all hosts on THIS network,reference RFC3330)

to etc/fail2ban/jail.conf, assuming you have a bogus service/software/setup somewhere in your local network, because 0.0.0.0 as a host is not routable from outside. But you really need to find out which jail is responsible and what is causing it in the /var/log/fail2ban.log* files.

Thank you for your reply. Below is the log from fail2ban. I wonder if you can direct me to problem area:

2013-04-13 16:36:46,256 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -j fail2ban-PBX-GUI
iptables -F fail2ban-PBX-GUI
iptables -X fail2ban-PBX-GUI returned 100
2013-04-13 16:36:46,262 fail2ban.jail : INFO Jail ‘apache-tcpwrapper’ stopped
2013-04-13 16:36:47,258 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -j fail2ban-BadBots
iptables -F fail2ban-BadBots
iptables -X fail2ban-BadBots returned 100
2013-04-13 16:36:47,265 fail2ban.jail : INFO Jail ‘apache-badbots’ stopped
2013-04-13 16:36:48,256 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -j fail2ban-SSH
iptables -F fail2ban-SSH
iptables -X fail2ban-SSH returned 100
2013-04-13 16:36:48,263 fail2ban.jail : INFO Jail ‘ssh-iptables’ stopped
2013-04-13 16:36:49,260 fail2ban.actions.action: ERROR iptables -D INPUT -p all -j fail2ban-SIP
iptables -F fail2ban-SIP
iptables -X fail2ban-SIP returned 100
2013-04-13 16:36:49,266 fail2ban.jail : INFO Jail ‘asterisk-iptables’ stopped
2013-04-13 16:36:50,258 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -j fail2ban-FTP
iptables -F fail2ban-FTP
iptables -X fail2ban-FTP returned 100
2013-04-13 16:36:50,264 fail2ban.jail : INFO Jail ‘vsftpd-iptables’ stopped
2013-04-13 16:36:50,266 fail2ban.server : INFO Exiting Fail2ban
2013-04-13 16:36:52,033 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2013-04-13 16:36:52,035 fail2ban.jail : INFO Creating new jail 'ssh-iptables’
2013-04-13 16:36:52,038 fail2ban.jail : INFO Jail ‘ssh-iptables’ uses Gamin
2013-04-13 16:36:52,098 fail2ban.filter : INFO Added logfile = /var/log/secure
2013-04-13 16:36:52,101 fail2ban.filter : INFO Set maxRetry = 5
2013-04-13 16:36:52,109 fail2ban.filter : INFO Set findtime = 600
2013-04-13 16:36:52,112 fail2ban.actions: INFO Set banTime = 18000
2013-04-13 16:36:52,317 fail2ban.jail : INFO Creating new jail 'asterisk-iptables’
2013-04-13 16:36:52,318 fail2ban.jail : INFO Jail ‘asterisk-iptables’ uses Gamin
2013-04-13 16:36:52,321 fail2ban.filter : INFO Added logfile = /var/log/asterisk/full
2013-04-13 16:36:52,324 fail2ban.filter : INFO Set maxRetry = 3
2013-04-13 16:36:52,332 fail2ban.filter : INFO Set findtime = 600
2013-04-13 16:36:52,334 fail2ban.actions: INFO Set banTime = 18000
2013-04-13 16:36:52,428 fail2ban.jail : INFO Creating new jail 'apache-tcpwrapper’
2013-04-13 16:36:52,428 fail2ban.jail : INFO Jail ‘apache-tcpwrapper’ uses Gamin
2013-04-13 16:36:52,432 fail2ban.filter : INFO Added logfile = /var/log/httpd/error_log
2013-04-13 16:36:52,434 fail2ban.filter : INFO Set maxRetry = 6
2013-04-13 16:36:52,443 fail2ban.filter : INFO Set findtime = 600
2013-04-13 16:36:52,445 fail2ban.actions: INFO Set banTime = 18000
2013-04-13 16:36:52,489 fail2ban.jail : INFO Creating new jail 'apache-badbots’
2013-04-13 16:36:52,490 fail2ban.jail : INFO Jail ‘apache-badbots’ uses Gamin
2013-04-13 16:36:52,494 fail2ban.filter : INFO Added logfile = /var/log/httpd/access_log
2013-04-13 16:36:52,496 fail2ban.filter : INFO Set maxRetry = 1
2013-04-13 16:36:52,505 fail2ban.filter : INFO Set findtime = 600
2013-04-13 16:36:52,507 fail2ban.actions: INFO Set banTime = 172800
2013-04-13 16:36:52,610 fail2ban.jail : INFO Creating new jail 'vsftpd-iptables’
2013-04-13 16:36:52,610 fail2ban.jail : INFO Jail ‘vsftpd-iptables’ uses Gamin
2013-04-13 16:36:52,613 fail2ban.filter : INFO Set maxRetry = 5
2013-04-13 16:36:52,622 fail2ban.filter : INFO Set findtime = 600
2013-04-13 16:36:52,624 fail2ban.actions: INFO Set banTime = 1800
2013-04-13 16:36:52,678 fail2ban.jail : INFO Jail ‘ssh-iptables’ started
2013-04-13 16:36:52,684 fail2ban.jail : INFO Jail ‘asterisk-iptables’ started
2013-04-13 16:36:52,692 fail2ban.jail : INFO Jail ‘apache-tcpwrapper’ started
2013-04-13 16:36:52,700 fail2ban.jail : INFO Jail ‘apache-badbots’ started
2013-04-13 16:36:52,708 fail2ban.jail : INFO Jail ‘vsftpd-iptables’ started


You will have to post the part of the log that shows the banning of 0.0.0.0/0 this just shows fail2ban-server starting up.

You might find occurrences in your rotated logs as I suggested /var/log/fail2ban.log.*

grep “0.0.0.0” /var/log/fail2ban.log*

I can only find the following logs in todays date from /var/log/asterisk/fail2ban. I am using FreePBX distro GUI. I have also installed webmin on my server. Where should I look for the logs?

[2013-04-13 08:17:14] NOTICE[3002] cdr.c: CDR simple logging enabled.
[2013-04-13 08:17:14] NOTICE[3002] loader.c: 205 modules will be loaded.
[2013-04-13 08:17:15] NOTICE[3002] res_smdi.c: Unable to load config smdi.conf: SMDI disabled
[2013-04-13 08:17:15] NOTICE[3002] res_smdi.c: No SMDI interfaces are available to listen on, not starting SMDI listener.
[2013-04-13 08:17:15] NOTICE[3002] config.c: Registered Config Engine mysql
[2013-04-13 08:17:15] NOTICE[3002] config.c: Registered Config Engine curl
[2013-04-13 08:17:15] NOTICE[3002] chan_skinny.c: Configuring skinny from skinny.conf
[2013-04-13 08:17:15] NOTICE[3002] chan_skinny.c: Unable to load config skinny.conf, Skinny disabled.
[2013-04-13 08:17:15] NOTICE[3002] chan_agent.c: No agent configuration found – agent support disabled
[2013-04-13 08:17:15] NOTICE[3002] chan_mgcp.c: Unable to load config mgcp.conf, MGCP disabled
[2013-04-13 08:17:15] NOTICE[3002] iax2-provision.c: No IAX provisioning configuration found, IAX provisioning disabled.
[2013-04-13 08:17:16] NOTICE[3002] chan_sip.c: The ‘username’ field for sip peers has been deprecated in favor of the term ‘defaultuser’
[2013-04-13 08:17:16] NOTICE[3083] chan_sip.c: Peer ‘11’ is now Reachable. (165ms / 2000ms)
[2013-04-13 08:17:16] NOTICE[3083] chan_sip.c: Peer ‘12’ is now Reachable. (163ms / 2000ms)
[2013-04-13 08:17:16] NOTICE[3083] chan_sip.c: Peer ‘13’ is now Reachable. (162ms / 2000ms)
[2013-04-13 08:17:16] NOTICE[3002] chan_ooh323.c: Unable to load config ooh323.conf, OOH323 disabled
[2013-04-13 08:17:17] NOTICE[3002] pbx_ael.c: Starting AEL load process.
[2013-04-13 08:17:17] NOTICE[3002] pbx_ael.c: File /etc/asterisk/extensions.ael not found; AEL declining load
[2013-04-13 08:17:17] NOTICE[3002] app_queue.c: No queuerules.conf file found, queues will not follow penalty rules
[2013-04-13 08:17:17] NOTICE[3083] chan_sip.c: Peer ‘001100555’ is now Reachable. (29ms / 2000ms)
[2013-04-13 17:45:16] NOTICE[11333] iax2-provision.c: No IAX provisioning configuration found, IAX provisioning disabled.
[2013-04-13 17:45:16] NOTICE[3065] chan_mgcp.c: Unable to load config mgcp.conf, MGCP disabled
[2013-04-13 17:45:16] NOTICE[11333] res_config_ldap.c: Cannot reload LDAP RealTime driver.
[2013-04-13 17:45:16] NOTICE[11333] app_queue.c: No queuerules.conf file found, queues will not follow penalty rules


Hi there these are the log entries for 0.0.0.0 from my server. Please let me know if you can spot any issues.

grep -r “0.0.0.0” /var/log/
/var/log/messages.2:Mar 28 09:07:10 MyVoIPServer ntpd[2768]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/messages.2:Mar 28 13:59:51 MyVoIPServer ntpd[2793]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/messages.2:Mar 28 14:04:43 MyVoIPServer ntpd[2791]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/secure.3:Mar 19 06:33:02 MyVoIPServer sshd[2739]: Server listening on 0.0.0.0 port 22.
/var/log/secure.3:Mar 20 09:36:52 MyVoIPServer sshd[2736]: Server listening on 0.0.0.0 port 22.
/var/log/secure.3:Mar 22 09:30:14 MyVoIPServer sshd[2733]: Server listening on 0.0.0.0 port 22.
/var/log/messages.3:Mar 19 06:33:02 MyVoIPServer ntpd[2771]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/messages.3:Mar 20 09:36:53 MyVoIPServer ntpd[2768]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/messages.3:Mar 22 09:30:14 MyVoIPServer ntpd[2765]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/secure:Apr 12 14:53:06 MyVoIPServer sshd[2751]: Server listening on 0.0.0.0 port 22.
/var/log/secure:Apr 12 17:45:05 MyVoIPServer sshd[2734]: Server listening on 0.0.0.0 port 22.
/var/log/secure:Apr 12 18:06:52 MyVoIPServer sshd[2733]: Server listening on 0.0.0.0 port 22.
/var/log/secure:Apr 13 08:17:08 MyVoIPServer sshd[2739]: Server listening on 0.0.0.0 port 22.
/var/log/messages.4:Mar 12 10:46:07 MyVoIPServer ntpd[2785]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/messages.4:Mar 13 09:25:03 MyVoIPServer ntpd[2761]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/secure.1:Apr 2 14:38:40 MyVoIPServer sshd[2728]: Server listening on 0.0.0.0 port 22.
/var/log/asterisk/full:[2013-04-13 08:17:15] VERBOSE[3002] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
/var/log/asterisk/full:[2013-04-13 08:17:16] VERBOSE[3002] chan_sip.c: == SIP Listening on 0.0.0.0:5060
/var/log/asterisk/full.1:[2013-04-12 14:53:12] VERBOSE[3014] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
/var/log/asterisk/full.1:[2013-04-12 14:53:13] VERBOSE[3014] chan_sip.c: == SIP Listening on 0.0.0.0:5060
/var/log/asterisk/full.1:[2013-04-12 17:45:12] VERBOSE[3001] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
/var/log/asterisk/full.1:[2013-04-12 17:45:12] VERBOSE[3001] chan_sip.c: == SIP Listening on 0.0.0.0:5060
/var/log/asterisk/full.1:[2013-04-12 18:06:59] VERBOSE[2996] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
/var/log/asterisk/full.1:[2013-04-12 18:06:59] VERBOSE[2996] chan_sip.c: == SIP Listening on 0.0.0.0:5060
/var/log/secure.4:Mar 12 10:46:07 MyVoIPServer sshd[2753]: Server listening on 0.0.0.0 port 22.
/var/log/secure.4:Mar 13 09:25:02 MyVoIPServer sshd[2729]: Server listening on 0.0.0.0 port 22.
/var/log/messages.1:Apr 2 14:38:41 MyVoIPServer ntpd[2760]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/secure.2:Mar 28 09:07:10 MyVoIPServer sshd[2736]: Server listening on 0.0.0.0 port 22.
/var/log/secure.2:Mar 28 13:59:51 MyVoIPServer sshd[2761]: Server listening on 0.0.0.0 port 22.
/var/log/secure.2:Mar 28 14:04:42 MyVoIPServer sshd[2759]: Server listening on 0.0.0.0 port 22.
/var/log/messages:Apr 12 14:53:06 MyVoIPServer ntpd[2783]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/messages:Apr 12 17:45:05 MyVoIPServer ntpd[2766]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/messages:Apr 12 18:06:52 MyVoIPServer ntpd[2765]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/messages:Apr 13 08:17:09 MyVoIPServer ntpd[2771]: Listening on interface wildcard, 0.0.0.0#123 Disabled
grep -r “0.0.0.0” /var/log/asterisk/
/var/log/asterisk/full:[2013-04-13 08:17:15] VERBOSE[3002] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
/var/log/asterisk/full:[2013-04-13 08:17:16] VERBOSE[3002] chan_sip.c: == SIP Listening on 0.0.0.0:5060
/var/log/asterisk/full.1:[2013-04-12 14:53:12] VERBOSE[3014] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
/var/log/asterisk/full.1:[2013-04-12 14:53:13] VERBOSE[3014] chan_sip.c: == SIP Listening on 0.0.0.0:5060
/var/log/asterisk/full.1:[2013-04-12 17:45:12] VERBOSE[3001] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
/var/log/asterisk/full.1:[2013-04-12 17:45:12] VERBOSE[3001] chan_sip.c: == SIP Listening on 0.0.0.0:5060
/var/log/asterisk/full.1:[2013-04-12 18:06:59] VERBOSE[2996] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
/var/log/asterisk/full.1:[2013-04-12 18:06:59] VERBOSE[2996] chan_sip.c: == SIP Listening on 0.0.0.0:5060


that looks like your asterisk log, failban rotated logs will be in /var/log/ as:-

/var/log/fail2ban.log.1
/var/log/fail2ban.log.2
/var/log/fail2ban.log.3
.
.

You probably can’t do this from the GUI, sorry.

Here are the search results for 0.0.0.0 from all log files. Please let me know if you can spot any problem.

grep -r “0.0.0.0” /var/log/
/var/log/messages.2:Mar 28 09:07:10 MyVoIPServer ntpd[2768]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/messages.2:Mar 28 13:59:51 MyVoIPServer ntpd[2793]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/messages.2:Mar 28 14:04:43 MyVoIPServer ntpd[2791]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/secure.3:Mar 19 06:33:02 MyVoIPServer sshd[2739]: Server listening on 0.0.0.0 port 22.
/var/log/secure.3:Mar 20 09:36:52 MyVoIPServer sshd[2736]: Server listening on 0.0.0.0 port 22.
/var/log/secure.3:Mar 22 09:30:14 MyVoIPServer sshd[2733]: Server listening on 0.0.0.0 port 22.
/var/log/messages.3:Mar 19 06:33:02 MyVoIPServer ntpd[2771]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/messages.3:Mar 20 09:36:53 MyVoIPServer ntpd[2768]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/messages.3:Mar 22 09:30:14 MyVoIPServer ntpd[2765]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/secure:Apr 12 14:53:06 MyVoIPServer sshd[2751]: Server listening on 0.0.0.0 port 22.
/var/log/secure:Apr 12 17:45:05 MyVoIPServer sshd[2734]: Server listening on 0.0.0.0 port 22.
/var/log/secure:Apr 12 18:06:52 MyVoIPServer sshd[2733]: Server listening on 0.0.0.0 port 22.
/var/log/secure:Apr 13 08:17:08 MyVoIPServer sshd[2739]: Server listening on 0.0.0.0 port 22.
/var/log/messages.4:Mar 12 10:46:07 MyVoIPServer ntpd[2785]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/messages.4:Mar 13 09:25:03 MyVoIPServer ntpd[2761]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/secure.1:Apr 2 14:38:40 MyVoIPServer sshd[2728]: Server listening on 0.0.0.0 port 22.
/var/log/asterisk/full:[2013-04-13 08:17:15] VERBOSE[3002] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
/var/log/asterisk/full:[2013-04-13 08:17:16] VERBOSE[3002] chan_sip.c: == SIP Listening on 0.0.0.0:5060
/var/log/asterisk/full.1:[2013-04-12 14:53:12] VERBOSE[3014] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
/var/log/asterisk/full.1:[2013-04-12 14:53:13] VERBOSE[3014] chan_sip.c: == SIP Listening on 0.0.0.0:5060
/var/log/asterisk/full.1:[2013-04-12 17:45:12] VERBOSE[3001] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
/var/log/asterisk/full.1:[2013-04-12 17:45:12] VERBOSE[3001] chan_sip.c: == SIP Listening on 0.0.0.0:5060
/var/log/asterisk/full.1:[2013-04-12 18:06:59] VERBOSE[2996] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
/var/log/asterisk/full.1:[2013-04-12 18:06:59] VERBOSE[2996] chan_sip.c: == SIP Listening on 0.0.0.0:5060
/var/log/secure.4:Mar 12 10:46:07 MyVoIPServer sshd[2753]: Server listening on 0.0.0.0 port 22.
/var/log/secure.4:Mar 13 09:25:02 MyVoIPServer sshd[2729]: Server listening on 0.0.0.0 port 22.
/var/log/messages.1:Apr 2 14:38:41 MyVoIPServer ntpd[2760]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/secure.2:Mar 28 09:07:10 MyVoIPServer sshd[2736]: Server listening on 0.0.0.0 port 22.
/var/log/secure.2:Mar 28 13:59:51 MyVoIPServer sshd[2761]: Server listening on 0.0.0.0 port 22.
/var/log/secure.2:Mar 28 14:04:42 MyVoIPServer sshd[2759]: Server listening on 0.0.0.0 port 22.
/var/log/messages:Apr 12 14:53:06 MyVoIPServer ntpd[2783]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/messages:Apr 12 17:45:05 MyVoIPServer ntpd[2766]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/messages:Apr 12 18:06:52 MyVoIPServer ntpd[2765]: Listening on interface wildcard, 0.0.0.0#123 Disabled
/var/log/messages:Apr 13 08:17:09 MyVoIPServer ntpd[2771]: Listening on interface wildcard, 0.0.0.0#123 Disabled
grep -r “0.0.0.0” /var/log/asterisk/
/var/log/asterisk/full:[2013-04-13 08:17:15] VERBOSE[3002] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
/var/log/asterisk/full:[2013-04-13 08:17:16] VERBOSE[3002] chan_sip.c: == SIP Listening on 0.0.0.0:5060
/var/log/asterisk/full.1:[2013-04-12 14:53:12] VERBOSE[3014] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
/var/log/asterisk/full.1:[2013-04-12 14:53:13] VERBOSE[3014] chan_sip.c: == SIP Listening on 0.0.0.0:5060
/var/log/asterisk/full.1:[2013-04-12 17:45:12] VERBOSE[3001] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
/var/log/asterisk/full.1:[2013-04-12 17:45:12] VERBOSE[3001] chan_sip.c: == SIP Listening on 0.0.0.0:5060
/var/log/asterisk/full.1:[2013-04-12 18:06:59] VERBOSE[2996] chan_iax2.c: == Binding IAX2 to default address 0.0.0.0:4569
/var/log/asterisk/full.1:[2013-04-12 18:06:59] VERBOSE[2996] chan_sip.c: == SIP Listening on 0.0.0.0:5060


cat /var/log/fail2ban.* |less

will give you all you have in your logs, just peruse the issue of that command and go chase down a time and date when you got banned.

Here are results from iptables -L. If that helps to trace the problem?

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all – anywhere anywhere


None of that helps, you need to post your fail2ban.log around the time you get banned, all the rest is noise.

I cannot find the entry banning 0.0.0.0/0 in the logs. It is only in the GUI in the list of Banned IP’s.

Then from my very first post,

. . . Sounds like a bug,

please report the problem in the “Commercial Modules” forum as the developers are monitoring that.

Thank you for your valuable time and effort to help me. I have posted the issue in “Commercial Modules” now. Lets hope that I will get some joy to resolve it there.