Intrusion Detection not working

Hi all, I’m running a FreePBX server that I had access to via GUI and SSH. Suddenly I lost access to SSH, but the GUI interface was working. I noticed that when I stopped the “Intrusion Detection” service, via System Admin, the SSH access returns.
So I was doing some tests and saw that a few modules were not updated, and I was also getting an error when trying to apply configs (saying that I need to run fwconsole enable cdr in the CLI).
After updating all modules, I can no longer start/stop fail2ban via the GUI on the Intrusion Detection page. Every change I try to make (start the service, change advanced settings), it always reloads the page with the same configs as before.
At the top of the page I have this message:
"Warning!

Note: The Intrusion Detection handling method has been updated recently. Please clear your browser cache and refresh if you are having issues seeing the Intrusion Detection Start/Restart/Stop button."

But I tried to start the intrusion detection from 3 different browsers (2 that I never used to log into this server), and cleared the cache on all of them. It still doesn't work.

Now, even with the page saying that Intrusion Detection is stopped, I cannot SSH to the server anymore. Since I cannot connect via SSH, I can't run CLI commands like restarting fail2ban or check anything.

So I was first trying to get access to Intrusion Detection working properly, to then return to testing the SSH issue. Any idea what can be done?

I'm on FreePBX 15.0.37.4 with System Admin 15.0.33.10. I also tried to disable System Admin, but I get a message saying that I have to disable a lot of modules that use System Admin before disabling it.

Sorry if I made any mistakes with my language, I'm not a native English speaker.

You can allow list the IPs you are coming from in F2B, that will stop you from banning. There is also a Firewall component on the FBX. Again, trusting your incoming IPs there will stop Firewall blocks as well. Lastly, make sure any firewalls between your computer and the server properly allow you access. If all 3 things are in place, you shouldn’t have trouble accessing going forward.

Fail2ban has its own management programs, fail2ban-client and an excellent diagnostic, fail2ban-regex. Anything that sysadmin fails to do or does incorrectly with its so-called ‘ids’ (aka fail2ban) can be checked and fixed by the underlying fail2ban system; just stop sysadmin from messing with it ;)

When the Sysadmin page was working, I whitelisted my IPs, but it still didn't work, and now I can't even edit the Sysadmin page to try adding the IPs again.
The firewall is disabled. We use our own firewall.

But can I access any of these management programs via the GUI? Since I'm blocked from SSH.

You will need a physical or virtual terminal
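
For the console session suggested above, one way to check with `fail2ban-client` which jails currently ban a given address. This is an added example, not part of the original thread; the `sample_f2b` stub, its jail names and the addresses in it are constructed so the script also runs without fail2ban installed.

```bash
#!/bin/sh
# Added example: list the fail2ban jails that currently ban one IP.
# F2B can be overridden (e.g. F2B=sample_f2b) to run without fail2ban.
F2B="${F2B:-fail2ban-client}"

# Constructed stand-in that mimics "fail2ban-client status [jail]" output.
sample_f2b() {
    case "${2:-}" in
        "") printf 'Status\n|- Number of jail:\t2\n`- Jail list:\tssh-iptables, recidive\n' ;;
        ssh-iptables) printf 'Status for the jail: %s\n`- Actions\n   |- Currently banned:\t2\n   `- Banned IP list:\t203.0.113.7 198.51.100.20\n' "$2" ;;
        *) printf 'Status for the jail: %s\n`- Actions\n   |- Currently banned:\t0\n   `- Banned IP list:\t\n' "$2" ;;
    esac
}

# Print jail names, one per line, from the "Jail list:" line.
list_jails() {
    "$F2B" status | sed -n 's/.*Jail list:[[:space:]]*//p' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Succeed if IP ($2) is on the "Banned IP list" line of jail ($1).
# grep -Fx matches whole entries, so 10.0.0.1 never matches 10.0.0.11.
ip_banned_in() {
    "$F2B" status "$1" | sed -n 's/.*Banned IP list:[[:space:]]*//p' |
        tr -s ' \t' '\n' | grep -Fxq -- "$2"
}

# Print every jail banning the IP; return 1 if no jail bans it.
jails_banning() {
    _ip="$1"; _found=1
    for _jail in $(list_jails); do
        if ip_banned_in "$_jail" "$_ip"; then
            echo "$_jail"
            _found=0
        fi
    done
    return "$_found"
}

# With an IP argument, report each ban and the command that lifts it.
if [ -n "${1:-}" ]; then
    for _j in $(jails_banning "$1"); do
        echo "$1 is banned in jail $_j; to lift it: $F2B set $_j unbanip $1"
    done
fi
```

Saved under a name of your choice and run as root on the console with your client IP as the argument, it queries the real `fail2ban-client` unless `F2B` is set.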

Rebooting the box twice in quick succession will temporarily bring down all the FPBX security that could be blocking you. If you’re still blocked at that point, it’s not the server.
