Intrusion detection whitelist: subnets not allowed?

In the failtoban list I can see /32 subnets, but when I enter subnets into the whitelist, it becomes red. Are only IP addresses allowed?

/32 isn’t a subnet. It is a single IP address.

You likely understand that this does not answer my question, but you still posted this, likely just for the fun of it. Let’s have fun!

It is the FreePBX development team, not I, who made a deliberate decision to occupy the on-screen space with the /32 mask, in the listing under the intrusion detection. I am an innocent victim here.

So, back to the OP: Are only IP addresses allowed?

Why, by the way? To make the lives of admins miserable by having us whitelist each /32 IP address of each network that we have to allow?

What are you trying to add? What error are you getting? I can add a subnet.



If the field is shaded red/pink like this, you have a syntax error in your input.


Here, I’m missing an octet in the IPv4 address.
Can you provide an example of your actual input when the input field is red/pink?


I think you nailed it! I don’t have the exact address that had caused the field to glow red, but I was able to reproduce the same by adding an extra leading or trailing space.

Maybe this could be a TODO item for some future development to adjust the regexp that validates the input, so as to ignore and trim blank spaces. For better times when the dev team has spare cycles. In a perfect world.

Since we are on the topic of intrusion detection, I want to also ask something that’s been bothering me for some time:

When I come to the intrusion detection tab of the firewall, it may show some 50-100 addresses that have been blocked. But when I add another whitelist and save, the list suddenly shrinks to only a handful. Why? Does it mean that all of the banned addresses are now allowed? Is there a way to persist the ban list and only keep adding to it? My timeout is set to 3 years, so none of them should be dropped from the list.
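The trim-then-validate behaviour proposed above, as an added JavaScript example that is not FreePBX's own validator (the real regex is not shown in this thread); the strict and tolerant functions and the sample inputs are constructed for illustration:

```javascript
// Added example, not FreePBX code: validate a whitelist entry that is either a
// bare IPv4 address or an IPv4 CIDR subnet, trimming the leading/trailing
// blanks that, per the thread, make the real form field turn red/pink.
const OCTET = "(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])";
const IPV4_CIDR_RE = new RegExp(
  `^${OCTET}\\.${OCTET}\\.${OCTET}\\.${OCTET}(?:/([0-9]|[12][0-9]|3[0-2]))?$`
);

// Hypothetical "strict" validator with no trimming, used only to reproduce
// the symptom: a stray space fails the match even when the address is fine.
function strictIsValid(raw) {
  return IPV4_CIDR_RE.test(raw);
}

// Tolerant validator: trim surrounding whitespace, then match.
// Returns null on a syntax error, otherwise the parsed, normalized entry.
function parseWhitelistEntry(raw) {
  const value = String(raw).trim();
  const m = IPV4_CIDR_RE.exec(value);
  if (m === null) return null;
  const octets = m.slice(1, 5).map(Number);
  // No explicit mask means one host, which is exactly what "/32" denotes.
  const prefix = m[5] === undefined ? 32 : Number(m[5]);
  const address = octets.join(".");
  return {
    address,
    prefix,
    isSingleHost: prefix === 32,
    normalized: `${address}/${prefix}`,
  };
}

// Constructed sample inputs covering the cases raised in the thread.
const SAMPLES = [
  "192.0.2.0/24",    // a real subnet
  "192.0.2.7/32",    // single host written with a mask
  "192.0.2.7",       // single host, no mask
  " 192.0.2.0/24 ",  // leading/trailing blank: strict rejects, trimmed accepts
  "192.0.2/24",      // missing octet: a genuine syntax error either way
  "192.0.2.0/33",    // prefix length out of range
];

// Compare both validators over the samples; returns one row per input.
function checkSamples() {
  return SAMPLES.map((input) => ({
    input,
    strict: strictIsValid(input),
    parsed: parseWhitelistEntry(input),
  }));
}

console.log(JSON.stringify(checkSamples(), null, 2));
```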

Technically, this should be a new topic, but what do you mean by this:

Where/how did you set this “timeout”?

How to Use Fail2ban to Secure Your Linux Server (CentOS, Ubuntu, Debian, Fedora, and Plesk) might be helpful. It’s not specific to Fail2ban on FreePBX, so you will need to adjust commands, etc. accordingly.
Also, see and consider this Stack Overflow answer.
I’m wondering whether a ban time much shorter (perhaps 10 minutes) than 3 years was in effect for the banned addresses you observed and when you added to the whitelist, it refreshed the banned address list as well, removing any from the displayed list for which the ban had expired.
Also consider that Fail2ban bans are cleared and logs are re-evaluated upon service restart.

That’s a great way to shoot yourself in the foot.

You go into a coffee shop and run a SIP client then use your PBX

You leave and a day later someone comes into same shop, picks up the free wifi, and tries accessing your PBX. They get banned

A day after that you go back into the coffee shop and try to use your phone. Now you’re banned.

The idea behind fail2ban is it prevents an attacker from using a high speed guessing attack. Adding a delay of 2 minutes is enough to make a brute force attack on a reasonably long password take longer than your lifetime; a timeout of more than that is just going to cause problems.
