I have recently installed FreePBX 220.127.116.11 and am trying to get a handle on the firewall. I have it set up, but it does not seem to be doing what I think it should be doing.
I have a particular IP which is probing us constantly, 18.104.22.168 - I wanted to add that to the blacklist using the GUI - which I did - and I expected to be able to see the rule in the firewall using iptables...
"iptables -L -n | grep 22.214.171.124"
but NO, and it does not block it either.
I am sure this is not how it is supposed to work; shouldn't it block the IP and be visible in iptables?
When I use fail2ban from the command line as
"fail2ban-client -vvv set pbx-gui banip 126.96.36.199"
it shows up as blocked, and indeed it is blocked, and it sends me an email, but that is not the active firewall working, just fail2ban adding to the firewall... I can see the trusted IPs, so something is doing something somewhere.
Is there a way to see what the firewall is doing, as I cannot find a log file? I DID find /tmp/firewall.log - but that does not seem to be the actual log file.
The firewall is active according to the GUI... meantime someone is probing from 188.8.131.52.
grep -c "failed for '184.108.40.206" /var/log/asterisk/full
I get a count of 257, which is over the last 8 hour period that 220.127.116.11 has been probing; I thought the firewall would block attackers at around 49 attempts...
I then added 18.104.22.168 to the blacklist - and I was still seeing attempts - I am worried that something is not working as it should and the system is without a working firewall.
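The grep -c count in the post, extended to a per-IP tally with a retry threshold, as an added shell example that is not part of this thread or of FreePBX: the log lines are constructed samples in chan_sip's "Registration from ... failed for '<ip>:<port>'" format, the addresses are documentation ranges, and the threshold argument stands in for fail2ban's retry count.

```shell
#!/bin/sh
# Added example (not from the thread): tally failed SIP registration attempts
# per source IP from Asterisk "full"-style log lines and flag any source that
# exceeds a retry threshold, the way fail2ban's maxretry would.

# Write a few constructed chan_sip log lines to a temp file and print its path.
# These are sample lines, not real log data; IPs are from documentation ranges.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[2024-03-01 08:00:01] NOTICE[2311] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[2024-03-01 08:00:02] NOTICE[2311] chan_sip.c: Registration from '"1002" <sip:1002@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
[2024-03-01 08:00:05] NOTICE[2311] chan_sip.c: Registration from '"admin" <sip:admin@203.0.113.10>' failed for '198.51.100.7:5062' - Wrong password
[2024-03-01 08:01:10] NOTICE[2311] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '192.0.2.44:5060' - Wrong password
[2024-03-01 08:01:15] VERBOSE[2311] chan_sip.c: Registered SIP '200' at 192.0.2.44:5060
EOF
    echo "$f"
}

# Print the source IP of every "failed for '<ip>:<port>'" line in the log file.
# Lines without a failure (e.g. a successful registration) are skipped.
failed_ips() {
    sed -n "s/.*failed for '\([0-9.][0-9.]*\)[:'].*/\1/p" "$1"
}

# Count failures for one IP: the same question as the post's grep -c, but
# keyed on the parsed address so port and trailing text do not matter.
count_failed_for() {
    failed_ips "$1" | grep -cxF "$2"
}

# Print "count ip" for every failing source, highest count first.
failed_per_ip() {
    failed_ips "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print the IPs whose failure count exceeds the threshold (one per line).
# The threshold plays the role of fail2ban's retry count.
flag_over_threshold() {
    failed_per_ip "$1" | awk -v t="$2" '$1 > t {print $2}'
}

# Demo run on the constructed sample, with a threshold of 2 retries.
log=$(make_sample_log)
echo "failures per source IP:"
failed_per_ip "$log"
echo "sources over threshold 2:"
flag_over_threshold "$log" 2
rm -f "$log"
```

On a live system you would point the functions at /var/log/asterisk/full instead of the constructed sample; the output shows which sources are hammering registration and whether any of them should already have tripped the retry count.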
Without some data on how you have set up the firewall it is really hard to answer your questions.
- you should whitelist all IPs that should be allowed to access your PBX - do this in both the firewall and fail2ban
- you should set all NICs to external
- you should set the services you will use to have nothing checked (not reject or any of the others)
- if you have remote phones that use dynamic IP addresses, then be sure to turn on the responsive firewall and enable the appropriate protocol (chan_sip or pjsip)
- we typically reduce the fail2ban retry count to 2 and increase the find time and the ban time.
1, 2, 4 were as you detailed.
The thing I missed was that I had not set services as you outlined, in particular SIP on 5060 to have nothing set (they were set to external) - now I have done that, the annoying probing has stopped showing up.
I had already reduced the fail2ban count to 3; I will take it to 2.
Is there any log I can watch to see what the firewall is doing? Though it seems to be working, I like watching the logs for a bit on a new system to see what is going on.
Will banned IPs show up in iptables or is there some other thing going on in the kernel?
Thanks for the help.
My guess is that you will see very little hit fail2ban, but you will see blocked hosts on the firewall GUI under Status -> Blocked Hosts.
With this configuration, the firewall is blocking everything except the known IPs. The responsive firewall does allow a limited number of SIP registration attempts; if the registration is not successful, then the host is blocked.
Just remember: if you set a service to external and your NIC is set to external, then the firewall does nothing for that service.
Sounds like you have things well in hand.