My Security questions

celson · August 7, 2015, 5:17am

Hi,

I’m new to FreePBX (so please bear with me) and we just bought a System 100 appliance. I have been reading some post regarding fail2ban and IPtables(but I’m still having a hard time to fully understand). I have 4 questions.

I haven’t applied any IPtables or fail2ban at the moment but when I enter iptables -L -n below is the output.
- Can I just simply flush (iptables -F) and put my iptables rules?
- Is it needed to edit the fail2ban file or I can use the default rule ? If I can use the default rule, will that be enough?

OUTPUT:

target prot opt source destination
fail2ban-FTP tcp – 0.0.0.0/0 0.0.0.0/0
fail2ban-apache-auth tcp – 0.0.0.0/0 0.0.0.0/0
fail2ban-SIP all – 0.0.0.0/0 0.0.0.0/0
fail2ban-PBX-GUI all – 0.0.0.0/0 0.0.0.0/0
fail2ban-BadBots tcp – 0.0.0.0/0 0.0.0.0/0
fail2ban-SSH tcp – 0.0.0.0/0 0.0.0.0/0
fail2ban-recidive all – 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-BadBots (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-FTP (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-PBX-GUI (1 references)
target prot opt source destination
DROP all – 183.90.36.84 0.0.0.0/0
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SIP (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-apache-auth (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-recidive (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

If changing the default port numbers such as HTTP,HTTPS,SIP , do I need to include this on the default fail2ban statement?

Example:
action = iptables-allports[name=BadBots, port=“http,https,<mycustomport>”]

How I can remove a banned IP from the list ? I have tried DROP and it was successfully remove however when I reboot the system it goes back.
In our Intrusion detection page it shows 3 banned IP already but upon checking the iptables -L , it shows only 1 banned IP and others are not there.

Thank you for taking a time to read my post and hopefully I can get advise or help from you guys.

celson

Overkill · August 8, 2015, 2:01pm

All of that looks fine. I would recommend AT LEAST adding some manual changes to iptables that ban (drop) france, russia, palestine, israel, and china. If you can help it, make access to the server whitelist only (accept from your whitelist then drop 0.0.0.0/0).

I don’t know if changing the ports automatically changes the fail2ban rules, but it should if it doesn’t. Try it!

To answer your other questions…1:

fail2ban-client set asterisk-iptables unbanip xx.xx.xx.xx

2: That’s strange. Try manually banning the IPs using fail2ban-client (running w/o params will give you all you need to figure out the syntax). If they got themselves banned, they could probably stand to stay banned.

dicko · August 9, 2015, 3:18am

Its not france you need to block, most French people are quite well mannered: -), its ovh and iliad, etc. Etc. It’s all about hosted/cloud servers no matter what country they are in, that are largely unmonitored by the provider (go bitch at [email protected] and see what happens )
There are more chinese attackers now using datashack, volumedrive et al mostly in the US, but also UK NL and DE, than the universities back behind the bamboo curtain anymore, they are all lighter on their heels than we are and way better funded . . . Identify the network and block at that level not by geoip ( which is now completely fu’d)

The palestinians will do that also when they catch on,

If you want a list of the bad-guys networks I am prepared to share, show me your rogue ip’s and compare them with such list . . .

Start with

37.59.0.0/16 # OHV
46.105.0.0/16 # OHV
107.150.32.0/19 # datashack
5.39.218.201/32    # RIPE    NL HOSTKEY-NET                              HOSTKEY B.V.abuse-mailbox
37.8.0.0/18        # RIPE    PS HBSAGAZA                                 Hadara Gaza BSA
88.150.240.0/23    # RIPE    GB IOMARTHOSTING                            iomart Hosting Limited
119.81.182.16/29   # APNIC   US NETBLK-SOFTLAYER-APNIC-CUST-JD933-AP     June  Denney
146.0.77.0/24      # RIPE    NL NL-HOSTKEY                               HOSTKEY B.V.
188.161.128.0/17   # RIPE    PS PALTEL-DSL                               Palestine Telecommunications Company (PALTEL)httpDSL

Go that route and you are blocking at a way higher level /16 ( that’s 64k hosts at one blow) and higher without pissing off good but foreign users of VOIP.

Without bogging down iptables install and properly use ipset for more efficiency.

celson · August 9, 2015, 4:52am

Hi Overkill,

Thank you for your response, I will try that command for unbanning and yes I did some test and I want to know from other users if the result are the same as mine. Today the ban IP was remove which in this case it should not because I set my ban time to 1 year (31536000) it was banned only for 2 days.

celson

celson · August 9, 2015, 5:05am

Hi Dicko,

Thank you for sharing! I will list and share it here. Would you mind if you can help to answer some of my questions? I still have doubts of the things above.

Thank you in advance.

celson

Overkill · August 9, 2015, 9:32am

bans seem to get removed on restart of fail2ban

deanot26508 · August 9, 2015, 1:55pm

I have noticed that, pretty lame if you ask me. Even putting a ban time of -1 still wipes them out on a reboot. I have started to ban the ranges at my PFSense router, at least it does not dump the banned IP’s.

dicko · August 9, 2015, 3:11pm

Fail2ban as you are apparently using is packaged by Sangoma under sysadmin which is commercial and closed source so I can’t really answer specifics, but if you go to

fail2ban.org

it is all explained there,

by default fail2ban inserts it’s chains at the start of iptables,

there is not one rule but a set of jails you can add to and/or enable to suit your environment

IMHO there are predefined jails that are not on in your deployment like apache-nohome and apache-noscript that should be enabled

the http,https are read from /etc/services but many if not most jails just glean IP <host>'s from your logfiles so probably not necessary

There are a couple of programs fail2 ban has to manually manipulate it’s chains

fail2ban-client

and

fail2ban-regex

to check whether your jails are catching what you think they should be .

The fail2ban you have drops it’s bans on restart, however the currently developed version is 0.9.1 that now uses sqlite3 to store it’s state so current ban’s are picked up on start, my solution is to use fail2ban 0.9.1 in conjunction with CSF, which is a highly configurable full blown firewall I suggest you add your rules in there, it is documented in the wiki

http://wiki.freepbx.org/pages/viewpage.action?pageId=41386033
and
http://wiki.freepbx.org/display/RN/CSF+with+FreePBX+on+any+Debian+or+RH+based+OS

and uses csfpre.sh and csfpost.sh scripts to start and stop fail2ban in an orderly fashion, I cannot say I have tried it with the version of fail2ban that “the distro” includes.

celson · August 18, 2015, 4:05am

Hi Dicko,

I took a logs from one of our server, I can provide more but I just need time to consolidate it.

Cheers,
Celson