System Admin Pro does not show banned IP's

Hi,
I updated fail2ban with yum update and System Admin Pro stopped showing banned IPs, but iptables -L -v shows the banned IPs and I receive e-mails. What can I do to make Banned IP’s in Intrusion Detection visible again?
FreePBX 6.12.65-28 with Asterisk (Ver. 11.18.0)

Thank you very much

Artur

@arturxps, Can you please tell me what version of the Sysadmin module you have installed?

Hi Bryan, thank you
I installed System Admin 12.0.30.4 today, but the problem started with the previous version. The system has the latest module updates.

Hello,

The problem still exists, and I have applied the latest updates: System Admin 12.0.30.5 and framework 12.0.74.
I want to understand: which file does the systemadmin module read for banned IPs?

Can you paste the output of /sbin/iptables-save?

Confirmed. Here is the requested output with my banned ip address redacted with x’s:

[root@lgaetzdev2 ~]# /sbin/iptables-save
# Generated by iptables-save v1.4.7 on Mon Jul 20 11:42:29 2015
*filter
:INPUT ACCEPT [234:26841]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [294:97570]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-recidive - [0:0]
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-FTP
-A INPUT -p tcp -m multiport --dports 80 -j fail2ban-apache-auth
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-SIP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-SIP -s xxx.xxx.xx.xxx/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache-auth -j RETURN
-A fail2ban-recidive -j RETURN
COMMIT
# Completed on Mon Jul 20 11:42:29 2015

Hi Bryan,

# Generated by iptables-save v1.4.7 on Mon Jul 20 20:06:06 2015
*filter
:INPUT ACCEPT [46375:13276677]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [38256:13333091]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-recidive - [0:0]
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-FTP
-A INPUT -p tcp -m multiport --dports 80 -j fail2ban-apache-auth
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-SIP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-SIP -s 212.83.129.145/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 62.210.251.134/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 91.236.75.157/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 198.204.240.178/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 192.187.109.154/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 194.12.239.81/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache-auth -j RETURN
-A fail2ban-recidive -j RETURN
COMMIT
# Completed on Mon Jul 20 20:06:06 2015

thx Lorne

I just pushed a new beta Sysadmin (12.0.30.6) which should resolve this issue. Can you try installing that and let me know if you have any issues or if the issue is not resolved.

Hi Bryan,
I installed the new beta Sysadmin (12.0.30.6) and now I see "Banned IP’s Array".
This is the new /sbin/iptables-save output:
[root@sip ~]# /sbin/iptables-save
# Generated by iptables-save v1.4.7 on Tue Jul 21 09:51:48 2015
*filter
:INPUT ACCEPT [23378:5507059]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19092:5675603]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-recidive - [0:0]
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-FTP
-A INPUT -p tcp -m multiport --dports 80 -j fail2ban-apache-auth
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-SIP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-SIP -s 63.141.243.74/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 91.236.75.157/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 194.12.239.81/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 192.187.109.154/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache-auth -j RETURN
-A fail2ban-recidive -j RETURN
COMMIT
# Completed on Tue Jul 21 09:51:48 2015

[root@sip ~]#

Don’t mean to interrupt a thread, but I wanted to report that after installing System Admin 12.0.30.6 Beta on FreePBX 6.12.65-28 with Asterisk (v. 11.18.0)

The web gui (Admin > Intrusion Detection > Banned IP’s) shows “Array Array” instead of the banned IPs now.

Here is the output of /sbin/iptables-save

# Generated by iptables-save v1.4.7 on Wed Jul 22 14:22:38 2015
*filter
:INPUT ACCEPT [14111:5162269]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14725:8482075]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-PBX-GUI - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-recidive - [0:0]
-A INPUT -p tcp -j fail2ban-FTP
-A INPUT -p tcp -j fail2ban-apache-auth
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-PBX-GUI
-A INPUT -p tcp -j fail2ban-BadBots
-A INPUT -p tcp -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-PBX-GUI -j RETURN
-A fail2ban-SIP -s 62.210.7.145/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 5.189.144.92/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 146.0.77.50/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 69.30.230.90/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -s 198.58.94.250/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -s 182.100.67.112/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -s 24.189.83.80/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -j RETURN
-A fail2ban-apache-auth -j RETURN
-A fail2ban-recidive -j RETURN
COMMIT
# Completed on Wed Jul 22 14:22:38 2015

Ok looks like there were two separate issues here. We have fixed the second issue where it is showing “Array Array” and have rolled a new beta of sysadmin which is version 12.0.30.7.

Hi Bryan,
I updated all modules and installed the sysadmin 12.0.30.7 beta; it now shows “No Banned IP’s”.
In case you need it:
[root@sip ~]# /sbin/iptables-save
# Generated by iptables-save v1.4.7 on Mon Jul 27 06:24:27 2015
*filter
:INPUT ACCEPT [966:269284]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [810:231755]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-recidive - [0:0]
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-FTP
-A INPUT -p tcp -m multiport --dports 80 -j fail2ban-apache-auth
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-SIP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-SIP -s 194.12.239.81/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 107.150.57.2/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache-auth -j RETURN
-A fail2ban-recidive -j RETURN
COMMIT
# Completed on Mon Jul 27 06:24:27 2015

[root@sip ~]#

I think this could be my fault, I’ve been trying to clean up a bunch of horrible old buggy code, but sometimes I’ve been a bit TOO enthusiastic about cleaning them up :sunglasses:

I’ll look at this now.

Edit, A few mins later: Nope, it seems fine to me:

I’m intrigued as to what the problem could be. The only thing that jumps out at me is that I moved it from the old-and-busted hooks to the new simple-and-secure hooks.

If you’re good with your shell, can you please do this, and paste the output:

[root@12-dev-cluster sysadmin]# cd /var/www/html/admin/modules/sysadmin/hooks
[root@12-dev-cluster hooks]# ./fail2ban-getbanned
[root@12-dev-cluster hooks]# cat /var/spool/asterisk/sysadmin/banned
{"_timestamp":1437973180,"SIP":["1.2.3.4/32"]}[root@12-dev-cluster hooks]#
[root@12-dev-cluster hooks]#

That part in bold is what should be visible in the GUI (formatted correctly, of course).

Preemptive warning: Don’t try to edit that file, as it’ll immediately stop working, and cause FreePBX to crash when it tries to run it. (This is me in my paranoid ‘someone is trying to hack your machine, and I’m just going to sit in the corner and cry’ response.)
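
An added example, not part of the original thread and not FreePBX's own code: a read-only check that rebuilds the per-jail ban list from `/sbin/iptables-save` output and reports bans that are live in the firewall but absent from the spool file the GUI displays. The function names are hypothetical, the spool file shape is assumed from the sample shown above, and the dump uses constructed documentation addresses.

```python
import ipaddress
import json
import re

# A fail2ban ban rule as written by iptables-save: "-A fail2ban-<jail> -s <cidr> -j REJECT ..."
BAN_RULE = re.compile(r"^-A fail2ban-(?P<jail>\S+) -s (?P<src>\S+) -j (?:REJECT|DROP)\b")


def banned_by_jail(iptables_save_text):
    """Return {jail: [cidr, ...]} for every fail2ban ban rule in the dump."""
    banned = {}
    for line in iptables_save_text.splitlines():
        m = BAN_RULE.match(line.strip())
        if not m:
            continue  # chain declarations, jumps, RETURN rules, comments
        try:
            net = ipaddress.ip_network(m.group("src"), strict=False)
        except ValueError:
            continue  # e.g. an address redacted as xxx.xxx.xx.xxx
        cidrs = banned.setdefault(m.group("jail"), [])
        if str(net) not in cidrs:
            cidrs.append(str(net))
    return banned


def missing_from_gui(iptables_save_text, spool_json):
    """Bans present in the firewall but absent from the GUI's spool file."""
    reported = json.loads(spool_json)
    missing = {}
    for jail, cidrs in banned_by_jail(iptables_save_text).items():
        absent = [c for c in cidrs if c not in reported.get(jail, [])]
        if absent:
            missing[jail] = absent
    return missing


# Constructed sample (documentation addresses), shaped like the dumps in this thread.
SAMPLE_DUMP = """\
*filter
:fail2ban-SIP - [0:0]
-A INPUT -j fail2ban-SIP
-A fail2ban-SIP -s 192.0.2.10/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s xxx.xxx.xx.xxx/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
SAMPLE_SPOOL = '{"_timestamp":1437979665}'  # constructed: a spool file with no jails
print(json.dumps(missing_from_gui(SAMPLE_DUMP, SAMPLE_SPOOL)))
```

A non-empty result means the firewall is enforcing bans that the GUI is not reporting, which is the symptom described in this thread.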

Hi Rob,
I did this like you:

[root@sip ~]# cd /var/www/html/admin/modules/sysadmin/hooks/
[root@sip hooks]# ./fail2ban-getbanned
[root@sip hooks]# cat /var/spool/asterisk/sysadmin/banned
{"_timestamp":1437979665}[root@sip hooks]#
[root@sip hooks]#

and after

[root@sip ~]# /sbin/iptables-save
# Generated by iptables-save v1.4.7 on Mon Jul 27 09:50:56 2015
*filter
:INPUT ACCEPT [11806:2836109]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9758:2486378]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-recidive - [0:0]
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-FTP
-A INPUT -p tcp -m multiport --dports 80 -j fail2ban-apache-auth
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-SIP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-SIP -s 62.210.251.134/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 195.154.157.126/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 194.12.239.81/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 107.150.57.2/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache-auth -j RETURN
-A fail2ban-recidive -j RETURN
COMMIT
# Completed on Mon Jul 27 09:50:56 2015

And I see "Banned IP’s No Banned IP’s "

Thank you so much for helping me

Looking good! thanks!

Hi Bryan and Rob
Now everything is OK.
Thank you one more time.