System Admin Pro does not show banned IP's

Hi,
I update fail2ban with yum update and System Admin Pro stop to show banned IP’s, but the iptables -L -v show banned ip’s and I receive e-mails. What I can do to return Banned IP’s in Intrusion Detection to be visible again
FreePBX 6.12.65-28 with Asterisk (Ver. 11.18.0)

Thank you very much

Artur

@arturxps, Can you please tell me what version of the Sysadmin module you have installed?

Hi Bryan, thank you
I install today System Admin 12.0.30.4, but problem start with previous version. The system is with last module updates.

Hello,

The problem still exists. And I did last update System Admin 12.0.30.5 and framework 12.0.74.
I want to understand which file systemadmin module reads for banned ip’s?

Can you paste the output of /sbin/iptables-save

Confirmed. Here is the requested output with my banned ip address redacted with x’s:

[[email protected] ~]# /sbin/iptables-save
# Generated by iptables-save v1.4.7 on Mon Jul 20 11:42:29 2015
*filter
:INPUT ACCEPT [234:26841]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [294:97570]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-recidive - [0:0]
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-FTP
-A INPUT -p tcp -m multiport --dports 80 -j fail2ban-apache-auth
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-SIP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-SIP -s xxx.xxx.xx.xxx/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache-auth -j RETURN
-A fail2ban-recidive -j RETURN
COMMIT
# Completed on Mon Jul 20 11:42:29 2015

Hi Bryan,

Generated by iptables-save v1.4.7 on Mon Jul 20 20:06:06 2015

*filter
:INPUT ACCEPT [46375:13276677]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [38256:13333091]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-recidive - [0:0]
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-FTP
-A INPUT -p tcp -m multiport --dports 80 -j fail2ban-apache-auth
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-SIP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-SIP -s 212.83.129.145/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 62.210.251.134/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 91.236.75.157/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 198.204.240.178/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 192.187.109.154/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 194.12.239.81/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache-auth -j RETURN
-A fail2ban-recidive -j RETURN
COMMIT

Completed on Mon Jul 20 20:06:06 2015

thx Lorne

I just pushed a new beta Sysadmin (12.0.30.6) which should resolve this issue. Can you try installing that and let me know if you have any issues or if the issue is not resolved.

Hi Bryan,
I install new beta Sysadmin (12.0.30.6) and now I see "Banned IP’s Array"
this is new /sbin/iptables-save
[[email protected] ~]# /sbin/iptables-save

Generated by iptables-save v1.4.7 on Tue Jul 21 09:51:48 2015

*filter
:INPUT ACCEPT [23378:5507059]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19092:5675603]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-recidive - [0:0]
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-FTP
-A INPUT -p tcp -m multiport --dports 80 -j fail2ban-apache-auth
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-SIP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-SIP -s 63.141.243.74/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 91.236.75.157/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 194.12.239.81/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 192.187.109.154/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache-auth -j RETURN
-A fail2ban-recidive -j RETURN
COMMIT

Completed on Tue Jul 21 09:51:48 2015

[[email protected] ~]#

Don’t mean to interrupt a thread, but I wanted to report that after installing System Admin 12.0.30.6 Beta on FreePBX 6.12.65-28 with Asterisk (v. 11.18.0)

The web gui (Admin > Intrusion Detection > Banned IP’s) shows “Array Array” instead of the banned IPs now.

Here is the output of /sbin/iptables-save

# Generated by iptables-save v1.4.7 on Wed Jul 22 14:22:38 2015

*filter
:INPUT ACCEPT [14111:5162269]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14725:8482075]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-PBX-GUI - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-recidive - [0:0]
-A INPUT -p tcp -j fail2ban-FTP
-A INPUT -p tcp -j fail2ban-apache-auth
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-PBX-GUI
-A INPUT -p tcp -j fail2ban-BadBots
-A INPUT -p tcp -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-PBX-GUI -j RETURN
-A fail2ban-SIP -s 62.210.7.145/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 5.189.144.92/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 146.0.77.50/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 69.30.230.90/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -s 198.58.94.250/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -s 182.100.67.112/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -s 24.189.83.80/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -j RETURN
-A fail2ban-apache-auth -j RETURN
-A fail2ban-recidive -j RETURN
COMMIT

Completed on Wed Jul 22 14:22:38 2015

Ok looks like there were two separate issues here. We have fixed the second issue where it is showing “Array Array” and have rolled a new beta of sysadmin which is version 12.0.30.7.

1 Like

Hi Bryan,
I update all modules and I install sysadmin 12.0.30.7 beta, now show “No Banned IP’s”.
in case you need:
[[email protected] ~]# /sbin/iptables-save

Generated by iptables-save v1.4.7 on Mon Jul 27 06:24:27 2015

*filter
:INPUT ACCEPT [966:269284]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [810:231755]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-recidive - [0:0]
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-FTP
-A INPUT -p tcp -m multiport --dports 80 -j fail2ban-apache-auth
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-SIP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-SIP -s 194.12.239.81/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 107.150.57.2/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache-auth -j RETURN
-A fail2ban-recidive -j RETURN
COMMIT

Completed on Mon Jul 27 06:24:27 2015

[[email protected] ~]#

I think this could be my fault, I’ve been trying to clean up a bunch of horrible old buggy code, but sometimes I’ve been a bit TOO enthusiastic about cleaning them up :sunglasses:

I’ll look at this now.

Edit, A few mins later: Nope, it seems fine to me:

I’m intrigued as to what the problem could be. The only thing that jumps out at me is that I moved it from the old-and-busted hooks to the new simple-and-secure hooks.

If you’re good with your shell, can you please do this, and paste the output:

[[email protected] sysadmin]# cd /var/www/html/admin/modules/sysadmin/hooks
[[email protected] hooks]# ./fail2ban-getbanned
[[email protected] hooks]# cat /var/spool/asterisk/sysadmin/banned
{"_timestamp":1437973180,“SIP”:[“1.2.3.4/32”]}[[email protected] hooks]#
[[email protected] hooks]#

That part in bold is what should be visible in the GUI (formatted correctly, of course).

Preemptive warning: Don’t try to edit that file, as it’ll immediately stop working, and cause FreePBX to crash when it tries to run it. (This is me in my paranoid ‘someone is trying to hack your machine, and I’m just going to sit in the corner and cry’ response.)

Hi Rob,
I do this like you

[[email protected] ~]# cd /var/www/html/admin/modules/sysadmin/hooks/
[[email protected] hooks]# ./fail2ban-getbanned
[[email protected] hooks]# cat /var/spool/asterisk/sysadmin/banned
{"_timestamp":1437979665}[[email protected] hooks]#
[[email protected] hooks]#

and after

[[email protected] ~]# /sbin/iptables-save
# Generated by iptables-save v1.4.7 on Mon Jul 27 09:50:56 2015
*filter
:INPUT ACCEPT [11806:2836109]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9758:2486378]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-recidive - [0:0]
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-FTP
-A INPUT -p tcp -m multiport --dports 80 -j fail2ban-apache-auth
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-SIP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-SIP -s 62.210.251.134/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 195.154.157.126/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 194.12.239.81/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 107.150.57.2/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache-auth -j RETURN
-A fail2ban-recidive -j RETURN
COMMIT
# Completed on Mon Jul 27 09:50:56 2015

And I see "Banned IP’s No Banned IP’s "

Thank you so much for helping me

Looking good! thanks!

Hi Bryan and Rob
now everything is ok
Thank you one more time