Fail to ban

  • Post
    novapcjau
    Participant

    Hello, I have a server that the intruder detector always restarts, the intruder detector is disabled, and also the CPU usage of my VPS is at 100% all the time, getting very slow, and it only has a trunk and an extension.
    Do you have any updates that can solve this?

  • Replies

    What version of VitalPBX are you running?

    novapcjau
    Participant

    2.1.0-6 


    You must enable the fail2ban service; this will block the attackers. Also, you should check the Intrusion detection settings.

    toxicfusion
    Participant

    Same issue for me… suddenly the latest release has issues. Customers are complaining now due to high CPU, as it is causing dropped calls.

    fail2ban running, intrusion detection (same as fail2ban) is OK… but tearing into CPU. Doesn't seem as if logrotate is working by default. I have manually done it via logrotate -f /etc/logrotate.conf

    toxicfusion
    Participant

    -- Unit fail2ban.service has finished shutting down.
    Dec 27 12:15:40 systemd[1]: Starting Fail2Ban Service...
    -- Subject: Unit fail2ban.service has begun start-up
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

    -- Unit fail2ban.service has begun starting up.
    Dec 27 12:15:41 fail2ban-client[24178]: 2018-12-27 12:15:41,128 fail2ban.server [24179]: INFO Starting Fail2ban v0.9.7
    Dec 27 12:15:41 fail2ban-client[24178]: 2018-12-27 12:15:41,128 fail2ban.server [24179]: INFO Starting in daemon mode
    Dec 27 12:15:44 firewalld[5119]: WARNING: ALREADY_ENABLED: rule '('-m', 'set', '--match-set', 'fail2ban-sshd', 'src', '-j', 'REJECT', '--reject-with', 'icmp-port-unreachable')' already is in 'ipv4:filter:ombu_fail2ban'
    Dec 27 12:15:46 firewalld[5119]: WARNING: ALREADY_ENABLED: rule '('-m', 'set', '--match-set', 'fail2ban-sshd-ddos', 'src', '-j', 'REJECT', '--reject-with', 'icmp-port-unreachable')' already is in 'ipv4:filter:ombu_fail2ban'
    Dec 27 12:15:48 firewalld[5119]: WARNING: ALREADY_ENABLED: rule '('-m', 'set', '--match-set', 'fail2ban-dropbear', 'src', '-j', 'REJECT', '--reject-with', 'icmp-port-unreachable')' already is in 'ipv4:filter:ombu_fail2ban'
    Dec 27 12:15:49 firewalld[5119]: WARNING: ALREADY_ENABLED: rule '('-m', 'set', '--match-set', 'fail2ban-apache-auth', 'src', '-j', 'REJECT', '--reject-with', 'icmp-port-unreachable')' already is in 'ipv4:filter:ombu_fail2ban'

     

    It appears that after a while fail2ban does start, then CPU drops down away from 100% and normalizes. At first, fail2ban failed to restart.

    Rodrigo Cuadra
    Keymaster

    If you have this problem, it is because you have a massive attack. Check your firewall better and try to only allow IPs that you know.


    Has someone already fixed this issue?

    dsmagghe
    Participant

    Well, I have been struggling with this issue since Ombutel; the following script helps out. I know it is not the best solution, but I cronjob it every 6 hours and it helps, since it is mostly the fail2ban database getting corrupted.

    # Paths to the fail2ban log file and its SQLite database
    F2Blog="/var/log/fail2ban.log"
    F2Bdb="/var/lib/fail2ban/fail2ban.sqlite3"

    # Now let us clean up
    echo "Stopping Fail2Ban Service"
    sudo service fail2ban stop
    echo "Truncating Fail2Ban Log File"
    sudo truncate -s 0 "$F2Blog"
    echo "Deleting Fail2Ban SQLite Database"
    sudo rm -f "$F2Bdb"
    echo "Restarting Fail2Ban Service"
    sudo service fail2ban restart
    echo "All Done"
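
A more conservative variant of the cleanup above, as an added example that is not dsmagghe's script or VitalPBX's own code: it checks whether the database is actually damaged before touching it, and moves it aside instead of deleting it. Assumptions: the database path from the post, the `sqlite3` command-line tool being used only when installed, and the hypothetical function names.

```shell
#!/bin/sh
# Added example: reset the fail2ban database only when it is really damaged.
# fail2ban persists its ban history in this file, so removing it on a timer
# also throws away the record of addresses that were already banned.
F2Bdb="${F2Bdb:-/var/lib/fail2ban/fail2ban.sqlite3}"

# db_state FILE -> prints "absent", "ok" or "corrupt"
db_state() {
    [ -e "$1" ] || { echo absent; return 0; }
    # Every SQLite 3 file starts with the text "SQLite format 3".
    magic=$(head -c 15 "$1" 2>/dev/null)
    [ "$magic" = "SQLite format 3" ] || { echo corrupt; return 0; }
    # Full check only if the sqlite3 CLI is installed (assumption: optional).
    # The timeout avoids misreading a briefly locked database as damaged.
    if command -v sqlite3 >/dev/null 2>&1; then
        res=$(printf '.timeout 5000\nPRAGMA integrity_check;\n' \
              | sqlite3 "$1" 2>/dev/null)
        [ "$res" = "ok" ] || { echo corrupt; return 0; }
    fi
    echo ok
}

# quarantine_db FILE -> move a damaged database aside, print the new path
quarantine_db() {
    dest="$1.corrupt.$(date +%Y%m%d%H%M%S)"
    mv -- "$1" "$dest" && echo "$dest"
}

# maintain: meant to run as root from cron; restarts the service only if needed
maintain() {
    state=$(db_state "$F2Bdb")
    echo "fail2ban database state: $state"
    [ "$state" = "corrupt" ] || return 0
    systemctl stop fail2ban
    quarantine_db "$F2Bdb"
    systemctl start fail2ban
}

# Act only when called with --run, so loading the functions has no side effects.
if [ "${1:-}" = "--run" ]; then maintain; fi
```

The quarantined copy can be inspected later to find out why the database keeps breaking, which a plain `rm` makes impossible.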

    toxicfusion
    Participant
    Posted by: dsmagghe

    Well, I have been struggling with this issue since Ombutel; the following script helps out. I know it is not the best solution, but I cronjob it every 6 hours and it helps, since it is mostly the fail2ban database getting corrupted.

    # Paths to the fail2ban log file and its SQLite database
    F2Blog="/var/log/fail2ban.log"
    F2Bdb="/var/lib/fail2ban/fail2ban.sqlite3"

    # Now let us clean up
    echo "Stopping Fail2Ban Service"
    sudo service fail2ban stop
    echo "Truncating Fail2Ban Log File"
    sudo truncate -s 0 "$F2Blog"
    echo "Deleting Fail2Ban SQLite Database"
    sudo rm -f "$F2Bdb"
    echo "Restarting Fail2Ban Service"
    sudo service fail2ban restart
    echo "All Done"

    Thank you for this tip. Fixed the issue I was having with one of my VPSs… fail2ban was consuming 95-100% CPU for no reason. I'll keep an eye on it for the next few days.

    kbohannon
    Participant

    When I am viewing asterisk -rvv on some of my servers I am seeing hundreds of password guesses by a single IP. Fail2Ban is configured -1 to ban forever. Is the asterisk-vpbx jail not working? Do I need to change something in jail.local to get this to work? SSH I simply drop; it's brute force SIP password guesses I am getting hammered by, and Fail2Ban doesn't seem to do anything.
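
To check whether guesses like these reach the log in a form a jail can count, the sketch below tallies failed registrations per source IP and lists the ones that are not on the banned list. It is an added example, not part of the thread or VitalPBX's own code. The log lines are constructed samples in chan_sip's `Registration from ... failed for` format; the log path in the comment, the threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example: which source IPs keep failing SIP registration, and are
# they on the jail's banned list?

# Constructed sample lines in chan_sip NOTICE format (not from a real server).
sample_log() {
cat <<'EOF'
[2018-12-27 12:15:40] NOTICE[2101] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7:5071' - Wrong password
[2018-12-27 12:15:41] NOTICE[2101] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.7:5071' - Wrong password
[2018-12-27 12:15:41] NOTICE[2101] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.7:5071' - No matching peer found
[2018-12-27 12:15:42] NOTICE[2101] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.23:5060' - Wrong password
[2018-12-27 12:15:43] VERBOSE[2101] chan_sip.c: Registered SIP '300' at 198.51.100.40:5060
EOF
}

# failed_by_ip: log on stdin -> "count ip" lines, highest count first.
# Fields are split on single quotes; the next-to-last one is "ip:port".
failed_by_ip() {
    awk -F"'" '/Registration from .* failed for / {
        host = $(NF-1)
        sub(/:[0-9]+$/, "", host)
        hits[host]++
    }
    END { for (h in hits) print hits[h], h }' | sort -rn
}

# over_threshold N: IPs with at least N failures (compare with maxretry).
over_threshold() {
    failed_by_ip | awk -v n="$1" '$1 >= n { print $2 }'
}

# unbanned_offenders N "ip1 ip2 ...": offenders missing from the banned list.
unbanned_offenders() {
    over_threshold "$1" | while read -r ip; do
        case " $2 " in *" $ip "*) ;; *) echo "$ip" ;; esac
    done
}

# On a live system (jail name from the thread, log path assumed):
#   banned=$(fail2ban-client status asterisk-vpbx \
#            | sed -n 's/.*Banned IP list:[[:space:]]*//p')
#   unbanned_offenders 3 "$banned" < /var/log/asterisk/messages
sample_log | failed_by_ip
```

An address that shows up here well above the jail's `maxretry` but is absent from `fail2ban-client status asterisk-vpbx` suggests the jail's log path or filter is not matching these lines.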


    kbohannon, what version of VitalPBX are you using?

    kbohannon
    Participant

    The latest. Here’s a screenshot. This is happening on several of my servers. I really wish I could just put in an IP somewhere in the GUI and have it be blacklisted everywhere.


    Could you check the status of the Fail2ban service:

    systemctl status fail2ban

    If it is running, try to restart it:

    systemctl restart fail2ban

    kbohannon
    Participant

    No effect. Thoughts? Fail2Ban seems to be not doing anything.


    kbohannon, we just released a new version of VitalPBX that fixed up some issues regarding fail2ban.
