fail2ban not banning

    crankshaft
    Participant

    As you can see from the logs, fail2ban is detecting the intrusion and says that the IP is still banned, but it keeps detecting it, which means that it is not banned by the firewall.

    The ban settings are 1 attempt, and ban for 86400 seconds over a 600 seconds period.

    I have tried re-installing fail2ban but it makes no difference.

    This is using the VitalPBX ready-made setup on DigitalOcean.

     

    2020-04-13 11:00:11,760 fail2ban.actions        [22086]: NOTICE  [asterisk-vpbx] 45.56.172.55 already banned

    2020-04-13 11:00:16,078 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:16

    2020-04-13 11:00:16,082 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:16

    2020-04-13 11:00:24,244 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:24

    2020-04-13 11:00:24,245 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:24

    2020-04-13 11:00:24,378 fail2ban.actions        [22086]: NOTICE  [asterisk-vpbx] 45.56.172.55 already banned

    2020-04-13 11:00:24,627 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:24

    2020-04-13 11:00:24,628 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:24

    2020-04-13 11:00:37,093 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:37

    2020-04-13 11:00:37,104 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:37

    2020-04-13 11:00:37,196 fail2ban.actions        [22086]: WARNING [asterisk-vpbx] 45.56.172.55 already banned

    2020-04-13 11:00:37,276 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:37

    2020-04-13 11:00:37,277 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:37

    2020-04-13 11:00:49,789 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:49

    2020-04-13 11:00:49,791 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:49

    2020-04-13 11:00:49,816 fail2ban.actions        [22086]: WARNING [asterisk-vpbx] 45.56.172.55 already banned

    2020-04-13 11:01:02,513 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:02

    2020-04-13 11:01:02,516 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:02

    2020-04-13 11:01:15,957 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:15

    2020-04-13 11:01:15,958 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:15

    2020-04-13 11:01:16,454 fail2ban.actions        [22086]: WARNING [asterisk-vpbx] 45.56.172.55 already banned

    2020-04-13 11:01:28,493 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:28

    2020-04-13 11:01:28,494 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:28

    2020-04-13 11:01:41,058 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:41

    2020-04-13 11:01:41,059 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:41

    2020-04-13 11:01:41,288 fail2ban.actions        [22086]: WARNING [asterisk-vpbx] 45.56.172.55 already banned

    2020-04-13 11:01:53,785 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:53

    2020-04-13 11:01:53,786 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:53

    2020-04-13 11:02:06,713 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:02:06

    2020-04-13 11:02:06,714 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:02:06

    2020-04-13 11:02:07,327 fail2ban.actions        [22086]: WARNING [asterisk-vpbx] 45.56.172.55 already banned

     

    0
Viewing 15 replies - 1 through 15 (of 16 total)
  • Replies
    crankshaft
    Participant

    When I check IP tables, it shows that the IP is not banned:

     

    # iptables -L INPUT -v -n | grep "45.56.172.55"
    0
    crankshaft
    Participant

    Seems there are quite a few errors:

     

    # cat /var/log/fail2ban.log | grep ERROR

    2020-04-13 10:59:30,387 fail2ban.utils          [1119]: ERROR   7f61a9354978 -- exec: iptables -w -F f2b-asterisk-vpbx

    2020-04-13 10:59:30,388 fail2ban.utils          [1119]: ERROR   7f61a9354978 -- stderr: 'iptables: No chain/target/match by that name.'

    2020-04-13 10:59:30,388 fail2ban.utils          [1119]: ERROR   7f61a9354978 -- returned 1

    2020-04-13 10:59:30,388 fail2ban.actions        [1119]: ERROR   Failed to flush bans in jail 'asterisk-vpbx' action 'firewallcmd-ipset': Error flushing action Jail('asterisk-vpbx')/firewallcmd-ipset: 'Script error'

    2020-04-13 10:59:31,801 fail2ban.transmitter    [22086]: ERROR   Jail 'sshd-ddos' skipped, because of wrong configuration: Unable to read the filter 'sshd-ddos'

     

    0
    crankshaft
    Participant

    Also, why does ipset list show almost 46,000 blocked IP addresses, given that this system has only been up for a little over a week? Is the ipset populated automatically with a default block list during installation?

    # ipset list | wc -l

    45992

     

    0

    VitalPBX comes by default with a list of most common VoIP attackers, that’s why you see 46,000 blocked IP addresses.

    As for why you don’t see the banned IP in iptables: it is because we use ipsets to block attackers.

    Chain vpbx_fail2ban (1 references)
    target prot opt source destination
    REJECT all -- anywhere anywhere match-set fail2ban-apache-noscript src reject-with icmp-port-unreachable
    REJECT all -- anywhere anywhere match-set fail2ban-sshd src reject-with icmp-port-unreachable
    REJECT all -- anywhere anywhere match-set fail2ban-vitalpbx-gui src reject-with icmp-port-unreachable
    REJECT all -- anywhere anywhere match-set fail2ban-asterisk-vpbx src reject-with icmp-port-unreachable
    REJECT all -- anywhere anywhere match-set fail2ban-apache-auth src reject-with icmp-port-unreachable

    So, if you want to see the blocked IP addresses you must use the following command:

    ipset list fail2ban-sshd
    0
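To turn the explanation above into a check you can run, here is an added example (not VitalPBX's or fail2ban's code) that parses the text of `ipset list` and `iptables -L vpbx_fail2ban` and decides whether an address is really enforced: it must be a member of a set, and that set must be consulted by a REJECT/DROP rule in a chain that is referenced at least once (a chain with 0 references never sees a packet). The chain listing is the one quoted in the reply above; the ipset output is a constructed sample using the thread's set names and attacker address.

```python
"""Check whether an IP is actually enforced by the ipset-based layout
VitalPBX describes.  Added example, not VitalPBX or fail2ban code.
It parses captured text of 'ipset list' and 'iptables -L <chain>' so it
runs offline; on a live system feed it the real command output.
Membership in a set is not enough: the set must be referenced by a
REJECT/DROP rule in a chain that is itself referenced (0 references
means no packet is ever routed through the chain)."""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((\d+) references\)")
RULE_RE = re.compile(r"^\s*(REJECT|DROP)\b.*\bmatch-set (\S+) src\b")


def ipset_members(ipset_output):
    """Map set name -> set of member addresses from 'ipset list' text."""
    sets, current, in_members = {}, None, False
    for line in ipset_output.splitlines():
        if line.startswith("Name: "):
            current, in_members = line[6:].strip(), False
            sets[current] = set()
        elif line.startswith("Members:"):
            in_members = True
        elif in_members and current and line.strip():
            sets[current].add(line.split()[0])  # drop the 'timeout N' suffix
    return sets


def blocking_sets(iptables_output):
    """Names of sets used by a REJECT/DROP rule inside a referenced chain."""
    active, refs = set(), 0
    for line in iptables_output.splitlines():
        chain = CHAIN_RE.match(line)
        if chain:
            refs = int(chain.group(2))
            continue
        rule = RULE_RE.match(line)
        if rule and refs > 0:
            active.add(rule.group(2))
    return active


def is_blocked(ip, ipset_output, iptables_output):
    """True only if ip is in a set that a live REJECT/DROP rule consults."""
    members = ipset_members(ipset_output)
    return any(ip in members.get(name, ()) for name in blocking_sets(iptables_output))


# Chain listing as quoted in the thread (two of its rules).
IPTABLES_SAMPLE = """\
Chain vpbx_fail2ban (1 references)
target prot opt source destination
REJECT all -- anywhere anywhere match-set fail2ban-sshd src reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere match-set fail2ban-asterisk-vpbx src reject-with icmp-port-unreachable
"""

# Constructed 'ipset list' output with the thread's attacker address in the asterisk set.
IPSET_SAMPLE = """\
Name: fail2ban-asterisk-vpbx
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 86400
Size in memory: 296
References: 1
Number of entries: 1
Members:
45.56.172.55 timeout 86115

Name: fail2ban-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 86400
Size in memory: 200
References: 1
Number of entries: 0
Members:
"""

if __name__ == "__main__":
    for ip in ("45.56.172.55", "203.0.113.9"):
        print(ip, "blocked" if is_blocked(ip, IPSET_SAMPLE, IPTABLES_SAMPLE) else "NOT blocked")
    # Same rules, but the chain is no longer referenced from INPUT: nothing is enforced.
    orphan = IPTABLES_SAMPLE.replace("(1 references)", "(0 references)")
    print("45.56.172.55 with orphan chain:", is_blocked("45.56.172.55", IPSET_SAMPLE, orphan))
```

On a live box, `iptables -L INPUT -n` must also show a jump to `vpbx_fail2ban`; the "(N references)" count in the chain header is the quick way to confirm that jump exists.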
    crankshaft
    Participant

    Thanks, but the real issue is in post #1.

    Fail2ban says the IP is blocked, yet the hacking attempts continue from that IP and are not being blocked.

    This suggests that the IP is listed in the fail2ban database but is not being used by iptables.

     

     

    0
    MAX202
    Participant

    Same problem here.

    https://vitalpbx.org/en/community/postid/6275/

    A workaround is to block it on the firewall, e.g. pfSense.

    0

    Are you using the latest version of VitalPBX? Did you already perform a full update of the server?

    0
    crankshaft
    Participant

    Yes, that would be the first thing that I would do before posting!

     

     Version        : 2.4.1-3
    Asterisk       : Asterisk 16.6.2
    Linux Version : CentOS Linux release 7.7.1908 (Core)

     

    Just a reminder that this is the ready-made installation droplet for DigitalOcean.

     

    0

    Why do you believe the IP is not blocked? Do you see any activity on the Asterisk console generated by that IP address?

    0
    crankshaft
    Participant

    Yes, the Asterisk console showed the repeated attempts to guess the extension and password.

    Besides, if the IP was blocked, then the logs would not continue to show another attempt every second!

     

    [2020-04-13 10:58:33] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:8742@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:61594' - Wrong password
    [2020-04-13 10:58:35] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:9189@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:62429' - Wrong password
    [2020-04-13 10:58:40] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:8384@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:64811' - Wrong password
    [2020-04-13 10:58:41] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:7782@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:65380' - Wrong password
    [2020-04-13 10:58:41] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:8835@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:65457' - Wrong password
    [2020-04-13 10:58:42] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:5679@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:49941' - Wrong password
    [2020-04-13 10:58:46] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:1637@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:52098' - Wrong password
    [2020-04-13 10:58:47] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:3122@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:52638' - Wrong password
    [2020-04-13 10:58:53] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:2791@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:55574' - Wrong password
    [2020-04-13 10:58:53] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:8690@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:55669' - Wrong password
    [2020-04-13 10:58:53] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:5901@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:55733' - Wrong password
    [2020-04-13 10:58:55] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:2941@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:56537' - Wrong password
    [2020-04-13 10:59:00] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:2927@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:59032' - Wrong password
    [2020-04-13 10:59:06] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:622@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:62131' - Wrong password
    [2020-04-13 10:59:06] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:1581@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:62169' - Wrong password
    [2020-04-13 10:59:07] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:1939@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:62736' - Wrong password
    [2020-04-13 10:59:08] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:7559@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:63548' - Wrong password
    [2020-04-13 10:59:13] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:8406@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:59050' - Wrong password
    [2020-04-13 10:59:18] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:9318@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:61989' - Wrong password
    [2020-04-13 10:59:18] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:2251@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:62003' - Wrong password
    [2020-04-13 10:59:19] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:6150@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:62555' - Wrong password

     

    0

    Try the following:

     

    In the file /etc/fail2ban/filter.d/asterisk-vpbx.conf, replace the line:

    log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*( in \w+:)?

    with:

    log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?

    then restart fail2ban:

    systemctl restart fail2ban.service

     

    0
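The difference between the two `log_prefix` lines is the optional " in " before the function name: Asterisk 16 writes `chan_sip.c:28939 handle_request_register:` while older releases wrote `chan_sip.c:28939 in handle_request_register:`. Here is an added example (not fail2ban's own `fail2ban-regex` tool, nor VitalPBX code) that runs both prefixes against the Asterisk line quoted earlier in the thread, using the same Python regex engine fail2ban uses. The backslashes the forum stripped from the posted lines are restored as in the stock fail2ban asterisk filter, and the "Registration from" tail is the stock asterisk failregex, assumed here to be what asterisk-vpbx.conf also uses.

```python
"""Test the old and new asterisk log_prefix from the post against the
Asterisk lines quoted in the thread.  Added example, not fail2ban's own
tool: it reproduces what fail2ban-regex does with fail2ban's own Python
regexes.  Backslashes stripped by the forum are restored here as in the
stock fail2ban asterisk filter; the 'Registration from' tail is the
stock asterisk failregex, assumed to match asterisk-vpbx.conf."""
import re

PID_RE = r"(?:\s*\[\d+\])"  # __pid_re from fail2ban's asterisk filter

OLD_PREFIX = (r"(?:NOTICE|SECURITY|WARNING)" + PID_RE +
              r":?(?:\[C-[\da-f]*\])? [^:]+:\d*(?: in \w+:)?")
NEW_PREFIX = (r"(?:NOTICE|SECURITY|WARNING)" + PID_RE +
              r":?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?")

# Stock failregex tail for a failed SIP registration, with <HOST>
# expanded the way fail2ban expands it.
FAIL_TAIL = (r" Registration from '[^']*' failed for "
             r"'(?P<host>[\w\-.^_]*\w)(?::\d+)?' - Wrong password$")

# fail2ban strips the timestamp before matching, so do the same here.
DATE_RE = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\] ")


def match_host(line, prefix):
    """Return the offending host if the filter would match, else None."""
    body = DATE_RE.sub("", line, count=1)
    m = re.match("^" + prefix + FAIL_TAIL, body)
    return m.group("host") if m else None


# Line as Asterisk 16 writes it (quoted in the thread): no " in " before
# the function name.
ASTERISK16 = ("[2020-04-13 10:58:33] NOTICE[1790]: chan_sip.c:28939 "
              "handle_request_register: Registration from "
              "'<sip:8742@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:61594' "
              "- Wrong password")
# Constructed: the same event in the older "in <function>:" format.
ASTERISK_OLD = ASTERISK16.replace("chan_sip.c:28939 handle",
                                  "chan_sip.c:28939 in handle")

if __name__ == "__main__":
    for name, line in (("asterisk16", ASTERISK16), ("older", ASTERISK_OLD)):
        print(name, "old prefix:", match_host(line, OLD_PREFIX),
              "new prefix:", match_host(line, NEW_PREFIX))
```

The new prefix accepts both log formats, which is why it is the safe replacement; after editing the filter, `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk-vpbx.conf` is the real-system equivalent of this check.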
    crankshaft
    Participant

    Thanks, just done that, but I won't know whether it makes any difference until another hack is attempted.

     

    0
    crankshaft
    Participant

    But the issue appears to be that iptables is not using the ban list, as fail2ban reports that the IP is blocked; you can see that from the logs!

    ipset showed that the IP was listed, but iptables did not appear to use it.

     

    # ipset list | grep "45.56.172.55"
    45.56.172.55

     

     

    0

    If the attacks stopped, that means the change in the filters is working.

    0
    crankshaft
    Participant

    Still not working:

     

    2020-04-17 23:31:02,406 fail2ban.actions        [27662]: NOTICE  [asterisk-vpbx] Ban 5.183.92.98

    2020-04-17 23:31:02,414 fail2ban.filter         [27662]: INFO    [recidive] Found 5.183.92.98 - 2020-04-17 23:31:02

    2020-04-17 23:55:44,375 fail2ban.filter         [27662]: INFO    [asterisk-vpbx] Found 5.183.92.98 - 2020-04-17 23:55:44

    2020-04-17 23:55:44,376 fail2ban.filter         [27662]: INFO    [asterisk-vpbx] Found 5.183.92.98 - 2020-04-17 23:55:44

    2020-04-17 23:58:04,905 fail2ban.filter         [27662]: INFO    [asterisk-vpbx] Found 5.183.92.98 - 2020-04-17 23:58:04

    2020-04-17 23:58:04,906 fail2ban.filter         [27662]: INFO    [asterisk-vpbx] Found 5.183.92.98 - 2020-04-17 23:58:04

    2020-04-17 23:58:05,527 fail2ban.actions        [27662]: WARNING [asterisk-vpbx] 5.183.92.98 already banned

     

    0
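The symptom in post #1 and in the "Still not working" log just above is the same: the jail records a Ban or "already banned" and then keeps finding the same address seconds or minutes later. As an added example (not fail2ban's or VitalPBX's code), this script reads fail2ban.log lines and counts, per jail and address, the Found events whose own timestamp is later than the first ban record for that address; with a working firewall path the count is zero. The sample lines are the ones quoted in this thread.

```python
"""Find bans that fail2ban recorded but the firewall is not enforcing.

Added example, not fail2ban or VitalPBX code.  For each jail and IP it
remembers the first 'Ban X' or 'X already banned' line, then counts
later 'Found X - <time>' lines whose event time is past that ban plus a
short grace period.  Once the firewall rule is in place the banned
source cannot produce new log lines, so any count above zero means the
ban is not being enforced, which is what this thread shows."""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.\w+\s+\[\d+\]: "
    r"\w+\s+\[(?P<jail>[\w-]+)\] (?P<msg>.*)$")
BAN_RE = re.compile(r"^(?:Ban (?P<ip1>\S+)|(?P<ip2>\S+) already banned)$")
FOUND_RE = re.compile(r"^Found (?P<ip>\S+) - (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def unenforced_bans(lines, grace_seconds=2):
    """Return {(jail, ip): n} for addresses still found after their ban.

    grace_seconds tolerates Asterisk lines written in the moment between
    fail2ban deciding to ban and the firewall rule taking effect."""
    banned_at = {}  # (jail, ip) -> datetime of first ban record
    leaked = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        jail, msg = m.group("jail"), m.group("msg")
        ban = BAN_RE.match(msg)
        if ban:
            ip = ban.group("ip1") or ban.group("ip2")
            banned_at.setdefault((jail, ip), _ts(m.group("ts")))
            continue
        found = FOUND_RE.match(msg)
        if found:
            key = (jail, found.group("ip"))
            limit = banned_at.get(key)
            if limit and _ts(found.group("ts")) > limit + timedelta(seconds=grace_seconds):
                leaked[key] = leaked.get(key, 0) + 1
    return leaked


# Lines quoted in this thread (first post and the 'Still not working' post).
SAMPLE_LOG = """\
2020-04-13 11:00:11,760 fail2ban.actions        [22086]: NOTICE  [asterisk-vpbx] 45.56.172.55 already banned
2020-04-13 11:00:16,078 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:16
2020-04-13 11:00:24,244 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:24
2020-04-13 11:00:24,378 fail2ban.actions        [22086]: NOTICE  [asterisk-vpbx] 45.56.172.55 already banned
2020-04-17 23:31:02,406 fail2ban.actions        [27662]: NOTICE  [asterisk-vpbx] Ban 5.183.92.98
2020-04-17 23:31:02,414 fail2ban.filter         [27662]: INFO    [recidive] Found 5.183.92.98 - 2020-04-17 23:31:02
2020-04-17 23:55:44,375 fail2ban.filter         [27662]: INFO    [asterisk-vpbx] Found 5.183.92.98 - 2020-04-17 23:55:44
2020-04-17 23:58:04,905 fail2ban.filter         [27662]: INFO    [asterisk-vpbx] Found 5.183.92.98 - 2020-04-17 23:58:04
2020-04-17 23:58:05,527 fail2ban.actions        [27662]: WARNING [asterisk-vpbx] 5.183.92.98 already banned
"""

if __name__ == "__main__":
    for (jail, ip), n in sorted(unenforced_bans(SAMPLE_LOG.splitlines()).items()):
        print(f"{jail}: {ip} still matched {n} time(s) after being banned")
```

The recidive line is not counted because that jail never recorded a ban for the address; only a Found that follows a ban in the same jail is evidence that the firewall rule is missing.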