› VitalPBX Community Support › General Discussion › fail2ban not banning
- This topic has 16 replies, 4 voices, and was last updated 3 months, 2 weeks ago by
PitzKey.
- Post
-
- April 13, 2020 at 3:11 am
As you can see from the logs, fail2 ban is detecting the intrusion and says that the ip is still banned, but it keeps detecting which means that it is not banned by the firewall.
The ban settings are 1 attempt, and ban for 86400 seconds over a 600 seconds period.
I have tried re-installing fail2ban but it makes no difference.
This is using the virtual-pbx ready made setup on digital ocean.
2020-04-13 11:00:11,760 fail2ban.actions [22086]: NOTICE [asterisk-vpbx] 45.56.172.55 already banned
2020-04-13 11:00:16,078 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:16
2020-04-13 11:00:16,082 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:16
2020-04-13 11:00:24,244 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:24
2020-04-13 11:00:24,245 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:24
2020-04-13 11:00:24,378 fail2ban.actions [22086]: NOTICE [asterisk-vpbx] 45.56.172.55 already banned
2020-04-13 11:00:24,627 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:24
2020-04-13 11:00:24,628 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:24
2020-04-13 11:00:37,093 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:37
2020-04-13 11:00:37,104 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:37
2020-04-13 11:00:37,196 fail2ban.actions [22086]: WARNING [asterisk-vpbx] 45.56.172.55 already banned
2020-04-13 11:00:37,276 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:37
2020-04-13 11:00:37,277 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:37
2020-04-13 11:00:49,789 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:49
2020-04-13 11:00:49,791 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:49
2020-04-13 11:00:49,816 fail2ban.actions [22086]: WARNING [asterisk-vpbx] 45.56.172.55 already banned
2020-04-13 11:01:02,513 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:02
2020-04-13 11:01:02,516 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:02
2020-04-13 11:01:15,957 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:15
2020-04-13 11:01:15,958 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:15
2020-04-13 11:01:16,454 fail2ban.actions [22086]: WARNING [asterisk-vpbx] 45.56.172.55 already banned
2020-04-13 11:01:28,493 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:28
2020-04-13 11:01:28,494 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:28
2020-04-13 11:01:41,058 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:41
2020-04-13 11:01:41,059 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:41
2020-04-13 11:01:41,288 fail2ban.actions [22086]: WARNING [asterisk-vpbx] 45.56.172.55 already banned
2020-04-13 11:01:53,785 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:53
2020-04-13 11:01:53,786 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:53
2020-04-13 11:02:06,713 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:02:06
2020-04-13 11:02:06,714 fail2ban.filter [22086]: INFO [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:02:06
2020-04-13 11:02:07,327 fail2ban.actions [22086]: WARNING [asterisk-vpbx] 45.56.172.55 already banned0
- Replies
-
- April 13, 2020 at 3:17 am
When I check IP tables, it shows that the IP is not banned:
# iptables -L INPUT -v -n | grep "45.56.172.55"0- April 13, 2020 at 3:26 am
Seems there are quite a few errors:
# cat /var/log/fail2ban.log | grep ERROR
2020-04-13 10:59:30,387 fail2ban.utils [1119]: ERROR 7f61a9354978 -- exec: iptables -w -F f2b-asterisk-vpbx
2020-04-13 10:59:30,388 fail2ban.utils [1119]: ERROR 7f61a9354978 -- stderr: 'iptables: No chain/target/match by that name.'
2020-04-13 10:59:30,388 fail2ban.utils [1119]: ERROR 7f61a9354978 -- returned 1
2020-04-13 10:59:30,388 fail2ban.actions [1119]: ERROR Failed to flush bans in jail 'asterisk-vpbx' action 'firewallcmd-ipset': Error flushing action Jail('asterisk-vpbx')/firewallcmd-ipset: 'Script error'
2020-04-13 10:59:31,801 fail2ban.transmitter [22086]: ERROR Jail 'sshd-ddos' skipped, because of wrong configuration: Unable to read the filter 'sshd-ddos'0- April 13, 2020 at 3:58 am
Also, why does ipset list show almost 46,000 blocked ip addresses, given that this system has only been up for a little over a week. is the ipset populated automatically with a default block list during installation ?
# ipset list | wc -l
459920- April 13, 2020 at 9:48 pm
VitalPBX comes by default with a list of most common VoIP attackers, that’s why you see 46,000 blocked IP addresses.
About why you don’t see the banned IP on the IP tables, is because we use IP sets to block attackers.
Chain vpbx_fail2ban (1 references)
target prot opt source destination
REJECT all -- anywhere anywhere match-set fail2ban-apache-noscript src reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere match-set fail2ban-sshd src reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere match-set fail2ban-vitalpbx-gui src reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere match-set fail2ban-asterisk-vpbx src reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere match-set fail2ban-apache-auth src reject-with icmp-port-unreachableSo, if you want to see the blocked IP addresses you must use the following command:
ipset list fail2ban-sshd
0- April 13, 2020 at 11:15 pm
Thanks, but the real issue is in post #1.
Fail2ban says the ip is blocked, yet the hacking attempts continue from that IP and are not being blocked.
This suggests that the ip is listed in the fail2ban database but is not being used by iptables.
0- April 14, 2020 at 4:16 am
same problem here
https://vitalpbx.org/en/community/postid/6275/
a workaround is to block it on firewall i.e pfsense
0- April 15, 2020 at 4:23 am
Are u using the latest version of VitalPBX, did you already perform a full update of the Server?
0- April 15, 2020 at 5:02 am
Yes, that would be the first thing that I would do before posting !
Version : 2.4.1-3
Asterisk : Asterisk 16.6.2
Linux Version : CentOS Linux release 7.7.1908 (Core)Just a reminder that this is the ready-made installation droplet for digital ocean.
0- April 15, 2020 at 5:07 am
Why do you believe the IP is not blocked? Do you see any activity on the Asterisk console generated by that IP address?
0- April 15, 2020 at 5:16 am
Yes, the asterisk console showed the repeated attempts to guess the extension and password.
Besides, if the IP was blocked, then the logs would not continue to show every second, another attempt !
[2020-04-13 10:58:33] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:8742@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:61594' - Wrong password
[2020-04-13 10:58:35] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:9189@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:62429' - Wrong password
[2020-04-13 10:58:40] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:8384@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:64811' - Wrong password
[2020-04-13 10:58:41] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:7782@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:65380' - Wrong password
[2020-04-13 10:58:41] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:8835@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:65457' - Wrong password
[2020-04-13 10:58:42] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:5679@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:49941' - Wrong password
[2020-04-13 10:58:46] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:1637@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:52098' - Wrong password
[2020-04-13 10:58:47] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:3122@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:52638' - Wrong password
[2020-04-13 10:58:53] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:2791@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:55574' - Wrong password
[2020-04-13 10:58:53] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:8690@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:55669' - Wrong password
[2020-04-13 10:58:53] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:5901@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:55733' - Wrong password
[2020-04-13 10:58:55] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:2941@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:56537' - Wrong password
[2020-04-13 10:59:00] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:2927@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:59032' - Wrong password
[2020-04-13 10:59:06] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:622@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:62131' - Wrong password
[2020-04-13 10:59:06] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:1581@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:62169' - Wrong password
[2020-04-13 10:59:07] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:1939@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:62736' - Wrong password
[2020-04-13 10:59:08] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:7559@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:63548' - Wrong password
[2020-04-13 10:59:13] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:8406@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:59050' - Wrong password
[2020-04-13 10:59:18] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:9318@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:61989' - Wrong password
[2020-04-13 10:59:18] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:2251@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:62003' - Wrong password
[2020-04-13 10:59:19] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:6150@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:62555' - Wrong password0- April 15, 2020 at 5:52 am
Try the following:
In the file: /etc/fail2ban/filter.d/asterisk-vpbx.conf, replace the line:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:[C-[da-f]*])? [^:]+:d*( in w+:)?with:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:[C-[da-f]*])? [^:]+:d*(?:(?: in)? w+:)?
then restart the fail2ban:
systemctl restart fail2ban.service
0- April 15, 2020 at 6:26 am
Thanks, just done that, but I wont know whether it makes any difference until another hack is attempted.
0- April 15, 2020 at 6:27 am
But the issue appears to be that IPTABLES is not using the ban list, as fail2ban reports that the ip is blocked, you can see that from the logs !
ipset sowed that the ip was listed, but IP tables did not appear to use it
# ipset list | grep "45.56.172.55"
45.56.172.550- April 15, 2020 at 3:44 pm
If the attacks stopped means that the change in the filters is working
0- April 18, 2020 at 8:09 am
Still not working:
2020-04-17 23:31:02,406 fail2ban.actions [27662]: NOTICE [asterisk-vpbx] Ban 5.183.92.98
2020-04-17 23:31:02,414 fail2ban.filter [27662]: INFO [recidive] Found 5.183.92.98 - 2020-04-17 23:31:02
2020-04-17 23:55:44,375 fail2ban.filter [27662]: INFO [asterisk-vpbx] Found 5.183.92.98 - 2020-04-17 23:55:44
2020-04-17 23:55:44,376 fail2ban.filter [27662]: INFO [asterisk-vpbx] Found 5.183.92.98 - 2020-04-17 23:55:44
2020-04-17 23:58:04,905 fail2ban.filter [27662]: INFO [asterisk-vpbx] Found 5.183.92.98 - 2020-04-17 23:58:04
2020-04-17 23:58:04,906 fail2ban.filter [27662]: INFO [asterisk-vpbx] Found 5.183.92.98 - 2020-04-17 23:58:04
2020-04-17 23:58:05,527 fail2ban.actions [27662]: WARNING [asterisk-vpbx] 5.183.92.98 already banned0
- You must be logged in to reply to this topic.