fail2ban not banning

This topic has 16 replies, 4 voices, and was last updated 8 months, 3 weeks ago by PitzKey.

Post

April 13, 2020 at 3:11 am

Quote

crankshaft

Participant

As you can see from the logs, fail2 ban is detecting the intrusion and says that the ip is still banned, but it keeps detecting which means that it is not banned by the firewall.

The ban settings are 1 attempt, and ban for 86400 seconds over a 600 seconds period.

I have tried re-installing fail2ban but it makes no difference.

This is using the virtual-pbx ready made setup on digital ocean.

2020-04-13 11:00:11,760 fail2ban.actions        [22086]: NOTICE  [asterisk-vpbx] 45.56.172.55 already banned

2020-04-13 11:00:16,078 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:16

2020-04-13 11:00:16,082 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:16

2020-04-13 11:00:24,244 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:24

2020-04-13 11:00:24,245 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:24

2020-04-13 11:00:24,378 fail2ban.actions        [22086]: NOTICE  [asterisk-vpbx] 45.56.172.55 already banned

2020-04-13 11:00:24,627 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:24

2020-04-13 11:00:24,628 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:24

2020-04-13 11:00:37,093 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:37

2020-04-13 11:00:37,104 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:37

2020-04-13 11:00:37,196 fail2ban.actions        [22086]: WARNING [asterisk-vpbx] 45.56.172.55 already banned

2020-04-13 11:00:37,276 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:37

2020-04-13 11:00:37,277 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:37

2020-04-13 11:00:49,789 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:49

2020-04-13 11:00:49,791 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:00:49

2020-04-13 11:00:49,816 fail2ban.actions        [22086]: WARNING [asterisk-vpbx] 45.56.172.55 already banned

2020-04-13 11:01:02,513 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:02

2020-04-13 11:01:02,516 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:02

2020-04-13 11:01:15,957 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:15

2020-04-13 11:01:15,958 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:15

2020-04-13 11:01:16,454 fail2ban.actions        [22086]: WARNING [asterisk-vpbx] 45.56.172.55 already banned

2020-04-13 11:01:28,493 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:28

2020-04-13 11:01:28,494 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:28

2020-04-13 11:01:41,058 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:41

2020-04-13 11:01:41,059 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:41

2020-04-13 11:01:41,288 fail2ban.actions        [22086]: WARNING [asterisk-vpbx] 45.56.172.55 already banned

2020-04-13 11:01:53,785 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:53

2020-04-13 11:01:53,786 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:01:53

2020-04-13 11:02:06,713 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:02:06

2020-04-13 11:02:06,714 fail2ban.filter         [22086]: INFO    [asterisk-vpbx] Found 45.56.172.55 - 2020-04-13 11:02:06

2020-04-13 11:02:07,327 fail2ban.actions        [22086]: WARNING [asterisk-vpbx] 45.56.172.55 already banned

Viewing 15 replies - 1 through 15 (of 16 total)

1 2 →

Replies

April 13, 2020 at 3:17 am

Quote

crankshaft

Participant

Down

When I check IP tables, it shows that the IP is not banned:

# iptables -L INPUT -v -n | grep "45.56.172.55"

April 13, 2020 at 3:26 am

Quote

crankshaft

Participant

Down

Seems there are quite a few errors:

# cat /var/log/fail2ban.log | grep ERROR

2020-04-13 10:59:30,387 fail2ban.utils          [1119]: ERROR   7f61a9354978 -- exec: iptables -w -F f2b-asterisk-vpbx

2020-04-13 10:59:30,388 fail2ban.utils          [1119]: ERROR   7f61a9354978 -- stderr: 'iptables: No chain/target/match by that name.'

2020-04-13 10:59:30,388 fail2ban.utils          [1119]: ERROR   7f61a9354978 -- returned 1

2020-04-13 10:59:30,388 fail2ban.actions        [1119]: ERROR   Failed to flush bans in jail 'asterisk-vpbx' action 'firewallcmd-ipset': Error flushing action Jail('asterisk-vpbx')/firewallcmd-ipset: 'Script error'

2020-04-13 10:59:31,801 fail2ban.transmitter    [22086]: ERROR   Jail 'sshd-ddos' skipped, because of wrong configuration: Unable to read the filter 'sshd-ddos'

April 13, 2020 at 3:58 am

Quote

crankshaft

Participant

Down

Also, why does ipset list show almost 46,000 blocked ip addresses, given that this system has only been up for a little over a week. is the ipset populated automatically with a default block list during installation ?

# ipset list | wc -l

45992

April 13, 2020 at 9:48 pm

Quote

Jose Miguel Rivera

Keymaster

Down

VitalPBX comes by default with a list of most common VoIP attackers, that’s why you see 46,000 blocked IP addresses.

About why you don’t see the banned IP on the IP tables, is because we use IP sets to block attackers.

Chain vpbx_fail2ban (1 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             match-set fail2ban-apache-noscript src reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             match-set fail2ban-sshd src reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             match-set fail2ban-vitalpbx-gui src reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             match-set fail2ban-asterisk-vpbx src reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             match-set fail2ban-apache-auth src reject-with icmp-port-unreachable

So, if you want to see the blocked IP addresses you must use the following command:

ipset list fail2ban-sshd

April 13, 2020 at 11:15 pm

Quote

crankshaft

Participant

Down

Thanks, but the real issue is in post #1.

Fail2ban says the ip is blocked, yet the hacking attempts continue from that IP and are not being blocked.

This suggests that the ip is listed in the fail2ban database but is not being used by iptables.

April 14, 2020 at 4:16 am

Quote

MAX202

Participant

Down

same problem here

https://vitalpbx.org/en/community/postid/6275/

a workaround is to block it on firewall i.e pfsense

April 15, 2020 at 4:23 am

Quote

Jose Miguel Rivera

Keymaster

Down

Are u using the latest version of VitalPBX, did you already perform a full update of the Server?

April 15, 2020 at 5:02 am

Quote

crankshaft

Participant

Down

Yes, that would be the first thing that I would do before posting !

 Version        : 2.4.1-3
 Asterisk       : Asterisk 16.6.2
 Linux Version : CentOS Linux release 7.7.1908 (Core)

Just a reminder that this is the ready-made installation droplet for digital ocean.

April 15, 2020 at 5:07 am

Quote

Jose Miguel Rivera

Keymaster

Down

Why do you believe the IP is not blocked? Do you see any activity on the Asterisk console generated by that IP address?

April 15, 2020 at 5:16 am

Quote

crankshaft

Participant

Down

Yes, the asterisk console showed the repeated attempts to guess the extension and password.

Besides, if the IP was blocked, then the logs would not continue to show every second, another attempt !

[2020-04-13 10:58:33] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:8742@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:61594' - Wrong password
[2020-04-13 10:58:35] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:9189@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:62429' - Wrong password
[2020-04-13 10:58:40] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:8384@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:64811' - Wrong password
[2020-04-13 10:58:41] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:7782@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:65380' - Wrong password
[2020-04-13 10:58:41] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:8835@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:65457' - Wrong password
[2020-04-13 10:58:42] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:5679@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:49941' - Wrong password
[2020-04-13 10:58:46] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:1637@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:52098' - Wrong password
[2020-04-13 10:58:47] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:3122@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:52638' - Wrong password
[2020-04-13 10:58:53] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:2791@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:55574' - Wrong password
[2020-04-13 10:58:53] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:8690@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:55669' - Wrong password
[2020-04-13 10:58:53] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:5901@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:55733' - Wrong password
[2020-04-13 10:58:55] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:2941@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:56537' - Wrong password
[2020-04-13 10:59:00] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:2927@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:59032' - Wrong password
[2020-04-13 10:59:06] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:622@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:62131' - Wrong password
[2020-04-13 10:59:06] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:1581@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:62169' - Wrong password
[2020-04-13 10:59:07] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:1939@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:62736' - Wrong password
[2020-04-13 10:59:08] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:7559@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:63548' - Wrong password
[2020-04-13 10:59:13] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:8406@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:59050' - Wrong password
[2020-04-13 10:59:18] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:9318@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:61989' - Wrong password
[2020-04-13 10:59:18] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:2251@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:62003' - Wrong password
[2020-04-13 10:59:19] NOTICE[1790]: chan_sip.c:28939 handle_request_register: Registration from '<sip:6150@xxx.xxx.xxx.xxx>' failed for '45.56.172.55:62555' - Wrong password

April 15, 2020 at 5:52 am

Quote

Jose Miguel Rivera

Keymaster

Down

Try the following:

In the file: /etc/fail2ban/filter.d/asterisk-vpbx.conf, replace the line:

log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:[C-[da-f]*])? [^:]+:d*( in w+:)?

with:

log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:[C-[da-f]*])? [^:]+:d*(?:(?: in)? w+:)?

then restart the fail2ban:

systemctl restart fail2ban.service

April 15, 2020 at 6:26 am

Quote

crankshaft

Participant

Down

Thanks, just done that, but I wont know whether it makes any difference until another hack is attempted.

Screenshot-2020-04-15-at-2.28.20-PM.png

April 15, 2020 at 6:27 am

Quote

crankshaft

Participant

Down

But the issue appears to be that IPTABLES is not using the ban list, as fail2ban reports that the ip is blocked, you can see that from the logs !

ipset sowed that the ip was listed, but IP tables did not appear to use it

# ipset list | grep "45.56.172.55"
45.56.172.55

April 15, 2020 at 3:44 pm

Quote

Jose Miguel Rivera

Keymaster

Down

If the attacks stopped means that the change in the filters is working

April 18, 2020 at 8:09 am

Quote

crankshaft

Participant

Down

Still not working:

2020-04-17 23:31:02,406 fail2ban.actions        [27662]: NOTICE  [asterisk-vpbx] Ban 5.183.92.98

2020-04-17 23:31:02,414 fail2ban.filter         [27662]: INFO    [recidive] Found 5.183.92.98 - 2020-04-17 23:31:02

2020-04-17 23:55:44,375 fail2ban.filter         [27662]: INFO    [asterisk-vpbx] Found 5.183.92.98 - 2020-04-17 23:55:44

2020-04-17 23:55:44,376 fail2ban.filter         [27662]: INFO    [asterisk-vpbx] Found 5.183.92.98 - 2020-04-17 23:55:44

2020-04-17 23:58:04,905 fail2ban.filter         [27662]: INFO    [asterisk-vpbx] Found 5.183.92.98 - 2020-04-17 23:58:04

2020-04-17 23:58:04,906 fail2ban.filter         [27662]: INFO    [asterisk-vpbx] Found 5.183.92.98 - 2020-04-17 23:58:04

2020-04-17 23:58:05,527 fail2ban.actions        [27662]: WARNING [asterisk-vpbx] 5.183.92.98 already banned