Issue with Fail2Ban

VitalPBX Community Support General Discussion Issue with Fail2Ban

  • Post
    TheG-Man
    Participant

    Greetings!

    Seems like there is an issue with fail2ban. I have it set to ban for 31536000; however, they don’t stay banned for that long. Banned IPs disappear from the ipset list and I can see them in the asterisk log.

    Here is what it shows after I restart it.

    Name: fail2ban-apache-badbots
    Type: hash:ip
    Revision: 1
    Header: family inet hashsize 1024 maxelem 65536 timeout 172800
    Size in memory: 16528
    References: 1
    Members:

    Name: fail2ban-asterisk-tcp
    Type: hash:ip
    Revision: 1
    Header: family inet hashsize 1024 maxelem 65536 timeout 600
    Size in memory: 17552
    References: 1
    Members:
    94.75.249.2 timeout 471
    94.177.238.211 timeout 470
    51.15.78.254 timeout 468
    93.115.29.150 timeout 469
    185.40.4.126 timeout 442
    212.129.46.199 timeout 443
    46.17.46.147 timeout 445
    134.255.214.152 timeout 416
    104.218.49.162 timeout 406
    5.196.44.33 timeout 466
    185.22.153.104 timeout 441
    212.32.250.134 timeout 443
    176.32.32.134 timeout 428
    212.83.160.155 timeout 444
    107.155.186.131 timeout 415
    145.239.140.193 timeout 417

    Name: fail2ban-asterisk-udp
    Type: hash:ip
    Revision: 1
    Header: family inet hashsize 1024 maxelem 65536 timeout 600
    Size in memory: 17552
    References: 1
    Members:
    104.218.49.162 timeout 406
    93.115.29.150 timeout 469
    94.75.249.2 timeout 471
    134.255.214.152 timeout 416
    46.17.46.147 timeout 445
    212.129.46.199 timeout 443
    5.196.44.33 timeout 466
    185.40.4.126 timeout 442
    51.15.78.254 timeout 468
    212.83.160.155 timeout 444
    145.239.140.193 timeout 417
    212.32.250.134 timeout 444
    185.22.153.104 timeout 441
    107.155.186.131 timeout 415
    94.177.238.211 timeout 470
    176.32.32.134 timeout 428

    And here is what I see about 10 minutes later.

    Name: fail2ban-apache-badbots
    Type: hash:ip
    Revision: 1
    Header: family inet hashsize 1024 maxelem 65536 timeout 172800
    Size in memory: 16528
    References: 1
    Members:

    Name: fail2ban-asterisk-tcp
    Type: hash:ip
    Revision: 1
    Header: family inet hashsize 1024 maxelem 65536 timeout 600
    Size in memory: 17552
    References: 1
    Members:

    Name: fail2ban-asterisk-udp
    Type: hash:ip
    Revision: 1
    Header: family inet hashsize 1024 maxelem 65536 timeout 600
    Size in memory: 17552
    References: 1
    Members:

     

    Attached is a screenshot that shows IPs banned in the GUI.

     

    Best Regards,

    -G

Viewing 15 replies - 1 through 15 (of 17 total)
  • Replies

    What version of VitalPBX do you have?

    TheG-Man
    Participant

    VitalPBX 2.0.0-6


    Try setting up the ban-time to -1.

    According to the fail2ban documentation, setting the ban-time to -1 will ban the IP addresses forever.

    TheG-Man
    Participant

    I think there is more to this issue. Looks like fail2ban is passing to ipset and ipset is configured to ban for 600 seconds. So in this case the number in the web GUI doesn’t mean anything, as the ipset will dictate for how long the IPs will be banned.


    I don’t think so. I have configured fail2ban with -1, and all the banned IP addresses remain banned.

    TheG-Man
    Participant

    Can you post your ipset list?

    I just tested, and changing the bantime in the ipset config from 600 to anything higher changes the actual bantime. The thing is, IPs show up in the web GUI banlist and fail2ban as banned, but the list is blank in the ipset. So in the end it is a false sense of security, as in two places it says IPs are banned, but the tool that actually keeps them banned bans them only for the predefined time in the config file.

    The file is located in /etc/fail2ban/action.d/firewallcmd-ipset.local


    That configuration is overwritten by the following file: /etc/fail2ban/jail.d/10-vitalpbx.local 

    To see what IP addresses are banned execute the following command:

    fail2ban-client status asterisk
    TheG-Man
    Participant

    I already used the fail2ban-client status asterisk command. That’s how I discovered that they were not being blocked. Fail2ban would show them all banned, but in the asterisk console I would see scrolling lines with those IPs saying wrong password.
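
Added example, not part of any post in this thread and not VitalPBX code: a Python check for the mismatch described above, comparing the timeout in the `ipset list` header with the configured fail2ban bantime and listing IPs that `fail2ban-client status` reports as banned but that are missing from the set. The sample text is constructed with documentation addresses, and the function names are illustrative.

```python
import re

# Constructed sample data (documentation IPs), shaped like the output in this thread.
IPSET_LIST = """\
Name: fail2ban-asterisk-udp
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Members:
192.0.2.10 timeout 471
"""
F2B_STATUS = """\
Status for the jail: asterisk
`- Actions
   `- Banned IP list:\t192.0.2.10 198.51.100.7
"""

def parse_ipset(text):
    """Return {set_name: {"timeout": int or None, "members": set of IPs}}."""
    sets, cur, in_members = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Name:"):
            cur = sets.setdefault(line.split(":", 1)[1].strip(),
                                  {"timeout": None, "members": set()})
            in_members = False
        elif cur is not None and line.startswith("Header:"):
            m = re.search(r"\btimeout (\d+)", line)
            cur["timeout"] = int(m.group(1)) if m else None
        elif cur is not None and line.startswith("Members:"):
            in_members = True
        elif cur is not None and in_members and line:
            cur["members"].add(line.split()[0])  # first field is the address
    return sets

def parse_banned(text):
    """IPs on the 'Banned IP list:' line of fail2ban-client status output."""
    m = re.search(r"Banned IP list:[ \t]*(.*)", text)
    return set(m.group(1).split()) if m else set()

def audit(ipset_text, status_text, set_name, bantime):
    """bantime: seconds configured in fail2ban, -1 for a permanent ban."""
    s = parse_ipset(ipset_text).get(set_name, {"timeout": None, "members": set()})
    t = s["timeout"]  # None: no timeout in header; 0: entries never expire
    permanent = t is None or t == 0
    short = (not permanent) and (bantime < 0 or t < bantime)
    return {"set_timeout": t, "timeout_shorter_than_bantime": short,
            "banned_but_not_in_set": sorted(parse_banned(status_text) - s["members"])}

if __name__ == "__main__":
    print(audit(IPSET_LIST, F2B_STATUS, "fail2ban-asterisk-udp", 31536000))
```

On a live system the two inputs would be the captured output of `ipset list` and `fail2ban-client status asterisk`.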


    We will check it. Thanks for reporting it.


    What’s the output of the following command: rpm -qi vitalpbx-fail2ban-config

    TheG-Man
    Participant

    Name : vitalpbx-fail2ban-config
    Version : 1.0.0
    Release : 3
    Architecture: noarch
    Install Date: Wed 04 Apr 2018 01:58:51 PM EDT
    Group : Applications/System
    Size : 4982
    License : GPLv2
    Signature : (none)
    Source RPM : vitalpbx-fail2ban-config-1.0.0-3.src.rpm
    Build Date : Wed 14 Mar 2018 01:36:42 PM EDT
    Build Host : devel.vitalpbx.com
    Relocations : (not relocatable)
    Packager : Jose Rivera <miguel@aplitel.com>
    Vendor : VitalPBX
    URL : https://vitalpbx.org
    Summary : VitalPBX Fail2ban configuration files
    Description :
    VitalPBX Fail2ban configuration files.


    Could you provide the full message from the asterisk console saying wrong password?


    Don’t you have any IP address in the whitelist?

    TheG-Man
    Participant

    Yes, I do, so I don’t lock myself out.

    Can you remove the IP from my previous post?


    It is hidden now!!!
