BUG Fail2Ban not running

awair

Member
Joined
Mar 10, 2009
Messages
87
Reaction score
4
I am on a fairly recent installation of 3.6.5, and have just noticed that Fail2Ban is not running and will not start.

I have re-run update-fixes today & restarted the system, but still no joy.

Is there any way to reset this to a 'clean' config, to fix start errors?

2014-12-19 07:10:20,360 fail2ban.server : INFO Stopping all jails
2014-12-19 07:10:20,990 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -j fail2ban-PBX-GUI
iptables -F fail2ban-PBX-GUI
iptables -X fail2ban-PBX-GUI returned 100
2014-12-19 07:10:21,329 fail2ban.jail : INFO Jail 'apache-tcpwrapper' stopped
2014-12-19 07:10:22,063 fail2ban.jail : INFO Jail 'apache-badbots' stopped
2014-12-19 07:10:23,080 fail2ban.jail : INFO Jail 'ssh-iptables' stopped
2014-12-19 07:10:23,987 fail2ban.actions.action: ERROR iptables -D INPUT -p all -j fail2ban-SIP
iptables -F fail2ban-SIP
iptables -X fail2ban-SIP returned 100
2014-12-19 07:10:24,001 fail2ban.jail : INFO Jail 'asterisk-iptables' stopped
2014-12-19 07:10:24,796 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport ftp -j fail2ban-FTP
iptables -F fail2ban-FTP
iptables -X fail2ban-FTP returned 100
2014-12-19 07:10:24,934 fail2ban.jail : INFO Jail 'vsftpd-iptables' stopped

2014-12-19 07:10:24,936 fail2ban.server : INFO Exiting Fail2ban

These are the last log entries, after a couple of IPs were banned/unbanned. There are no entries in the log for the failed start attempts, even with log level set to 'Debug'.

No idea what, if anything, happened on Dec 19; I don't believe I made any changes to the system - it has just stopped...

Many thanks for any advice available.
 

awair

Member
Joined
Mar 10, 2009
Messages
87
Reaction score
4
Looks like it is (partly) fixed, thanks to this post:
http://pbxinaflash.com/community/index.php?threads/fail2ban-wont-enable.15301/

Didn't see that with a Forum search, but Google pulled it up.

I now have numerous errors, in the format:
2015-01-05 20:37:05,776 fail2ban.filter : ERROR No 'host' found in '[] SECURITY[11464] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1420047284-619517",Severity="Error",Service="SIP",EventVersion="2",AccountID="00970597572760",SessionID="0x61d057c4",LocalAddress="IPV4/UDP/**IP REMOVED**/5060",RemoteAddress="IPV4/UDP/188.138.94.14/5086",Challenge="1fb8a56a",ReceivedChallenge="1fb8a56a",ReceivedHash="af3a66944a03116211a5766c38cf7300"
' using '<_sre.SRE_Pattern object at 0x8919c48>'
2015-01-05 20:37:05,923 fail2ban.filter : ERROR No 'host' found in '[] SECURITY[11464] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1420047320-529282",Severity="Error",Service="SIP",EventVersion="2",AccountID="000970599908140",SessionID="0x61f7843c",LocalAddress="IPV4/UDP/**IP REMOVED**/5060",RemoteAddress="IPV4/UDP/188.138.94.14/5094",Challenge="15bf7380",ReceivedChallenge="15bf7380",ReceivedHash="08392581c77587ce62f10754e597fe1d"
' using '<_sre.SRE_Pattern object at 0x8919c48>'
2015-01-05 20:37:06,419 fail2ban.filter : ERROR No 'host' found in '[] SECURITY[11464] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1420047449-864116",Severity="Error",Service="SIP",EventVersion="2",AccountID="0041445208772",SessionID="0x61d83634",LocalAddress="IPV4/UDP/**IP REMOVED**/5060",RemoteAddress="IPV4/UDP/188.138.94.14/5078",Challenge="3e304a5b",ReceivedChallenge="3e304a5b",ReceivedHash="4404d821641fefc5327f7d3821b20f3b"
' using '<_sre.SRE_Pattern object at 0x8919c48>'
2015-01-05 20:37:07,270 fail2ban.filter : ERROR No 'host' found in '[] SECURITY[11464] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1420047663-535903",Severity="Error",Service="SIP",EventVersion="2",AccountID="800970597572760",SessionID="0x61d7df5c",LocalAddress="IPV4/UDP/**IP REMOVED**/5060",RemoteAddress="IPV4/UDP/188.138.94.14/5071",Challenge="56e0973f",ReceivedChallenge="56e0973f",ReceivedHash="4c92c1299e17141824a0f8f4e8d85952"
' using '<_sre.SRE_Pattern object at 0x8919c48>'
2015-01-05 20:37:08,306 fail2ban.filter : ERROR No 'host' found in '[] SECURITY[11464] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1420047860-903374",Severity="Error",Service="SIP",EventVersion="2",AccountID="900972595557833",SessionID="0x61e04504",LocalAddress="IPV4/UDP/**IP REMOVED**/5060",RemoteAddress="IPV4/UDP/69.30.254.10/5093",Challenge="1f14f5fa",ReceivedChallenge="1f14f5fa",ReceivedHash="2fa1e5db290ea8a7ac80975cda3f1b78"
' using '<_sre.SRE_Pattern object at 0x8919c48>'
2015-01-05 20:37:08,916 fail2ban.filter : ERROR No 'host' found in '[] SECURITY[11464] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1420047970-488319",Severity="Error",Service="SIP",EventVersion="2",AccountID="900972592704966",SessionID="0x61e63424",LocalAddress="IPV4/UDP/**IP REMOVED**/5060",RemoteAddress="IPV4/UDP/69.30.230.2/5083",Challenge="52c7ecd4",ReceivedChallenge="52c7ecd4",ReceivedHash="f674906bf38dba68417e6f18aa56feed"
' using '<_sre.SRE_Pattern object at 0x8919c48>'
 

howardsl2

Guru
Joined
Aug 5, 2013
Messages
88
Reaction score
25
Here's how to fix the errors:

Edit /etc/fail2ban/jail.local, replace every asterisk-security with asterisk. You can find them on the filter lines. This solves the errors in your logs. In addition, you will find two "name=PBX-GUI" in that file. Replace the second one with e.g. "name=PBX-GUI-2". Then save and restart fail2ban.

Unfortunately, your changes to that file will be reverted by the sysadmin module at every FreePBX reload. You may want to back up jail.local or make it immutable.
 

awair

Member
Joined
Mar 10, 2009
Messages
87
Reaction score
4
Many thanks for the fix - can we expect anything permanent with a further update?
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,534
Reaction score
727
"Edit /etc/fail2ban/jail.local, replace every asterisk-security with asterisk."

This is not necessary. I was troubleshooting this same problem tonight and found that the source of the error is incorrect regex in the asterisk-security filter.

Check /etc/fail2ban/filter.d/asterisk-security.conf. On mine, lines 34-37 are the SECURITY lines and have an error. Where you see SIP|AMI it should be (SIP|AMI). Look farther down the line at the (UDP|TCP|TLS) part for an example.

Just fix those four lines by putting ( ) around SIP|AMI, save, and restart fail2ban.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
awair: Which version of Asterisk and FreePBX are running on your server??
 

awair

Member
Joined
Mar 10, 2009
Messages
87
Reaction score
4
Running 3.6.5 with Asterisk 11.7.0 & FreePBX 2.11.0.42. Can't remember which colour I selected during setup, but think it was recommended (at the time).
 

graybans

Member
Joined
Oct 22, 2007
Messages
35
Reaction score
1
I am having the same issue, except Webmin is also affected.
Running 3.0.6.5 on Scientific Linux 6.6 with Asterisk 1.15.0 & FreePBX 2.11.0.42 => PIAF Green (Modified w/ no changes per nerdvittles instructions).
 

awair

Member
Joined
Mar 10, 2009
Messages
87
Reaction score
4
I am somewhat fortunate in this respect, in that I have two 'identical' systems to compare: both installed at the same time on identical hardware. The only difference has been their usage (and update status).

Having inspected both systems, the contents of jail.local are quite different and asterisk-security.conf are almost identical. However, only the above system has the error. The other system is running 3.6.5 with Asterisk 11.7.0 & FreePBX 2.11.0.38.

I will check FreePBX on both systems to try to determine the cause, and delay upgrading the 'older' system.
 

awair

Member
Joined
Mar 10, 2009
Messages
87
Reaction score
4
FYI:

In jail.local the following 'Filter Action Jails' do not exist in the prior version:
pbx-gui
recidive

In asterisk-security.conf there is 'back-slash/forward-slash' between items (\/), instead of only forward slash (/):
SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP|AMI".*,RemoteAddress="IPV[46]\/(UDP|TCP|TLS)\/<HOST>\/[0-9]+"
SECURITY.* .*: SecurityEvent="FailedACL".*,Severity="Error",Service="SIP|AMI".*,RemoteAddress="IPV[46]\/(UDP|TCP|TLS)\/<HOST>\/[0-9]+"
SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP|AMI".*,RemoteAddress="IPV[46]\/(UDP|TCP|TLS)\/<HOST>\/[0-9]+"
SECURITY.* .*: SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="SIP|AMI".*,RemoteAddress="IPV[46]\/(UDP|TCP|TLS)\/<HOST>\/[0-9]+"

I don't know enough to determine if there are any errors/omissions...
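
Added example (not part of any post in this thread, and not fail2ban's own code): why the unparenthesised SIP|AMI in the InvalidPassword line above produces "No 'host' found", and a check that flags any failregex with a top-level alternative lacking <HOST>. HOST_GROUP is a simplified stand-in for fail2ban's <HOST> substitution, the log line is constructed, and the function names are hypothetical.

```python
import re

# Simplified stand-in for the group fail2ban substitutes for <HOST> (assumption).
HOST_GROUP = r"(?P<host>[\w\-.^_]+)"

# InvalidPassword failregex as posted in the thread, and the parenthesised fix.
BROKEN = (r'SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",'
          r'Service="SIP|AMI".*,RemoteAddress="IPV[46]\/(UDP|TCP|TLS)\/<HOST>\/[0-9]+"')
FIXED = BROKEN.replace('"SIP|AMI"', '"(SIP|AMI)"')

# Constructed log line (documentation-range addresses, dummy account values).
SAMPLE = ('[] SECURITY[11464] res_security_log.c: SecurityEvent="InvalidPassword",'
          'EventTV="1420047284-619517",Severity="Error",Service="SIP",'
          'EventVersion="2",AccountID="1000",LocalAddress="IPV4/UDP/192.0.2.10/5060",'
          'RemoteAddress="IPV4/UDP/203.0.113.7/5086",Challenge="00000000"')

def extract_host(failregex, line):
    """Return (matched, host); host is None when the match bypassed the host group."""
    m = re.search(failregex.replace("<HOST>", HOST_GROUP), line)
    return (False, None) if m is None else (True, m.group("host"))

def top_level_alternatives(failregex):
    """Split on '|' outside (...) and [...], i.e. the branches the regex engine sees."""
    parts, current, depth, in_class, i = [], "", 0, False, 0
    while i < len(failregex):
        ch = failregex[i]
        if ch == "\\":                    # escaped character: copy both, skip ahead
            current += failregex[i:i + 2]
            i += 2
            continue
        if in_class:
            in_class = ch != "]"          # simplification: no literal ']' in classes
        elif ch == "[":
            in_class = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "|" and depth == 0:    # top-level alternation splits the whole regex
            parts.append(current)
            current, ch = "", ""
        current += ch
        i += 1
    return parts + [current]

def branches_missing_host(failregex):
    """Branches that can match a line without ever capturing an address."""
    return [p for p in top_level_alternatives(failregex) if "<HOST>" not in p]

if __name__ == "__main__":
    for name, rx in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, extract_host(rx, SAMPLE), len(branches_missing_host(rx)))
```

With the broken pattern the line matches through the left-hand branch, which ends at Service="SIP and never reaches RemoteAddress, so the failure is counted as a match but no address is available to ban.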
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Up until now, we have included direct access to Schmooze's repo as a means of allowing users that wanted to use commercial modules to have access to the latest RPMs to support those modules. This was with the understanding that the repo would only be used for RPMs that directly affected the commercial modules. Since the "asterisk" user does not have permissions to the fail2ban directory structure, the only possible way these config files could be changed is through an RPM update to fail2ban itself.

We believe the new jail.conf and asterisk-security setup is used to support a redesigned error log setup with FreePBX Distro. Reportedly, the purpose was to speed up the ability of Fail2Ban to scan the error log for intrusions. However, that presupposes that all of the pieces were in place to support the new error log setup, none of which has been documented so far as we know. Perhaps one of the Schmooze/Sangoma folks will comment when they get an opportunity.

We've chosen to go the IPtables WhiteList route because Fail2Ban has been notoriously unreliable over the years. We will continue to investigate the cause of this. In the meantime, we plan to rework the PIAF repo setup and directly implement an IPtables whitelist for new installs to better protect our users.
 

awair

Member
Joined
Mar 10, 2009
Messages
87
Reaction score
4
On 4th January I ran the commands:
yum update fail2ban
service fail2ban restart
As indicated by my earlier post:

I have just run these commands again today (9th January), received another new patch (0.8.8... version 121), and the problem seems to have disappeared.

yum update fail2ban
Loaded plugins: fastestmirror, refresh-packagekit
Repository sl is listed more than once in the configuration
Repository sl-security is listed more than once in the configuration
Repository sl-source is listed more than once in the configuration
Repository sl6x is listed more than once in the configuration
Repository sl6x-security is listed more than once in the configuration
Repository sl6x-fastbugs is listed more than once in the configuration
Loading mirror speeds from cached hostfile
* sl: ftp.scientificlinux.org
* sl-security: ftp.scientificlinux.org
* sl6x: ftp.scientificlinux.org
* sl6x-security: ftp.scientificlinux.org
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.8.8-107.shmz65.1.118 will be updated
---> Package fail2ban.noarch 0:0.8.8-108.shmz65.1.121 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Updating:
fail2ban noarch 0.8.8-108.shmz65.1.121 schmooze-commercial 137 k

Transaction Summary
================================================================================
Upgrade 1 Package(s)

Total download size: 137 k
Is this ok [y/N]: y
Downloading Packages:
fail2ban-0.8.8-108.shmz65.1.121.noarch.rpm | 137 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : fail2ban-0.8.8-108.shmz65.1.121.noarch 1/2
Cleanup : fail2ban-0.8.8-107.shmz65.1.118.noarch 2/2
Verifying : fail2ban-0.8.8-108.shmz65.1.121.noarch 1/2
Verifying : fail2ban-0.8.8-107.shmz65.1.118.noarch 2/2

Updated:
fail2ban.noarch 0:0.8.8-108.shmz65.1.121

Complete!
 

howardsl2

Guru
Joined
Aug 5, 2013
Messages
88
Reaction score
25
FYI, an updated fail2ban package was released today in the schmooze-commercial repo. I compared the files and see that the new version includes the fix mentioned above by billsimon for asterisk-security.conf. That bug was introduced in the Aug. 2014 fail2ban version.

http://issues.freepbx.org/browse/FREEPBX-8277

To update, run command "yum update fail2ban" (make sure it installs from the repo above), and then restart fail2ban.
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,534
Reaction score
727
From the linked FreePBX ticket:

We received a $6000 bill last weekend on one of our systems making hundreds of calls to Estonia. Please please please apply this if found to be a valid solution.

Suspected reasons for $6000 bill:
  • incorrect configuration of dial plan
  • short/simple passwords on extensions
  • exploitable web interface (unpatched Apache and/or FreePBX)
Not really to blame:
  • fail2ban
fail2ban can slow down an attacker but not prevent an intrusion. Get your system secure first and then add fail2ban for a warm fuzzy outer layer.
 

darmock

PIAF Developer
Joined
Oct 18, 2007
Messages
2,892
Reaction score
98
I like warm and fuzzy! Yep we are reworking the repos for PIAF. We will include the latest stable (according to PIAF) version of fail2ban in our repo. Ward and I are working on some other little surprises for our distro also.


Tom
 

awair

Member
Joined
Mar 10, 2009
Messages
87
Reaction score
4
As of 1/10/15, after running:
yum update fail2ban

Fail2ban now appears to be working correctly.

As I was replacing an ancient Trixbox installation, I presume that I was still more secure with PIAF even without fail2ban during this interim period?

I am now receiving dozens of emails about 'bans' - should I leave fail2ban to deal with these, or should I add any recurring IP addresses to a blacklist or (router) firewall?

Thanks again for the great support.
 

darmock

PIAF Developer
Joined
Oct 18, 2007
Messages
2,892
Reaction score
98
I tend to blacklist recurring IPs; however, the way to go is the whitelist. Be patient, we are working on bringing it to PIAF base systems.


Tom
 
