
TIPS Can I stop Fail2ban from banning my IP?

Discussion in 'Help' started by Lonnon, Oct 11, 2017.

  1. Lonnon

    Lonnon New Member

    Joined:
    Sep 23, 2016
    Messages:
    17
    Likes Received:
    1
    I had to reinstall my server today and I forgot to unplug the phones, so they were trying to register when I was done reinstalling, and fail2ban immediately locked my IP from accessing SSH and the webserver. I went in from noVNC in ImpactVPS and was able to remove it from the jail. Is there a way to stop fail2ban from banning that IP?
     
  2. Lonnon

    Lonnon New Member

    Joined:
    Sep 23, 2016
    Messages:
    17
    Likes Received:
    1
    If I do the command "set <JAIL> addignoreip <IP>" for fail2ban, will this cause security issues?
     
  3. dicko

    dicko Still learning but earning

    Joined:
    Oct 30, 2015
    Messages:
    461
    Likes Received:
    164
    In your /etc/fail2ban/jail.conf

    you will see something like

    Code:
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
    # ban a host which matches an address in this list. Several addresses can be
    # defined using space (and/or comma) separator.
    ignoreip = 127.0.0.1/8 22.33.44.55/29

    Just adjust that to suit.
     
    #3 dicko, Oct 11, 2017
    Last edited by a moderator: Oct 12, 2017
    wardmundy likes this.
  4. JFrost

    JFrost Member

    Joined:
    Oct 1, 2016
    Messages:
    50
    Likes Received:
    3
    Thanks for the tip. Any way to manage this when the IP is dynamic?
     
  5. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    13,819
    Likes Received:
    2,293
    /root/add-fqdn
     
  6. JFrost

    JFrost Member

    Joined:
    Oct 1, 2016
    Messages:
    50
    Likes Received:
    3
    That's one of the first things done, plus it's the same IP I'm installing from so should automatically be whitelisted for that reason. Still if my phones are trying to register (and on a new install, their passwords are all wrong) I WILL get locked out of remote shell (actually, locked out of everything, webi included.) Only local (ovh) console works till I unban the IP.

    If it helps, the ban gets put into the 'asterisk-xivo' jail rather than ssh jail. In 'iptables -nL' it's listed in the 'Asterisk' context.

    Edit - the way I've been getting around it is to block all udp traffic to wazo at the firewall but I have to take that rule down once I start adding phones and as soon as I do it's a race against fail2ban.
    J.
     
  7. dicko

    dicko Still learning but earning

    Joined:
    Oct 30, 2015
    Messages:
    461
    Likes Received:
    164
    Dynamic addresses are awarded within a pool of addresses. If you do a whois on your current IP address, there will be one or more network/netmasks shown; choose the smallest one,

    for example in Phoenix on a Cox service you might get back
    .
    .
    .
    NetRange: 184.179.8.0 - 184.179.15.255
    CIDR: 184.179.8.0/21
    .
    .
    .

    allow 184.179.8.0/21
     
    wardmundy likes this.
  8. JFrost

    JFrost Member

    Joined:
    Oct 1, 2016
    Messages:
    50
    Likes Received:
    3
    Thanks but are you saying to open a range because you think my ip is changing (I don't think so - it's always the same IP getting blocked) or because you think supplying a range will fool fail2ban into respecting the whitelist?

    Also, how would I handle this CIDR notation whitelisting dynamically?

    thanks,
     
  9. dicko

    dicko Still learning but earning

    Joined:
    Oct 30, 2015
    Messages:
    461
    Likes Received:
    164
    No, you are not fooling fail2ban; you are instructing it to

    ignoreip = list of hosts/networks

    If your IP falls within one, then it is not fail2ban blocking it.
     
  10. JFrost

    JFrost Member

    Joined:
    Oct 1, 2016
    Messages:
    50
    Likes Received:
    3
    Respectfully, I think I have to differ.

    I clear the ban with 'fail2ban set asterisk-xivo unbanip 24.xxx.xxx.xxx' and here's what it looks like banned (see image). Note that the same 24.x.x.x is in the ACCEPT list as ALL and 0.0.0.0/0, yet it's still banned in 'Chain fail2ban-ASTERISK' with 'reject-with icmp-port-unreachable'.
    That certainly looks to me like fail2ban is what's blocking.
    This ban took less than 30 seconds from enabling one unregistered client (atm Zoiper on my cell).

    Please correct me if I'm wrong and point me in the right direction. This is consistently reproducible btw.


    EDIT - Sorry, forgot the screenshot:
    J.

    http://azariatech.com/media/fail2banned.jpg
     
    #10 JFrost, Oct 21, 2017
    Last edited: Oct 21, 2017
  11. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    13,819
    Likes Received:
    2,293
    The whole purpose of Fail2Ban is to block those who make unsuccessful attempts to log into SIP or web resources. If this is that frequent a problem and you've whitelisted the IP addresses, then perhaps you should just turn off Fail2Ban. The firewall will block strangers from attacks anyway.
     
  12. dicko

    dicko Still learning but earning

    Joined:
    Oct 30, 2015
    Messages:
    461
    Likes Received:
    164
    OK we have a little disconnect here, you said

    Any way to manage this when the IP is dynamic?

    so I told you how, then you said

    because you think my ip is changing

    but no, I don't; that was your inference. If it is not changing then you either don't have a dynamic (DHCP awarded) IP, or you do but it is quite stable. Only you and your ISP will know if you have a static or dynamic IP.

    The way iptables works is that it starts at the top of iptables -L. You have an ACCEPT (in an unknown chain, your screenshot cut it off), and iptables will terminate with that acceptance, so the later REJECT would not be processed.

    Please post the actual ignoreip = line you have, because if ".. . always the same IP getting blocked" is in the ignore list then it would never be in any fail2ban jail, cos' that's how it works.
     
  13. JFrost

    JFrost Member

    Joined:
    Oct 1, 2016
    Messages:
    50
    Likes Received:
    3
    Yes, it should block unsuccessful SIP attempts, but if those SIP attempts are coming from an address I whitelisted (either by add-fqdn or add-ip) then shouldn't fail2ban ignore those?
    My understanding of a whitelist is "do not block these addresses. period."

    Btw the problem is encountered only when Wazo/Asterisk isn't working and/or when rebuilding the server (as I am now with the 17.14 thing). In normal operation it doesn't happen, assumedly because there are no SIP failures. But it does make me wonder what would happen if I or a user changed her password and neglected a device (softphone). Doesn't seem like that should lock my whole site from access if it's whitelisted, but it appears that is what the outcome would be.
     
  14. dicko

    dicko Still learning but earning

    Joined:
    Oct 30, 2015
    Messages:
    461
    Likes Received:
    164

    I think you will find that add-fqdn and add-ip are NOT part of fail2ban's addition to iptables chains; you would need to make sure that those are added BEFORE fail2ban starts. That would be one for Ward!
     
  15. JFrost

    JFrost Member

    Joined:
    Oct 1, 2016
    Messages:
    50
    Likes Received:
    3
    Yes, apparently we have a disconnect. I think it's that I didn't realize your suggestion about whitelisting a range was in response to the dynamic IP but in response to the fact that my IP is already whitelisted but still getting blocked.
    I had incorrectly assumed the solution to dynamic ips would be based on resolving the DDNS name and updating f2b's whitelist.

    When you offered the suggestion to whitelist the CIDR range I thought it was a workaround to f2b not respecting the existing whitelist rule.

    The IP is dynamic but it is fairly stable. It does not change [typically] without a [cable] modem reboot. So my initial question was how to update the whitelist when the IP [infrequently] changes.

    I am running the stock TM3 firewall rules bundled with Wazo/IncrediblePBX. All the ACCEPTs are based on IPBX scripts for adding a whitelist (either 'add-ip' or 'add-fqdn').
    I would assume those should properly place the rules to avoid what you described above, but here is the iptables -nL output as requested: https://pastebin.com/FEGt65Br
     
  16. JFrost

    JFrost Member

    Joined:
    Oct 1, 2016
    Messages:
    50
    Likes Received:
    3
    So you're saying that add-ip and add-fqdn are whitelisting in iptables but not in f2b?

    That would explain the behavior but everything I've read never really made that distinction. @wardmundy is that the case? Do I need to whitelist f2b separately from the scripts IPBX provides??

    Thanks
     
  17. dicko

    dicko Still learning but earning

    Joined:
    Oct 30, 2015
    Messages:
    461
    Likes Received:
    164
    No, I am saying that the order of precedence of iptables, as you have it, prefers the fail2ban rules before the add-ip and add-fqdn rules are in place; that would need to be changed for such "whitelists" to work. fail2ban should ONLY be started after all other critical rules are in place. Perhaps Ward can comment . . . .
     
    #17 dicko, Oct 21, 2017
    Last edited: Oct 21, 2017
  18. JFrost

    JFrost Member

    Joined:
    Oct 1, 2016
    Messages:
    50
    Likes Received:
    3
    Ok. That makes sense (and thank you for clarifying. Hard being a newbie sometimes..)

    TIL - fail2ban != iptables. They are related but separate.
    TIL - I'm greener about Linux firewalls than I thought.
    "The more you know, the more you find you don't know."

    I found some info saying that f2b's jail.conf will accept a fqdn in the 'ignore' line so I'm gonna try that out now.

    EDIT - Yep, that seems to have cleared it up. Wish I'd known this a couple patches of hair ago :)
    My conclusion/suggestion is this either needs to be documented with the TM firewall to be clearer or (perhaps preferably) have f2b respect the whitelist rules set by add-ip and add-fqdn.

    J.
     
    #18 JFrost, Oct 21, 2017
    Last edited: Oct 21, 2017
  19. dicko

    dicko Still learning but earning

    Joined:
    Oct 30, 2015
    Messages:
    461
    Likes Received:
    164

    Again NO, they all contribute to iptables' effectiveness. fail2ban adds rules to iptables, as do add-ip and add-fqdn; the order in which this is done is however critical. Think of it as a filter (it is): if rule 1 passes then good and you continue to rule 2; if it fails, then there is no rule 2, you are SOOL; otherwise you go on to rule 2 . . . .

    Yes, fail2ban's ignoreip accepts both raw networks/hosts and FQDNs, but fix the order first.
     
    #19 dicko, Oct 21, 2017
    Last edited: Oct 21, 2017
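    The two mechanisms dicko describes in posts #3 and #19 (fail2ban's ignoreip list, and iptables first-match evaluation where a fail2ban REJECT placed above a whitelist ACCEPT wins) can be simulated to see why a "whitelisted" address still gets rejected. This is an added example, not code from the thread, Wazo or fail2ban; the addresses, the chain names and the FAKE_DNS resolver are constructed sample data.

```python
"""Simulate fail2ban's ignoreip matching and iptables first-match evaluation.
All addresses, chains and the DNS stand-in below are constructed sample data."""
import ipaddress

# Constructed stand-in for DNS: resolves FQDNs listed in ignoreip.
FAKE_DNS = {"home.example.net": "24.0.113.7"}

def parse_ignoreip(value, resolve=FAKE_DNS.get):
    """Parse an 'ignoreip = ...' value (space and/or comma separated) into networks.
    Tokens that are not an IP or CIDR are treated as DNS hosts and resolved."""
    nets = []
    for token in value.replace(",", " ").split():
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            addr = resolve(token)
            if addr:
                nets.append(ipaddress.ip_network(addr))
    return nets

def is_ignored(ip, nets):
    """True if fail2ban would skip banning this source address."""
    return any(ipaddress.ip_address(ip) in n for n in nets)

def iptables_verdict(chains, chain, src):
    """First-match evaluation over chains of (network_or_None, target) rules.
    A target naming another chain is a jump; RETURN falls back to the caller;
    falling off INPUT yields the simulated default policy DROP."""
    for net, target in chains[chain]:
        if net is not None and ipaddress.ip_address(src) not in net:
            continue
        if target in chains:
            verdict = iptables_verdict(chains, target, src)
            if verdict != "RETURN":
                return verdict
        elif target != "RETURN":
            return target
    return "DROP" if chain == "INPUT" else "RETURN"

BANNED = ipaddress.ip_network("24.0.113.7/32")       # host fail2ban just banned
WHITELIST = ipaddress.ip_network("24.0.113.0/24")    # what add-ip/add-fqdn allowed
F2B_CHAIN = [(BANNED, "REJECT"), (None, "RETURN")]
# Order as seen in the thread: fail2ban's jump sits above the whitelist ACCEPT.
BAD_ORDER = {"INPUT": [(None, "fail2ban-ASTERISK"), (WHITELIST, "ACCEPT")],
             "fail2ban-ASTERISK": F2B_CHAIN}
# Whitelist ACCEPT placed first, as dicko recommends: the REJECT is never reached.
GOOD_ORDER = {"INPUT": [(WHITELIST, "ACCEPT"), (None, "fail2ban-ASTERISK")],
              "fail2ban-ASTERISK": F2B_CHAIN}

if __name__ == "__main__":
    for name, chains in (("bad order", BAD_ORDER), ("good order", GOOD_ORDER)):
        print(name, "->", iptables_verdict(chains, "INPUT", "24.0.113.7"))
    print("ignored:", is_ignored("24.0.113.7", parse_ignoreip("127.0.0.1/8 home.example.net")))
```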
  20. JFrost

    JFrost Member

    Joined:
    Oct 1, 2016
    Messages:
    50
    Likes Received:
    3
    Like a usual filtering firewall, I get that. Rules at top first, etc. Pass through or fall to next till you get to the drop-all rule. My Mikrotik routers filter the same way.

    I still don't get f2b's actual specific role or how it does it though, so I'll have to make a point of learning some. It's not just a rule-maker for iptables, as the ignore/whitelist I added to jail.conf doesn't appear anywhere in the output of iptables -nL yet it still seems to work, so f2b has to be running on its own as well as using/augmenting iptables.

    Anyway, I do appreciate you taking the effort to explain it to me; I might just need to do some more in-depth reading on my own and I don't want to wear you down beating this horse.

    Thanks Dicko,
     