TIPS Can i Stop Fail2ban from banning my ip?

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,133
Reaction score
2,628
TM3 firewall doesn't touch Fail2Ban rules. Nor does it add to the Fail2Ban whitelist. Like I said before, if you've whitelisted an IP address in TM3 and it's still getting blocked by Fail2Ban because users incorrectly enter their credentials regularly, why use Fail2Ban at all?? We've been doing this for over decade, and yours is the first reported problem with the design. So don't expect a fix anytime soon. Train your users better or manually add their IP addresses to jail.conf. :angel:
 
  • Like
Reactions: ostridge and dicko

mainenotarynet

Not really a Guru - Just a long time user
Joined
May 29, 2010
Messages
602
Reaction score
74
Location
Bangor, ME USA
I think you are ALL missing his concern. Happens to me too -- I just restart from host and quickly turn off fail2ban temporarily until I 'jail.conf ignoreip' my IP of where my phones are.

What the OP is saying is that he may have Hard phones or Soft phones that are always on or Smart phones with CSipSimple, GSWave or whatever., and he had to reinstall the Server or maybe upgrading or whatever, and BECAUSE these phones are STILL plugged in and the NEW system doesn't have the extensions yet that this NEW SYSTEM is Banning his IPTAbles Whitelisted IP because Fail2Ban is triggering the ban.

Happened to me A LOT when I was experimenting with Wazo and Issabel and now have my Incredible 13 back but never deactivated the accounts on my hard phones until set to the new extensions.

I think a solution is on the install script to add (along with the 3 IPs of Public, private, setupIP to add an echo or sed or whatever the command is to edit one line of a file -- to something like echo "ignoreip=127.0.0.1 {publicIP} {PrivateIP} {SetupIP}" >> etc/fail2ban/jail.conf or the equivalent sed command to replace the line already there and then restart Fail2ban

If this makes any sense.
 
  • Like
Reactions: JFrost

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
649
Reaction score
237
I think what is being misunderstoop is that fail2ban will ban any ip it can identify by the regexes in

/etc/fail2ban/filter.d/asterisk.conf

in my case

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>:)\d+)?' - (Wrong password|Username/auth name mismatch|No matching endpoint found|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@][email protected]<HOST>\S*$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected '<HOST>'$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$


So if and ONLY if you have a host that violates any of those rules for 'maxretry' times in any 'findime' period they will be banned for 'bantime', that is very simply just how it works!!

So as Ward said if your clients are doing ANY of that, they plain shouldn't, a valid extension needs a valid password,if they have that then NONE of those regexes could possibly match, NO?, the only solution is to add anything that misbehaves ( or preferably their underlying CIDR) either to the ignoreip= line OR PREFERABLY and this is as I have said CRITICAL, "ALLOW" them in a part of iptables BEFORE the fail2ban chains, so if TM3 or CSF or your personal IPSET rules preceded fail2ban and has "ALLOWED" that host, then fail2ban will never see it so will never ban it., The same of course goes for every other jail you enable in fail2ban.

(CSF/LFD are well worth looking at, if you like the extra protection then just start TM3 and THEN fail2ban in /etc/csf/csfpost.sh and stop them in /etc/csf/csfpre.sh, it will be seemless, no harm and no foul, it will just simply reorder your ipchains in a sane fashion)

If you don't like CSF/LFD then just make sure TM3 is started BEFORE fail2ban, Ward assures us that is really good, and so is fail2ban, but if you have anything that is really bad then fail2ban will likely catch it if TM3 misses it
 
Last edited:

JFrost

Member
Joined
Oct 1, 2016
Messages
65
Reaction score
4
@mainenotarynet hit on the head for me:
  • In regular practice this is a non-issue.
  • When forced to rebuild a box and if you haven't disabled all the phones fail2ban will block you. If you and the phones are sharing the lan/fqdn then fail2ban becomes a pest locking you out.
    • If this happens mid install you lose shell and who can be certain of the success/condition of the install then? (the first few times it happened to I didn't even know WHY it happened - I just assumed the install blew up.)
  • The real reason this ever even became an issue was because it wasn't clear that using add-ip or add-fqdn doesn't impact fail2ban.
    • The articles I read and discussions around TM3 make it seem like it's all wrapped up in one place but TM3 and F2B are clearly separate things and currently managed separately. Maybe if I were a more seasoned Linux hand I'd know that offhand but the docs and i
My conclusion - Either
a) the scripts could (should?) have an option among those already presented that includes adding a white to f2b or
b) the documentation/articles on TM3 (and the UI in the scripts - which offers to whitelist ssh) should be clearer that the scripts' whitelisting doesn't affect f2b and in certain [maybe rare] cases this could be an issue. If user encounters issue, add your ip/fqdn to jail.conf either permanently or till you get all the extensions set back up.


Basically if I'd had that bit of info at the start I could have avoided pulling out hair and/or failing so many installs from this and that info could've come from the docs or in the scripts' ui or both.

hth.
 
  • Like
Reactions: Lonnon

JFrost

Member
Joined
Oct 1, 2016
Messages
65
Reaction score
4
I think what is being misunderstoop is that fail2ban will ban any ip it can identify by the regexes in

/etc/fail2ban/filter.d/asterisk.conf

in my case

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>:)\d+)?' - (Wrong password|Username/auth name mismatch|No matching endpoint found|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@][email protected]<HOST>\S*$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected '<HOST>'$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$


So if and ONLY if you have a host that violates any of those rules for 'maxretry' times in any 'findime' period they will be banned for 'bantime', that is very simply just how it works!!

So as Ward said if your clients are doing ANY of that, they plain shouldn't, a valid extension needs a valid password,if they have that then NONE of those regexes could possibly match, NO?, the only solution is to add anything that misbehaves ( or preferably their underlying CIDR) either to the ignoreip= line OR PREFERABLY and this is as I have said CRITICAL, "ALLOW" them in a part of iptables BEFORE the fail2ban chains, so if TM3 or CSF or your personal IPSET rules preceded fail2ban and has "ALLOWED" that host, then fail2ban will never see it so will never ban it., The same of course goes for every other jail you enable in fail2ban.

(CSF/LFD are well worth looking at, if you like the extra protection then just start TM3 and THEN fail2ban in /etc/csf/csfpost.sh and stop them in /etc/csf/csfpre.sh, it will be seemless, no harm and no foul, it will just simply reorder your ipchains in a sane fashion)

If you don't like CSF/LFD then just make sure TM3 is started BEFORE fail2ban, Ward assures us that is really good, and so is fail2ban, but if you have anything that is really bad then fail2ban will likely catch it if TM3 misses it
It is understod *now* but was not then. As in my other post this is ONLY an issue for me in the limited circumstance of reinstalling a system without having access to cut off the phones somehow during install. There may be ways to integrate and incorporate these two or maybe it's best they stay as they are. The biggest issue here imo was just one of knowing. To that end I made my suggestions above how I think can improve it.

J.
 

Lonnon

New Member
Joined
Sep 23, 2016
Messages
26
Reaction score
1
So... i have been playing around with issabel and when ever one of my devices or i use the wrong password 3 times i am locked out permanently until i reinstall the server i have purposely tried locking myself out to try all the fixes and whitelisting an ip does not work i also added my ip to the jail.conf like dicko has sugested and all to no avail so still looking for some advice.

P.S. my wazo installation only bans for a time period not permanently.
 
Last edited:

mainenotarynet

Not really a Guru - Just a long time user
Joined
May 29, 2010
Messages
602
Reaction score
74
Location
Bangor, ME USA
One reason I can't don't use Issabel: It has it's own Fail2Ban and the one we are used to is not honored when the jail.conf is updated with the IP of your computer.

Wazo Honors it but is so confusing to do ANYTHING in unless you are REALLY into IT or Telephony as a career, then it is probably as simple as Pi. Although Pi is not simple, it's neverending (3.14159..........)
 
  • Like
Reactions: wardmundy

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,133
Reaction score
2,628
One reason I can't don't use Issabel: It has it's own Fail2Ban and the one we are used to is not honored when the jail.conf is updated with the IP of your computer.

Wazo Honors it but is so confusing to do ANYTHING in unless you are REALLY into IT or Telephony as a career, then it is probably as simple as Pi. Although Pi is not simple, it's neverending (3.14159..........)
@Lonnon: Did you modify the jail settings for bantime and ignoreip in the correct whitelist file for Issabel??

/usr/share/issabel/module_installer/issabel-security-4.0.0-2/setup/etc/fail2ban/jail.d/issabel.conf
 

Lonnon

New Member
Joined
Sep 23, 2016
Messages
26
Reaction score
1
I don know if i did but i will try and Report.

P.S. I love having such a great community of helpers.
 
  • Like
Reactions: wardmundy

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,133
Reaction score
2,628
Keep in mind that there are separate settings for each jail so you have to change ALL of them!
 

Lonnon

New Member
Joined
Sep 23, 2016
Messages
26
Reaction score
1
Deal, do i just look for a .conf for every jail, ie asterisk Jail.conf or something similar to that?
 

JFrost

Member
Joined
Oct 1, 2016
Messages
65
Reaction score
4
@wardmundy There is a lot of good info in these forums, some of it (like this thread amongst others) should be "standard" reading/knowledge for anyone embarking out or maintaining these systems. The challenge (from a user's perspective) is that a) much of it is scattered around in various threads and b) you don't know to look for something until after it "bites you in the @ss".

Is there currently any single repo for this? If so I don't think it's highlighted/obvious engouh.
If not, let me suggest that this is a useful endeavor and should be created.

Imho not only would it cut down on some of the threads for what may seem like basic knowledge to you seasoned PBX and/or Linux admins, it would also just generally make for a smoother experience for the hobbyists and those hoping to join the ranks of seasoned PBX admins one day.

I know from my own experiences I've had to plow through some very frustrating moments in my PBX "journey" and with hindsight I see that a lot of it was down to me not knowing some 'x' or 'y' detail. Had there been one comprehensive repository (a wiki or any suitable for 'living' document) I probably could have avoided much of it not to mention not annoying the forum with my seemingly "n00b" questions.

Anyway, food for thought.
J.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,133
Reaction score
2,628
We've tried a wiki before. For whatever reasons, 99% of folks prefer to ask their question and get a prompt reply. I'm not saying it's a bad idea, but someone has to create it AND maintain it. Are you volunteering?
 

JFrost

Member
Joined
Oct 1, 2016
Messages
65
Reaction score
4
We've tried a wiki before. For whatever reasons, 99% of folks prefer to ask their question and get a prompt reply. I'm not saying it's a bad idea, but someone has to create it AND maintain it. Are you volunteering?
If PBX was my day job perhaps but I'm neither capable of contributing much (I'm far from even "power user" let alone any sort of expert) nor am I flush with time. I hear you about the maintenance and it's not trivial for sure - don't think I'm blind to that :).

You say it was tried before. I guess before my time here so, question: Was it a user contributed wiki or was it all on you?
My initial thought above would be for something initially created/seeded by you (perhaps with help from forum vets/regulars?) and then maintained/kept 'living' and expanded as needed by the user base (users with 'x' level of karma/posts/reputation/whatever.)

Yes users "prefer to ask their question and get a prompt reply." By that same token however, if instead of a thread where users [may need to] ask multiple 'levels' or 'clarfications' of the same question/topic they got an answer just linking to a cohesive documentation it might save the back and forth freeing up the forum from noise and centering on better/bigger questions. When such a topic comes along, someone (you, forum vets/regulars who may be made as 'moderators' or just interested parties like the one asking) can add it to the wiki (or whatever.)

Not downplaying the effort but I'm also considering that it takes effort to answer (sometimes repeatedly) these questions in the forum. To some extent I imagine an eventual shift of the effort from answering forum questions thoroughly to maintaining the wiki instead.

Maybe there are others here that WOULD volunteer for such an effort if they were approached about it? Idk.
As I said, food for thought.

J.
 

Tiwiex

New Member
Joined
Jul 14, 2018
Messages
1
Reaction score
0
The whole purpose of Fail2Ban is to block those who make unsuccessful attempts to log into SIP or web resources. If this is that frequent a problem and you've whitelisted the IP addresses, then perhaps you should just turn off Fail2Ban. The firewall will block strangers from attacks anyway.
Hello,
I am having issues with a erpnext. a web based erp solution. i get this connection issues sometimes. and i have narrowed down the problem to fail2ban at last. I make some changes i can't predict on the server config, then connection just stops. I am sure I am not trying login attempts. I suspect the algorithm of fail2ban is faulty checking some irrelevant trend because it was my ip that was banned.

I like your suggestion on stopping fail2ban. I see no other sensible work around unless i can tell it to ignore the FQDN of the particular instance else it will remain an unpredictable behavior with users connecting from anywhere and any IP. Like you said, stop fail2ban and count on hardening the server. But seriously, what's the purpose of fail2ban if it keeps getting in the way?

I will try your suggestion and keep my fingers crossed.
Thanks for also agreeing with my thoughts.
 

tycho

Guru (not...)
Joined
Aug 9, 2011
Messages
593
Reaction score
229
But seriously, what's the purpose of fail2ban if it keeps getting in the way?
Well, most of the time it =doesn't= get in the way. I have Fail2Ban running on 4 boxes right now, each doing different things, and it performs well and as it should. Your particular scenario may just be something that doesn't agree with Fail2Ban...
 

Members online

Latest Posts

PIAF 5 - Powered by 3CX

Forum statistics

Threads
22,364
Messages
137,341
Members
14,574
Latest member
ipv6freely