TIPS Can I Stop Fail2ban from banning my IP?

Lonnon

New Member
Joined
Sep 23, 2016
Messages
26
Reaction score
1
I had to reinstall my server today and I forgot to unplug the phones, so they were trying to register when I was done reinstalling, and fail2ban immediately locked my IP from accessing SSH and the webserver. I went in from noVNC in ImpactVPS and was able to remove it from the jail. Is there a way to stop fail2ban from banning that IP?
 

Lonnon

New Member
Joined
Sep 23, 2016
Messages
26
Reaction score
1
If I do the command "set <JAIL> addignoreip <IP>" for fail2ban, will this cause security issues?
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,607
Reaction score
826
In your /etc/fail2ban/jail.conf

you will see something like


# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
Code:
ignoreip = 127.0.0.1/8 22.33.44.55/29


Just adjust that to suit.
 

JFrost

Active Member
Joined
Oct 1, 2016
Messages
351
Reaction score
93
Thanks for the tip. Any way to manage this when the IP is dynamic?
 

JFrost

Active Member
Joined
Oct 1, 2016
Messages
351
Reaction score
93
That's one of the first things done, plus it's the same IP I'm installing from so should automatically be whitelisted for that reason. Still if my phones are trying to register (and on a new install, their passwords are all wrong) I WILL get locked out of remote shell (actually, locked out of everything, webi included.) Only local (ovh) console works till I unban the IP.

If it helps, the ban gets put into the 'asterisk-xivo' jail rather than ssh jail. In 'iptables -nL' it's listed in the 'Asterisk' context.

Edit - the way I've been getting around it is to block all udp traffic to wazo at the firewall but I have to take that rule down once I start adding phones and as soon as I do it's a race against fail2ban.
J.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,607
Reaction score
826
Dynamic addresses are awarded within a pool of addresses. If you do a whois on your current IP address, there will be one or more network/netmasks shown; choose the smallest one.

For example, in Phoenix on a Cox service you might get back
.
.
.
NetRange: 184.179.8.0 - 184.179.15.255
CIDR: 184.179.8.0/21
.
.
.

allow 184.179.8.0/21
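An added example (not from the thread) of what the ignoreip match amounts to: parse an ignoreip line with space/comma separators, bare hosts and CIDR ranges, and report which entry covers a given address. The sample line is constructed, reusing the Cox /21 above as the home range; FQDN entries are skipped here because resolving them needs DNS, which fail2ban does itself at runtime.

```python
import ipaddress

# Constructed sample in the style of /etc/fail2ban/jail.conf; 184.179.8.0/21
# is the whois range quoted in the thread, the others are made up.
SAMPLE_IGNOREIP = "ignoreip = 127.0.0.1/8, 184.179.8.0/21 10.0.0.5"


def parse_ignoreip(line):
    """Return the networks listed on an 'ignoreip = ...' line.

    fail2ban accepts space and/or comma separators; a bare host becomes a
    /32 network. Tokens that are not an address or CIDR (e.g. an FQDN) are
    skipped because this runs offline.
    """
    _, _, value = line.partition("=")
    networks = []
    for token in value.replace(",", " ").split():
        try:
            networks.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            pass  # FQDN or junk: would need DNS, not handled here
    return networks


def ignoring_entry(line, ip):
    """Return the ignoreip entry covering ip, or None if fail2ban would not ignore it."""
    addr = ipaddress.ip_address(ip)
    for net in parse_ignoreip(line):
        if addr in net:
            return str(net)
    return None


if __name__ == "__main__":
    for ip in ("184.179.12.34", "184.179.16.1", "10.0.0.5", "24.1.2.3"):
        print(ip, "->", ignoring_entry(SAMPLE_IGNOREIP, ip))
```

An address one past the /21 (184.179.16.1) is not covered, which is why choosing the smallest netmask that still contains your current address matters.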
 

JFrost

Active Member
Joined
Oct 1, 2016
Messages
351
Reaction score
93
Dynamic addresses are awarded within a pool of addresses. If you do a whois on your current IP address, there will be one or more network/netmasks shown; choose the smallest one.

For example, in Phoenix on a Cox service you might get back
.
.
.
NetRange: 184.179.8.0 - 184.179.15.255
CIDR: 184.179.8.0/21
.
.
.

allow 184.179.8.0/21

Thanks, but are you saying to open a range because you think my IP is changing (I don't think so; it's always the same IP getting blocked) or because you think supplying a range will fool fail2ban into respecting the whitelist?

Also, how would I handle this CIDR notation whitelisting dynamically?

thanks,
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,607
Reaction score
826
No, you are not fooling fail2ban, you are instructing it to

ignoreip = list of hosts/networks

If your IP falls within one, then it is not fail2ban blocking it.
 

JFrost

Active Member
Joined
Oct 1, 2016
Messages
351
Reaction score
93
Respectfully, I think I have to differ.

I clear the ban with 'fail2ban set asterisk-xivo unbanip 24.xxx.xxx.xxx' and here's what it looks like banned (see image). Note that the same 24.x.x.x is in the ACCEPT list as ALL and 0.0.0.0/0, yet it's still banned in 'Chain fail2ban-ASTERISK' with 'reject-with icmp-port-unreachable'.
That certainly looks to me like fail2ban is what's blocking.
This ban took less than 30 seconds from enabling one unregistered client (ATM Zoiper on my cell).

Please correct me if I'm wrong and point me in the right direction. This is consistently reproducible btw.


EDIT - Sorry, forgot the screenshot -

J.

http://azariatech.com/media/fail2banned.jpg
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
The whole purpose of Fail2Ban is to block those who make unsuccessful attempts to log into SIP or web resources. If this is that frequent a problem and you've whitelisted the IP addresses, then perhaps you should just turn off Fail2Ban. The firewall will block strangers from attacks anyway.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,607
Reaction score
826
Respectfully, I think I have to differ.

I clear the ban with 'fail2ban set asterisk-xivo unbanip 24.xxx.xxx.xxx' and here's what it looks like banned (see image). Note that the same 24.x.x.x is in the ACCEPT list as ALL and 0.0.0.0/0, yet it's still banned in 'Chain fail2ban-ASTERISK' with 'reject-with icmp-port-unreachable'.
That certainly looks to me like fail2ban is what's blocking.
This ban took less than 30 seconds from enabling one unregistered client (ATM Zoiper on my cell).

Please correct me if I'm wrong and point me in the right direction. This is consistently reproducible btw.


EDIT - Sorry, forgot the screenshot -

J.

http://azariatech.com/media/fail2banned.jpg

OK, we have a little disconnect here. You said

Any way to manage this when the IP is dynamic?

so I told you how, then you said

because you think my ip is changing

but no, I don't; that was your inference. If it is not changing, then you either don't have a dynamic (DHCP awarded) IP, or you do but it is quite stable. Only you and your ISP will know if you have a static or dynamic IP.

The way iptables works is that it starts at the top of iptables -L. You have an ACCEPT (in an unknown chain, your screenshot cut it off), and iptables will terminate with that acceptance, so the later REJECT would not be processed.

Please post the actual ignoreip = line you have, because if "... always the same IP getting blocked" is in the ignore list then it would never be in any fail2ban jail, 'cos that's how it works.
 

JFrost

Active Member
Joined
Oct 1, 2016
Messages
351
Reaction score
93
The whole purpose of Fail2Ban is to block those who make unsuccessful attempts to log into SIP or web resources. If this is that frequent a problem and you've whitelisted the IP addresses, then perhaps you should just turn off Fail2Ban. The firewall will block strangers from attacks anyway.
Yes, it should block unsuccessful SIP attempts, but if those SIP attempts are coming from an address I whitelisted (either by add-fqdn or add-ip) then shouldn't fail2ban ignore those?
My understanding of a whitelist is "do not block these addresses. Period."

Btw, the problem is encountered only when Wazo/Asterisk isn't working and/or when rebuilding the server (as I am now with the 17.14 thing). In normal operation it doesn't happen, presumably because there are no SIP failures. But it does make me wonder what would happen if I or a user changed her password and neglected a device (softphone). Doesn't seem like that should lock my whole site from access if it's whitelisted, but it appears that is what the outcome would be.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,607
Reaction score
826
Yes, it should block unsuccessful SIP attempts, but if those SIP attempts are coming from an address I whitelisted (either by add-fqdn or add-ip) then shouldn't fail2ban ignore those?
My understanding of a whitelist is "do not block these addresses. Period."

Btw, the problem is encountered only when Wazo/Asterisk isn't working and/or when rebuilding the server (as I am now with the 17.14 thing). In normal operation it doesn't happen, presumably because there are no SIP failures. But it does make me wonder what would happen if I or a user changed her password and neglected a device (softphone). Doesn't seem like that should lock my whole site from access if it's whitelisted, but it appears that is what the outcome would be.


I think you will find that add-fqdn and add-ip are NOT part of fail2ban's additions to iptables chains; you would need to make sure that those are added BEFORE fail2ban starts. That would be one for Ward!
 

JFrost

Active Member
Joined
Oct 1, 2016
Messages
351
Reaction score
93
OK, we have a little disconnect here. You said

Any way to manage this when the IP is dynamic?

so I told you how, then you said

because you think my ip is changing

Yes, apparently we have a disconnect. I think it's that I didn't realize your suggestion about whitelisting a range was in response to the dynamic IP rather than in response to the fact that my IP is already whitelisted but still getting blocked.
I had incorrectly assumed the solution to dynamic IPs would be based on resolving the DDNS name and updating f2b's whitelist.

When you offered the suggestion to whitelist the CIDR range, I thought it was a workaround for f2b not respecting the existing whitelist rule.

but no, I don't; that was your inference. If it is not changing, then you either don't have a dynamic (DHCP awarded) IP, or you do but it is quite stable. Only you and your ISP will know if you have a static or dynamic IP.
The IP is dynamic but it is fairly stable. It does not change [typically] without a [cable] modem reboot. So my initial question was how to update the whitelist when the IP [infrequently] changes.

The way iptables works is that it starts at the top of iptables -L. You have an ACCEPT (in an unknown chain, your screenshot cut it off), and iptables will terminate with that acceptance, so the later REJECT would not be processed.

Please post the actual ignoreip = line you have, because if "... always the same IP getting blocked" is in the ignore list then it would never be in any fail2ban jail, 'cos that's how it works.

I am running the stock TM3 firewall rules bundled with Wazo/IncrediblePBX. All the ACCEPTs are based on IPBX scripts for adding whitelist entries (either 'add-ip' or 'add-fqdn').
I would assume those should properly place the rules to avoid what you described above, but here is the iptables -nL output as requested: https://pastebin.com/FEGt65Br
 

JFrost

Active Member
Joined
Oct 1, 2016
Messages
351
Reaction score
93
I think you will find that add-fqdn and add-ip are NOT part of fail2ban's additions to iptables chains; you would need to make sure that those are added BEFORE fail2ban starts. That would be one for Ward!
So you're saying that add-ip and add-fqdn are whitelisting in iptables but not in f2b?

That would explain the behavior, but everything I've read never really made that distinction. @wardmundy, is that the case? Do I need to whitelist in f2b separately from the scripts IPBX provides?

Thanks
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,607
Reaction score
826
No, I am saying that the order of precedence of iptables, as you have it, prefers the fail2ban rules before the add-ip and add-fqdn rules are in place; that would need to be changed for such "whitelists" to work. fail2ban should ONLY be started after all other critical rules are in place. Perhaps Ward can comment . . . .
 

JFrost

Active Member
Joined
Oct 1, 2016
Messages
351
Reaction score
93
No, I am saying that the order of precedence of iptables, as you have it, prefers the fail2ban rules before the add-ip and add-fqdn rules are in place; that would need to be changed for such "whitelists" to work. fail2ban should ONLY be started after all other rules are in place. Perhaps Ward can comment . . . .

OK. That makes sense (and thank you for clarifying. Hard being a newbie sometimes.)

TIL - fail2ban != iptables. They are related but separate.
TIL - I'm greener about Linux firewalls than I thought.
"The more you know, the more you find you don't know."

I found some info saying that f2b's jail.conf will accept an FQDN in the 'ignore' line, so I'm gonna try that out now.

EDIT - Yep, that seems to have cleared it up. Wish I'd known this a couple of patches of hair ago :)
My conclusion/suggestion is that this either needs to be documented with the TM firewall to be clearer or (perhaps preferably) have f2b respect the whitelist rules set by add-ip and add-fqdn.

J.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,607
Reaction score
826
OK. That makes sense (and thank you for clarifying. Hard being a newbie sometimes.)

TIL - fail2ban != iptables. They are related but separate.
TIL - I'm greener about Linux firewalls than I thought.
"The more you know, the more you find you don't know."

I found some info saying that f2b's jail.conf will accept an FQDN in the 'ignore' line, so I'm gonna try that out now.


Again NO, they all contribute to iptables' effectiveness: fail2ban adds rules to iptables, as do "add-ip and add-fqdn"; the order in which this is done is, however, critical. Think of it as a filter (it is): if rule 1 passes, then good and you continue to rule 2; if it fails, then there is no rule 2, you are SOOL; otherwise you go on to rule 2 . . . .

Yes, fail2ban's ignoreip accepts both raw networks/hosts and FQDNs, but fix the order first.
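An added example (not posted in the thread) that simulates the first-match walk just described: the same whitelist ACCEPT for the home address either sits above the jump into the fail2ban chain or below it, and the verdict flips accordingly. The chains, the constructed address 24.0.0.10 and the DROP policy are assumptions for the simulation, not a copy of the TM3 rules.

```python
import ipaddress


def first_match(chains, chain_name, src):
    """Walk one chain top-down; the first matching terminal rule decides.

    A target that names another chain is a jump. If the sub-chain falls off
    the end (or hits RETURN), evaluation continues in the calling chain.
    """
    addr = ipaddress.ip_address(src)
    for rule in chains[chain_name]:
        if addr not in ipaddress.ip_network(rule["src"]):
            continue
        target = rule["target"]
        if target in chains:                      # jump, e.g. -> fail2ban-ASTERISK
            sub = first_match(chains, target, src)
            if sub != "RETURN":
                return sub                        # sub-chain reached a verdict
            continue                              # sub-chain returned: keep walking
        return target                             # ACCEPT / REJECT / RETURN
    return "RETURN"


def verdict(chains, src):
    """Final verdict for a packet from src entering INPUT (assumed policy DROP)."""
    v = first_match(chains, "INPUT", src)
    return "DROP" if v == "RETURN" else v


# Constructed rules. fail2ban's chain: the banned home address, then RETURN.
FAIL2BAN = [{"src": "24.0.0.10/32", "target": "REJECT"},
            {"src": "0.0.0.0/0", "target": "RETURN"}]
WHITELIST = {"src": "24.0.0.10/32", "target": "ACCEPT"}   # what add-ip installs
JUMP = {"src": "0.0.0.0/0", "target": "fail2ban-ASTERISK"}

# fail2ban started before add-ip ran: its jump is above the whitelist ACCEPT.
CHAINS_F2B_FIRST = {"INPUT": [JUMP, WHITELIST], "fail2ban-ASTERISK": FAIL2BAN}
# Whitelist rules in place first, fail2ban's jump added below them.
CHAINS_WHITELIST_FIRST = {"INPUT": [WHITELIST, JUMP], "fail2ban-ASTERISK": FAIL2BAN}

if __name__ == "__main__":
    print("f2b first:      ", verdict(CHAINS_F2B_FIRST, "24.0.0.10"))
    print("whitelist first:", verdict(CHAINS_WHITELIST_FIRST, "24.0.0.10"))
    print("stranger:       ", verdict(CHAINS_F2B_FIRST, "203.0.113.7"))
```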
 

JFrost

Active Member
Joined
Oct 1, 2016
Messages
351
Reaction score
93
Again NO, they all contribute to iptables' effectiveness: fail2ban adds rules to iptables, as do "add-ip and add-fqdn"; the order in which this is done is, however, critical. Think of it as a filter (it is): if rule 1 passes, then good and you continue (there is no rule 2); if not, and rule 2 denies, then guess what . .

Like a usual filtering firewall, I get that. Rules at top first, etc. Pass through or fall to next till you get to the drop-all rule. My Mikrotik routers filter the same way.

I still don't get f2b's actual specific role or how it does it, though, so I'll have to make a point of learning some. It's not just a rule-maker for iptables, as the ignore/whitelist I added to jail.conf doesn't appear anywhere in the output of iptables -nL, yet it still seems to work, so f2b has to be running on its own as well as using/augmenting iptables.

Anyway, I do appreciate you taking the effort to explain it to me; I might just need to do some more in-depth reading on my own, and I don't want to wear you down beating this horse.

Thanks Dicko,
 
