BUG Fail2Ban not running

Discussion in 'Bug Reporting and Fixes' started by awair, Jan 5, 2015.

  1. awair

    awair Member

    I am on a fairly recent installation of 3.6.5, and have just noticed that Fail2Ban is not running and will not start.

    I have re-run update-fixes today & restarted the system, but still no joy.

    Is there any way to reset this to a 'clean' config, to fix start errors?

    These are the last log entries, after a couple of IPs were banned/unbanned. There are no entries in the log for the failed start attempts, even with log level set to 'Debug'.

    No idea what, if anything, happened on Dec 19, don't believe I made any changes to the system - it has just stopped...

    Many thanks for any advice available.
     
  2. awair

    awair Member

    Looks like it is (partly) fixed, thanks to this post:
    http://pbxinaflash.com/community/index.php?threads/fail2ban-wont-enable.15301/

    Didn't see that with a Forum search, but google pulled it up.

    I now have numerous errors, in the format:
     
  3. howardsl2

    howardsl2 Guru

    Here's how to fix the errors:

    Edit /etc/fail2ban/jail.local, replace every asterisk-security with asterisk. You can find them on the filter lines. This solves the errors in your logs. In addition, you will find two "name=PBX-GUI" in that file. Replace the second one with e.g. "name=PBX-GUI-2". Then save and restart fail2ban.

    Unfortunately, your changes to that file will be reverted by the sysadmin module at every FreePBX reload. You may want to back up jail.local or make it immutable.
     
  4. awair

    awair Member

    Many thanks for the fix - can we expect anything permanent with a further update?
     
  5. billsimon

    billsimon Experienced in Asterisk, FreePBX, and SIP


    This is not necessary. I was troubleshooting this same problem tonight and found that the source of the error is incorrect regex in the asterisk-security filter.

    Check /etc/fail2ban/filter.d/asterisk-security.conf. On mine, lines 34-37 are the SECURITY lines and have an error. Where you see SIP|AMI it should be (SIP|AMI). Look farther down the line at the (UDP|TCP|TLS) part for an example.

    Just fix those four lines by putting ( ) around SIP|AMI, save, and restart fail2ban.
     
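The effect of the missing parentheses described in billsimon's post, as an added example that is not part of the thread and not the distro's filter file. The patterns, the log lines, the simplified IPv4 stand-in for the named group that fail2ban substitutes for `<HOST>`, and the `extract_host` helper are all constructed for illustration.

```python
import re

# Simplified stand-in for the named group fail2ban substitutes for <HOST>
# (assumption: IPv4 only, for illustration).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed patterns modelled on the post's description; these are not
# the actual lines from asterisk-security.conf.
BROKEN = (r'SECURITY.* SecurityEvent="InvalidPassword".*Service="SIP|AMI".*'
          r'RemoteAddress="IPV[46]/(UDP|TCP|TLS)/' + HOST + r'/\d+"')
FIXED = BROKEN.replace("SIP|AMI", "(SIP|AMI)")

# Constructed log lines using documentation-range addresses.
SIP_FAIL = ('[2015-01-05 10:00:00] SECURITY[1234] res_security_log.c: '
            'SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",'
            'AccountID="100",LocalAddress="IPV4/UDP/192.0.2.10/5060",'
            'RemoteAddress="IPV4/UDP/203.0.113.7/5060"')
AMI_OK = ('[2015-01-05 10:00:05] SECURITY[1234] res_security_log.c: '
          'SecurityEvent="SuccessfulAuth",Severity="Informational",'
          'Service="AMI",AccountID="admin",'
          'LocalAddress="IPV4/TCP/192.0.2.10/5038",'
          'RemoteAddress="IPV4/TCP/192.0.2.50/41000"')


def extract_host(pattern, line):
    """Return (matched, host). host is None when the match came from a
    branch of the alternation that does not contain the host group."""
    m = re.search(pattern, line)
    if m is None:
        return (False, None)
    return (True, m.group("host"))


if __name__ == "__main__":
    # Without parentheses, "|" splits the WHOLE pattern in two:
    #   left : SECURITY ... Service="SIP        (no host group at all)
    #   right: AMI" ... RemoteAddress=".../<host>/port"  (no event check)
    for name, pattern in (("broken", BROKEN), ("fixed", FIXED)):
        for label, line in (("SIP failure", SIP_FAIL), ("AMI success", AMI_OK)):
            print(name, label, extract_host(pattern, line))
```

With the unparenthesized pattern, the failed SIP login matches but yields no address to ban, while the successful AMI login matches the right-hand branch and yields an address even though it is not a failure; the parenthesized pattern reverses both outcomes.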
  6. wardmundy

    wardmundy Nerd Uno

    awair: Which version of Asterisk and FreePBX are running on your server??
     
  7. awair

    awair Member

    Running 3.6.5 with Asterisk 11.7.0 & FreePBX 2.11.0.42. Can't remember which colour I selected during setup, but think it was recommended (at the time).
     
  8. graybans

    graybans Member

    I am having the same issue, except Webmin is also affected.
    Running 3.0.6.5 on Scientific Linux 6.6 with Asterisk 1.15.0 & FreePBX 2.11.0.42 => PIAF Green (Modified w/ no changes per nerdvittles instructions).
     
  9. awair

    awair Member

    I am somewhat fortunate in this respect, in that I have two 'identical' systems to compare: both installed at the same time on identical hardware. The only difference has been their usage (and update status).

    Having inspected both systems, the contents of jail.local are quite different and asterisk-security.conf are almost identical. However, only the above system has the error. The other system is running 3.6.5 with Asterisk 11.7.0 & FreePBX 2.11.0.38.

    I will check FreePBX on both systems to try to determine the cause, and delay upgrading the 'older' system.
     
  10. awair

    awair Member

    FYI:

    In jail.local the following 'Filter Action Jails' do not exist in the prior version:
    pbx-gui
    recidive

    In asterisk-security.conf there is 'back-slash/forward-slash' between items (\/), instead of only forward slash (/):
    I don't know enough to determine if there are any errors/omissions...
     
  11. wardmundy

    wardmundy Nerd Uno

    Up until now, we have included direct access to Schmooze's repo as a means of allowing users that wanted to use commercial modules to have access to the latest RPMs to support those modules. This was with the understanding that the repo would only be used for RPMs that directly affected the commercial modules. Since the "asterisk" user does not have permissions to the fail2ban directory structure, the only possible way these config files could be changed is through an RPM update to fail2ban itself.

    We believe the new jail.conf and asterisk-security setup is used to support a redesigned error log setup with FreePBX Distro. Reportedly, the purpose was to speed up the ability of Fail2Ban to scan the error log for intrusions. However, that presupposes that all of the pieces were in place to support the new error log setup, none of which has been documented so far as we know. Perhaps one of the Schmooze/Sangoma folks will comment when they get an opportunity.

    We've chosen to go the IPtables WhiteList route because Fail2Ban has been notoriously unreliable over the years. We will continue to investigate the cause of this. In the meantime, we plan to rework the PIAF repo setup and directly implement an IPtables whitelist for new installs to better protect our users.
     
  12. awair

    awair Member

    Thanks, Ward for the update.
     
  13. awair

    awair Member

    On 4th January I ran the commands:

    As indicated by my earlier post:

    I have just run these commands again today (9th January), received another new patch (0.8.8... version 121), and the problem seems to have disappeared.

     
  14. howardsl2

    howardsl2 Guru

    FYI, an updated fail2ban package was released today in the schmooze-commercial repo. I compared the files and see that the new version includes the fix mentioned above by billsimon for asterisk-security.conf. That bug was introduced in the Aug. 2014 fail2ban version.

    http://issues.freepbx.org/browse/FREEPBX-8277

    To update, run command "yum update fail2ban" (make sure it installs from the repo above), and then restart fail2ban.
     
  15. wardmundy

    wardmundy Nerd Uno

    hwdsl2: Suspicion (quietly) confirmed. Thanks for the heads up and an FYI to darmock.
     
  16. billsimon

    billsimon Experienced in Asterisk, FreePBX, and SIP

    From the linked FreePBX ticket:

    Suspected reasons for $6000 bill:
    • incorrect configuration of dial plan
    • short/simple passwords on extensions
    • exploitable web interface (unpatched Apache and/or FreePBX)
    Not really to blame:
    • fail2ban
    fail2ban can slow down an attacker but not prevent an intrusion. Get your system secure first and then add fail2ban for a warm fuzzy outer layer.
     
  17. darmock

    darmock PIAF Developer

    I like warm and fuzzy! Yep we are reworking the repos for PIAF. We will include the latest stable (according to PIAF) version of fail2ban in our repo. Ward and I are working on some other little surprises for our distro also.


    Tom
     
  18. awair

    awair Member

    As of 1/10/15, after running:
    Fail2ban now appears to be working correctly.

    As I was replacing an ancient Trixbox installation, I presume that I was still more secure with PIAF even without fail2ban during this interim period?

    I am now receiving dozens of emails about 'bans' - should I leave fail2ban to deal with these, or should I add any recurring IP addresses to a blacklist or (router) firewall?

    Thanks again for the great support.
     
  19. darmock

    darmock PIAF Developer

    I tend to blacklist recurring IPs; however, the way to go is the whitelist. Be patient, we are working on bringing it to PIAF base systems.


    Tom
     
  20. awair

    awair Member

    Thanks Tom.