SUGGESTIONS Fail2ban possible bug?

progs_00

Active Member
Joined
Jan 6, 2014
Messages
132
Reaction score
37
Hello guys,

I need a confirmation on that because I'm not sure. I'm on IncrediblePBX 13-12.2 on CentOS 6.7 and have been having troubles with fail2ban not banning anything on ssh. After checking jail.conf I saw that the ssh filter was inserted and enabled twice (once right at the top at line 17 and once at line 97). The lines are practically the same with the difference being that the entry at line 97 sends an email after ban. After commenting the entry at line 17, fail2ban starts working again.

Edit: It seems that fail2ban also doesn't ban wrong password entries from the web interface
 
Last edited:
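A quick way to check a jail file for the kind of duplicate section described in the post above, as an added example that is not part of the thread. The section names and sample contents are constructed, and the parser is a simplified INI reader written for this illustration, not fail2ban's own config loader.

```python
import re
from collections import defaultdict

# Constructed sample, not the poster's real jail.conf: one jail defined twice,
# the second copy adding a mail action.
SAMPLE_JAIL_CONF = """\
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]

[asterisk-iptables]
enabled = true
filter = asterisk

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root]
"""

SECTION = re.compile(r"^\[([^\]]+)\]\s*$")
OPTION = re.compile(r"^([\w.-]+)\s*[=:]\s*(.*)$")

def find_duplicate_jails(text):
    """Map each section defined more than once to [(header_line, options), ...]."""
    seen, options, key = defaultdict(list), None, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if not raw[0].isspace() and (m := SECTION.match(line)):
            options, key = {}, None
            seen[m.group(1)].append((no, options))
        elif options is not None and raw[0].isspace() and key:
            options[key] += "\n" + line          # indented continuation line
        elif options is not None and (o := OPTION.match(line)):
            key = o.group(1)
            options[key] = o.group(2)
    return {name: defs for name, defs in seen.items() if len(defs) > 1}

def differing_options(defs):
    """Option names whose values differ between the copies of one section."""
    keys = set().union(*(opts for _, opts in defs))
    return sorted(k for k in keys if len({opts.get(k) for _, opts in defs}) > 1)

if __name__ == "__main__":
    for name, defs in find_duplicate_jails(SAMPLE_JAIL_CONF).items():
        print(name, [no for no, _ in defs], differing_options(defs))
```

Pass the function the text of jail.conf or jail.local to list every section header that appears more than once, with the line numbers of each copy and the options that differ between them.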

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
Ummm, by default nothing should be able to even get to those ports (except what you opened during install and using TravlinMan), unless you have messed with IPtables yourself. If that is the case, I imagine Ward will say you are on your own as you have moved outside of his packaged product.
 

progs_00

Active Member
Joined
Jan 6, 2014
Messages
132
Reaction score
37
Hi tbrummell and thanks for replying. You are definitely right here and in fact nothing is getting close to my ports as they are on the inside of my network and my ssh port is not even the default one. However fail2ban is another layer of security and if it is there I expect it to do its work as it should.
Can you please confirm if your fail2ban blocks ssh access after some wrong entries so as to verify that it's not only my issue?
I've also managed to ban access to http and https and if there is interest I'm gonna prep a jail.local with all the corrections
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
Right! Secure from the internal users as well. :) My systems are all in lab environments, or my home, so no worry on the internal users.

That being said, I do have my latest install on a C@C instance, open to the world. Yeah, insert standard disclaimer here. I am using Fail2Ban to block SIP passwords and SSH, both work as expected. BUT, I don't believe they did out of the box. Pretty sure I had to modify jail.local quite heavily to get it working to my satisfaction.
 

progs_00

Active Member
Joined
Jan 6, 2014
Messages
132
Reaction score
37
Nooooo! I trust my beloved users. Mostly because they are probably reading this :biggrin:
Jokes aside I don't have any particular issue from my lan users but you know how security works. I'm prepared so I don't have to suffer consequences.
If you don't mind me asking how come you left your box open?
You also gave me an idea. Instead of reinventing the wheel and modifying the same stuff every time, why don't we post a sample jail.local that we can work on (meaning everyone in the forum who is interested) and adapt it to pbxiaf needs and maybe Ward can include it in the final distro?
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
"If you don't mind me asking how come you left your box open?"
I travel, and I wanted SIP/IAX access whenever, wherever, without having to deal with Travlinman. Everything else is locked down, it's just SIP & IAX open to the world.
 

tycho

Guru (not...)
Joined
Aug 9, 2011
Messages
652
Reaction score
272
I sometimes enable non-travelin' man access to IAX2 on my C-a-C PBX when leaving on a trip. But I also then use a non-standard IAX2 port, total call length limits, cost-per-minute limits, total call cost limits, populated with a single VSOP that has only a few bucks in the account, no auto-replenish and no associated payment credentials. The likelihood that someone figures out it is IAX2 (the overwhelming majority of scanners and scammers are looking for SIP) on a weird port is pretty darn slim. If they do, oh well, there goes my $5.

Knocking on wood - hasn't (as yet) ever even been noticed.

One of the beauties of a lifetime $3.50 C-a-C server...
 
