SOLVED IPTables or Fail2Ban issue?

geopeterwc

Guru
Joined
Aug 17, 2010
Messages
385
Reaction score
131
I am away from the "home" network used to build the IncrediblePBX 13-13 LEAN system on Hosted Simply. Accessing the system by way of the original network used to build the iPBX, the server continues to be working as intended.

Using ./add-ip to add the IP address of the temporary (remote) network, initially everything was working very well and as expected. But after making some system updates, I appear to be locked out of the VPS server from the remote location.

Following a reboot of the VPS server after adding some system recordings and making some configuration adjustments, the VPS is no longer accessible at this location.

So, I "readded" the local IP address by way of the VPS Control Panel, but now I appear to be locked out of the VPS server from the alternate network. Full access to the VPS is possible via remote control of the "home" network - no problems.

Most recently, when re-adding the local IP address using ./add-ip, at its conclusion the process reports:

The following iptables rules now are in effect for 109.33.155.199:
ACCEPT all -- 109.33.155.199 0.0.0.0/0
ACCEPT all -- 109.33.155.199 0.0.0.0/0
ACCEPT all -- 109.33.155.199 0.0.0.0/0
REJECT all -- 109.33.155.199 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 109.33.155.199 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 109.33.155.199 0.0.0.0/0 reject-with icmp-port-unreachable


I suspect that the issue is in the "REJECT" lines. How do I remove them, and reduce the "ACCEPT" lines to only one line? Can the iPTABLES (or Fail2Ban) file(s) be edited to make the correction, and where are they located?

Thanks in advance for insight and guidance re. how to resolve this issue.
/Pete./
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
fail2ban-client set asterisk unbanip 109.33.155.199

Check /var/log/messages to see if it's really fail2ban knocking 109.33.155.199 out, I assume it is.

Add 109.33.155.199 to ignoreip= in fail2ban.conf or jail.conf/jail.local, it's in there somewhere.
 

geopeterwc

Thanks @tbrummell ... your suggestion is on the right path and results in a changed behavior.

The fail2ban-client command worked to allow, though brief, access to the server from the local network before locking out the local IP address. I might be overlooking it, but was unable to find the ignoreip= reference point in fail2ban.conf, and this system doesn't have a jail.conf/jail.local file in the fail2ban folder.

So, for certain, I'm missing something here, or not looking for the file in the "right" places.

/Pete./
 

geopeterwc

Thanks, @wardmundy. I found that just after I had posted above, and now if I run the fail2ban-client command as before, I get a "109.33.155.199 is not banned" message. That's progress, I think.

I have restarted both fail2ban and iptables to ensure that the change made 'sticks.'

But when I return to the remote network, I'm still unable to 'see' the server with ping or ssh or access the GUI to the address of the server.

edit: It's likely that this occurred because of an incorrect/invalid configuration of Zoiper on a cell phone that I was intending to use in the remote network while away from the home network!

/Pete./
 

tbrummell

It's obvious something on that network is causing F2B to block you. Probably best to figure out what that is. Or you can ignore the IP in the jail file once you find it.
 

geopeterwc

"No such file or directory" ... indeed ... the /var/log folder does not contain a fail2ban log file.
 

geopeterwc

So, failing at applying only the fixes above to resolve the connection problem, I resorted to rebooting the VPS server by way of the VPS Control Panel. Duh! And ... yahoo! It WORKS!

I suspect that the problem was ultimately the incorrect configuration of a cell phone with Zoiper installed that was repeatedly causing Fail2Ban to lock out the local IP address. Now, that's working too!

Sometimes, ya' just got'ta kick the tires and hope for the best! And so, the storal of the mory is that when all else fails: reboot!

/Pete./
 

rick

Member
Joined
Dec 30, 2008
Messages
148
Reaction score
12
Having a similar problem with fresh install of incrediblepbx-13-13-LEAN, after running Phase II ./IncrediblePBX-13-13.sh, I am locked out of everything. I am able to finish installation via console at Vultr. Have tried twice to do the fresh install. Have added my IP to the white list. Have checked the iptables which has my IP and the server IP as accepted. I am able to run fail2ban-client to unban my ip but it is short lived, banned again after 20-30 seconds. There is no /var/log/fail2ban.log. Have tried rebooting. Any ideas? Thanks
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,202
Reaction score
5,224
Do you have a softphone or SIP phone that is attempting to register without a proper extension and password??
 

rick

:clap: That's what it was, SIP phone from previous install. Thanks Ward.
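
Added example, not part of the thread: both lockouts traced back to a phone re-registering with bad credentials, so an unban only lasts until the next failed attempts. This sketch counts failed SIP registrations per source IP and extension to find the offending device; the chan_sip log format, the /var/log/asterisk/full path, the threshold and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format chan_sip writes to the Asterisk log
# (assumed path: /var/log/asterisk/full). Extensions, timestamps and the
# second source address are invented for illustration.
SAMPLE_LOG = """\
[2016-03-01 10:15:01] NOTICE[2231] chan_sip.c: Registration from '"701" <sip:701@203.0.113.10>' failed for '109.33.155.199:5060' - Wrong password
[2016-03-01 10:15:06] NOTICE[2231] chan_sip.c: Registration from '"701" <sip:701@203.0.113.10>' failed for '109.33.155.199:5060' - Wrong password
[2016-03-01 10:15:09] VERBOSE[2231] chan_sip.c: Registered SIP '702' at 192.0.2.25:5060
[2016-03-01 10:15:11] NOTICE[2231] chan_sip.c: Registration from '"701" <sip:701@203.0.113.10>' failed for '109.33.155.199:5060' - Wrong password
[2016-03-01 10:15:16] NOTICE[2231] chan_sip.c: Registration from '"701" <sip:701@203.0.113.10>' failed for '109.33.155.199:5060' - Wrong password
[2016-03-01 10:16:40] NOTICE[2231] chan_sip.c: Registration from '<sip:200@203.0.113.10>' failed for '198.51.100.7:5071' - No matching peer found
"""

# "Registration from '<From header>' failed for '<ip>[:port]' - <reason>"
FAILED = re.compile(
    r"Registration from '([^']*)' failed for "
    r"'(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (.+)$"
)
EXTENSION = re.compile(r"sip:([^@>;]+)@")


def failed_registrations(lines):
    """Count failures keyed by (source_ip, extension, reason)."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # successful registrations and unrelated lines
        ext = EXTENSION.search(m.group(1))
        key = (m.group(2), ext.group(1) if ext else "?", m.group(3).strip())
        counts[key] += 1
    return counts


def offenders(lines, threshold=3):
    """Return {ip: [(extension, reason, count), ...]} for IPs whose total
    failures reach the threshold (an assumed stand-in for the jail's maxretry)."""
    by_ip = defaultdict(list)
    for (ip, ext, reason), n in failed_registrations(lines).items():
        by_ip[ip].append((ext, reason, n))
    return {ip: sorted(rows) for ip, rows in by_ip.items()
            if sum(n for _, _, n in rows) >= threshold}


if __name__ == "__main__":
    for ip, rows in offenders(SAMPLE_LOG.splitlines()).items():
        for ext, reason, n in rows:
            print(f"{ip}: extension {ext} failed {n}x ({reason})")
```

To run it against a live system, pass an open log file instead of the sample, for example `offenders(open("/var/log/asterisk/full", errors="replace"))`.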
 
