I've just been switching over to ClearOS 7.2 today and hit a similar
issue. I found the default action in
/etc/fail2ban/jail.d/00-firewalld.conf which was set to "banaction =
firewallcmd-ipset" which is no good for me as ClearOS uses iptables. To
correct it I've created a /etc/fail2ban/jail.d/00-firewalld.local and in
it I've put:
[DEFAULT]
banaction = iptables-multiport
HTH
On 20/10/2016 15:41, Anthony Griffiths wrote:
> I'm running iptables-1.4.7-16.el6.x86_64 but I don't know what default
> action is. I dug a little deeper and discovered others hare having
> similar problems with the [pbx-gui] jail in fail2ban so it may be a
> problem with the freepbx build itself. In the meantime I've gone back
> up to fail2ban-0.9 like you said and I've locked the pbx gui logon
> down to just one ip address in iptables.This will keep me safe until I
> can sort this thing out. Thanks, Tony
>
> On Thu, Oct 20, 2016 at 11:47 AM, Nick Howitt <[email protected]> wrote:
>> Please make sure you do a reply-to-all or a reply-to-list as all your
>> replies are bypassing the mailing lists and coming straight to me.
>>
>> Which firewall are you running and what is your default action?
>>
>> Try increasing your loglevel to get more information. You say your
>> fail2ban log looks perfect. What are you seeing in it when you make a
>> few failed attempts? Can you post a snippet?
>>
>> I'd also stick with 0.9.x as its set up is slightly different from 0.8.x
>> (lots more defaulting).
>>
>> On 20/10/2016 09:13, Anthony Griffiths wrote:
>>> something is really wrong here. I uninstalled fail2ban 0.9 and
>>> completely deleted all remaining traces. Then I downloaded and
>>> installed this:
>>> http://yum.schmoozecom.net/schmooze-commercial/6/x86_64/RPMS/fail2ban/fail2ban-0.8.14-1.shmz65.1.129.noarch.rpm
>>> this is fail2ban specifically designed around freepbx. But it still
>>> doesn't work.
>>> The new fail2ban-0.8 starts fine, the fail2ban.log looks perfect, I do
>>> some deliberate failed logins to the freepbx-gui and nothing happens.
>>> I'm watching the log while doing the failed logins and it just sits
>>> there doing nothing.
>>> If I run:
>>> fail2ban-regex /var/log/asterisk/freepbx_security.log
>>> /etc/fail2ban/filter.d/freepbx.conf
>>> I get:
>>> ----------------------------------------------------------
>>> Running tests
>>> =============
>>>
>>> Use failregex file : /etc/fail2ban/filter.d/freepbx.conf
>>> Use log file : /var/log/asterisk/freepbx_security.log
>>>
>>>
>>> Results
>>> =======
>>>
>>> Failregex: 87 total
>>> |- #) [# of hits] regular expression
>>> | 1) [87] Authentication failure for .* from <HOST>
>>> `-
>>>
>>> Ignoreregex: 0 total
>>>
>>> Date template hits:
>>> |- [# of hits] date format
>>> | [262] Year-Month-Day Hour:Minute:Second
>>> `-
>>>
>>> Lines: 262 lines, 0 ignored, 87 matched, 175 missed
>>> Missed line(s): too many to print. Use --print-all-missed to print
>>> all 175 lines
>>> --------------------------------------------------------
>>>
>>> In jail.local I have 'ignoreip = 127.0.0.1' and that's all.
>>>
>>> this to me looks correct. If you can shed any light on this I'd be
>>> really grateful. Fail2ban-regex is the only troubleshooting command i
>>> know. Are there any others I could use?
>>>
>>> ps: and to make matters worse the sshd jail doesn't work either.
>>> Thanks for any further thoughts.
>>>
>>> On Wed, Oct 19, 2016 at 10:19 PM, Nick Howitt <[email protected]> wrote:
>>>> On 19/10/2016 22:08, Anthony Griffiths wrote:
>>>>>> From the changelog, 0.9.4 is not much different from 0.9.3
>>>>>> syntax-wise
>>>>>> so my jail and filter should be OK.
>>>>>>
>>>>>> When doing your failed logins, are they from any IP covered by the
>>>>>> ignoreip parameter in jail.conf or jail.local? If loglevel is set to
>>>>>> INFO you should get an f2b message every time you get a filter hit, but
>>>>>> I'm not sure if it is covered by your ignoreip.
>>>>> I've double check jail.local and all I have is: ignoreip = 127.0.0.1/8
>>>>> There is one thing at the back of my mind though, I assumed the failed
>>>>> login was on port 80 however this could be wrong. I've asked on the
>>>>> freepbx forum but no response yet.
>>>> Even then you should still be able to see the banning in the logs. Also,
>>>> if you're using iptables you can do an "iptables -nvL" and see if your
>>>> f2b-pbx-gui lists your IP. It won't be effective if it is blocking the
>>>> wrong ports but it will be there.
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>>> _______________________________________________
>>>> Fail2ban-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Fail2ban-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
