One important item which I notice is not mentioned is what version of FreePBX is being used.
When Sangoma bought out Schmooze, and with the introduction of FreePBX 13, they started putting a new module in it called Sangoma Firewall. Fail2ban uses IP tables, but Sangoma Firewall does not. When Sangoma Firewall is enabled, IP Tables is disabled. Just something to consider.

-----Original Message-----
From: Anthony Griffiths [mailto:[email protected]]
Sent: Thursday, October 20, 2016 9:42 AM
To: [email protected]
Subject: Re: [Fail2ban-users] need help creating a freepbx-gui jail

I'm running iptables-1.4.7-16.el6.x86_64 but I don't know what default action is. I dug a little deeper and discovered others are having similar problems with the [pbx-gui] jail in fail2ban so it may be a problem with the freepbx build itself. In the meantime I've gone back up to fail2ban-0.9 like you said and I've locked the pbx gui logon down to just one ip address in iptables. This will keep me safe until I can sort this thing out.

Thanks, Tony

On Thu, Oct 20, 2016 at 11:47 AM, Nick Howitt <[email protected]> wrote:
> Please make sure you do a reply-to-all or a reply-to-list as all your replies are bypassing the mailing lists and coming straight to me.
>
> Which firewall are you running and what is your default action?
>
> Try increasing your loglevel to get more information. You say your fail2ban log looks perfect. What are you seeing in it when you make a few failed attempts? Can you post a snippet?
>
> I'd also stick with 0.9.x as its set up is slightly different from 0.8.x (lots more defaulting).
>
> On 20/10/2016 09:13, Anthony Griffiths wrote:
>> something is really wrong here. I uninstalled fail2ban 0.9 and completely deleted all remaining traces. Then I downloaded and installed this:
>> http://yum.schmoozecom.net/schmooze-commercial/6/x86_64/RPMS/fail2ban/fail2ban-0.8.14-1.shmz65.1.129.noarch.rpm
>> this is fail2ban specifically designed around freepbx. But it still doesn't work.
>> The new fail2ban-0.8 starts fine, the fail2ban.log looks perfect, I do some deliberate failed logins to the freepbx-gui and nothing happens. I'm watching the log while doing the failed logins and it just sits there doing nothing.
>> If I run:
>> fail2ban-regex /var/log/asterisk/freepbx_security.log /etc/fail2ban/filter.d/freepbx.conf
>> I get:
>> ----------------------------------------------------------
>> Running tests
>> =============
>>
>> Use failregex file : /etc/fail2ban/filter.d/freepbx.conf
>> Use log file : /var/log/asterisk/freepbx_security.log
>>
>>
>> Results
>> =======
>>
>> Failregex: 87 total
>> |- #) [# of hits] regular expression
>> | 1) [87] Authentication failure for .* from <HOST>
>> `-
>>
>> Ignoreregex: 0 total
>>
>> Date template hits:
>> |- [# of hits] date format
>> | [262] Year-Month-Day Hour:Minute:Second
>> `-
>>
>> Lines: 262 lines, 0 ignored, 87 matched, 175 missed
>> Missed line(s): too many to print. Use --print-all-missed to print all 175 lines
>> --------------------------------------------------------
>>
>> In jail.local I have 'ignoreip = 127.0.0.1' and that's all.
>>
>> this to me looks correct. If you can shed any light on this I'd be really grateful. Fail2ban-regex is the only troubleshooting command I know. Are there any others I could use?
>>
>> ps: and to make matters worse the sshd jail doesn't work either.
>> Thanks for any further thoughts.
>>
>> On Wed, Oct 19, 2016 at 10:19 PM, Nick Howitt <[email protected]> wrote:
>>> On 19/10/2016 22:08, Anthony Griffiths wrote:
>>>>> From the changelog, 0.9.4 is not much different from 0.9.3 syntax-wise so my jail and filter should be OK.
>>>>>
>>>>> When doing your failed logins, are they from any IP covered by the ignoreip parameter in jail.conf or jail.local? If loglevel is set to INFO you should get an f2b message every time you get a filter hit, but I'm not sure if it is covered by your ignoreip.
>>>> I've double checked jail.local and all I have is: ignoreip = 127.0.0.1/8
>>>> There is one thing at the back of my mind though, I assumed the failed login was on port 80 however this could be wrong. I've asked on the freepbx forum but no response yet.
>>> Even then you should still be able to see the banning in the logs. Also, if you're using iptables you can do an "iptables -nvL" and see if your f2b-pbx-gui lists your IP. It won't be effective if it is blocking the wrong ports but it will be there.
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Fail2ban-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
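
An added example, not part of the original thread or of fail2ban's own code: a simplified Python model of the situation discussed above, where fail2ban-regex reports matched lines but no ban follows. fail2ban-regex counts every matching line in the file, whereas a jail bans only when maxretry failures from one non-ignored address fall inside findtime. The log lines, the maxretry and findtime values, and the IPv4-only stand-in for <HOST> are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex quoted in the thread. <HOST> is swapped for a simplified IPv4-only
# group (assumption: fail2ban's own <HOST> expansion is broader).
FAILREGEX = r"Authentication failure for .* from <HOST>"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
LINE_RE = re.compile(r"^\[(?P<ts>[\d-]{10} [\d:]{8})\] .*" + FAILREGEX.replace("<HOST>", HOST))

# Constructed log lines; the real freepbx_security.log layout may differ.
SAMPLE_LOG = """\
[2016-10-20 08:00:01] Authentication failure for admin from 127.0.0.1
[2016-10-20 08:00:02] Authentication failure for admin from 127.0.0.1
[2016-10-20 08:00:03] Authentication failure for admin from 127.0.0.1
[2016-10-20 08:05:00] Authentication failure for admin from 198.51.100.9
[2016-10-20 08:30:00] Authentication failure for admin from 198.51.100.9
[2016-10-20 08:55:00] Authentication failure for admin from 198.51.100.9
[2016-10-20 09:00:00] Authentication failure for root from 203.0.113.7
[2016-10-20 09:00:20] Authentication failure for root from 203.0.113.7
[2016-10-20 09:00:40] Authentication failure for root from 203.0.113.7
[2016-10-20 09:01:00] Connection closed
""".splitlines()

def would_ban(lines, ignoreip=("127.0.0.1/8",), maxretry=3, findtime=600):
    """Return (matched_lines, {ip: time_of_ban}); maxretry/findtime are assumed values."""
    ignored = [ipaddress.ip_network(net, strict=False) for net in ignoreip]
    recent = defaultdict(deque)   # ip -> failure timestamps still inside findtime
    matched, bans = 0, {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        matched += 1              # the only thing the "matched" total measures
        ip = m.group("host")
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue              # covered by ignoreip: a filter hit, never a ban
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > findtime:
            hits.popleft()        # failure aged out of the findtime window
        if len(hits) >= maxretry:
            bans.setdefault(ip, ts)
    return matched, bans

if __name__ == "__main__":
    print(would_ban(SAMPLE_LOG))
```

With the constructed log, nine lines match but only one address is banned: the loopback failures are ignored and the failures spaced 25 minutes apart never accumulate inside the window.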
