Best Practices for Fail2Ban and Event Guard Configuration in FusionPBX?

bradgarrison

Member
Feb 20, 2023
For the last few weeks, I’ve been experiencing intermittent call issues on one of my smaller FusionPBX servers. After investigating, I discovered that my Fail2Ban setup had been disabled. This allowed repeated scans of my server from different IPs. At some point during the scanning, my GUI would become unresponsive, and outgoing calls would eventually fail until the scanning stopped or the server was rebooted.

While updating the jail.local file today, I noticed that Fail2Ban operates independently from the Event Guard process visible within FusionPBX.

At a high level, is Event Guard specifically designed to protect SIP traffic? If so, should Fail2Ban focus on securing other ports (non-SIP) to avoid potential overlap? I want to ensure these two processes aren’t conflicting with each other.
 

Cysec

New Member
Jul 26, 2024
I would personally be digging through logs to find out when and why it stopped. Some suggestions would be to check the fail2ban logs (usually in /var/log/fail2ban) and the contents of the journal:
Bash:
sudo journalctl -xeu fail2ban
# if you haven't restarted the service (though it's probably too late, as it's a day later)
sudo systemctl status fail2ban
 

markjcrane

Active Member
Staff member
Jul 22, 2018
Fail2ban has been both good and bad for FusionPBX. I think many people gave up on FusionPBX because of Fail2ban.

Fail2ban has hurt nearly everyone who has used FusionPBX. That is why it's no longer protecting FreeSWITCH by default. You can change that by updating your jail.conf file in /etc/fail2ban/jail.conf. But be warned: fail2ban has tons of false positives, and you usually end up having to whitelist all customer IP addresses. Unfortunately, the fail2ban design should have had a dedicated file for whitelisting IP addresses, but that is not the case. You whitelist the IP addresses in jail.conf with the ignoreip value, which is required to all be on one line. This is another flaw in my opinion. There is a command-line way to do this, but it has to be applied to all rules, which seems like another flaw.

For these reasons, I can no longer recommend fail2ban. I'm tired of it blocking valid SIP registrations. Even established locations with many SIP registrations can get shut down and broken by fail2ban. So now you know why FusionPBX isn't using it by default, as it has caused much harm to those using the system. You can of course use fail2ban if you want and just update your jail.conf to work how you want it to work.

bradgarrison said:
Event Guard specifically designed to protect SIP traffic?

Event Guard is designed to specifically protect FreeSWITCH currently.

Event Guard in FusionPBX is different from the access control list; anything allowed is whitelisted. The Event Guard service watches FreeSWITCH events. With the event_guard service, if someone has a failed registration or registration to an IP address, then it's checked against the whitelist. If something is blocked, it is added to the Event Guard log in the web interface. Addresses can be unblocked from the web interface on the server that blocked them. Event Guard currently uses iptables on Linux, and on FreeBSD it uses PF.
 

whut

Active Member
Dec 23, 2022
Fail2ban recommends that you never edit the .conf files. The recommendation is to make the edits in your .local files instead. This works very well.
 

markjcrane

Active Member
Staff member
Jul 22, 2018
We have mostly been using jail.local; the only exception was the ignoreip list, which used jail.conf. The reason is that if you used the fail2ban.sh script to update fail2ban, you wouldn't lose your whitelisted IP addresses that are in the jail.conf file.

Update: Just checked, and it may be possible for fail2ban to use an INCLUDE parameter to include a file in the fail2ban config. This might be a possible way to fix one of my complaints about fail2ban.
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
OK, still a bit scabby but create a file: /etc/fail2ban/jail.d/ignoreip.conf
NOTE: you need each ip address after the first line indented with a space.

Inside it, this kind of thing:
Code:
[DEFAULT]
ignoreip = 127.0.0.1/8
 215.155.52.118
 179.22.139.77
 182.63.140.77
 182.63.142.77
 183.63.141.77
 184.63.143.77
 81.69.9.236
 91.136.12.37
 82.7.81.42
 185.224.136.74
 79.77.50.9
 212.69.50.167
 212.69.50.85
 81.149.191.123
 195.224.142.163
 87.226.99.50
 91.134.14.131
 84.67.197.138
 85.216.159.171
 62.30.163.32
 82.30.32.214
 86.1.222.35
 195.74.198.50
 31.123.42.224
 86.168.110.211
 178.251.54.201
 212.69.62.71
 88.150.231.59

Restart fail2ban:
Code:
systemctl restart fail2ban.service
Check the list is included:
Code:
fail2ban-client get fusionpbx ignoreip

This file will be loaded after jail.conf and jail.local so should override any other ignoreip statements.
 

wouam31

Member
Jul 1, 2022
Hi, for Fail2Ban, I created a script to add addresses to the ignoreIP list.
I’m not sure if it’s the best solution...
Have a great day, everyone!



Code:
#!/bin/bash

# Retrieve IP addresses connected to FusionPBX
# (NR>1 skips the header row; empty fields such as the trailing "N total." line are dropped)
registrations=$(fs_cli -x 'show registrations' | awk -F',' 'NR>1 && $6 != "" {print $6}')

# Create a list of unique IP addresses with /32 appended to each address
ip_list=()
for ip in $registrations; do
    ip_with_mask="$ip/32"
    # Literal match, so the dots in an address are not treated as regex wildcards
    if [[ " ${ip_list[*]} " != *" ${ip_with_mask} "* ]]; then
        ip_list+=("$ip_with_mask")
    fi
done

# Convert list of IP addresses to space separated string
ignore_ips=$(printf "%s " "${ip_list[@]}")

# Update jail.conf file with ignored IPs (the existing ignoreip line is replaced);
# jail.conf is only overwritten if awk succeeded
awk -v ips="$ignore_ips" '/^ignoreip =/{print "ignoreip = " ips; next} 1' /etc/fail2ban/jail.conf > /etc/fail2ban/jail.conf.tmp \
    && mv /etc/fail2ban/jail.conf.tmp /etc/fail2ban/jail.conf

# Restart the fail2ban service
service fail2ban restart

echo "Script completed successfully."
 

whut

Active Member
Dec 23, 2022
DigitalDaz said:
OK, still a bit scabby but create a file: /etc/fail2ban/jail.d/ignoreip.conf
NOTE: you need each ip address after the first line indented with a space.

This is what I do. But I also add a comment in line with the ip addresses to better keep track.
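
Added example, not written by anyone in this thread and not FusionPBX or fail2ban project code: one way to keep the whitelist in its own commented file and generate the /etc/fail2ban/jail.d/ignoreip.conf drop-in described above from it, rejecting malformed or over-broad entries before they reach fail2ban. The allowlist file format, the function names, the /8 prefix floor and the sample addresses (documentation ranges) are assumptions made for illustration; only IPv4 is handled.

```shell
#!/bin/sh
# Added example: build the jail.d ignoreip drop-in from a commented allowlist file.
# Assumed allowlist format: one IPv4 address or CIDR per line, "#" starts a comment.

# valid_ipv4_cidr ADDR: accepts a.b.c.d or a.b.c.d/len, octets <= 255, len 8..32.
# The /8 floor is an example policy so a typo such as /0 cannot exempt everyone.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if (NF == 5 && ($5 < 8 || $5 > 32)) exit 1 }'
}

# render_ignoreip FILE: print the drop-in text; fail on the first invalid entry.
render_ignoreip() {
    out="[DEFAULT]
ignoreip = 127.0.0.1/8"
    seen=" 127.0.0.1/8 "
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')  # strip comment, blanks
        [ -z "$entry" ] && continue
        if ! valid_ipv4_cidr "$entry"; then
            echo "rejected allowlist entry: $entry" >&2
            return 1
        fi
        case "$seen" in *" $entry "*) continue ;; esac       # skip duplicates
        seen="$seen$entry "
        # Continuation lines need leading whitespace to stay part of ignoreip.
        out="$out
 $entry"
    done < "$1"
    printf '%s\n' "$out"
}

# install_ignoreip SRC DEST: write via a temp file so a rejected list never replaces DEST.
install_ignoreip() {
    tmp=$(mktemp "$2.XXXXXX") || return 1
    if render_ignoreip "$1" > "$tmp"; then mv "$tmp" "$2"
    else rm -f "$tmp"; return 1; fi
}

# Constructed sample input (documentation address ranges, not real customers).
sample=$(mktemp)
printf '%s\n' '192.0.2.10        # front desk phones' \
    '198.51.100.0/24   # branch office LAN' \
    '192.0.2.10        # duplicate, skipped' > "$sample"
render_ignoreip "$sample"
# On a server (paths assumed): install_ignoreip /etc/fail2ban/allowlist.txt \
#   /etc/fail2ban/jail.d/ignoreip.conf, then restart fail2ban.
```

After installing the generated file, the restart and `fail2ban-client get fusionpbx ignoreip` check from the post above confirm that the list was picked up.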