Fail2Ban

Status
Not open for further replies.
busy4sure

busy4sure

New Member
Apr 20, 2018
13
0
1
44
I am new to fusion and tried searching before I post this question but figure it out.

I setup my gateway and it would register fine and work for a day then show fail_wait on the status. I then tried to ping the domain for the provider and it would not ping but I can ping other sites. I then ran this command (service fail2ban restart) and it started pinging before I ran the command I ran (iptables -L) and did not see my site block in it. This it for the provider is not in the iptables -L

Any suggestion to where it’s being block?




root@CNSPBX:~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-nginx-dos tcp -- anywhere anywhere multiport dports http,https
fail2ban-nginx-404 tcp -- anywhere anywhere multiport dports http,https
fail2ban-fusionpbx-mac tcp -- anywhere anywhere multiport dports http,https
fail2ban-fusionpbx tcp -- anywhere anywhere multiport dports http,https
fail2ban-fusionpbx-404 all -- anywhere anywhere
fail2ban-freeswitch-dos-tcp tcp -- anywhere anywhere multiport dports sip:5090
fail2ban-freeswitch-dos-udp udp -- anywhere anywhere multiport dports sip:5090
fail2ban-freeswitch-ip-udp udp -- anywhere anywhere multiport dports sip:5090
fail2ban-freeswitch-ip-tcp tcp -- anywhere anywhere multiport dports sip:5090
fail2ban-freeswitch-tcp tcp -- anywhere anywhere multiport dports sip:5090
fail2ban-freeswitch-udp udp -- anywhere anywhere multiport dports sip:5090
fail2ban-sshd all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP udp -- anywhere anywhere udp dpts:sip:5090 STRING match "friendly-scanner" ALGO name bm TO 65535
DROP udp -- anywhere anywhere udp dpts:sip:5090 STRING match "sipcli/" ALGO name bm TO 65535
DROP udp -- anywhere anywhere udp dpts:sip:5090 STRING match "VaxSIPUserAgent/" ALGO name bm TO 65535
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpts:sip:5090
ACCEPT udp -- anywhere anywhere udp dpts:sip:5090
ACCEPT udp -- anywhere anywhere udp dpts:16384:32768
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp dpt:eek:penvpn

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-freeswitch-dos-tcp (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-freeswitch-dos-udp (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-freeswitch-ip-tcp (1 references)
target prot opt source destination
REJECT all -- 85.195.96.110 anywhere reject-with icmp-port-unreachable
REJECT all -- 51-15-149-61.rev.poneytelecom.eu anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere

Chain fail2ban-freeswitch-ip-udp (1 references)
target prot opt source destination
REJECT all -- 85.195.96.110 anywhere reject-with icmp-port-unreachable
REJECT all -- 51-15-149-61.rev.poneytelecom.eu anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere

Chain fail2ban-freeswitch-tcp (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-freeswitch-udp (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-fusionpbx (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-fusionpbx-404 (1 references)
target prot opt source destination
REJECT all -- 8d.94.1732.ip4.static.sl-reverse.com anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere

Chain fail2ban-fusionpbx-mac (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-nginx-404 (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-nginx-dos (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-sshd (1 references)
target prot opt source destination
REJECT all -- 61.177.172.63 anywhere reject-with icmp-port-unreachable
REJECT all -- 23.236.91.206 anywhere reject-with icmp-port-unreachable
REJECT all -- 27.184.216.134 anywhere reject-with icmp-port-unreachable
REJECT all -- 93-42-228-214.ip88.fastwebnet.it anywhere reject-with icmp-port-unreachable
REJECT all -- 42.7.26.60 anywhere reject-with icmp-port-unreachable
REJECT all -- 1-171-58-178.dynamic-ip.hinet.net anywhere reject-with icmp-port-unreachable
REJECT all -- d23-16-230-104.bchsia.telus.net anywhere reject-with icmp-port-unreachable
REJECT all -- ua-85-229-185-142.cust.bredbandsbolaget.se anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
root@CNSPBX:~# ^C
 
S

smn

Member
Jul 18, 2017
201
20
18
Hard to read that. Maybe try "iptables -vnL" and post it inside a code block.

I see rejections from poneytelecom.eu which may be on IP 51.15.149.61 based on the RDNS. Is that the provider? Maybe add it to the fail2ban whitelist or just whitelist it in iptables. This is one of the reasons I don't like to rely on fail2ban too much.

Hard to know why it's being banned without knowing more about your setup.
 
Last edited:
busy4sure

busy4sure

New Member
Apr 20, 2018
13
0
1
44
I added my provider IP address to the fail2ban ignoreip list and so far my gateway is still registered. I am watching it for now to see if it unregister and will let you know. Below is the iptables -vnL






root@CNSPBX:~# iptables -vnL
Chain INPUT (policy DROP 34 packets, 2093 bytes)
pkts bytes target prot opt in out source destination
5510 2222K fail2ban-nginx-dos tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
5510 2222K fail2ban-nginx-404 tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
5510 2222K fail2ban-fusionpbx-mac tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
5510 2222K fail2ban-fusionpbx tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
49000 11M fail2ban-fusionpbx-404 all -- * * 0.0.0.0/0 0.0.0.0/0
19 1275 fail2ban-freeswitch-dos-tcp tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 5060:5090
2737 425K fail2ban-freeswitch-dos-udp udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 5060:5090
2737 425K fail2ban-freeswitch-ip-udp udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 5060:5090
19 1275 fail2ban-freeswitch-ip-tcp tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 5060:5090
19 1275 fail2ban-freeswitch-tcp tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 5060:5090
2737 425K fail2ban-freeswitch-udp udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 5060:5090
49000 11M fail2ban-sshd all -- * * 0.0.0.0/0 0.0.0.0/0
52065 17M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
58343 9561K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
46 20296 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5090 STRING match "friendly-scanner" ALGO name bm TO 65535
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5090 STRING match "sipcli/" ALGO name bm TO 65535
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5090 STRING match "VaxSIPUserAgent/" ALGO name bm TO 65535
1104 65208 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
219 12396 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
812 44148 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
17 700 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:5060:5090
2149 1218K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5090
775 162K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:16384:32768
31 1092 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
1 42 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 515 packets, 247K bytes)
pkts bytes target prot opt in out source destination

Chain fail2ban-freeswitch-dos-tcp (1 references)
pkts bytes target prot opt in out source destination
19 1275 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-freeswitch-dos-udp (1 references)
pkts bytes target prot opt in out source destination
2737 425K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-freeswitch-ip-tcp (1 references)
pkts bytes target prot opt in out source destination
19 1275 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-freeswitch-ip-udp (1 references)
pkts bytes target prot opt in out source destination
2737 425K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-freeswitch-tcp (1 references)
pkts bytes target prot opt in out source destination
19 1275 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-freeswitch-udp (1 references)
pkts bytes target prot opt in out source destination
2737 425K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-fusionpbx (1 references)
pkts bytes target prot opt in out source destination
5510 2222K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-fusionpbx-404 (1 references)
pkts bytes target prot opt in out source destination
49000 11M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-fusionpbx-mac (1 references)
pkts bytes target prot opt in out source destination
5510 2222K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-nginx-404 (1 references)
pkts bytes target prot opt in out source destination
5510 2222K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-nginx-dos (1 references)
pkts bytes target prot opt in out source destination
5510 2222K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-sshd (1 references)
pkts bytes target prot opt in out source destination
17 980 REJECT all -- * * 119.191.117.77 0.0.0.0/0 reject-with icmp-port-unreachable
19 1840 REJECT all -- * * 68.164.103.122 0.0.0.0/0 reject-with icmp-port-unreachable
707 42600 REJECT all -- * * 61.177.172.63 0.0.0.0/0 reject-with icmp-port-unreachable
48257 11M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
root@CNSPBX:~#
 
DigitalDaz

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,076
578
113
What he means is you use code tags to make it look pretty in the forums. You do it like this:

Code: 
Chain fail2ban-sshd (1 references)
pkts bytes target prot opt in out source destination
17 980 REJECT all -- * * 119.191.117.77 0.0.0.0/0 reject-with icmp-port-unreachable
19 1840 REJECT all -- * * 68.164.103.122 0.0.0.0/0 reject-with icmp-port-unreachable
707 42600 REJECT all -- * * 61.177.172.63 0.0.0.0/0 reject-with icmp-port-unreachable
48257 11M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
root@CNSPBX:~#
 
D

dougs

New Member
Mar 1, 2018
29
2
3
43
smn said:
Hard to read that. Maybe try "iptables -vnL" and post it inside a code block.

I see rejections from poneytelecom.eu which may be on IP 51.15.149.61 based on the RDNS. Is that the provider? Maybe add it to the fail2ban whitelist or just whitelist it in iptables. This is one of the reasons I don't like to rely on fail2ban too much.

Hard to know why it's being banned without knowing more about your setup.
Click to expand...

I see poneytelecom.eu addresses trying to hack into my systems all the time.
 
busy4sure

busy4sure

New Member
Apr 20, 2018
13
0
1
44
So far, my Fusion is still registered, I can assum by me adding it to the ignore list stop my provider from being block by fail2ban.
 
Status
Not open for further replies.
Top Bottom