I'm running iptables-1.4.7-16.el6.x86_64 but I don't know what the default
action is. I dug a little deeper and discovered others are having
similar problems with the [pbx-gui] jail in fail2ban so it may be a
problem with the freepbx build itself. In the meantime I've gone back
up to fail2ban-0.9 like you said and I've locked the pbx gui logon
down to just one ip address in iptables. This will keep me safe until I
can sort this thing out. Thanks, Tony

On Thu, Oct 20, 2016 at 11:47 AM, Nick Howitt <n...@howitts.co.uk> wrote:
> Please make sure you do a reply-to-all or a reply-to-list as all your
> replies are bypassing the mailing lists and coming straight to me.
>
> Which firewall are you running and what is your default action?
>
> Try increasing your loglevel to get more information. You say your
> fail2ban log looks perfect. What are you seeing in it when you make a
> few failed attempts? Can you post a snippet?
>
> I'd also stick with 0.9.x as its setup is slightly different from 0.8.x
> (lots more defaulting).
>
> On 20/10/2016 09:13, Anthony Griffiths wrote:
>> Something is really wrong here. I uninstalled fail2ban 0.9 and
>> completely deleted all remaining traces. Then I downloaded and
>> installed this:
>> http://yum.schmoozecom.net/schmooze-commercial/6/x86_64/RPMS/fail2ban/fail2ban-0.8.14-1.shmz65.1.129.noarch.rpm
>> This is fail2ban specifically designed around freepbx. But it still
>> doesn't work.
>> The new fail2ban-0.8 starts fine, the fail2ban.log looks perfect, I do
>> some deliberate failed logins to the freepbx-gui and nothing happens.
>> I'm watching the log while doing the failed logins and it just sits
>> there doing nothing.
>> If I run:
>> fail2ban-regex /var/log/asterisk/freepbx_security.log /etc/fail2ban/filter.d/freepbx.conf
>> I get:
>> ----------------------------------------------------------
>> Running tests
>> =============
>>
>> Use   failregex file : /etc/fail2ban/filter.d/freepbx.conf
>> Use         log file : /var/log/asterisk/freepbx_security.log
>>
>>
>> Results
>> =======
>>
>> Failregex: 87 total
>> |-  #) [# of hits] regular expression
>> |   1) [87] Authentication failure for .* from <HOST>
>> `-
>>
>> Ignoreregex: 0 total
>>
>> Date template hits:
>> |- [# of hits] date format
>> |  [262] Year-Month-Day Hour:Minute:Second
>> `-
>>
>> Lines: 262 lines, 0 ignored, 87 matched, 175 missed
>> Missed line(s): too many to print.  Use --print-all-missed to print
>> all 175 lines
>> --------------------------------------------------------
>>
>> In jail.local I have 'ignoreip = 127.0.0.1' and that's all.
>>
>> This to me looks correct. If you can shed any light on this I'd be
>> really grateful. Fail2ban-regex is the only troubleshooting command I
>> know. Are there any others I could use?
>>
>> ps: and to make matters worse the sshd jail doesn't work either.
>> Thanks for any further thoughts.
>>
>> On Wed, Oct 19, 2016 at 10:19 PM, Nick Howitt <n...@howitts.co.uk> wrote:
>>> On 19/10/2016 22:08, Anthony Griffiths wrote:
>>>>> From the changelog, 0.9.4 is not much different from 0.9.3 syntax-wise
>>>>> so my jail and filter should be OK.
>>>>>
>>>>> When doing your failed logins, are they from any IP covered by the
>>>>> ignoreip parameter in jail.conf or jail.local? If loglevel is set to
>>>>> INFO you should get an f2b message every time you get a filter hit, but
>>>>> I'm not sure if it is covered by your ignoreip.
>>>> I've double checked jail.local and all I have is: ignoreip = 127.0.0.1/8
>>>> There is one thing at the back of my mind though, I assumed the failed
>>>> login was on port 80 however this could be wrong. I've asked on the
>>>> freepbx forum but no response yet.
>>> Even then you should still be able to see the banning in the logs. Also,
>>> if you're using iptables you can do an "iptables -nvL" and see if your
>>> f2b-pbx-gui lists your IP. It won't be effective if it is blocking the
>>> wrong ports but it will be there.
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Fail2ban-users mailing list
>>> Fail2ban-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

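The "iptables -nvL" check suggested in the thread, written as a small shell helper. This is an added example, not code posted by anyone in the thread. It reports whether the jail chain exists, whether a given address is listed in it, and which ports the jump into the chain covers. The sample rule listing and both test addresses are constructed for illustration; only the chain name f2b-pbx-gui comes from the thread.

```shell
#!/bin/sh
# Constructed sample of `iptables -nvL` output (not taken from the thread).
sample_rules() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 f2b-pbx-gui  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 80,443

Chain f2b-pbx-gui (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   180 REJECT     all  --  *      *       203.0.113.7          0.0.0.0/0           reject-with icmp-port-unreachable
    9   540 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# ban_status CHAIN IP
# Reads `iptables -nvL` text on stdin and prints one of:
#   no-chain                 the jail chain was never created
#   banned ports=<list>      IP has a REJECT/DROP rule in the jail chain
#   not-banned ports=<list>  chain exists but IP is not listed
# <list> is the port set on the rule that jumps to the chain ("all" if the
# jump has no port match, "none" if nothing jumps to the chain at all).
ban_status() {
  awk -v chain="$1" -v ip="$2" '
    BEGIN { ports = "none" }
    $1 == "Chain" { cur = $2; if (cur == chain) seen = 1; next }
    # Jump rule in another chain (e.g. INPUT) that targets the jail chain.
    $3 == chain && cur != chain {
      ports = "all"
      for (i = 9; i <= NF; i++) {
        if ($i == "dports") ports = $(i + 1)
        else if ($i ~ /^dpts?:/) { ports = $i; sub(/^dpts?:/, "", ports) }
      }
    }
    # With -nvL the columns are: pkts bytes target prot opt in out source dest
    cur == chain && ($3 == "REJECT" || $3 == "DROP") && $8 == ip { banned = 1 }
    END {
      if (!seen)       print "no-chain"
      else if (banned) print "banned ports=" ports
      else             print "not-banned ports=" ports
    }'
}

# Offline demonstration; on a live host: iptables -nvL | ban_status f2b-pbx-gui <ip>
sample_rules | ban_status f2b-pbx-gui 203.0.113.7
```

A "banned" result whose port list does not include the port the GUI login actually uses is the case described in the thread where the ban exists but is not effective.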