PIONEERS ADD-IP and Fail2ban

dhoppy

Is there a way to have a whitelisted IP address that was added by add-ip override fail2ban? Someone tried fixing their phone by changing their password, and IPBX 2020 (public version) promptly banned the entire office (about 35 phones).
 
Add their IP address to the ignoreip line of /etc/fail2ban/jail.conf.
Can I just query this, because the file in /etc/ actually says:
Code:
# Fail2Ban jail base specification file
# HOW TO ACTIVATE JAILS
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwitten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
 
When there's a little time, I want to play around with adding jail entries to Fail2Ban with every add-ip execution. And then they could also be deleted with del-acct. One way to do this would be to add custom jail.d files of the format 22.33.44.55.local for a whitelisted IP address. But we don't want the customizations to overwrite existing ignoreip settings. We want the new entry to expand the Fail2Ban whitelist without having to tick off all of the existing ignoreip entries. Need to do some reading to see if this is possible unless we have a Fail2Ban expert in the house.
 
UPDATE: Looks like a simpler way may already exist without restarting Fail2Ban:

Code:
fail2ban-client set <JAIL> addignoreip <IP>   adds <IP> to the ignore list of <JAIL>

fail2ban-client set <JAIL> delignoreip <IP>   dels <IP> from the ignore list of <JAIL>

For example,

Code:
fail2ban-client set sshd addignoreip 8.8.8.8
fail2ban-client get sshd ignoreip

And the following (if not empty) will tell you the JAIL is disabled or doesn't exist:

Code:
fail2ban-client get sshd-iptables actions | grep NOK

Unfortunately, whitelist entries added with fail2ban-client only last until Fail2Ban is restarted. So... see below for solution.
 
PIONEERS

If you'd like to modify /root/add-ip to include the Fail2Ban Whitelist functionality, add the code below just above the following line on any Incredible PBX 2020 or 2021 server:
Code:
echo "# // End entry for $1.iptables" >> $tmpfile
Here's the code to add:
Code:
# Probe once (when add-ip runs, as before) for the SSH jail name: a distribution
# Fail2Ban answers NOK for ssh-iptables and calls the jail sshd instead.
if /usr/bin/fail2ban-client get ssh-iptables actions 2>&1 | grep -q NOK; then
  F2BJAIL=sshd
else
  F2BJAIL=ssh-iptables
fi
# Emit only the chosen command, so the generated file never contains an unquoted test
echo "/usr/bin/fail2ban-client set $F2BJAIL addignoreip $2" >> $tmpfile

Running /root/del-acct to remove a whitelisted IP address will remove it from both IPtables AND Fail2Ban.
 
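As an added example (not code from this thread or from Incredible PBX), the helper below packages the add-ip and del-acct additions described above into one script: the NOK probe that picks between the ssh-iptables and sshd jail names, the runtime addignoreip/delignoreip calls, and the lines add-ip should append to its $tmpfile so the entry is re-applied whenever IPtables is rebuilt. It also validates the address first, because add-ip interpolates its $2 straight into a generated shell file. It assumes fail2ban-client is on PATH (override with F2B=/usr/bin/fail2ban-client); the function names, the F2B variable and the file name in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or Incredible PBX): Fail2Ban whitelist
# helpers mirroring add-ip / del-acct. Assumes fail2ban-client is on PATH;
# set F2B=/usr/bin/fail2ban-client to pin it. Function names are hypothetical.
F2B="${F2B:-fail2ban-client}"

# jail_exists JAIL: succeed unless fail2ban-client answers NOK for JAIL
# (jail disabled or unknown), the same test as the thread's "grep NOK" check.
jail_exists() {
    ! "$F2B" get "$1" actions 2>&1 | grep -q NOK
}

# pick_ssh_jail: print ssh-iptables (Incredible PBX's bundled Fail2Ban) or
# sshd (distribution Fail2Ban), whichever this server has; fail if neither.
pick_ssh_jail() {
    for jail in ssh-iptables sshd; do
        if jail_exists "$jail"; then
            printf '%s\n' "$jail"
            return 0
        fi
    done
    return 1
}

# valid_ipv4 IP: four dotted decimal octets, each 0-255. add-ip writes its $2
# into generated shell, so anything that is not a plain address is rejected.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# whitelist_add IP / whitelist_del IP: runtime counterparts of add-ip and
# del-acct. These entries still vanish when Fail2Ban restarts.
whitelist_add() {
    valid_ipv4 "$1" || return 2
    jail=$(pick_ssh_jail) || return 1
    "$F2B" set "$jail" addignoreip "$1"
}
whitelist_del() {
    valid_ipv4 "$1" || return 2
    jail=$(pick_ssh_jail) || return 1
    "$F2B" set "$jail" delignoreip "$1"
}

# emit_add_ip_lines IP: the block add-ip should append to its $tmpfile so the
# entry is re-applied each time IPtables is rebuilt. The jail probe is written
# into the file verbatim, so it runs when that file runs, not when add-ip runs.
emit_add_ip_lines() {
    valid_ipv4 "$1" || return 2
    cat <<EOF
if /usr/bin/fail2ban-client get ssh-iptables actions 2>&1 | grep -q NOK; then
 /usr/bin/fail2ban-client set sshd addignoreip $1
else
 /usr/bin/fail2ban-client set ssh-iptables addignoreip $1
fi
EOF
}

# Usage: sh f2b-whitelist.sh add|del|lines IP   (hypothetical file name)
case "${1:-}" in
    add)   whitelist_add "$2" ;;
    del)   whitelist_del "$2" ;;
    lines) emit_add_ip_lines "$2" ;;
esac
```

The probe is deliberately run twice in different places: once at runtime inside whitelist_add, and once inside the generated text from emit_add_ip_lines, where single-quote-free heredoc output keeps the `if` in the file so the decision is made when IPtables is rebuilt rather than frozen at add-ip time.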
Is there any reason you are not using a currently supported fail2ban? All versions since 0.9 maintain state in an sqlite3 database which you can manipulate outside fail2ban with an sqlite3 client, followed by a fail2ban-client reload --restart if needed; see the man
 
@dicko: No reason other than time and energy to push the upgrade out on multiple platforms. This approach works for now because we already have to generate code for IPtables whitelist entries each time IPtables is restarted. So it's no big deal to handle Fail2Ban simultaneously.
 
