
Firewall module and fail2ban


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13
    • Fix Version/s: None
    • Component/s: Fail2Ban, Firewall
    • Labels: None
    • Asterisk Version: 13.5.0
    • Distro Version: FreePBX 13.0.1RC1.30
    • Distro: FreePBX Distro

      Description

      When the FreePBX firewall is enabled, most, but not all fail2ban rules disappear from iptables. It feels like the two modules create somewhat overlapping (conflicting?) rules.

      As far as Linux is concerned, fail2ban is disabled:

      chkconfig --list fail2ban
      fail2ban 0:off 1:off 2:off 3:off 4:off 5:off 6:off

      But apparently, FreePBX does start fail2ban during system boot. Below is an iptables-save showing the hybrid fail2ban and firewall rules. IP addresses for our systems and clients have been removed or X'ed out.

      *filter
      :INPUT ACCEPT [0:0]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [171:18682]
      :fail2ban-BadBots - [0:0]
      :fail2ban-FTP - [0:0]
      :fail2ban-SIP - [0:0]
      :fail2ban-SSH - [0:0]
      :fail2ban-apache-auth - [0:0]
      :fail2ban-recidive - [0:0]
      :fpbx-rtp - [0:0]
      :fpbxattacker - [0:0]
      :fpbxblacklist - [0:0]
      :fpbxfirewall - [0:0]
      :fpbxhosts - [0:0]
      :fpbxinterfaces - [0:0]
      :fpbxknownreg - [0:0]
      :fpbxlogdrop - [0:0]
      :fpbxnets - [0:0]
      :fpbxregistrations - [0:0]
      :fpbxrfw - [0:0]
      :fpbxshortblock - [0:0]
      :fpbxsignalling - [0:0]
      :fpbxsmarthosts - [0:0]
      :fpbxsvc-chansip - [0:0]
      :fpbxsvc-ftp - [0:0]
      :fpbxsvc-http - [0:0]
      :fpbxsvc-https - [0:0]
      :fpbxsvc-iax - [0:0]
      :fpbxsvc-nfs - [0:0]
      :fpbxsvc-pjsip - [0:0]
      :fpbxsvc-provis - [0:0]
      :fpbxsvc-restapps - [0:0]
      :fpbxsvc-smb - [0:0]
      :fpbxsvc-ssh - [0:0]
      :fpbxsvc-tftp - [0:0]
      :fpbxsvc-ucp - [0:0]
      :fpbxsvc-webrtc - [0:0]
      :fpbxsvc-xmpp - [0:0]
      :zone-external - [1:0]
      :zone-internal - [0:0]
      :zone-other - [0:0]
      :zone-reject - [0:0]
      :zone-trusted - [0:0]
      -A INPUT -p tcp -m multiport --dports 21 -j fail2ban-FTP
      -A INPUT -p tcp -m multiport --dports 80 -j fail2ban-apache-auth
      -A INPUT -j fail2ban-SIP
      -A INPUT -j fail2ban-SIP
      -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
      -A INPUT -j fail2ban-recidive
      -A INPUT -j fpbxfirewall
      -A fail2ban-BadBots -j RETURN
      -A fail2ban-FTP -j RETURN
      -A fail2ban-SIP -j RETURN
      -A fail2ban-SIP -j RETURN
      -A fail2ban-SSH -j RETURN
      -A fail2ban-apache-auth -j RETURN
      -A fail2ban-recidive -j RETURN
      -A fpbx-rtp -p udp -m udp --dport 10000:20000 -j ACCEPT
      -A fpbx-rtp -p udp -m udp --dport 4000:4999 -j ACCEPT
      -A fpbxattacker -m recent --set --name ATTACKER --rsource
      -A fpbxattacker -j LOG --log-prefix "attacker: "
      -A fpbxattacker -j DROP
      -A fpbxfirewall -i lo -j ACCEPT
      -A fpbxfirewall -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A fpbxfirewall -p udp -m udp --sport 1:1024 -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A fpbxfirewall -p icmp -j ACCEPT
      -A fpbxfirewall -d 255.255.255.255/32 -j ACCEPT
      -A fpbxfirewall -m pkttype --pkt-type multicast -j ACCEPT
      -A fpbxfirewall -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
      -A fpbxfirewall -j fpbx-rtp
      -A fpbxfirewall -j fpbxsignalling
      -A fpbxfirewall -j fpbxsmarthosts
      -A fpbxfirewall -j fpbxregistrations
      -A fpbxfirewall -j fpbxnets
      -A fpbxfirewall -j fpbxhosts
      -A fpbxfirewall -j fpbxblacklist
      -A fpbxfirewall -j fpbxinterfaces
      -A fpbxfirewall -m mark --mark 0x2/0x2 -j fpbxrfw
      -A fpbxfirewall -j fpbxlogdrop
      -A fpbxinterfaces -i eth0 -j zone-external
      -A fpbxknownreg -m mark --mark 0x1/0x1 -j ACCEPT
      -A fpbxknownreg -j fpbxsvc-ucp
      -A fpbxlogdrop -j LOG --log-prefix "logdrop: "
      -A fpbxlogdrop -j REJECT --reject-with icmp-port-unreachable
      -A fpbxnets -s xxx.xxx.xxx.xxx/xx -j zone-trusted
      -A fpbxnets -s xxx.xxx.xxx.xxx/xx -j zone-trusted
      -A fpbxnets -s xxx.xxx.xxx.xxx/xx -j zone-trusted
      -A fpbxnets -s xxx.xxx.xxx.xxx/xx -j zone-trusted
      -A fpbxnets -s xxx.xxx.xxx.xxx/xx -j zone-trusted
      -A fpbxnets -s xxx.xxx.xxx.xxx/xx -j zone-trusted
      -A fpbxregistrations -s xxx.xxx.xxx.xxx/xx -j fpbxknownreg
      -A fpbxrfw -m recent --set --name REPEAT --rsource
      -A fpbxrfw -m recent --rcheck --seconds 10 --hitcount 50 --name REPEAT --rsource -j fpbxattacker
      -A fpbxrfw -m recent --rcheck --seconds 86400 --hitcount 1 --name ATTACKER --rsource -j fpbxattacker
      -A fpbxrfw -m recent --rcheck --seconds 60 --hitcount 10 --name SIGNALLING --rsource -j fpbxshortblock
      -A fpbxrfw -m recent --set --name SIGNALLING --rsource
      -A fpbxrfw -m recent --rcheck --seconds 86400 --hitcount 100 --name REPEAT --rsource -j fpbxattacker
      -A fpbxrfw -j ACCEPT
      -A fpbxshortblock -m recent --set --name CLAMPED --rsource
      -A fpbxshortblock -j LOG --log-prefix "clamped: "
      -A fpbxshortblock -j REJECT --reject-with icmp-port-unreachable
      -A fpbxsignalling -p udp -m udp --dport 5060 -j MARK --set-xmark 0x1/0xffffffff
      -A fpbxsignalling -p tcp -m tcp --dport 5061 -j MARK --set-xmark 0x3/0xffffffff
      ... 170 lines deleted ...
      -A fpbxsignalling -p tcp -m tcp --dport 5061 -j MARK --set-xmark 0x3/0xffffffff
      -A fpbxsmarthosts -s xxx.xxx.xxx.xx/xx -m mark --mark 0x1/0x1 -j ACCEPT
      -A fpbxsvc-chansip -p udp -m udp --dport 5061 -j ACCEPT
      -A fpbxsvc-chansip -p tcp -m tcp --dport 9877 -j ACCEPT
      -A fpbxsvc-ftp -p tcp -m tcp --dport 21 -j ACCEPT
      -A fpbxsvc-http -p tcp -m tcp --dport 80 -j ACCEPT
      -A fpbxsvc-https -p tcp -m tcp --dport 443 -j ACCEPT
      -A fpbxsvc-iax -p udp -m udp --dport 4569 -j ACCEPT
      -A fpbxsvc-nfs -j RETURN
      -A fpbxsvc-pjsip -p udp -m udp --dport 5060 -j ACCEPT
      -A fpbxsvc-pjsip -p tcp -m tcp --dport 9876 -j ACCEPT
      -A fpbxsvc-provis -p tcp -m tcp --dport 84 -j ACCEPT
      -A fpbxsvc-restapps -p tcp -m tcp --dport 85 -j ACCEPT
      -A fpbxsvc-smb -p udp -m udp --dport 137 -j ACCEPT
      -A fpbxsvc-smb -p udp -m udp --dport 138 -j ACCEPT
      -A fpbxsvc-smb -p tcp -m tcp --dport 139 -j ACCEPT
      -A fpbxsvc-smb -p tcp -m tcp --dport 445 -j ACCEPT
      -A fpbxsvc-ssh -p tcp -m tcp --dport 22 -j ACCEPT
      -A fpbxsvc-tftp -p udp -m udp --dport 69 -j ACCEPT
      -A fpbxsvc-ucp -p tcp -m tcp --dport 81 -j ACCEPT
      -A fpbxsvc-webrtc -p tcp -m tcp --dport 8088 -j ACCEPT
      -A fpbxsvc-xmpp -p tcp -m tcp --dport 5222 -j ACCEPT
      -A zone-external -j fpbxsvc-https
      -A zone-external -j fpbxsvc-ucp
      -A zone-internal -j fpbxsvc-http
      -A zone-internal -j fpbxsvc-https
      -A zone-internal -j fpbxsvc-ucp
      -A zone-internal -j fpbxsvc-pjsip
      -A zone-internal -j fpbxsvc-chansip
      -A zone-internal -j fpbxsvc-iax
      -A zone-internal -j fpbxsvc-provis
      -A zone-internal -j fpbxsvc-restapps
      -A zone-internal -j fpbxsvc-tftp
      -A zone-other -j fpbxsvc-ucp
      -A zone-other -j fpbxsvc-pjsip
      -A zone-other -j fpbxsvc-provis
      -A zone-reject -j fpbxsvc-webrtc
      -A zone-reject -j fpbxsvc-xmpp
      -A zone-reject -j fpbxsvc-ftp
      -A zone-reject -j fpbxsvc-nfs
      -A zone-reject -j fpbxsvc-smb
      -A zone-trusted -j ACCEPT
      COMMIT
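The chain layout in a dump like the one above can be checked mechanically rather than by eye. The script below is an added example for this page, not FreePBX, fail2ban or the reporter's code. It parses the `*filter` table of an iptables-save dump and reports which `fail2ban-*` chains are declared but never hooked from INPUT, which hooks appear more than once, which fail2ban hooks are evaluated only after the `fpbxfirewall` entry chain (too late, since that chain ACCEPTs trusted traffic and ends in a terminating REJECT via `fpbxlogdrop`), and which source addresses are currently banned. The embedded `SAMPLE_DUMP` is constructed from the chains shown in this report, with one hypothetical ban entry on `fail2ban-SSH` added so the ban parser has something to find.

```python
"""Audit an iptables-save dump for fail2ban chains that never get traffic.

Added example for this issue; not FreePBX or fail2ban code.  SAMPLE_DUMP is
a constructed, shortened version of the dump in the report plus one
hypothetical banned address (203.0.113.7) on the SSH jail.
"""
import re
from typing import Dict, List

SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-recidive - [0:0]
:fpbxfirewall - [0:0]
:fpbxlogdrop - [0:0]
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-FTP
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-SIP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A INPUT -j fpbxfirewall
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -j RETURN
-A fail2ban-recidive -j RETURN
-A fpbxfirewall -i lo -j ACCEPT
-A fpbxfirewall -j fpbxlogdrop
-A fpbxlogdrop -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

CHAIN_DECL = re.compile(r"^:(\S+)\s")            # ":chain policy [pkts:bytes]"
APPEND = re.compile(r"^-A\s+(\S+)\s+(.*)$")       # "-A chain rule-spec"
JUMP = re.compile(r"(?:^|\s)-j\s+(\S+)")
SOURCE = re.compile(r"(?:^|\s)-s\s+(\S+)")


def parse_filter_table(dump: str) -> Dict[str, List[str]]:
    """Return {chain: [rule-spec, ...]} for the *filter table only.
    Chains declared with ':' but holding no rules map to an empty list."""
    chains: Dict[str, List[str]] = {}
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. *filter / *nat
            table = line[1:]
            continue
        if line == "COMMIT":
            table = None
            continue
        if table != "filter":
            continue
        m = CHAIN_DECL.match(line)
        if m:
            chains.setdefault(m.group(1), [])
            continue
        m = APPEND.match(line)
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains


def input_jump_order(chains: Dict[str, List[str]]) -> List[str]:
    """Targets of every -j in INPUT, in evaluation order."""
    return [m.group(1) for spec in chains.get("INPUT", [])
            for m in [JUMP.search(spec)] if m]


def banned_sources(chains: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Sources a fail2ban-* chain DROPs or REJECTs, i.e. the active bans."""
    bans: Dict[str, List[str]] = {}
    for chain, specs in chains.items():
        if not chain.startswith("fail2ban-"):
            continue
        for spec in specs:
            jm, sm = JUMP.search(spec), SOURCE.search(spec)
            if jm and sm and jm.group(1) in ("DROP", "REJECT"):
                bans.setdefault(chain, []).append(sm.group(1))
    return bans


def audit(dump: str, firewall_chain: str = "fpbxfirewall") -> dict:
    """Flag fail2ban chains that cannot act: not hooked from INPUT, hooked
    twice, or hooked only after the firewall chain has already decided."""
    chains = parse_filter_table(dump)
    order = input_jump_order(chains)
    hooked = [t for t in order if t.startswith("fail2ban-")]
    fw_pos = order.index(firewall_chain) if firewall_chain in order else len(order)
    return {
        "unhooked": sorted(c for c in chains
                           if c.startswith("fail2ban-") and c not in hooked),
        "duplicate_hooks": sorted({t for t in hooked if hooked.count(t) > 1}),
        "hooked_after_firewall": [t for i, t in enumerate(order)
                                  if t.startswith("fail2ban-") and i > fw_pos],
        "banned": banned_sources(chains),
    }


if __name__ == "__main__":
    import json, sys
    # Pipe a live dump in: iptables-save | python3 f2b_audit.py
    text = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(audit(text), indent=2))
```

On the constructed sample this reports `fail2ban-BadBots` as unhooked (declared, but no INPUT rule jumps to it, as in the dump above) and `fail2ban-SIP` as hooked twice; the fail2ban hooks all precede `fpbxfirewall`, so `hooked_after_firewall` is empty. A chain that shows up only as `-j RETURN` is not itself a problem: that is what an empty jail looks like, and bans appear as `-s <addr> -j REJECT` lines in front of the RETURN.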


              People

              • Assignee: xrobau Rob Thomas
              • Reporter: jreinold Jürgen
