[FREEPBX-22453] When RFW enabled create option to bypass IP in Fail2Ban - Sangoma Issue Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 15, 16
Fix Version/s: 15, 16
Component/s: Firewall
Labels:
None

ToDo:

Asterisk Version:
16
Distro Version:
SNG7
Distro:
FreePBX Distro
Module Fix Version:
- 15.0.8.13
- 16.0.23

Description

Currently, Fail2Ban runs alongside Responsive Firewall to provide additional protection. Since Fail2Ban rules supersede RFW, it is possible that allowed IP's in RFW can still be blocked by Fail2Ban, with no indication in the GUI. Furthermore, a misconfigured device can DoS an entire site that is relying on RFW.

This issue has be debated several times throughout the years on the forums, one example is here:

Responsive Firewall always blocks "good" external users - FreePBX / Security - FreePBX Community Forums

On the one hand, Fail2Ban can provide protection from an attacker with access to the same IP as a registered device, or utilize stolen SIP credentials to further attack a server with no limitations. However, the more common scenario is that a Sysadmin misconfigures a device and this results in a site lockout.

Gliffy Diagrams

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

f2bbypasson.PNG
28 kB
06/May/21 12:26 PM
image-2021-05-06-12-53-54-641.png
47 kB
06/May/21 7:23 AM

Activity

People

Assignee:

Unassigned

Reporter:

Yois

Votes:

0 Vote for this issue

Watchers:

5 Start watching this issue

Dates

Created:

11/Apr/21 5:10 AM

Updated:

07/Mar/22 12:17 PM

Resolved:

12/May/21 2:25 PM

NextupJiraPlusStatus

Error rendering 'slack.nextup.jira:nextup-jira-plus-status'. Please contact your Jira administrators.