
[bug]: When Sync Firewall rules enabled, fail2ban whitelist is not populated #591

Open
lgaetz opened this issue Dec 13, 2024 · 3 comments
Labels: needs-information (Further information is requested)

Comments

@lgaetz
lgaetz commented Dec 13, 2024

FreePBX Version

FreePBX 17

Issue Description

Reproduced with firewall module ver. 17.0.1.30

With the firewall advanced setting “Intrusion Detection Sync Firewall” set to enabled, the firewall module does not properly populate the ignoreip whitelist in fail2ban. THIS IS THE DEFAULT SETTING IN FPBX 17, so that means the fail2ban whitelist is broken out of the box.

To reproduce
1. Confirm the Firewall Advanced setting “Intrusion Detection Sync Firewall” is set to enabled
2. Browse to Firewall -> Networks tab and add IP/Subnets to the trusted zone if not already there
3. Browse to Firewall -> Intrusion Detection tab and ensure that the trusted zone is sync'd to the fail2ban whitelist. Enable if necessary.

Now check /etc/fail2ban/jail.local in the default section, the ignoreip line will NOT be updated to include the trusted zone IPs

[DEFAULT]
ignoreip =  127.0.1.1 127.0.0.1 etc.

Now set the advanced setting “Intrusion Detection Sync Firewall” to legacy
Browse to the intrusion detection tab and add IPs to the whitelist field
When you check /etc/fail2ban/jail.local default section, you will now see the IPs correctly populated.

Operating Environment

FreePBX 17 on Debian 12 installed using Sangoma 17 install script.

Relevant log output

No response

@lgaetz lgaetz added bug Something isn't working triage Triage labels Dec 13, 2024
@ramarajan222
Hi @lgaetz,

When sync is enabled, the ignored (trusted) IPs will be added using the CLI command (except for the interface IPs). You can confirm this using the Fail2Ban CLI command.

fail2ban-client get apache-api ignoreip

thanks

@ramarajan222 ramarajan222 self-assigned this Dec 17, 2024
@ramarajan222 ramarajan222 added needs-information Further information is requested and removed bug Something isn't working triage Triage labels Dec 17, 2024
@lgaetz

lgaetz commented Dec 17, 2024

Hi Ram

While that bash command might be useful to some, it is not the fix for this issue. If an admin enables sync in the GUI, then fpbx MUST auto add the selected zone IPs/subnets to the fail2ban ignoreip list

@ramarajan222
Hi @lgaetz, yes. It automatically adds the selected zone IPs to Fail2Ban. However, it does not write them to the configuration file, as they are added to Fail2Ban on the fly.

You can confirm this with the Fail2Ban CLI command to check whether they have been added or not.
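The two comments above describe two different places where the whitelist can live: the runtime ignoreip inside fail2ban (what `fail2ban-client get <jail> ignoreip` prints) and the ignoreip line in /etc/fail2ban/jail.local. As an added example, not code from this issue or from FreePBX, the script below compares a trusted-zone list against both, so an admin can tell which trusted networks are actually covered. The sample outputs, the jail.local excerpt and the trusted list are constructed; on a live system the parsers would be fed the real command output and file.

```python
import ipaddress

# Constructed sample of `fail2ban-client get <jail> ignoreip` output (not captured
# from a real system); the tree-style prefixes are stripped by parse_ignoreip().
SAMPLE_RUNTIME = """These IP addresses/networks are ignored:
|- 127.0.0.1
|- 127.0.1.1
`- 192.168.10.0/24
"""

# Constructed [DEFAULT] section of /etc/fail2ban/jail.local, as described in the issue.
SAMPLE_JAIL_LOCAL = """[DEFAULT]
ignoreip = 127.0.1.1 127.0.0.1
bantime = 3600
"""

# Constructed trusted-zone entries that the firewall GUI is expected to sync.
TRUSTED = ["192.168.10.0/24", "10.20.0.5"]


def parse_ignoreip(text):
    """Parse runtime ignoreip output into ip_network objects (host entries become /32)."""
    nets = []
    for line in text.splitlines():
        tok = line.strip().lstrip("|`-").strip()
        if not tok or tok.endswith(":"):  # skip blanks and the header line
            continue
        nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def parse_jail_local_ignoreip(text):
    """Return the ignoreip networks from the [DEFAULT] section of a jail.local file."""
    in_default = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_default = (s == "[DEFAULT]")
        elif in_default and s.split("=", 1)[0].strip() == "ignoreip":
            return [ipaddress.ip_network(t, strict=False) for t in s.split("=", 1)[1].split()]
    return []


def missing_trusted(trusted, ignored):
    """Trusted entries not fully covered by any ignored network (CIDR-aware)."""
    out = []
    for t in trusted:
        tn = ipaddress.ip_network(t, strict=False)
        if not any(tn.version == n.version and tn.subnet_of(n) for n in ignored):
            out.append(t)
    return out
```

With the constructed data, the runtime list is missing 10.20.0.5, while jail.local is missing both trusted entries, which matches the behaviour the thread describes: entries added on the fly never appear in the file.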
