Fail2Ban and EventGuard

Status
Not open for further replies.

AyrshireIT

New Member
Mar 21, 2021
Hi all,

I thought that, with Event Guard and fail2ban on, any IP we hard-code in the Access Control section would be whitelisted.

I only run a small system, but it's set up using multi-master replication to a spare server.

Recently we accidentally caused all phone registrations on the primary server to get banned after we updated the http_auth password for provisioning.

I'm guessing what happened is the phones systematically all tried to provision over a 24-hour period with the wrong password, and fail2ban kicked in and banned them all from our system.

Luckily we only use the primary server for provisioning so the secondary server kept all its registrations.

It took me a good 20 minutes before I noticed that the IPs got banned, as I presumed all my tenants would be whitelisted from this.

Has this ever happened to anyone else?

Cheers
 

Samos95

New Member
Mar 17, 2021
I believe the Access Control section is only for sofia configuration by default; fail2ban doesn't look at it. If you want to whitelist anything in fail2ban, you have to do so within its own configuration.
 

AyrshireIT

New Member
Mar 21, 2021
I was of the understanding that anything whitelisted in the access controls is added to iptables.

But after listing the rules I don't see any of the access control list IPs.
 

Samos95

New Member
Mar 17, 2021
It's a bit confusing. In order to whitelist in fail2ban you need to put the IPs in the fail2ban configuration, for example:

[DEFAULT]

ignoreip = 1.1.1.1 2.2.2.2 3.3.3.3

And so on.

We manage our firewall elsewhere and have fail2ban disabled to avoid the issue that you had.
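
An added example, not part of any post in this thread: a small audit that reports, per enabled jail, which Access Control CIDRs are not covered by that jail's effective `ignoreip` (jails inherit it from `[DEFAULT]` unless they override it). The jail names, addresses and ACL list are constructed sample data; the script assumes plain values without `%(...)s` interpolation and skips hostname entries in `ignoreip`.

```python
import configparser
import ipaddress

# Constructed sample: documentation-range addresses and jail names, not from the thread.
SAMPLE_JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 198.51.100.10 203.0.113.0/24

[freeswitch]
enabled = true

[nginx-404]
enabled = true
ignoreip = 127.0.0.1/8
"""

# Constructed stand-in for the CIDRs entered under Access Control.
SAMPLE_ACL = ["198.51.100.10/32", "203.0.113.64/26", "192.0.2.0/24"]


def parse_ignoreip(value):
    """Split an ignoreip value (space or comma separated) into networks."""
    nets = []
    for token in value.replace(",", " ").split():
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            pass  # hostname entry: cannot be compared offline, so skipped
    return nets


def uncovered(jail_text, acl_cidrs):
    """Return {jail: [ACL CIDRs not fully inside that jail's ignoreip]}."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(jail_text)
    acl = [ipaddress.ip_network(c, strict=False) for c in acl_cidrs]
    report = {}
    for jail in cfg.sections():  # [DEFAULT] values are inherited, not listed
        if not cfg.getboolean(jail, "enabled", fallback=False):
            continue
        ignored = parse_ignoreip(cfg.get(jail, "ignoreip", fallback=""))
        report[jail] = [str(n) for n in acl if not any(
            n.version == i.version and n.subnet_of(i) for i in ignored)]
    return report


if __name__ == "__main__":
    for jail, missing in uncovered(SAMPLE_JAIL_LOCAL, SAMPLE_ACL).items():
        print(jail, "not whitelisted:", missing or "none")
```

The second sample jail shows the case that is easy to miss: a jail that sets its own `ignoreip` no longer inherits the `[DEFAULT]` list, so addresses whitelisted there can still be banned by that jail.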
 