VitalPBX how to manually unban yourself from the command line



  • It is not uncommon to lock yourself out of things when you are exploring them new.

    VitalPBX is no exception. It uses fail2ban and there are some simple commands you need to know how to use from the command line to get yourself back in.

    Log in to the console of your VM where ever it is hosted, switch to root and use the fail2ban-client status command.

    This will list all of the jails that are currently set up.

    [root@vpbx ~]# fail2ban-client status
    Status
    |- Number of jail:	11
    `- Jail list:	apache-auth, apache-badbots, apache-modsecurity, apache-overflows, apache-shellshock, asterisk-vpbx, dropbear, recidive, sshd, sshd-ddos, vitalpbx-gui
    

    You can then look at the jails individually. The fail2ban-client command does not have a way to list everything at once, if you want to get into that, you are looking at parsing the iptables rules with grep.

    To look at a single jail, you simply add that jail name after status.
    I have no hits on ssh because I have it restricted with a Vultr firewall.

    [root@vpbx ~]# fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed:	0
    |  |- Total failed:	0
    |  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
    `- Actions
       |- Currently banned:	0
       |- Total banned:	0
       `- Banned IP list:	
    

    On the other hand, asterisk.....
    And yes, my IP was in there because I messed up something.

    root@vpbx ~]# fail2ban-client status asterisk-vpbx
    Status for the jail: asterisk-vpbx
    |- Filter
    |  |- Currently failed:	6
    |  |- Total failed:	183
    |  `- File list:	/var/log/asterisk/fail2ban
    `- Actions
       |- Currently banned:	9
       |- Total banned:	10
       `- Banned IP list:	185.53.88.253 102.165.52.90 77.247.110.17 212.83.129.111 102.165.52.107 77.247.110.127 102.165.51.161 185.53.88.210 77.247.110.19
    

    To clear a ban, is simple enough fail2ban-client set asterisk-vpbx unbanip ip.to.un.ban

    [root@vpbx ~]# fail2ban-client set asterisk-vpbx unbanip 185.53.88.253
    185.53.88.253
    

    It is important to note for beginners. It does not matter which service you get an IP banned for. The ban is for the IP. This mean once on the list for any service, the IP is blocked from hitting the system for any service.



  • @JaredBusch said in VitalPBX how to manually unban yourself from the command line:

    It is important to note for beginners. It does not matter which service you get an IP banned for. The ban is for the IP. This mean once on the list for any service, the IP is blocked from hitting the system for any service.

    Do you have to use the service that banned it to unban it?



  • @Dashrender said in VitalPBX how to manually unban yourself from the command line:

    Do you have to use the service that banned it to unban it?

    That's unrelated to what he mentioned. Fail2ban is the service that does the banning. The service you are banned for are things like httpd, asterisk, etc.



  • @scottalanmiller said in VitalPBX how to manually unban yourself from the command line:

    @Dashrender said in VitalPBX how to manually unban yourself from the command line:

    Do you have to use the service that banned it to unban it?

    That's unrelated to what he mentioned. Fail2ban is the service that does the banning. The service you are banned for are things like httpd, asterisk, etc.

    What he meant was the jail. That would be my fault for being unspecific.

    Yes @Dashrender, you need to specify the jail.

    Look at my unbanip example.



  • @JaredBusch said in VitalPBX how to manually unban yourself from the command line:

    @scottalanmiller said in VitalPBX how to manually unban yourself from the command line:

    @Dashrender said in VitalPBX how to manually unban yourself from the command line:

    Do you have to use the service that banned it to unban it?

    That's unrelated to what he mentioned. Fail2ban is the service that does the banning. The service you are banned for are things like httpd, asterisk, etc.

    What he meant was the jail. That would be my fault for being unspecific.

    Yes @Dashrender, you need to specify the jail.

    Look at my unbanip example.

    I did - that's why I asked the question, do you have to use a specific jail to unban or can you use any jail to unban? The reason I ask is because you said - once any jail bans you - you're ban for all jails.

    I'm assuming yes, you have to use the specific jail that has you listed as banned. but I'm asking anyhow.



  • Handy one for white listing a IP is to edit the jail.conf file and add: ignoreip = 127.0.0.1/8 - (Replace this with your IP)



  • @Dashrender said in VitalPBX how to manually unban yourself from the command line:

    I'm assuming yes, you have to use the specific jail that has you listed as banned. but I'm asking anyhow.

    Yes because that is where it will find it listed to unban.



  • @StuartJordan said in VitalPBX how to manually unban yourself from the command line:

    Handy one for white listing a IP is to edit the jail.conf file and add: ignoreip = 127.0.0.1/8 - (Replace this with your IP)

    Never, ever, do this.

    Work within the product that you are using. Never go around it like this.

    By doing this, you lose all accountability within the product for how it is configured.

    Just like FreePBX, VitalPBX has a specific location within the GUI to whitelist things. You do it there. I simply had not done it yet as I was only testing the solution fairly randomly.



  • @JaredBusch fair enough, I haven't used the product itself as of yet and wasn't aware it had whitelisting inside the product, if this was specific to just fail2ban then that method would be suitable, but in this case I agree with you, my mistake.