First, the Intrusion Detection settings have been moved from the System Admin module (sysadmin) to the Firewall module, a more appropriate security settings location.

Immediately after updating the Firewall module, the legacy Intrusion Detection settings will be shown how they have always been in their new location in Firewall, without buttons to select zones or get registered extensions.

Open

The fail2ban service will be started on boot, as it previously was. This behavior remains unchanged.

Open

New Features

Enabling Intrusion Detection Sync

If you wish to activate extended features, go to Advanced Settings in the firewall to set Intrusion Detection Sync Firewall to Enabled or Disabled:

All entries currently populated in the Intrusion Detection whitelist will be moved to the custom whitelist when you switch from Legacy to Enabled. Likewise, all entries you have in the custom whitelist will be moved to the Intrusion Detection whitelist when you switch from Enabled or Disabled to Legacy.

Entries will not be moved when you switch from Enabled to Disabled or Disabled to Enabled.

When you switch to Enabled or Disabled, check the list and verify that all IPs or Hosts are in the correct zone. If you see duplicated entries in another zone, you can remove them from the custom whitelist and leave the system to set zones.

When setting Sync to Enabled, the following options will be shown:

Import

With the new version, Import buttons are available to provide an easy way to build an Intrusion Detection whitelist from existing Firewall zones and IPs from all registered extensions (SIP, PJSIP, IAX).

The Refresh and Clear All buttons can be used to alter the Whitelist entries. Changes to the Whitelist will not be saved unless the page’s Save button is clicked.
Additionally, you can add a custom whitelist entry.

This one will appear with the whitelist in the table below.

You can click the trash icon on the entry’s row to delete one IP address or one entry. After that, the table will be refreshed without this IP address.
If you decide to delete all entries at once, you can click on the Delete button on top of the table here.

Today it’s no longer necessary to restart Intrusion Detection to apply changes. When we save this part, it’s restarted automatically.

You can remove any IP address individually by clicking on the trash icon on the left of the row or the entire list at once by clicking on the Delete All button. You can also move the banned IP address to the custom whitelist by clicking on the arrow on the left of the row.

The IP will be removed from the banned list and added to the custom whitelist like this.

To apply changes immediately, click on the Save button. Otherwise, you can wait for the next syncing (every 5min: at h 00min, h 05min, h 10min ..etc.)

Like the whitelist, we use different colors to make types distinct in the table.

Stop Intrusion Detection Service on Boot

Would you like to permanently disable Intrusion Detection (fail2ban) on boot? The option to disable the service can be found in the Firewall’s Advanced Settings section:

Intrusion Detection will be stopped immediately, and its service on boot will be disabled as well.

A security alert will appear in the Dashboard, like this:

We can click on Resolve to enable this service and start Intrusion detection at the same time.

Automatic Synchronization

In Firewall Advanced Settings, we’ve got some new options about synchronization.

These actions can be done:

• Enabled:
  Automatically synchronize IPs from specific firewall zones to the whitelist. e.g., When you add networks to a trusted zone, local or otherwise, they will be added to the Intrusion Detection whitelist. (*)

• Legacy:
  Intrusion Detection whitelist will work like in the past with no automated synchronization to the whitelist.

Console

We added a new console option to the Firewall module to be available from your system’s command line.

Other…

From the System Admin module

Content filtering

Validation has been included in the field Custom Whitelist and Whitelist to prevent any wrong entries from crashing Intrusion Detection.

If any IP addresses or hosts don’t present a correct format, it will not be allowed to save the content.

Add /etc/hosts as Trusted

Enable / Disable to automatically add any hosts from /etc/hosts to the trusted zone in iptables when used to fix any issue from DNS. IPs can be trusted or not.

Example

Imagine populating a custom whitelist without automatic syncing.

In this case, enable Intrusion Detection, Sync Firewall, and go to the Intrusion Detection tab in the main menu.

1. Click on Registered Extensions IPs, and select some zones.

2. In the table options, disable the columns Action and Type to get only IPs or Host.

3. Click on the export button from the table, and select TXT. Next, open this file and select what you want to copy.

4. Next, paste them into the custom whitelist, and unselect all import buttons.

5. Save Intrusion Detection.

6. The IPs will be saved without any automatic update.

There will be only your custom whitelist.

Intrusion Detection without FreePBX Firewall

If you don't want to use the FreePBX Firewall module. I must to install it anyway and disable it.
Next, Intrusion Detection will be avaiable into the Sysadin module like this.

Only Registered Ext. IPs will be available. Wand you will be allowed to sync them too.

Clicking on gears, you will be allowed to setting up I.D options.

The Firewall module must be installed anyway. If you don't want to use it, just disable it and you could use I.D as well.