System Admin-Intrusion Detection

THIS WIKI HAS BEEN UPDATED FOR VERSION 13 OF YOUR PBX GUI

Overview

When the service is running, attempts to compromise your system are logged. If the attempts exceed the Max Retry limit, the remote IP is blocked from accessing the system for the length of Ban Time. The number of attempts is reset after the Find Time is exceeded. We recommend that this service always run.

Logging in

  • On the top menu click Admin

  • In the drop-down menu click System Admin

  • In the right side navigation menu click Intrusion Detection

Status

Here you can start, stop, restart, and see the status of Fail2Ban. It is recommended to always leave this running.

If the status is running, you will have the option to Stop or Restart the service.

If the status is stopped, you will have the option to Start the service.

Settings

Ban Time

Amount of time, in seconds, that the remote IP of the potential intruder stays banned before the ban is reset. Default = 1800 seconds (30 minutes).

Max Retry

How many times a remote IP can try to connect during the find time. This is the number of attempts a potential intruder has within the find time before they are banned. This should never be too low, as it could lock you out for a simple mistake. You should use passwords that are complex enough not to be guessed by an intruder within the max retry count.

Find Time

The window of time before resetting failed attempts to 0. Default = 600 seconds (10 minutes). For example, with the Max Retry set to 8, the system will ban any IP that fails 8 times in a 10-minute period. Most scanners will use up the attempts in seconds.

E-mail

The e-mail address to send intrusion detection notifications to.

Whitelist

This is a list of addresses/networks that can bypass the above restrictions. These IPs will not be banned.

  • Enter addresses one per line.

  • You can add an individual address, for example 192.168.1.1.

  • You can add a subnet, for example 192.168.1.0/24.

This is useful when provisioning phones. If you enter an incorrect secret, your phone may retry several times after the failure and get itself blocked.
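
The sketch below is an added example, not part of the original wiki and not Fail2Ban's own code: a simplified Python model of how Ban Time, Max Retry, Find Time and the Whitelist interact, run over constructed failure events. The function names, the event list and the addresses outside 192.168.1.0/24 are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

BAN_TIME = 1800   # seconds, the default given above
FIND_TIME = 600   # seconds, the default given above
MAX_RETRY = 8     # value used in the Find Time example above
WHITELIST = ["192.168.1.1", "192.168.1.0/24"]  # the sample entries from above

def is_whitelisted(ip, whitelist=WHITELIST):
    """True if ip matches a single address or falls inside a listed subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in whitelist)

def simulate(failures, max_retry=MAX_RETRY, find_time=FIND_TIME,
             ban_time=BAN_TIME, whitelist=WHITELIST):
    """failures: (seconds, ip) pairs sorted by time.
    Returns a list of (ip, banned_at, unbanned_at)."""
    recent = defaultdict(deque)  # ip -> failure timestamps inside the window
    banned_until = {}
    bans = []
    for ts, ip in failures:
        if is_whitelisted(ip, whitelist):
            continue             # whitelisted sources are never counted
        if banned_until.get(ip, 0) > ts:
            continue             # already blocked at the firewall
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()     # failures older than Find Time no longer count
        if len(window) >= max_retry:
            banned_until[ip] = ts + ban_time
            bans.append((ip, ts, ts + ban_time))
            window.clear()
    return bans

# Constructed sample events (not real log data).
SAMPLE = sorted(
    [(t, "203.0.113.50") for t in range(8)]            # 8 failures in 8 seconds
    + [(t * 120, "198.51.100.7") for t in range(10)]   # one failure every 2 minutes
    + [(t, "192.168.1.23") for t in range(20)]         # phone with a wrong secret
)

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE):
        print(f"{ip} banned at t={start}s, released at t={end}s")
```

Only the first source is banned: the second never accumulates 8 failures inside one 600-second window, and the phone sits in the whitelisted subnet.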

Save

To save changes, click the Submit button.

Banned IPs

If the system has banned any IPs, they will appear here.

APPLICATION NOTE

Bans are NOT persistent and only last until iptables is restarted.
