[HOW TO] Help, I’ve been blocked from my PBX!
If your FreePBX instance has suddenly become unreachable, chances are you’ve been blocked by one of the included network security mechanisms in FreePBX. The good news is that it’s working! The bad news is now you have to somehow work out a way to get yourself unblocked, figure out how you got blocked, and stop it from happening again.
What Blocked Me?
Intrusion Detection (fail2ban)
If you’ve suddenly lost access to the server, this is the most likely culprit. Intrusion Detection scans log files and looks for failed login attempts and other types of unauthorized access, and then temporarily bans the IP of the “attacker”.
FreePBX Responsive Firewall
The FreePBX firewall includes some blacklisting / rate limiting features, though these are less aggressive. What is likely to happen relative to the firewall is that your ISP recently changed your public IP address, or you’ve otherwise changed networks. The FreePBX firewall, if properly configured, should only allow trusted networks and/or known endpoints to access the system.
How did I become blocked?
You’re probably blocked by the firewall if:
- Your public IP is dynamic, meaning it can change from time to time. This is common on residential / small business internet connections and mobile devices.
- You’re travelling or accessing FreePBX from someplace new. In this case FreePBX doesn’t know you and rightfully won’t grant you access to privileged services.
You’re probably blocked by Intrusion Detection if:
- You were just trying to setup a new device and programming it manually, rather than provisioning with Endpoint Manager. Sometimes this can result in configuration mistakes that cause the device to register improperly.
- You just set up a new FreePBX 14 server and have not adapted to the new port mapping scheme for CHAN_SIP vs CHAN_PJSIP that’s standard in Asterisk 13
- Someone in your office was trying (and failed) to log into UCP, SSH, Web Admin, or some other password protected resource.
- You deleted an extension from FreePBX but the phone is still online and trying to register.
How can I get unblocked from my FreePBXHosting VPS?
To unblock yourself, the first thing you need is your public IPv4 IP address:
Note: The instructions below will automatically insert this IP address, be sure to change it as needed.
You will also want to prevent any further intrusion attempts against your server by disconnecting any new phones you’re working on, prevent anyone from trying to log into Admin/UCP with an invalid password, etc.
If you have a VPS (virtual private server), we provide VNC console access so even if the firewall/IDS has blocked you, you can still gain access. Alternatively you can simply access your PBX from another network that you’ve trusted in the firewall.
Get Connected via VNC
- Find your “VPS Account Information” email you received on signup.
- Launch your VNC client and connect using the VNC details from the email.
- On Windows/Linux, you can use a VNC client such as TightVNC. On a Mac, you can use Finder via Go > Connect to Server.
- Login as the user “root” and the root password for your server. (be sure to log out when you’re finished!)
Trust & unblock your current IP address
Trust your current IP in the FreePBX Firewall:
fwconsole firewall trust 18.104.22.168 fwconsole firewall stop fwconsole firewall start
Unblock yourself from Intrusion Detection’s most common jails:
fail2ban-client set pbx-gui unbanip 22.214.171.124 fail2ban-client set ssh-iptables unbanip 126.96.36.199 fail2ban-client set asterisk-iptables unbanip 188.8.131.52 fail2ban-client set recidive unbanip 184.108.40.206
By this point you should be able to access your server, but the next steps will help you learn why you were blocked, and avoid getting blocked in the future..
Find out why you got blocked by fail2ban
To find out why your public IP was blocked by fail2ban, you can search for your IP in the fail2ban logs using grep and analyzing the output. Look for things like “wrong password” or “authentication failed” or “no matching endpoint found”.
Find out which jail you were blocked by:
grep 220.127.116.11 /var/log/fail2ban.log* | grep Ban
Find out details about why you were blocked (note this can produce a lot of output!):
For the asterisk-iptables jail:
grep 18.104.22.168 /var/log/asterisk/fail2ban*
For the ssh-iptables jail:
grep 22.214.171.124 /var/log/secure*
For the pbx-gui jail:
grep 126.96.36.199 /var/log/asterisk/freepbx_security.log*
What if I have a FreePBXHosting Dedicated Server?
If you have a dedicated FreePBX server, you can open a support ticket to request we unblock you from your server. This may require rebooting the server if you do not know the root password. Alternatively, you can request a network KVM be placed on your server to give you console access.
How to avoid getting blocked in the first place
To avoid getting blocked you will want to do a few things:
- When configuring new devices, use Endpoint Manager rather than programming manually.
- Need help setting up Endpoint manager? We offer professional services, including Endpoint Manager setup!
- Has your EPM support lapsed and need to update? Head on over to your PBX’s Admin > Module Admin section to renew. It’s only a few bucks a year and is not only completely worth it for this hugely useful tool, but it also helps support the development of FreePBX!
- If you can’t use Endpoint Manager, be sure to verify all your settings carefully before trying to register the phone. Do not use weak/short secrets to make this more convenient, it can cost you a fortune in long distance!
- Add yourself to the Intrusion Detection whitelist and then restart Intrusion Detection to apply the change.
- If you travel or administer your PBX remotely, setup a VPN to your home or office with a static IP, or keep a VNC client handy to add your current location to the firewall (and remove it later when you’re done with it.)
If none of this works, and you still can’t access your FreePBXhosting.com VPS or dedicated server, you’ll need to open a support ticket. To open a support ticket, visit our customer portal at https://secure.cyberlynk.net or email firstname.lastname@example.org.