I think what is being misunderstood is that fail2ban will ban any IP it can identify by the regexes in
/etc/fail2ban/filter.d/asterisk.conf
in my case
failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching endpoint found|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected '<HOST>'$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
So if and ONLY if you have a host that violates any of those rules for 'maxretry' times in any 'findtime' period they will be banned for 'bantime', that is very simply just how it works!!
So as Ward said, if your clients are doing ANY of that, they plain shouldn't; a valid extension needs a valid password, and if they have that then NONE of those regexes could possibly match, NO? The only solution is to add anything that misbehaves (or preferably their underlying CIDR) either to the ignoreip= line OR PREFERABLY, and this is as I have said CRITICAL, "ALLOW" them in a part of iptables BEFORE the fail2ban chains, so if TM3 or CSF or your personal IPSET rules precede fail2ban and have "ALLOWED" that host, then fail2ban will never see it so will never ban it. The same of course goes for every other jail you enable in fail2ban.
(CSF/LFD are well worth looking at; if you like the extra protection then just start TM3 and THEN fail2ban in /etc/csf/csfpost.sh and stop them in /etc/csf/csfpre.sh. It will be seamless, no harm and no foul, it will just simply reorder your ipchains in a sane fashion.)
If you don't like CSF/LFD then just make sure TM3 is started BEFORE fail2ban. Ward assures us that it is really good, and so is fail2ban, but if you have anything that is really bad then fail2ban will likely catch it if TM3 misses it.
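To make the "if they have a valid password, none of those regexes can match" point concrete, here is an added example that is not part of the post or of fail2ban itself. It expands the <HOST> tag the way fail2ban does, applies three of the asterisk.conf failregex lines (with a simplified, assumed stand-in for %(__prefix_line)s%(log_prefix)s) to a few constructed Asterisk log lines, and counts failures per host with a sliding window so you can see which hosts would cross maxretry within findtime and how ignoreip= exempts a host. The log lines, prefix pattern and the 600-second/3-attempt defaults are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban expands the <HOST> tag to this group (its own definition of the tag).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Assumed, simplified stand-in for %(__prefix_line)s%(log_prefix)s: a timestamp in
# brackets, the level with optional pid and call id, then "file.c:line function:".
PREFIX = (
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"(?:NOTICE|SECURITY|WARNING)(?:\[\d+\])?:?(?:\[C-[\da-f]*\])? [^:]+:\d+ \S+:"
)

# Three of the failregex lines from the asterisk.conf filter quoted above.
FAILREGEX = [
    r" Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching endpoint found|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$",
    r" Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context",
    r" Host <HOST> failed to authenticate as '[^']*'$",
]
COMPILED = [re.compile(PREFIX + p.replace("<HOST>", HOST_TAG)) for p in FAILREGEX]

# Constructed sample log lines (documentation-range addresses, not from any real PBX).
SAMPLE_LOG = [
    "[2024-05-01 12:00:01] NOTICE[1234] chan_sip.c:28200 handle_request_register: Registration from '\"100\" <sip:100@pbx.example.invalid>' failed for '203.0.113.5:5060' - Wrong password",
    "[2024-05-01 12:00:05] NOTICE[1234] chan_sip.c:28200 handle_request_register: Registration from '\"101\" <sip:101@pbx.example.invalid>' failed for '203.0.113.5:5060' - No matching peer found",
    "[2024-05-01 12:00:09] NOTICE[1234] chan_sip.c:26000 handle_request_invite: Call from '' (203.0.113.5:5060) to extension '9011' rejected because extension not found in context 'default'.",
    "[2024-05-01 12:00:30] NOTICE[1234] chan_sip.c:28200 handle_request_register: Registration from '\"200\" <sip:200@pbx.example.invalid>' failed for '198.51.100.7:5060' - Wrong password",
    # A successful registration: matches no failregex, so it is never counted.
    "[2024-05-01 12:01:00] NOTICE[1234] chan_sip.c:24500 handle_response_register: Registered SIP '200' at 198.51.100.7:5060",
    "[2024-05-01 12:05:00] NOTICE[1234] chan_sip.c:28200 handle_request_register: Registration from '\"300\" <sip:300@pbx.example.invalid>' failed for '192.0.2.10:5060' - Wrong password",
    "[2024-05-01 12:05:10] NOTICE[1234] chan_sip.c:28200 handle_request_register: Registration from '\"300\" <sip:300@pbx.example.invalid>' failed for '192.0.2.10:5060' - Wrong password",
    "[2024-05-01 12:05:20] NOTICE[1234] chan_sip.c:28200 handle_request_register: Registration from '\"300\" <sip:300@pbx.example.invalid>' failed for '192.0.2.10:5060' - Wrong password",
]


def parse_failure(line):
    """Return (timestamp, host) if the line matches any failregex, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("host")
    return None


def hosts_to_ban(lines, maxretry=3, findtime=timedelta(seconds=600), ignoreip=()):
    """Sliding-window count per host, the way maxretry/findtime interact.

    A host is listed once it has maxretry matching lines inside any findtime
    window. Hosts in ignoreip are skipped entirely, mirroring the ignoreip= line.
    Lines are expected in chronological order, as in a log file.
    """
    recent = defaultdict(list)
    banned = []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, host = hit
        if host in ignoreip:
            continue
        window = [t for t in recent[host] if ts - t <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
    print("with 192.0.2.10 in ignoreip:", hosts_to_ban(SAMPLE_LOG, ignoreip={"192.0.2.10"}))
    print("with findtime=5s:", hosts_to_ban(SAMPLE_LOG, findtime=timedelta(seconds=5)))
```

Run it as-is to see the two offending hosts listed, then again with a host in ignoreip or a much shorter findtime to see it drop out. The real tool for this check is fail2ban-regex against your actual log and filter; the script only reproduces the matching and counting logic so the interaction between the regexes, maxretry, findtime and ignoreip is visible in one place.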
One reason I don't use Issabel: it has its own Fail2Ban, and the one we are used to is not honored when the jail.conf is updated with the IP of your computer.
Wazo honors it but is so confusing to do ANYTHING in unless you are REALLY into IT or Telephony as a career; then it is probably as simple as Pi. Although Pi is not simple, it's never-ending (3.14159..........)
Deal, do I just look for a .conf for every jail, i.e. asterisk jail.conf or something similar to that?
We've tried a wiki before. For whatever reasons, 99% of folks prefer to ask their question and get a prompt reply. I'm not saying it's a bad idea, but someone has to create it AND maintain it. Are you volunteering?
Hello, the whole purpose of Fail2Ban is to block those who make unsuccessful attempts to log into SIP or web resources. If this is that frequent a problem and you've whitelisted the IP addresses, then perhaps you should just turn off Fail2Ban. The firewall will block strangers from attacks anyway.
Well, most of the time it =doesn't= get in the way. I have Fail2Ban running on 4 boxes right now, each doing different things, and it performs well and as it should. Your particular scenario may just be something that doesn't agree with Fail2Ban...But seriously, what's the purpose of fail2ban if it keeps getting in the way?