Fail2ban is banning the freepbx servers address instead of ip trying to reg

Hi,

cli is showing failures to register coming from 62.210.250.141 but fail2ban is banning the freepbx servers address

No matching peer for ‘501’ from ‘62.210.250.141:5110’
[2015-09-03 13:03:26] NOTICE[7280][C-00012a8a]: chan_sip.c:25526 handle_request_invite: Failed to authenticate device 501sip:[email protected];tag=f40d1547

/var/log/asterisk/full shows:

[2015-09-03 10:28:31] NOTICE[7280][C-000128d0] chan_sip.c: Failed to authenticate device 501sip:[email protected];tag=19758342

the 107.6.xxx.xxx = our freepbx server.

Thanks.

Is this a FreePBX distro server, or is this compiled from source?

Try whitelisting your server’s IP address in the sysadmin module, and check your regular expressions in the fail2ban config.

FreePBX Distro. Currently at 6.12.65-28
Asterisk 13.4.0

Whitelisting is not the solution because fail2ban should be banning the offending IP. What’s more strange is the fact in a cli output showing sip:[email protected];tag=19758342.

I would have thought the following from /var/log/asterisk/full would cause it to ban the offending IP address:

[2015-09-04 06:42:13] VERBOSE[7280][C-00013273] chan_sip.c: No matching peer for ‘803’ from ‘62.210.250.141:5075’
[2015-09-04 06:42:13] VERBOSE[7280][C-00013273] chan_sip.c: No matching peer for ‘803’ from ‘62.210.250.141:5075’
[2015-09-04 06:42:14] VERBOSE[7280][C-00013274] chan_sip.c: No matching peer for ‘803’ from ‘62.210.250.141:5108’
[2015-09-04 06:42:14] VERBOSE[7280][C-00013274] chan_sip.c: No matching peer for ‘803’ from ‘62.210.250.141:5108’
[2015-09-04 06:42:15] VERBOSE[7280][C-00013275] chan_sip.c: No matching peer for ‘803’ from ‘62.210.250.141:5070’
[2015-09-04 06:42:15] VERBOSE[7280][C-00013275] chan_sip.c: No matching peer for ‘803’ from ‘62.210.250.141:5070’
[2015-09-04 06:42:15] VERBOSE[7280][C-00013276] chan_sip.c: No matching peer for ‘803’ from ‘62.210.250.141:5077’
[2015-09-04 06:42:15] VERBOSE[7280][C-00013276] chan_sip.c: No matching peer for ‘803’ from ‘62.210.250.141:5077’
[2015-09-04 06:42:16] VERBOSE[7280][C-00013277] chan_sip.c: No matching peer for ‘803’ from ‘62.210.250.141:5090’
[2015-09-04 06:42:16] VERBOSE[7280][C-00013277] chan_sip.c: No matching peer for ‘803’ from ‘62.210.250.141:5090’
[2015-09-04 06:42:17] VERBOSE[7280][C-00013278] chan_sip.c: No matching peer for ‘803’ from ‘62.210.250.141:5096’
[2015-09-04 06:42:17] VERBOSE[7280][C-00013278] chan_sip.c: No matching peer for ‘803’ from ‘62.210.250.141:5096’
[2015-09-04 06:42:18] VERBOSE[7280][C-00013279] chan_sip.c: No matching peer for ‘803’ from ‘62.210.250.141:5071’
[2015-09-04 06:42:18] VERBOSE[7280][C-00013279] chan_sip.c: No matching peer for ‘803’ from ‘62.210.250.141:5071’
[2015-09-04 07:10:20] VERBOSE[7280][C-0001329e] chan_sip.c: No matching peer for ‘4003’ from ‘62.210.250.141:5091’
[2015-09-04 07:10:20] VERBOSE[7280][C-0001329e] chan_sip.c: No matching peer for ‘4003’ from ‘62.210.250.141:5091’
[2015-09-04 07:10:20] VERBOSE[7280][C-0001329f] chan_sip.c: No matching peer for ‘4003’ from ‘62.210.250.141:5071’
[2015-09-04 07:10:20] VERBOSE[7280][C-0001329f] chan_sip.c: No matching peer for ‘4003’ from ‘62.210.250.141:5071’
[2015-09-04 07:10:21] VERBOSE[7280][C-000132a0] chan_sip.c: No matching peer for ‘4003’ from ‘62.210.250.141:5080’
[2015-09-04 07:10:21] VERBOSE[7280][C-000132a0] chan_sip.c: No matching peer for ‘4003’ from ‘62.210.250.141:5080’
[2015-09-04 07:10:22] VERBOSE[7280][C-000132a1] chan_sip.c: No matching peer for ‘4003’ from ‘62.210.250.141:5110’
[2015-09-04 07:10:22] VERBOSE[7280][C-000132a1] chan_sip.c: No matching peer for ‘4003’ from ‘62.210.250.141:5110’
[2015-09-04 07:10:23] VERBOSE[7280][C-000132a2] chan_sip.c: No matching peer for ‘4003’ from ‘62.210.250.141:5107’
[2015-09-04 07:10:23] VERBOSE[7280][C-000132a2] chan_sip.c: No matching peer for ‘4003’ from ‘62.210.250.141:5107’
[2015-09-04 07:10:24] VERBOSE[7280][C-000132a3] chan_sip.c: No matching peer for ‘4003’ from ‘62.210.250.141:5106’
[2015-09-04 07:10:24] VERBOSE[7280][C-000132a3] chan_sip.c: No matching peer for ‘4003’ from ‘62.210.250.141:5106’
[2015-09-04 07:10:24] VERBOSE[7280][C-000132a4] chan_sip.c: No matching peer for ‘4003’ from ‘62.210.250.141:5108’
[2015-09-04 07:10:24] VERBOSE[7280][C-000132a4] chan_sip.c: No matching peer for ‘4003’ from ‘62.210.250.141:5108’

Below is cli output from another call coming in from same IP that causes fail2ban to ban it’s own IPs

<--- SIP read from UDP:62.210.250.141:5071 --->
INVITE sip:[email protected] SIP/2.0
To: 01141445209396<sip:[email protected]>
From: 4003<sip:[email protected]>;tag=e2105358
Via: SIP/2.0/UDP 62.210.250.141:5071;branch=z9hG4bK-3397ebb400ad1bb000169bbfb7fcf784;rport
Call-ID: c6944e65f32efbbdbc45d8669060996d
CSeq: 2 INVITE
Contact: <sip:[email protected]:5071>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Authorization: Digest username="4003",realm="asterisk",nonce="5bd016b7",uri="sip:[email protected]",response="757a226fca45b8f30eba70236a212ae7",algorithm=MD5
Content-Length: 284
 
v=0
o=sipcli-Session 514273047 2086817246 IN IP4 62.210.250.141
s=sipcli
c=IN IP4 62.210.250.141
t=0 0
m=audio 5073 RTP/AVP 18 0 8 101
a=fmtp:101 0-15
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=ptime:20
a=sendrecv
<------------->
— (13 headers 13 lines) —
Sending to 62.210.250.141:5071 (no NAT)
Using INVITE request as basis request - c6944e65f32efbbdbc45d8669060996d
No matching peer for '4003' from '62.210.250.141:5071'
[2015-09-04 07:10:20] NOTICE[7280][C-0001329f]: chan_sip.c:25526 handle_request_invite: Failed to authenticate device 4003<sip:[email protected]>;tag=e2105358
 
 
Chain fail2ban-SIP (2 references)
target prot opt source destination
REJECT all – 107.6.xx.xxx 0.0.0.0/0 reject-with icmp-port-unreachable

Thanks,

This will stop the banning of your own IPs in the meantime, which should be your first goal. Second, we need to get the correct IPs banned.

cat /etc/fail2ban/filter.d/asterisk.conf

post the prefix/regexes

log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:[C-[\da-f]])? \S+:\d( in \w+:)?

failregex = ^(%(__prefix_line)s|[]\s*)%(log_prefix)s Registration from ‘[^’]’ failed for ‘(:\d+)?’ - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error (permit/deny)|Not a local domain)$
^(%(__prefix_line)s|[]\s)%(log_prefix)s Call from ‘[^’]’ (:\d+) to extension ‘\d+’ rejected because extension not found in context ‘default’.$
^(%(__prefix_line)s|[]\s)%(log_prefix)s Host failed to authenticate as ‘[^’]’$
^(%(__prefix_line)s|[]\s)%(log_prefix)s No registration for peer ‘[^’]’ (from )$
^(%(__prefix_line)s|[]\s)%(log_prefix)s Host failed MD5 authentication for ‘[^’]’ ([^)]+)$
^(%(__prefix_line)s|[]\s)%(log_prefix)s Failed to authenticate (user|device) [^@]+@\S*$
^(%(__prefix_line)s|[]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@>;tag=\w+\S*$
^(%(__prefix_line)s|[]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID=“0x[\da-f]+”,LocalAddress=“IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+”,RemoteAddress=“IPV[46]/(UD|TC)P//\d+”(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
^(%(__prefix_line)s|[]\sWARNING%(__pid_re)s:?(?:[C-[\da-f]])? )Ext. s: "Rejecting unknown SIP connection from "$

ignoreregex =

This is why that’s happening. They’re spoofing the device IP to try and gain access by way of IP ACLs. Whitelist your PBX and move on.

What version of asterisk are you using? I suspect a rather outdated one that your regexes are not appropriate for. You will find

http://www.fail2ban.org/wiki/index.php/Asterisk

for asterisk 1.8 and before.

Hi Dicko,
Yes its an outdated version: ]# cat /etc/schmooze/pbx-version
10.13.66-6

Euh, not really, as far as I know it’s the latest version…

Have a nice day!

Nick

An outdated version of Fail2ban

Had the same issue…white listing appeared to be a fix for it.

Hey Dicko,
It’s the fail2ban which is included in the FreePBX Distro 10.13.66 which is the latest.