The CLI is showing failures to register coming from 62.210.250.141, but fail2ban is banning the FreePBX server’s address:
No matching peer for '501' from '62.210.250.141:5110'
[2015-09-03 13:03:26] NOTICE[7280][C-00012a8a]: chan_sip.c:25526 handle_request_invite: Failed to authenticate device 501sip:[email protected];tag=f40d1547
/var/log/asterisk/full shows:
[2015-09-03 10:28:31] NOTICE[7280][C-000128d0] chan_sip.c: Failed to authenticate device 501sip:[email protected];tag=19758342
FreePBX Distro. Currently at 6.12.65-28
Asterisk 13.4.0
Whitelisting is not the solution because fail2ban should be banning the offending IP. What’s stranger is that the CLI output shows sip:[email protected];tag=19758342.
I would have thought the following from /var/log/asterisk/full would cause it to ban the offending IP address:
[2015-09-04 06:42:13] VERBOSE[7280][C-00013273] chan_sip.c: No matching peer for '803' from '62.210.250.141:5075'
[2015-09-04 06:42:13] VERBOSE[7280][C-00013273] chan_sip.c: No matching peer for '803' from '62.210.250.141:5075'
[2015-09-04 06:42:14] VERBOSE[7280][C-00013274] chan_sip.c: No matching peer for '803' from '62.210.250.141:5108'
[2015-09-04 06:42:14] VERBOSE[7280][C-00013274] chan_sip.c: No matching peer for '803' from '62.210.250.141:5108'
[2015-09-04 06:42:15] VERBOSE[7280][C-00013275] chan_sip.c: No matching peer for '803' from '62.210.250.141:5070'
[2015-09-04 06:42:15] VERBOSE[7280][C-00013275] chan_sip.c: No matching peer for '803' from '62.210.250.141:5070'
[2015-09-04 06:42:15] VERBOSE[7280][C-00013276] chan_sip.c: No matching peer for '803' from '62.210.250.141:5077'
[2015-09-04 06:42:15] VERBOSE[7280][C-00013276] chan_sip.c: No matching peer for '803' from '62.210.250.141:5077'
[2015-09-04 06:42:16] VERBOSE[7280][C-00013277] chan_sip.c: No matching peer for '803' from '62.210.250.141:5090'
[2015-09-04 06:42:16] VERBOSE[7280][C-00013277] chan_sip.c: No matching peer for '803' from '62.210.250.141:5090'
[2015-09-04 06:42:17] VERBOSE[7280][C-00013278] chan_sip.c: No matching peer for '803' from '62.210.250.141:5096'
[2015-09-04 06:42:17] VERBOSE[7280][C-00013278] chan_sip.c: No matching peer for '803' from '62.210.250.141:5096'
[2015-09-04 06:42:18] VERBOSE[7280][C-00013279] chan_sip.c: No matching peer for '803' from '62.210.250.141:5071'
[2015-09-04 06:42:18] VERBOSE[7280][C-00013279] chan_sip.c: No matching peer for '803' from '62.210.250.141:5071'
[2015-09-04 07:10:20] VERBOSE[7280][C-0001329e] chan_sip.c: No matching peer for '4003' from '62.210.250.141:5091'
[2015-09-04 07:10:20] VERBOSE[7280][C-0001329e] chan_sip.c: No matching peer for '4003' from '62.210.250.141:5091'
[2015-09-04 07:10:20] VERBOSE[7280][C-0001329f] chan_sip.c: No matching peer for '4003' from '62.210.250.141:5071'
[2015-09-04 07:10:20] VERBOSE[7280][C-0001329f] chan_sip.c: No matching peer for '4003' from '62.210.250.141:5071'
[2015-09-04 07:10:21] VERBOSE[7280][C-000132a0] chan_sip.c: No matching peer for '4003' from '62.210.250.141:5080'
[2015-09-04 07:10:21] VERBOSE[7280][C-000132a0] chan_sip.c: No matching peer for '4003' from '62.210.250.141:5080'
[2015-09-04 07:10:22] VERBOSE[7280][C-000132a1] chan_sip.c: No matching peer for '4003' from '62.210.250.141:5110'
[2015-09-04 07:10:22] VERBOSE[7280][C-000132a1] chan_sip.c: No matching peer for '4003' from '62.210.250.141:5110'
[2015-09-04 07:10:23] VERBOSE[7280][C-000132a2] chan_sip.c: No matching peer for '4003' from '62.210.250.141:5107'
[2015-09-04 07:10:23] VERBOSE[7280][C-000132a2] chan_sip.c: No matching peer for '4003' from '62.210.250.141:5107'
[2015-09-04 07:10:24] VERBOSE[7280][C-000132a3] chan_sip.c: No matching peer for '4003' from '62.210.250.141:5106'
[2015-09-04 07:10:24] VERBOSE[7280][C-000132a3] chan_sip.c: No matching peer for '4003' from '62.210.250.141:5106'
[2015-09-04 07:10:24] VERBOSE[7280][C-000132a4] chan_sip.c: No matching peer for '4003' from '62.210.250.141:5108'
[2015-09-04 07:10:24] VERBOSE[7280][C-000132a4] chan_sip.c: No matching peer for '4003' from '62.210.250.141:5108'
Below is CLI output from another call coming in from the same IP that causes fail2ban to ban its own IPs
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?
failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
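
An added example, not part of the original post: a simplified Python model of how the `Failed to authenticate` rule picks the address to ban, assuming the stock fail2ban asterisk filter in which `<HOST>` follows the `@` of the From URI. It shows that the captured host is the one written in the From URI, while the packet source only appears in the `No matching peer` VERBOSE line, which no rule above matches. The addresses, the IPv4-only `HOST` pattern and `SOURCE_RULE` are constructed for illustration.

```python
import re
from collections import Counter

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Severity, pid and call-id fields; "[]" is what is left of the timestamp.
HEAD = r"^\[\]\s*(?:%s)(?:\[\d+\])?:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?"

# Assumed stock rule: <HOST> follows the '@' of the From URI.
FROM_URI_RULE = re.compile(
    HEAD % "NOTICE|SECURITY"
    + r" Failed to authenticate (user|device) [^@]+@" + HOST + r"\S*$")

# Hypothetical rule keyed on the address chan_sip reports as the source.
SOURCE_RULE = re.compile(
    HEAD % "VERBOSE|NOTICE"
    + r" No matching peer for '[^']*' from '" + HOST + r":\d+'$")

TIMESTAMP = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\]")


def captured_host(line, rule):
    """Return the address the rule would hand to the ban action, or None."""
    match = rule.search(TIMESTAMP.sub("[]", line, count=1))
    return match.group("host") if match else None


def tally(lines, rule):
    """Count captured hosts over a log excerpt, as a jail counts failures."""
    hosts = (captured_host(line, rule) for line in lines)
    return Counter(h for h in hosts if h)


# Constructed log lines: 203.0.113.5 is the remote sender, 192.0.2.10 the PBX,
# and the From URI names the PBX's own address.
SAMPLE = [
    "[2015-09-03 10:28:30] VERBOSE[7280][C-000128d0] chan_sip.c: "
    "No matching peer for '501' from '203.0.113.5:5110'",
    "[2015-09-03 10:28:31] NOTICE[7280][C-000128d0] chan_sip.c: "
    "Failed to authenticate device 501<sip:501@192.0.2.10>;tag=19758342",
    "[2015-09-03 10:28:32] VERBOSE[7280][C-000128d1] chan_sip.c: "
    "No matching peer for '501' from '203.0.113.5:5075'",
    "[2015-09-03 10:28:33] NOTICE[7280][C-000128d1] chan_sip.c: "
    "Failed to authenticate device 501<sip:501@192.0.2.10>;tag=f40d1547",
]

if __name__ == "__main__":
    print("From-URI rule counts:", dict(tally(SAMPLE, FROM_URI_RULE)))
    print("Source rule counts:  ", dict(tally(SAMPLE, SOURCE_RULE)))
```

The real filter can be checked against the real log with `fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf`, which reports the lines each failregex matched.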