Fail2ban not banning, Firewall not firewalling

I did a clean install of FreePBX 13 with Asterisk 13 on a new machine (older machine, same version, system crashed so I decided to change server computers)… Anonymous and guest are disabled. Fail2ban isn’t catching attempted hacks, and Firewall isn’t blocking them either. Here’s a part of the call log. None of these are extensions on my system.

2015-12-01 06:27:56 1448980076.62 101 Congestion s [from-sip-external] ANSWERED 00:12
2015-12-01 06:27:55 1448980075.61 5000 Congestion s [from-sip-external] ANSWERED 00:12
2015-12-01 06:18:10 1448979490.60 5000 Congestion s [from-sip-external] ANSWERED 00:13
2015-12-01 06:08:31 1448978911.59 5000 Congestion s [from-sip-external] ANSWERED 00:13
2015-12-01 05:58:41 1448978321.58 5000 Congestion s [from-sip-external] ANSWERED 00:13
2015-12-01 05:48:52 1448977732.57 1002 Congestion s [from-sip-external] ANSWERED 00:13
2015-12-01 05:47:58 1448977678.56 300 Congestion s [from-sip-external] ANSWERED 00:12
2015-12-01 05:47:49 1448977669.55 300 Congestion s [from-sip-external] ANSWERED 00:13
2015-12-01 05:39:00 1448977140.54 1002 Congestion s [from-sip-external] ANSWERED 00:12
2015-12-01 05:29:18 1448976558.53 1002 Congestion s [from-sip-external] ANSWERED 00:13
2015-12-01 05:19:26 1448975966.52 1002 Congestion s [from-sip-external] ANSWERED 00:12
2015-12-01 05:09:35 1448975375.51 4000 Congestion s [from-sip-external] ANSWERED 00:13
2015-12-01 04:59:49 1448974789.50 4000 Congestion s [from-sip-external] ANSWERED 00:13
2015-12-01 04:49:56 1448974196.49 4000 Congestion s [from-sip-external] ANSWERED 00:12
2015-12-01 04:39:42 1448973582.48 4000 Congestion s [from-sip-external] ANSWERED 00:12
2015-12-01 04:29:42 1448972982.47 3000 Congestion s [from-sip-external] ANSWERED 00:13
2015-12-01 04:19:50 1448972390.46 3000 Congestion s [from-sip-external] ANSWERED 00:12
2015-12-01 04:09:55 1448971795.45 3000 Congestion s [from-sip-external] ANSWERED 00:12
2015-12-01 04:00:03 1448971203.44 3000 Congestion s [from-sip-external] ANSWERED 00:13
2015-12-01 03:50:05 1448970605.43 2000 Congestion s [from-sip-external] ANSWERED 00:13
2015-12-01 03:40:13 1448970013.42 2000 Congestion s [from-sip-external] ANSWERED 00:13

There’s a bunch of stuff missing from that log (like the src and dest, and what’s congested, and who answered what), but that’s not enough to trigger the firewall to block the host.

Assuming it’s from the same IP address, that’s not in a defined zone, and responsive firewall is on for traffic coming from that host, it’s about halfway there. The limits are explained here:

http://wiki.freepbx.org/display/FPG/Responsive+Firewall

That’s also far too slow for fail2ban to ever pick up on it, too. Which is why Firewall exists 8)

Responsive firewall is on, at least one of the hacking IP addresses is in the firewall’s blacklist. Fail2ban is set to ban 3 attempts in 30 minutes, permanently. I’ll set the asterisk log to verbose and see if I can pick up src and dest. As for congestion, nothing is congested. This PBX services 10 extensions, 6 internal and 4 external, but only used by me and my wife, and the relevant trunks are 3-channel – the likelihood of ever hitting congestion is nil. I suspect that FPBX shows the hack attempts as congested because it defaults down to it.
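Added example, not part of the original thread: a small Python check of how the fail2ban `findtime` window decides whether probes paced like the ones in the call log can ever reach `maxretry`. It assumes that every entry comes from one source address and that each would produce a log line a fail2ban filter matches; the thread establishes neither.

```python
from datetime import datetime, timedelta

# Entries copied from the call log in the first post (newest first, as posted).
# Assumption: one source IP, and each entry is a failure fail2ban would count.
CALL_LOG = """\
2015-12-01 05:09:35 1448975375.51 4000 Congestion s [from-sip-external] ANSWERED 00:13
2015-12-01 04:59:49 1448974789.50 4000 Congestion s [from-sip-external] ANSWERED 00:13
2015-12-01 04:49:56 1448974196.49 4000 Congestion s [from-sip-external] ANSWERED 00:12
2015-12-01 04:39:42 1448973582.48 4000 Congestion s [from-sip-external] ANSWERED 00:12
2015-12-01 04:29:42 1448972982.47 3000 Congestion s [from-sip-external] ANSWERED 00:13
2015-12-01 04:19:50 1448972390.46 3000 Congestion s [from-sip-external] ANSWERED 00:12
2015-12-01 04:09:55 1448971795.45 3000 Congestion s [from-sip-external] ANSWERED 00:12
2015-12-01 04:00:03 1448971203.44 3000 Congestion s [from-sip-external] ANSWERED 00:13
"""

def parse_times(log_text):
    """Return the sorted timestamps of every well-formed log line."""
    times = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # skip blank or truncated lines
        try:
            times.append(datetime.strptime(" ".join(fields[:2]), "%Y-%m-%d %H:%M:%S"))
        except ValueError:
            continue  # not a timestamped entry
    return sorted(times)

def max_in_window(times, findtime_s):
    """Largest number of events inside any sliding window of findtime_s seconds."""
    window = timedelta(seconds=findtime_s)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1  # drop events that fell out of the window
        best = max(best, end - start + 1)
    return best

def would_trip(times, maxretry, findtime_s):
    """True if at least maxretry events ever fall within one findtime window."""
    return max_in_window(times, findtime_s) >= maxretry

if __name__ == "__main__":
    ts = parse_times(CALL_LOG)
    for findtime in (60, 600, 1800):
        print(findtime, max_in_window(ts, findtime), would_trip(ts, 3, findtime))
```

With probes roughly ten minutes apart, a 600-second window never holds three of them, while an 1800-second window does; pacing alone says nothing about whether fail2ban's filter ever sees the attempts.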

What do you have the SIP and PJSIP services set to on the Firewall, Services tab? If you are using responsive, they should be set to internal.


Thanks, Igaetz. That did it.


I am having similar issues. I don’t have responsive firewall active, but I have the eth1 interface (only interface) set as EXTERNAL, and I have set unauthorized sip pjsip requests to be dropped. But I see there being repeated allowed attempts by malicious IPs that are not being blocked. Here is an example:
74.91.31.170 SIP/SDP 963 Status: 200 OK | , with session description

Also I don’t see them appearing in the blacklist portion.