fail2ban not working properly?

I’ve been messing with this off and on yesterday and for a few hours today, and am a bit stumped: It appears that we have multiple FreePBX Distro systems where fail2ban is not working properly. These systems are being hammered with the usual brute-force attacks but they are not being blocked by fail2ban as they should be. :frowning:

We do have fail2ban working nicely on some older, legacy (non-FreePBX, everything done by hand) systems, so I am familiar enough with fail2ban and such to work with it. Just this little incident has me stumped.

First, here’s the version info from the System Admin module:

PBX Firmware: 5.211.65-6
PBX Service Pack: 1.0.0.0

I do have intrusion detection enabled in that module as well.

Looking at the fail2ban configuration file (/etc/fail2ban/jail.local) it appears to be using the asterisk-security filter, reading /var/log/asterisk/fail2ban for its input.

If you look at the asterisk-security.conf file, here’s the line that I’m thinking should be matching the invalid password attempts:

	SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP|AMI".*,RemoteAddress="IPV[46]\/(UDP|TCP|TLS)\/<HOST>\/[0-9]+"

All of the above is on one line, of course.

Now, here’s a log entry from an invalid attempt:

[2014-11-04 10:20:32] SECURITY[18562] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1415114432-783120",Severity="Error",Service="SIP",EventVersion="2",AccountID="1111",SessionID="0x7f14c05769f8",LocalAddress="IPV4/UDP/54.xxx.xx.xxx/5060",RemoteAddress="IPV4/UDP/192.155.xx.xxx/53029",Challenge="0adbf336",ReceivedChallenge="0adbf336",ReceivedHash="b31baa1d37d7e9a2e4e57143ac3485d0"

Now, in the /var/log/fail2ban.log file, I end up with this:

2014-11-04 10:20:34,696 fail2ban.filter : ERROR  No 'host' found in '[] SECURITY[18562] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1415114432-783120",Severity="Error",Service="SIP",EventVersion="2",AccountID="1111",SessionID="0x7f14c05769f8",LocalAddress="IPV4/UDP/54.xxx.xx.xxx/5060",RemoteAddress="IPV4/UDP/192.155.xx.xxx/53029",Challenge="0adbf336",ReceivedChallenge="0adbf336",ReceivedHash="b31baa1d37d7e9a2e4e57143ac3485d0"

So, it appears that fail2ban can’t figure out what host (IP) it should be blocking. As if there’s something wrong with the expression in the filter file. That expression looks OK to me, but I’m not an expert at it, so I thought I’d post here and see. All of these files are stock FreePBX Distro as far as I am aware (I haven’t customized any.)

That said, I did find that editing /etc/fail2ban/jail.local to use the filter “asterisk” as opposed to “asterisk-security” seems to make fail2ban block these attempts. But, at that point, it’s using a whole different filter and set of expressions. I’d rather avoid doing that, too, as jail.local specifically says not to edit it by hand.

I don’t want to have to do something that’ll end up overwritten by a module or an update later on, if at all possible.

Any ideas? I figure I’m just missing something simple/stupid here, but I’m about to pull my hair out over it!

Thanks in advance. :smile:

Jeremy

Just change it to asterisk instead of asterisk-security as you said. Or create another one to use asterisk and leave asterisk-security alone. But mind you, after you restart asterisk, asterisk will become asterisk-security automatically.

How to do that is authoritatively at

http://www.fail2ban.org/wiki/index.php/Main_Page

customizations excepted.

In my case the problem was in “SIP|AMI” instead of “(SIP|AMI)” in the expression.

Hope this bug is fixed already in new releases…

Thanks megaboots. Adding those parentheses made the difference for me. With that modification, when I run

fail2ban-regex /var/log/asterisk/fail2ban /etc/fail2ban/filter.d/asterisk-security.conf

I see the login failures.
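To see why the missing parentheses megaboots found produce the "No 'host' found" error, here is an added Python example (not code from the thread, FreePBX or fail2ban). It compiles the stock failregex and the grouped version the way fail2ban does, substituting a named group for the <HOST> tag (the host group used here is a simplified stand-in for fail2ban's own), and runs both against a constructed log line in the shape of the one quoted in the question; the addresses are documentation placeholders.

```python
import re

# Constructed sample line, shaped like the Asterisk security log entry quoted
# in the thread. Addresses are documentation placeholders, not real hosts.
SAMPLE_LINE = (
    '[2014-11-04 10:20:32] SECURITY[18562] res_security_log.c: '
    'SecurityEvent="InvalidPassword",EventTV="1415114432-783120",'
    'Severity="Error",Service="SIP",EventVersion="2",AccountID="1111",'
    'SessionID="0x7f14c05769f8",LocalAddress="IPV4/UDP/203.0.113.10/5060",'
    'RemoteAddress="IPV4/UDP/198.51.100.77/53029",Challenge="0adbf336",'
    'ReceivedChallenge="0adbf336",ReceivedHash="b31baa1d37d7e9a2e4e57143ac3485d0"'
)

# The stock failregex from the thread. Without grouping, the '|' splits the whole
# pattern into two alternatives: the left one ends at 'Service="SIP' and does not
# contain <HOST> at all, so it matches the line but captures no address.
BROKEN_FAILREGEX = (
    r'SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",'
    r'Service="SIP|AMI".*,RemoteAddress="IPV[46]\/(UDP|TCP|TLS)\/<HOST>\/[0-9]+"'
)

# megaboots's fix: parentheses confine the alternation to the service name.
FIXED_FAILREGEX = BROKEN_FAILREGEX.replace('Service="SIP|AMI"', 'Service="(SIP|AMI)"')

# Simplified stand-in (assumption) for the group fail2ban substitutes for <HOST>.
HOST_GROUP = r'(?P<host>[\w\-.^_]+)'


def extract_host(failregex, line):
    """Return (matched, host): whether the failregex matches the line at all,
    and what the <HOST> group captured (None if that group took no part)."""
    pattern = re.compile(failregex.replace('<HOST>', HOST_GROUP))
    m = pattern.search(line)
    if m is None:
        return False, None
    return True, m.group('host')


def ami_variant(line):
    """Same event reported for AMI instead of SIP, to check both alternatives."""
    return line.replace('Service="SIP"', 'Service="AMI"')


if __name__ == '__main__':
    for name, rx in (('stock', BROKEN_FAILREGEX), ('grouped', FIXED_FAILREGEX)):
        print(name, 'SIP:', extract_host(rx, SAMPLE_LINE),
              'AMI:', extract_host(rx, ami_variant(SAMPLE_LINE)))
```

The stock pattern reports a match with host None, which is exactly the condition fail2ban logs as "No 'host' found"; the grouped pattern returns the remote address for both the SIP and AMI lines.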