I originally asked this question in Intrusion detection whitelist: subnets not allowed? - #7 by iac but that topic was closed.
When I come to the intrusion detection tab, it shows some banned addresses.
But when I reload the page for whatever reason, the list clears.
What are the implications of that? Does that mean that the list is now empty? Why would it become empty, while the ban time and find time are set to 86400000?
Thanks everyone!
Something really weird is going on, because since my asking this question, no new addresses have appeared in the ban list, and I received no new notification, even though our SIP is under constant attack by some freeloaders who mistakenly believe that they can place free phone calls through us. I know this for certain, from the firewall logs. This used to work until that unfortunate reloading of the page that cleared the list. Is there any troubleshooting that can help understand whether the intrusion detection still works?
The fail2ban log under /var/log/asterisk fills up very quickly with tons of entries like this:
[2025-11-29 03:20:01] SECURITY[2399] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2025-11-29T03:20:01.493-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7f1138001ec0”,LocalAddress=“IPV4/TCP/127.0.0.1/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/55042”,UsingPassword=“0”,SessionTV=“2025-11-29T03:20:01.493-0500”
[2025-11-29 03:20:01] SECURITY[2399] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2025-11-29T03:20:01.758-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7f11340da030”,LocalAddress=“IPV4/TCP/127.0.0.1/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/55048”,UsingPassword=“0”,SessionTV=“2025-11-29T03:20:01.758-0500”
[2025-11-29 03:20:06] SECURITY[2399] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2025-11-29T03:20:06.596-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7f113c003d60”,LocalAddress=“IPV4/TCP/127.0.0.1/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/55054”,UsingPassword=“0”,SessionTV=“2025-11-29T03:20:06.596-0500”
[2025-11-29 03:20:13] SECURITY[2399] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2025-11-29T03:20:13.498-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7f1148040a40”,LocalAddress=“IPV4/TCP/127.0.0.1/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/55060”,UsingPassword=“0”,SessionTV=“2025-11-29T03:20:13.498-0500”
[2025-11-29 03:20:41] SECURITY[2399] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2025-11-29T03:20:41.864-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7f1140043c30”,LocalAddress=“IPV4/TCP/127.0.0.1/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/55066”,UsingPassword=“0”,SessionTV=“2025-11-29T03:20:41.864-0500”
[2025-11-29 03:21:01] SECURITY[2399] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2025-11-29T03:21:01.740-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7f11440107c0”,LocalAddress=“IPV4/TCP/127.0.0.1/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/55072”,UsingPassword=“0”,SessionTV=“2025-11-29T03:21:01.740-0500”
Is it possible to turn this noise off and not log SuccessfulAuth since it is not something that fail2ban is intended for?
Is Fail2Ban considered something insignificant that is not worth any attention?
