Best way to block malicious IP Host when using Firewall Module?

Background:

I’m using FreePBX 13, and I have the firewall module installed.
I have FreePBX in a hosted VMS environment.
I have the Responsive Firewall disabled, and have whitelisted the IPs where my phones and SIP trunks are located.
Filter Type is set to reject.

I also have the Intrusion Detection module running with a max retry of 1, find time of 600, and ban time of 86400.

However, in watching the asterisk console in realtime, I see several attempts from IPs (“Friendly scanners”) trying to make SIP connections. Fail2ban IDS does not seem to ban these IPs, nor does the Firewall block attacker or Rate Limited Host.

Question:
Since I’m running both Intrusion Detection and the Firewall… what is the best way to block a known offending IP Host?

  1. Can I insert an iptables entry “iptables -A INPUT -s [badhostIP] -j DROP”?

  2. Does putting the host in the Firewall Blacklist Zone work, even though I’m not using a responsive firewall?
    (or is the Blacklist Zone ignored unless you use a responsive firewall?)

  3. Should I change my Firewall filter type to DROP instead of REJECT?

So for example, I’m getting hit right now from a couple of IPs… but the FreePBX IDS and the Firewall aren’t blocking these IPs… they are blocking others… but not these:

[2016-03-09 12:01:51] NOTICE[2423] chan_sip.c: Registration from '"41" <sip:[email protected]:5060>' failed for '190.75.143.13:5075' - Wrong password
[2016-03-09 12:02:18] VERBOSE[1817] asterisk.c: -- Remote UNIX connection
[2016-03-09 12:02:19] WARNING[2423] chan_sip.c: Retransmission timeout reached on transmission [email protected][::1]:5060 for seqno 102 (Critical Request) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 31999ms with no response
[2016-03-09 12:02:20] WARNING[2423] chan_sip.c: Retransmission timeout reached on transmission [email protected][::1]:5060 for seqno 102 (Critical Request) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[2016-03-09 12:02:25] NOTICE[2423] chan_sip.c: Registration from '"222" <sip:[email protected]:5060>' failed for '190.75.143.13:5078' - Wrong password
[2016-03-09 12:02:29] NOTICE[2423] chan_sip.c: Registration from '"343434" <sip:[email protected]:5060>' failed for '190.75.143.13:5066' - Wrong password
[2016-03-09 12:02:37] NOTICE[2423] chan_sip.c: Registration from '"444555" <sip:[email protected]:5060>' failed for '190.75.143.13:5069' - Wrong password
[2016-03-09 12:02:39] NOTICE[2423] chan_sip.c: Registration from '"8006" <sip:[email protected]:5060>' failed for '190.75.143.13:5071' - Wrong password
[2016-03-09 12:03:17] NOTICE[2423] chan_sip.c: Registration from '"222" <sip:[email protected]:5060>' failed for '190.75.143.13:5068' - Wrong password
[2016-03-09 12:03:35] NOTICE[2423] chan_sip.c: Registration from '"8006" <sip:[email protected]:5060>' failed for '190.75.143.13:5075' - Wrong password
[2016-03-09 12:03:45] NOTICE[2423] chan_sip.c: Registration from '"222" <sip:[email protected]:5060>' failed for '190.75.143.13:5066' - Wrong password
[2016-03-09 12:03:48] NOTICE[2423] chan_sip.c: Registration from '"3388" <sip:[email protected]:5060>' failed for '190.75.143.13:5064' - Wrong password
[2016-03-09 12:04:13] NOTICE[2423] chan_sip.c: Registration from '"222" <sip:[email protected]:5060>' failed for '190.75.143.13:5063' - Wrong password
[2016-03-09 12:04:19] NOTICE[2423] chan_sip.c: Registration from '"222" <sip:[email protected]:5060>' failed for '190.75.143.13:5071' - Wrong password
[2016-03-09 12:04:35] NOTICE[2423] chan_sip.c: Registration from '"9922" <sip:[email protected]:5060>' failed for '190.75.143.13:5066' - Wrong password
[2016-03-09 12:04:45] VERBOSE[3033][C-00000000] pbx.c: -- Executing [[email protected]:2] Log("SIP/MYPBXIP-00000000", "WARNING,Friendly Scanner from 89.163.242.32") in new stack
[2016-03-09 12:04:45] WARNING[3033][C-00000000] Ext. 9900972595183134: Friendly Scanner from 89.163.242.32
[2016-03-09 12:04:54] NOTICE[2423] chan_sip.c: Registration from '"8006" <sip:[email protected]:5060>' failed for '190.75.143.13:5088' - Wrong password
[2016-03-09 12:05:10] NOTICE[2423] chan_sip.c: Registration from '"444555" <sip:[email protected]:5060>' failed for '190.75.143.13:5079' - Wrong password
[2016-03-09 12:05:17] WARNING[2423] chan_sip.c: Retransmission timeout reached on transmission 4fc05a33f7498cceb2d136b51acd82f1 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[2016-03-09 12:05:27] NOTICE[2423] chan_sip.c: Registration from '"343434" <sip:[email protected]:5060>' failed for '190.75.143.13:5081' - Wrong password
[2016-03-09 12:05:41] NOTICE[2423] chan_sip.c: Registration from '"3388" <sip:[email protected]:5060>' failed for '190.75.143.13:5067' - Wrong password
[2016-03-09 12:05:47] VERBOSE[3125][C-00000001] pbx.c: -- Executing [[email protected]:2] Log("SIP/MYPBXIP-00000001", "WARNING,Friendly Scanner from 89.163.242.74") in new stack
[2016-03-09 12:05:47] WARNING[3125][C-00000001] Ext. 200011972598727607: Friendly Scanner from 89.163.242.74
[2016-03-09 12:06:18] NOTICE[2423] chan_sip.c: Registration from '"3388" <sip:[email protected]:5060>' failed for '190.75.143.13:5077' - Wrong password
[2016-03-09 12:06:19] WARNING[2423] chan_sip.c: Retransmission timeout reached on transmission 369e23e5460b8265286e3d663e058e55 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 31999ms with no response
[2016-03-09 12:06:46] NOTICE[2423] chan_sip.c: Registration from '"8006" <sip:[email protected]:5060>' failed for '190.75.143.13:5080' - Wrong password
[2016-03-09 12:06:55] NOTICE[2423] chan_sip.c: Registration from '"8006" <sip:[email protected]:5060>' failed for '190.75.143.13:5085' - Wrong password
[2016-03-09 12:07:03] NOTICE[2423] chan_sip.c: Registration from '"3388" <sip:[email protected]:5060>' failed for '190.75.143.13:5073' - Wrong password
[2016-03-09 12:07:21] NOTICE[2423] chan_sip.c: Registration from '"9922" <sip:[email protected]:5060>' failed for '190.75.143.13:5067' - Wrong password
[2016-03-09 12:07:50] NOTICE[2423] chan_sip.c: Registration from '"8006" <sip:[email protected]:5060>' failed for '190.75.143.13:5086' - Wrong password
[2016-03-09 12:07:53] NOTICE[2423] chan_sip.c: Registration from '"9922" <sip:[email protected]:5060>' failed for '190.75.143.13:5082' - Wrong password
[2016-03-09 12:08:04] NOTICE[2423] chan_sip.c: Registration from '"9922" <sip:[email protected]:5060>' failed for '190.75.143.13:5061' - Wrong password
[2016-03-09 12:08:23] NOTICE[2423] chan_sip.c: Registration from '"3388" <sip:[email protected]:5060>' failed for '190.75.143.13:5064' - Wrong password
[2016-03-09 12:08:40] NOTICE[2423] chan_sip.c: Registration from '"222" <sip:[email protected]:5060>' failed for '190.75.143.13:5070' - Wrong password
[2016-03-09 12:09:05] NOTICE[2423] chan_sip.c: Registration from '"222" <sip:[email protected]:5060>' failed for '190.75.143.13:5068' - Wrong password
[2016-03-09 12:09:10] NOTICE[2423] chan_sip.c: Registration from '"8006" <sip:[email protected]:5060>' failed for '190.75.143.13:5071' - Wrong password
[2016-03-09 12:09:55] NOTICE[2423] chan_sip.c: Registration from '"444555" <sip:[email protected]:5060>' failed for '190.75.143.13:5078' - Wrong password

So the firewall finally blocked these IPs… but it’s been 2.5 hours since.
Is there a threshold that I can set to be more aggressive?
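To see why a jail with max retry 1 and find time 600 should have caught every source in the console output above, here is an added example (not from the thread or from FreePBX) that applies fail2ban-style sliding-window counting to lines modelled on that output; the sample log is constructed and MYPBXIP is a placeholder for the redacted PBX address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample modelled on the question's Asterisk lines; MYPBXIP is a placeholder.
SAMPLE_LOG = """\
[2016-03-09 12:01:51] NOTICE[2423] chan_sip.c: Registration from '"41" <sip:41@MYPBXIP:5060>' failed for '190.75.143.13:5075' - Wrong password
[2016-03-09 12:02:25] NOTICE[2423] chan_sip.c: Registration from '"222" <sip:222@MYPBXIP:5060>' failed for '190.75.143.13:5078' - Wrong password
Packet timed out after 31999ms with no response
[2016-03-09 12:04:45] WARNING[3033][C-00000000] Ext. 9900972595183134: Friendly Scanner from 89.163.242.32
[2016-03-09 12:05:47] WARNING[3125][C-00000001] Ext. 200011972598727607: Friendly Scanner from 89.163.242.74
[2016-03-09 12:09:55] NOTICE[2423] chan_sip.c: Registration from '"444555" <sip:444555@MYPBXIP:5060>' failed for '190.75.143.13:5078' - Wrong password
"""

TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")
# The offender is the host in "failed for 'IP:port'", not the user in the From URI.
REG_FAIL_RE = re.compile(r"failed for '(\d+\.\d+\.\d+\.\d+):\d+' - Wrong password")
# Dialplan honeypot line logged when a scanner dials a trap number.
SCANNER_RE = re.compile(r"Friendly Scanner from (\d+\.\d+\.\d+\.\d+)")

def parse_events(log_text):
    """Return [(timestamp, source_ip, kind)] for the lines a jail would match."""
    events = []
    for line in log_text.splitlines():
        ts_m = TS_RE.match(line)
        if not ts_m:
            continue  # continuation lines ("Packet timed out ...") carry no IP
        ts = datetime.strptime(ts_m.group(1), "%Y-%m-%d %H:%M:%S")
        for kind, rx in (("regfail", REG_FAIL_RE), ("scanner", SCANNER_RE)):
            m = rx.search(line)
            if m:
                events.append((ts, m.group(1), kind))
                break
    return events

def ban_decisions(events, maxretry, findtime):
    """Per-IP sliding window as fail2ban's findtime/maxretry behave; returns {ip: ban time}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = {}
    for ts, ip, _kind in sorted(events):
        if ip in banned:
            continue  # once banned, later packets never reach Asterisk
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned
```

With maxretry=1 every source is flagged on its first matching line, so if fail2ban is not banning them the jail's regex is not matching these log lines or the firewall is overriding its rules, not the thresholds.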

It’s been a while… and sorry to bring up something that probably comes up very often…
Several of my PBXes have been blocking IPs from familiar actors. One IP in particular I’ve been getting almost daily fail2ban alerts for over 2 months. So fail2ban is working… but I’m afraid of the potential exposure or load on the PBXes. I had one PBX put under a DDoS attack a few months ago (thousands of different IP addresses making several different attempts) and it overloaded fail2ban and eventually I just had to shut down the PBX for a while.

What is the best way to permanently ban a list of IP addresses?

Has anyone used blocklists like abuseipdb.com and voipbl.org with FreePBX?

Blacklist is available in Firewall:
https://wiki.freepbx.org/display/FPG/Firewall+Blacklist

Repeated fail2ban interceptions indicate a firewall misconfig (or extremely strict fail2ban settings). Are you sure you have your Firewall configured correctly?

I have the Intrusion Detection (fail2ban) module running with a max retry of 1, find time of 600, and ban time of 86400.

For the System Firewall, Responsive Firewall is turned off, and I have all my known hosts in Trusted Zones.

Can I use the Firewall Blacklist when Responsive Firewall is off?
I thought the System Firewall should deny by default unless Responsive Firewall is turned on?

Yes.

It does, which is further evidence your Firewall is mis-configured. What zone do you have your interface(s) in?

Only one eth0 interface in Internet (Default Firewall) zone.