I have a new setup and have been receiving Fail2Ban emails stating IPs have been blocked after multiple login attempts. This is good as it's working - BUT - it seems the email notifications I am receiving are increasing, and instead of 10 attempts then a ban, some are reaching 250+ attempts from an IP before being banned - it seems my setup is receiving a good bit of snooping.
So, as I am new to this, I am keen to know if such probing is sort of normal and I just need to ensure all security is as good as it can be, or have I missed something and am I perhaps unknowingly putting my system out there as a fun option to poke at?
The bans seem to be slowing down now and they are mainly all from different IPs. I guess I am getting 1x F2B alert email a day at present and it may slow even more, and thus the problem may just naturally go away as net bots lose interest / mark the destination as secure?
So, on Monday I received 5x Fail2Ban emails each with events putting a ban after c.100 attempts. It seems the system is safe but I am still unsure if such activity is just on my systems or standard broadly for most people?
Also, and perhaps this seems pointless given IPs will be randomised, but is it perhaps worth permanently banning the IPs that get banned via Fail2Ban?
You can set the length of time that fail2ban maintains its ban, but if you stop using UDP/5060 as your accepted transport you will not be getting nearly so many ‘bad attempts’ to INVITE or REGISTER.
Hi, I appreciate the help - thank you. So, the suggestion is to change the port from UDP/5060 to something else of my choosing / fit for purpose, and to increase the ban duration to, say, double. Correct?
I will have a look into changing the UDP/5060 port used - assume possible inside the admin panel?
No, the SIP settings panel. You will need to change your extensions to reflect any changes. TCP is less attacked than UDP; TLS needs certificates but is very rarely attacked successfully.
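
On the question of whether longer or permanent bans are worth it when most offenders come from different IPs: the script below is an added example, not part of the thread, that tallies failures and bans per address from fail2ban log lines and lists addresses banned more than once. The jail name `asterisk` and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in fail2ban.log format. The jail name "asterisk" and the
# documentation-range addresses are assumptions, not data from the thread.
SAMPLE_LOG = """\
2024-03-04 02:10:01,114 fail2ban.filter  [812]: INFO    [asterisk] Found 203.0.113.7 - 2024-03-04 02:10:01
2024-03-04 02:10:02,310 fail2ban.filter  [812]: INFO    [asterisk] Found 203.0.113.7 - 2024-03-04 02:10:02
2024-03-04 02:10:03,502 fail2ban.filter  [812]: INFO    [asterisk] Found 203.0.113.7 - 2024-03-04 02:10:03
2024-03-04 02:10:03,640 fail2ban.actions [812]: NOTICE  [asterisk] Ban 203.0.113.7
2024-03-04 03:10:04,001 fail2ban.actions [812]: NOTICE  [asterisk] Unban 203.0.113.7
2024-03-04 03:15:40,220 fail2ban.filter  [812]: INFO    [asterisk] Found 198.51.100.23 - 2024-03-04 03:15:40
2024-03-04 03:15:41,450 fail2ban.filter  [812]: INFO    [asterisk] Found 198.51.100.23 - 2024-03-04 03:15:41
2024-03-04 03:15:41,610 fail2ban.actions [812]: NOTICE  [asterisk] Ban 198.51.100.23
2024-03-04 05:02:11,008 fail2ban.filter  [812]: INFO    [asterisk] Found 203.0.113.7 - 2024-03-04 05:02:11
2024-03-04 05:02:12,190 fail2ban.filter  [812]: INFO    [asterisk] Found 203.0.113.7 - 2024-03-04 05:02:12
2024-03-04 05:02:12,333 fail2ban.actions [812]: NOTICE  [asterisk] Ban 203.0.113.7
2024-03-04 06:44:59,870 fail2ban.filter  [812]: INFO    [asterisk] Found 192.0.2.44 - 2024-03-04 06:44:59
"""

# "[jail] Found <ip>" is one matched failure, "[jail] Ban <ip>" is one ban.
# "Unban" lines and the "[pid]:" field do not match this pattern.
EVENT = re.compile(r"\[(?P<jail>[^\]]+)\]\s+(?P<event>Found|Ban)\s+(?P<ip>\S+)")


def summarize(lines, jail="asterisk"):
    """Return {ip: {"found": n, "bans": m}} for one jail."""
    stats = defaultdict(lambda: {"found": 0, "bans": 0})
    for line in lines:
        m = EVENT.search(line)
        if m and m.group("jail") == jail:
            key = "found" if m.group("event") == "Found" else "bans"
            stats[m.group("ip")][key] += 1
    return dict(stats)


def repeat_offenders(stats, min_bans=2):
    """Addresses that came back after a ban expired; these are the only
    ones a longer or permanent ban would have stopped."""
    return sorted(ip for ip, s in stats.items() if s["bans"] >= min_bans)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for ip, s in sorted(stats.items()):
        print(f"{ip:15} failures={s['found']:3} bans={s['bans']}")
    print("banned more than once:", repeat_offenders(stats))
```
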