Fail2Ban banning wrong IP address

Hi, this morning the office was unable to make or receive calls. sip show peers shows all extensions unreachable. iptables showed the office IP address was banned in the fail2ban-SIP chain.

The /var/log/asterisk/full log showed the ban, but instead of banning the IP trying to auth, it banned the IP of the office where the extension is.

full-20161004:[2016-10-03 21:04:35] NOTICE[1649] chan_sip.c: Registration from '101 sip:[email protected]' failed for '23.239.65.66:58281' - Wrong password

To be clear here, the IP address 23.239.65.66 SHOULD have been banned. For some reason fail2ban banned xxx.xx.49.45 instead.

I'm wondering whether fail2ban does something similar to sip show peers to get the IP address of the extension it thinks is sending the (wrong) password.

PBX VERSION: 10.13.66-15

Thanks.

fail2ban only reads logs. That is it. Go look in the fail2ban logs and see what IP it banned and why.
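
As an added example (not from this thread and not fail2ban's own code) of what "only reads logs" means in practice: fail2ban applies the jail's failregex to each log line and bans whatever ends up in the <HOST> capture group, so the banned address is decided entirely by where the filter author put <HOST>. The Python below runs a strict filter modeled on the Asterisk "Registration from ... failed for '<HOST>:port'" rule beside a deliberately loose one that takes the first IPv4 address in the line, over constructed log lines using RFC 5737 documentation addresses (198.51.100.45 standing in for the address inside the SIP URI, 203.0.113.66 for the source of the attempts), then applies a maxretry/findtime count the way fail2ban does. The regexes, the maxretry=5 and findtime=600 values and the log lines are assumptions for this example, not the thread's actual filter or jail configuration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban replaces the <HOST> token in a failregex with a named capture group;
# this is a simplified, IPv4-only stand-in for that substitution (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Strict filter: <HOST> is pinned to the "failed for '<ip>:<port>'" part of the
# line, in the spirit of fail2ban's filter.d/asterisk.conf (paraphrased, not copied).
STRICT = re.compile(
    r"NOTICE\S* chan_sip\.c: Registration from '[^']*' failed for '"
    + HOST + r"(?::\d+)?' - Wrong password$"
)

# Loose filter: a hypothetical badly written rule that takes the first IPv4
# address anywhere in the line, so it picks the address inside the SIP URI.
LOOSE = re.compile(HOST)

TIMESTAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] ")


def attempt(ts, port):
    """Build one constructed 'Wrong password' line in Asterisk chan_sip format."""
    return (f"[{ts}] NOTICE[1649] chan_sip.c: Registration from "
            f"'\"101\" <sip:101@198.51.100.45>' failed for '203.0.113.66:{port}' - Wrong password")


# Constructed sample log: 203.0.113.66 sends five bad passwords for extension 101;
# the last line is unrelated traffic that happens to contain an address.
SAMPLE_LOG = [
    attempt("2016-10-03 21:04:31", 38861),
    attempt("2016-10-03 21:04:31", 38861),
    attempt("2016-10-03 21:04:35", 58281),
    attempt("2016-10-03 21:04:35", 58281),
    attempt("2016-10-03 21:04:42", 60112),
    "[2016-10-03 21:04:50] VERBOSE[1649] chan_sip.c: Registered SIP '201' at 192.0.2.10:5060",
]


def parse_line(line):
    """Split an Asterisk log line into (timestamp, remainder)."""
    m = TIMESTAMP.match(line)
    if not m:
        return None, line
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), line[m.end():]


def matched_hosts(lines, failregex):
    """Return [(timestamp, host)] for each line the failregex matches; the host is
    whatever the <HOST> group captured, which is exactly what fail2ban would ban."""
    hits = []
    for line in lines:
        ts, rest = parse_line(line)
        m = failregex.search(rest)
        if ts is not None and m:
            hits.append((ts, m.group("host")))
    return hits


def decide_bans(hits, maxretry=5, findtime=timedelta(seconds=600)):
    """Emulate fail2ban's counting: a host is banned once it has maxretry matches
    inside a sliding findtime window (default values are assumptions)."""
    recent = defaultdict(deque)
    banned = []
    for ts, host in sorted(hits):
        q = recent[host]
        q.append(ts)
        while ts - q[0] > findtime:      # drop matches older than findtime
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned


def compare_filters(lines=SAMPLE_LOG):
    """Run both filters over the same log and return {filter_name: banned_hosts}."""
    return {
        "strict": decide_bans(matched_hosts(lines, STRICT)),
        "loose": decide_bans(matched_hosts(lines, LOOSE)),
    }


if __name__ == "__main__":
    for name, hosts in compare_filters().items():
        print(f"{name:6s} filter bans: {hosts}")
```

The strict filter bans 203.0.113.66, the source of the attempts; the loose one bans 198.51.100.45, the address in the From header, while never touching the real source. On a live box the equivalent check is fail2ban-regex against the jail's log file and filter, which prints which lines matched and what each <HOST> captured.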

Tony, the ONLY entries with 'Wrong' in /var/log/asterisk/fail2ban* are:

grep -i wrong fail2ban*

fail2ban-20161004:[2016-10-03 21:04:31] NOTICE[1649] chan_sip.c: Registration from '101 sip:[email protected]' failed for '23.239.65.66:38861' - Wrong password
fail2ban-20161004:[2016-10-03 21:04:31] NOTICE[1649] chan_sip.c: Registration from '101 sip:[email protected]' failed for '23.239.65.66:38861' - Wrong password
fail2ban-20161004:[2016-10-03 21:04:35] NOTICE[1649] chan_sip.c: Registration from '101 sip:[email protected]' failed for '23.239.65.66:58281' - Wrong password
fail2ban-20161004:[2016-10-03 21:04:35] NOTICE[1649] chan_sip.c: Registration from '101 sip:[email protected]' failed for '23.239.65.66:58281' - Wrong password

xxx.xx.49.45 is the remote FreePBX server.

The office IP address contains 12.39.58

grep '12.39.58' fail2ban.log

2016-10-05 10:36:01,086 fail2ban.actions[2789]: WARNING [asterisk-iptables] Ban xxx.12.39.58
2016-10-05 10:41:08,439 fail2ban.actions[2789]: WARNING [asterisk-iptables] Unban xxx.12.39.58
2016-10-05 10:41:08,446 fail2ban.actions.action[2789]: ERROR iptables -D fail2ban-SIP -s xxx.12.39.58 -j REJECT --reject-with icmp-port-unreachable returned 100
2016-10-05 12:35:32,473 fail2ban.actions[1577]: WARNING [asterisk-iptables] Ban xxx.12.39.58
2016-10-05 12:42:58,939 fail2ban.actions[1577]: WARNING [asterisk-iptables] Unban xxx.12.39.58
2016-10-05 12:42:58,963 fail2ban.actions.action[1577]: ERROR iptables -D fail2ban-SIP -s xxx.12.39.58 -j REJECT --reject-with icmp-port-unreachable returned 100

I looked in both /var/log/fail2ban.log and /var/log/asterisk/fail2ban* and don't see any reference to the office IP address containing 12.39.58 other than the above.

Those timestamps from the fails and the bans don't exactly match up.

Though I have seen this recently: a script is spoofing your IP address.

Not sure how to address this.