Fail2Ban is not blocking

Fail2Ban is not blocking.

FreePBX 13.0.190.7
Asterisk 13.13.1
Fail2Ban v0.8.14

The full log shows:

[2017-02-08 08:41:03] WARNING[7204] chan_sip.c: Timeout on 008cb5e01383efde4e92ab9803f3cc0f on non-critical invite transaction.
[2017-02-08 08:41:16] WARNING[7204] chan_sip.c: Timeout on eaf846251b77037e78d0ae5d93dabacf on non-critical invite transaction.
[2017-02-08 08:45:27] WARNING[7204] chan_sip.c: Timeout on 8af01a7ccc185dbfafa8d839c7c91b49 on non-critical invite transaction.
[2017-02-08 08:49:38] WARNING[7204] chan_sip.c: Timeout on 29e5e69cc5535dc6625fb74ce4c9ec95 on non-critical invite transaction.
[2017-02-08 08:50:30] WARNING[7204] chan_sip.c: Timeout on 6633a54085b7a87613c3c021c835faec on non-critical invite transaction.
[2017-02-08 08:53:32] WARNING[7204] chan_sip.c: Timeout on 5ca8aeb1a05d2682c09cb41bee0921ee on non-critical invite transaction.
[2017-02-08 08:53:46] WARNING[7204] chan_sip.c: Timeout on 5d1d71ea466f3c180a66c1bdba9cd212 on non-critical invite transaction.
[2017-02-08 08:57:19] WARNING[7204] chan_sip.c: Timeout on d786d589bee69f293b321d1f568fd2e4 on non-critical invite transaction.
[2017-02-08 08:57:30] WARNING[7204] chan_sip.c: Timeout on c99af1a50c268b0312f9220bd32de0c1 on non-critical invite transaction.
[2017-02-08 08:58:00] WARNING[7204] chan_sip.c: Timeout on 8a61578698827f68c3c0d279606e2b71 on non-critical invite transaction.
[2017-02-08 09:05:47] WARNING[7204] chan_sip.c: Timeout on 0458b801505320c1cae998b7bc10bc12 on non-critical invite transaction.
[2017-02-08 09:06:31] WARNING[7204] chan_sip.c: Timeout on 04fabb502db9432fe140b9f64ce89e57 on non-critical invite transaction.
[2017-02-08 09:12:29] WARNING[7204] chan_sip.c: Timeout on b57cf59c2b44c26f75b6a0c927ac69fd on non-critical invite transaction.
[2017-02-08 09:18:43] WARNING[7204] chan_sip.c: Timeout on 482a266581150b9daa6c6a9a7422a3d5 on non-critical invite transaction.
[2017-02-08 09:19:10] WARNING[7204] chan_sip.c: Timeout on d08c8cd22d1e458463392f1075db4e69 on non-critical invite transaction.

The fail2ban log

 [2017-02-08 09:18:38] SECURITY[7210] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2017-02-08T09:18:38.968-0600",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:[email protected]",SessionID="0x7fc800046b00",LocalAddress="IPV4/UDP/123.456.789.123/5060",RemoteAddress="IPV4/UDP/213.202.253.44/5074",Challenge="55797fb0"
 [2017-02-08 09:18:36] SECURITY[7210] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2017-02-08T09:18:36.866-0600",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:[email protected]",SessionID="0x7fc8001246f0",LocalAddress="IPV4/UDP/123.456.789.123/5060",RemoteAddress="IPV4/UDP/195.154.182.223/5074",Challenge="3864c2fe"

After I added those 2 IPs (213.202.253.44, 195.154.182.223) manually to the recidive jail, it stops. But during a night I can see 20-30 attempts. And those 2 are from today. Yesterday I had 2-3 different IPs.

Configuration:
fail2ban.conf

# Fail2Ban main configuration file
#
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
#
# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in fail2ban.local file, e.g.:
#
# [Definition]
# loglevel = 4
#

[Definition]

# Option: loglevel
# Notes.: Set the log level output.
#         1 = ERROR
#         2 = WARN
#         3 = INFO
#         4 = DEBUG
# Values: [ NUM ]  Default: 1
#
loglevel = 3

# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#         Only one log target can be specified.
#         If you change logtarget from the default value and you are
#         using logrotate -- also adjust or disable rotation in the
#         corresponding configuration file
#         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: [ STDOUT | STDERR | SYSLOG | FILE ]  Default: STDERR
#
logtarget = /var/log/fail2ban.log

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock

# Option: pidfile
# Notes.: Set the PID file. This is used to store the process ID of the
#         fail2ban server.
# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid
#
pidfile = /var/run/fail2ban/fail2ban.pid

fail2ban.local

# Fail2Ban configuration file
#
# This file is Generated from your sysadmin module on your PBX
# DO NOT HAND EDIT THIS FILE

[Definition]
logtarget = /var/log/fail2ban.log

jail.conf

# Fail2Ban jail specifications file
#
# Comments: use '#' for comment lines and ';' for inline comments
#
# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in jail.local file, e.g.:
#
# [DEFAULT]
# bantime = 3600
#
# [ssh-iptables]
# enabled = true
#

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when reverse DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a reverse DNS lookup will be performed.
# warn:  if a hostname is encountered, a reverse DNS lookup will be performed, 
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = warn


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

jail.local

# Configuration automatically generated via the Sysadmin Module
# This file will be overwritten by Sysadmin on startup. If you modify
# this file, your changes will be lost. DO NOT MODIFY THIS FILE!
# generated: Tue, 17 Jan 2017 19:45:38 +0000

[DEFAULT]
ignoreip = 127.0.0.1 192.168.1.0/24 123.456.789.123/24 192.168.1.3
bantime = 3600
findtime = 172800
maxretry = 3
backend = auto

[asterisk-iptables]
enabled = true
filter = asterisk-security
action = iptables-allports[name=SIP, protocol=all]
     sendmail[name=SIP, dest=, [email protected]]
logpath = /var/log/asterisk/fail2ban

[pbx-gui]
enabled = true
filter = freepbx
action = iptables-allports[name=SIP, protocol=all]
     sendmail[name=SIP, dest=, [email protected]]
logpath = /var/log/asterisk/freepbx_security.log

[ssh-iptables]
enabled = true
filter = sshd
action = iptables-multiport[name=SSH, protocol=tcp, port=ssh]
     sendmail[name=SSH, dest=, [email protected]]
logpath = /var/log/secure

[apache-tcpwrapper]
enabled = true
filter = apache-auth
action = iptables-multiport[name=apache-auth, protocol=tcp, port=http]
     sendmail[name=apache-auth, dest=, [email protected]]
logpath = /var/log/httpd/error_log

[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables-multiport[name=FTP, protocol=tcp, port=ftp]
     sendmail[name=FTP, dest=, [email protected]]
logpath = /var/log/vsftpd.log

[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, protocol=tcp, port="http,https"]
     sendmail[name=BadBots, dest=, [email protected]]
logpath = /var/log/httpd/*access_log

[recidive]
# recidivist.
#
#  Noun: A convicted criminal who reoffends, especially repeatedly.
#
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
     sendmail[name=recidive, dest=, [email protected]]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 20

asterisk.conf

# Fail2Ban filter for asterisk authentication failures
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

__pid_re = (?:\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected '<HOST>'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s <HOST> tried to authenticate with nonexistent user.+$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s <HOST> failed to authenticate as.+$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Request from '[^']*' failed for '<HOST>:\d+' .+ No matching endpoint found$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS|WSS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS|WSS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
# These WARNINGS do not have a file attribute, as they're generated dynamicly
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$

ignoreregex =


# Author: Xavier Devlamynck / Daniel Black
#
# Update: 2016-05-10 by [email protected]
# - Detect PJSIP Scans
# - Detect AMI events that may be missed by having SecuritEvents disabled
# - Support WSS 
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog

Iptables
[[email protected] ~]# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-FTP  tcp  --  anywhere             anywhere            multiport dports ftp
fail2ban-apache-auth  tcp  --  anywhere             anywhere            multiport dports http
fail2ban-SIP  all  --  anywhere             anywhere
fail2ban-SIP  all  --  anywhere             anywhere
fail2ban-BadBots  tcp  --  anywhere             anywhere            multiport dports http,https
fail2ban-SSH  tcp  --  anywhere             anywhere            multiport dports ssh
fail2ban-recidive  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-BadBots (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-FTP (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-SIP (2 references)
target     prot opt source               destination
REJECT     all  --  vmi102110.contabo.host  anywhere            reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
REJECT     all  --  streaming-cdn.positivonet.it  anywhere            reject-with icmp-port-unreachable
REJECT     all  --  140.250.65.57        anywhere            reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-auth (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-recidive (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Any ideas? Fail2Ban was reinstalled, but still nothing.
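
An added example, not part of the original post: a Python check of the SecurityEvent failregex from the asterisk.conf shown above against lines shaped like the ones in the post, reporting which field keeps a line from matching. The sample lines are constructed (documentation addresses, made-up AccountID), the <HOST> tag is simplified to an IPv4 capture, the timestamp/prefix part of the expression is left out, and the name explain is hypothetical.

```python
import re

# SecurityEvent failregex from the posted asterisk.conf, minus its timestamp/prefix
# part. Assumption: fail2ban's <HOST> tag is reduced here to a plain IPv4 capture.
ISO8601 = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
BANNABLE = "FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword"
ACCOUNT_ID = r"\d*|<unknown>"
SECURITY_EVENT_RE = re.compile(
    r'SecurityEvent="(' + BANNABLE + r')",EventTV="([\d-]+|' + ISO8601 + r')",'
    r'Severity="[\w]+",Service="[\w]+",EventVersion="\d+",'
    r'AccountID="(' + ACCOUNT_ID + r')",SessionID=".+",'
    r'LocalAddress="IPV[46]/(UDP|TCP|WS|WSS)/[\da-fA-F:.]+/\d+",'
    r'RemoteAddress="IPV[46]/(UDP|TCP|WS|WSS)/' + HOST + r'/\d+"'
    r'(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?'
    r'(,Response="\w+",ExpectedResponse="\w*")?'
    r'(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$'
)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines modelled on the logs in the post (not real traffic).
PREFIX = "[2017-02-08 09:18:38] SECURITY[7210] res_security_log.c: "
TAIL = (',SessionID="0x7fc800046b00",LocalAddress="IPV4/UDP/198.51.100.10/5060",'
        'RemoteAddress="IPV4/UDP/203.0.113.44/5074",Challenge="55797fb0"')
CHALLENGE_SENT = (
    PREFIX + 'SecurityEvent="ChallengeSent",'
    'EventTV="2017-02-08T09:18:38.968-0600",Severity="Informational",Service="SIP",'
    'EventVersion="1",AccountID="sip:1000@198.51.100.10"' + TAIL)
INVALID_PASSWORD = (
    PREFIX + 'SecurityEvent="InvalidPassword",'
    'EventTV="2017-02-08T09:18:39.100-0600",Severity="Error",Service="SIP",'
    'EventVersion="2",AccountID="1000"' + TAIL +
    ',ReceivedChallenge="55797fb0",ReceivedHash="0f1e2d3c4b5a69788796a5b4c3d2e1f0"')
TIMEOUT_WARNING = (
    "[2017-02-08 08:41:03] WARNING[7204] chan_sip.c: Timeout on "
    "0123456789abcdef on non-critical invite transaction.")


def explain(line):
    """Return (host that would be counted or None, reasons the line is skipped)."""
    start = line.find('SecurityEvent="')
    if start < 0:
        return None, ["not a SecurityEvent line"]
    body = line[start:]
    fields = dict(FIELD_RE.findall(body))
    reasons = []
    event = fields.get("SecurityEvent", "")
    if not re.fullmatch(BANNABLE, event):
        reasons.append("event %r is not in the failregex alternation" % event)
    account = fields.get("AccountID", "")
    if not re.fullmatch(ACCOUNT_ID, account):
        reasons.append("AccountID %r is neither digits nor <unknown>" % account)
    match = SECURITY_EVENT_RE.match(body)
    if match is None and not reasons:
        reasons.append("another field does not fit the pattern")
    return (match.group("host") if match else None), reasons


if __name__ == "__main__":
    for sample in (CHALLENGE_SENT, INVALID_PASSWORD, TIMEOUT_WARNING):
        host, reasons = explain(sample)
        print(host, reasons)
```

On the server itself, fail2ban-regex run with the jail's logpath and the filter file that jail.local names (asterisk-security) performs the same test with fail2ban's own <HOST> and timestamp handling.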