Fail2Ban is not blocking.
FreePBX 13.0.190.7
Asterisk 13.13.1
Fail2Ban v0.8.14
The full log shows:
[2017-02-08 08:41:03] WARNING[7204] chan_sip.c: Timeout on 008cb5e01383efde4e92ab9803f3cc0f on non-critical invite transaction.
[2017-02-08 08:41:16] WARNING[7204] chan_sip.c: Timeout on eaf846251b77037e78d0ae5d93dabacf on non-critical invite transaction.
[2017-02-08 08:45:27] WARNING[7204] chan_sip.c: Timeout on 8af01a7ccc185dbfafa8d839c7c91b49 on non-critical invite transaction.
[2017-02-08 08:49:38] WARNING[7204] chan_sip.c: Timeout on 29e5e69cc5535dc6625fb74ce4c9ec95 on non-critical invite transaction.
[2017-02-08 08:50:30] WARNING[7204] chan_sip.c: Timeout on 6633a54085b7a87613c3c021c835faec on non-critical invite transaction.
[2017-02-08 08:53:32] WARNING[7204] chan_sip.c: Timeout on 5ca8aeb1a05d2682c09cb41bee0921ee on non-critical invite transaction.
[2017-02-08 08:53:46] WARNING[7204] chan_sip.c: Timeout on 5d1d71ea466f3c180a66c1bdba9cd212 on non-critical invite transaction.
[2017-02-08 08:57:19] WARNING[7204] chan_sip.c: Timeout on d786d589bee69f293b321d1f568fd2e4 on non-critical invite transaction.
[2017-02-08 08:57:30] WARNING[7204] chan_sip.c: Timeout on c99af1a50c268b0312f9220bd32de0c1 on non-critical invite transaction.
[2017-02-08 08:58:00] WARNING[7204] chan_sip.c: Timeout on 8a61578698827f68c3c0d279606e2b71 on non-critical invite transaction.
[2017-02-08 09:05:47] WARNING[7204] chan_sip.c: Timeout on 0458b801505320c1cae998b7bc10bc12 on non-critical invite transaction.
[2017-02-08 09:06:31] WARNING[7204] chan_sip.c: Timeout on 04fabb502db9432fe140b9f64ce89e57 on non-critical invite transaction.
[2017-02-08 09:12:29] WARNING[7204] chan_sip.c: Timeout on b57cf59c2b44c26f75b6a0c927ac69fd on non-critical invite transaction.
[2017-02-08 09:18:43] WARNING[7204] chan_sip.c: Timeout on 482a266581150b9daa6c6a9a7422a3d5 on non-critical invite transaction.
[2017-02-08 09:19:10] WARNING[7204] chan_sip.c: Timeout on d08c8cd22d1e458463392f1075db4e69 on non-critical invite transaction.
The fail2ban log
[2017-02-08 09:18:38] SECURITY[7210] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2017-02-08T09:18:38.968-0600",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:[email protected]",SessionID="0x7fc800046b00",LocalAddress="IPV4/UDP/123.456.789.123/5060",RemoteAddress="IPV4/UDP/213.202.253.44/5074",Challenge="55797fb0"
[2017-02-08 09:18:36] SECURITY[7210] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2017-02-08T09:18:36.866-0600",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:[email protected]",SessionID="0x7fc8001246f0",LocalAddress="IPV4/UDP/123.456.789.123/5060",RemoteAddress="IPV4/UDP/195.154.182.223/5074",Challenge="3864c2fe"
After I added those 2 IPs (213.202.253.44, 195.154.182.223) manually to the recidive jail, it stops. But during the night I can see 20-30 attempts, and those 2 are from today. Yesterday I had 2-3 different IPs.
Configuration:
fail2ban.conf
# Fail2Ban main configuration file
#
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in fail2ban.local file, e.g.:
#
# [Definition]
# loglevel = 4
#
[Definition]
# Option: loglevel
# Notes.: Set the log level output.
# 1 = ERROR
# 2 = WARN
# 3 = INFO
# 4 = DEBUG
# Values: [ NUM ] Default: 1
#
loglevel = 3
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# If you change logtarget from the default value and you are
# using logrotate -- also adjust or disable rotation in the
# corresponding configuration file
# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: [ STDOUT | STDERR | SYSLOG | FILE ] Default: STDERR
#
logtarget = /var/log/fail2ban.log
# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
# not remove this file when Fail2ban runs. It will not be possible to
# communicate with the server afterwards.
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock
# Option: pidfile
# Notes.: Set the PID file. This is used to store the process ID of the
# fail2ban server.
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid
#
pidfile = /var/run/fail2ban/fail2ban.pid
fail2ban.local
# Fail2Ban configuration file
#
# This file is Generated from your sysadmin module on your PBX
# DO NOT HAND EDIT THIS FILE
[Definition]
logtarget = /var/log/fail2ban.log
jail.conf
# Fail2Ban jail specifications file
#
# Comments: use '#' for comment lines and ';' for inline comments
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file, e.g.:
#
# [DEFAULT]
# bantime = 3600
#
# [ssh-iptables]
# enabled = true
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
backend = auto
# "usedns" specifies if jails should trust hostnames in logs,
# warn when reverse DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a reverse DNS lookup will be performed.
# warn: if a hostname is encountered, a reverse DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = warn
# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
jail.local
# Configuration automatically generated via the Sysadmin Module
# This file will be overwritten by Sysadmin on startup. If you modify
# this file, your changes will be lost. DO NOT MODIFY THIS FILE!
# generated: Tue, 17 Jan 2017 19:45:38 +0000
[DEFAULT]
ignoreip = 127.0.0.1 192.168.1.0/24 123.456.789.123/24 192.168.1.3
bantime = 3600
findtime = 172800
maxretry = 3
backend = auto
[asterisk-iptables]
enabled = true
filter = asterisk-security
action = iptables-allports[name=SIP, protocol=all]
         sendmail[name=SIP, dest=, [email protected]]
logpath = /var/log/asterisk/fail2ban
[pbx-gui]
enabled = true
filter = freepbx
action = iptables-allports[name=SIP, protocol=all]
         sendmail[name=SIP, dest=, [email protected]]
logpath = /var/log/asterisk/freepbx_security.log
[ssh-iptables]
enabled = true
filter = sshd
action = iptables-multiport[name=SSH, protocol=tcp, port=ssh]
         sendmail[name=SSH, dest=, [email protected]]
logpath = /var/log/secure
[apache-tcpwrapper]
enabled = true
filter = apache-auth
action = iptables-multiport[name=apache-auth, protocol=tcp, port=http]
         sendmail[name=apache-auth, dest=, [email protected]]
logpath = /var/log/httpd/error_log
[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables-multiport[name=FTP, protocol=tcp, port=ftp]
         sendmail[name=FTP, dest=, [email protected]]
logpath = /var/log/vsftpd.log
[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, protocol=tcp, port="http,https"]
         sendmail[name=BadBots, dest=, [email protected]]
logpath = /var/log/httpd/*access_log
[recidive]
# recidivist.
#
# Noun: A convicted criminal who reoffends, especially repeatedly.
#
enabled = true
filter = recidive
logpath = /var/log/fail2ban.log*
action = iptables-allports[name=recidive, protocol=all]
         sendmail[name=recidive, dest=, [email protected]]
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 20
asterisk.conf
# Fail2Ban filter for asterisk authentication failures
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = asterisk
__pid_re = (?:\[\d+\])
iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?
failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected '<HOST>'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s <HOST> tried to authenticate with nonexistent user.+$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s <HOST> failed to authenticate as.+$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Request from '[^']*' failed for '<HOST>:\d+' .+ No matching endpoint found$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS|WSS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS|WSS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
# These WARNINGS do not have a file attribute, as they're generated dynamically
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
ignoreregex =
# Author: Xavier Devlamynck / Daniel Black
#
# Update: 2016-05-10 by [email protected]
# - Detect PJSIP Scans
# - Detect AMI events that may be missed by having SecurityEvents disabled
# - Support WSS
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog
Iptables
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-FTP tcp -- anywhere anywhere multiport dports ftp
fail2ban-apache-auth tcp -- anywhere anywhere multiport dports http
fail2ban-SIP all -- anywhere anywhere
fail2ban-SIP all -- anywhere anywhere
fail2ban-BadBots tcp -- anywhere anywhere multiport dports http,https
fail2ban-SSH tcp -- anywhere anywhere multiport dports ssh
fail2ban-recidive all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-BadBots (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-FTP (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-SIP (2 references)
target prot opt source destination
REJECT all -- vmi102110.contabo.host anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain fail2ban-SSH (1 references)
target prot opt source destination
REJECT all -- streaming-cdn.positivonet.it anywhere reject-with icmp-port-unreachable
REJECT all -- 140.250.65.57 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
Chain fail2ban-apache-auth (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-recidive (1 references)
target prot opt source destination
REJECT all -- xen2.akamai-hd.com anywhere reject-with icmp-port-unreachable
REJECT all -- 188.161.2.118 anywhere reject-with icmp-port-unreachable
REJECT all -- vmi102110.contabo.host anywhere reject-with icmp-port-unreachable
REJECT all -- 188.161.14.162 anywhere reject-with icmp-port-unreachable
REJECT all -- 195-154-43-208.rev.poneytelecom.eu anywhere reject-with icmp-port-unreachable
REJECT all -- 188.161.184.159 anywhere reject-with icmp-port-unreachable
REJECT all -- 212-83-154-218.rev.poneytelecom.eu anywhere reject-with icmp-port-unreachable
REJECT all -- 163-172-195-232.rev.poneytelecom.eu anywhere reject-with icmp-port-unreachable
REJECT all -- 66.85.239.23.static.reverse.as19531.net anywhere reject-with icmp-port-unreachable
REJECT all -- m3145.contabo.host anywhere reject-with icmp-port-unreachable
REJECT all -- v246.violet.servdiscount-customer.com anywhere reject-with icmp-port-unreachable
REJECT all -- v-6806.rapidgameservers.net anywhere reject-with icmp-port-unreachable
REJECT all -- 195-154-177-170.rev.poneytelecom.eu anywhere reject-with icmp-port-unreachable
REJECT all -- v133.violet.servdiscount-customer.com anywhere reject-with icmp-port-unreachable
REJECT all -- 199.168.141.168 anywhere reject-with icmp-port-unreachable
REJECT all -- 195-154-214-162.rev.poneytelecom.eu anywhere reject-with icmp-port-unreachable
REJECT all -- 188.161.108.118 anywhere reject-with icmp-port-unreachable
REJECT all -- s83-50-81.sfi.paltel.net anywhere reject-with icmp-port-unreachable
REJECT all -- dsl-197-245-6-114.voxdsl.co.za anywhere reject-with icmp-port-unreachable
REJECT all -- takii.rentelync.com anywhere reject-with icmp-port-unreachable
REJECT all -- 134.119.219.42 anywhere reject-with icmp-port-unreachable
REJECT all -- h145.helix.servdiscount-customer.com anywhere reject-with icmp-port-unreachable
REJECT all -- r022.red.servdiscount-customer.com anywhere reject-with icmp-port-unreachable
REJECT all -- ns3064424.ip-94-23-202.eu anywhere reject-with icmp-port-unreachable
REJECT all -- 62-210-167-32.rev.poneytelecom.eu anywhere reject-with icmp-port-unreachable
REJECT all -- 195-154-185-202.rev.poneytelecom.eu anywhere reject-with icmp-port-unreachable
REJECT all -- hst-93-115-28-89.balticservers.eu anywhere reject-with icmp-port-unreachable
REJECT all -- usloft4522.dedicatedpanel.com anywhere reject-with icmp-port-unreachable
REJECT all -- 146.0.234.38 anywhere reject-with icmp-port-unreachable
REJECT all -- 188.161.108.142 anywhere reject-with icmp-port-unreachable
REJECT all -- 212-129-61-254.rev.poneytelecom.eu anywhere reject-with icmp-port-unreachable
REJECT all -- 188.161.187.8 anywhere reject-with icmp-port-unreachable
REJECT all -- 108.170.59.62 anywhere reject-with icmp-port-unreachable
REJECT all -- 46.30.65.218.broad.xy.jx.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
REJECT all -- 26-16-23-177.netcabo.com.br anywhere reject-with icmp-port-unreachable
REJECT all -- 116.31.116.25 anywhere reject-with icmp-port-unreachable
REJECT all -- hosted-by.hostgrad.ru anywhere reject-with icmp-port-unreachable
REJECT all -- 162.254.205.238 anywhere reject-with icmp-port-unreachable
REJECT all -- vps4701.ua-hosting.company anywhere reject-with icmp-port-unreachable
REJECT all -- ADSL-176.67.124.63.mada.ps anywhere reject-with icmp-port-unreachable
REJECT all -- 195-154-58-8.rev.poneytelecom.eu anywhere reject-with icmp-port-unreachable
REJECT all -- 5.39.220.3 anywhere reject-with icmp-port-unreachable
REJECT all -- 134.119.213.31 anywhere reject-with icmp-port-unreachable
REJECT all -- 134.119.218.133 anywhere reject-with icmp-port-unreachable
REJECT all -- 134.119.216.237 anywhere reject-with icmp-port-unreachable
REJECT all -- 212-83-148-64.rev.poneytelecom.eu anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
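The quickest way to see why the jail stays quiet is to replay the posted log lines through the filter's own SecurityEvent rule. The script below is an added example, not part of the original post and not code from FreePBX or fail2ban: it copies the SecurityEvent failregex from the asterisk.conf shown above, expands `<HOST>` the way fail2ban does, strips the timestamp the way fail2ban 0.8 does before matching (which is what leaves the empty `[]` the filter's `\[\]\s*` branch expects; only that branch of the prefix alternative is kept, since `common.conf` is not on the page), and then applies the `maxretry`/`findtime` window per host. The two `ChallengeSent` lines and the `chan_sip.c` timeout warning from the post are included verbatim; the `InvalidPassword` lines, the 192.0.2.x/198.51.100.x addresses and the session/challenge values in them are constructed, as is the `AccountID="sip:100@..."` variant that shows the rule's `AccountID="(\d*|<unknown>)"` requirement.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban's expansion of the <HOST> tag (assumption: copied from fail2ban's filter engine)
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
PID_RE = r"(?:\[\d+\])"
ISO8601 = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}"
LOG_PREFIX = r"(?:NOTICE|SECURITY)" + PID_RE + r":?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?"

# The SecurityEvent rule from the posted asterisk filter. Simplification: only the
# "\[\]\s*" branch of the prefix alternative is kept, because after fail2ban 0.8 cuts
# the date out of "[2017-02-08 09:18:38]" the line starts with the empty brackets.
SECURITY_EVENT_RE = re.compile(
    r"^\[\]\s*" + LOG_PREFIX
    + r' SecurityEvent="(?P<event>FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"'
    + r',EventTV="([\d-]+|' + ISO8601 + r')"'
    + r',Severity="[\w]+",Service="[\w]+",EventVersion="\d+"'
    + r',AccountID="(\d*|<unknown>)",SessionID=".+"'
    + r',LocalAddress="IPV[46]/(UDP|TCP|WS|WSS)/[\da-fA-F:.]+/\d+"'
    + r',RemoteAddress="IPV[46]/(UDP|TCP|WS|WSS)/' + HOST + r'/\d+"'
    + r'(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?'
    + r'(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$'
)

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def split_timestamp(line):
    """Cut the date out of the line the way fail2ban 0.8 does before regex matching."""
    m = DATE_RE.search(line)
    if not m:
        return None, line
    when = datetime.strptime(m.group(), "%Y-%m-%d %H:%M:%S")
    return when, line[:m.start()] + line[m.end():]


def match_failure(line):
    """Return {"time", "event", "host"} if the rule counts this line as a failure, else None."""
    when, rest = split_timestamp(line)
    m = SECURITY_EVENT_RE.match(rest)
    if when is None or m is None:
        return None
    return {"time": when, "event": m.group("event"), "host": m.group("host")}


def banned_hosts(lines, maxretry, findtime):
    """Hosts that reach maxretry matched failures inside a sliding findtime window (seconds)."""
    hits = defaultdict(list)
    for line in lines:
        hit = match_failure(line)
        if hit:
            hits[hit["host"]].append(hit["time"])
    banned = set()
    for host, times in hits.items():
        times.sort()
        for i, latest in enumerate(times):
            in_window = [t for t in times[: i + 1] if (latest - t).total_seconds() <= findtime]
            if len(in_window) >= maxretry:
                banned.add(host)
                break
    return banned


SAMPLE_LINES = [
    # [0], [1]: the two SecurityEvent lines from the post, verbatim
    '[2017-02-08 09:18:38] SECURITY[7210] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2017-02-08T09:18:38.968-0600",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:[email protected]",SessionID="0x7fc800046b00",LocalAddress="IPV4/UDP/123.456.789.123/5060",RemoteAddress="IPV4/UDP/213.202.253.44/5074",Challenge="55797fb0"',
    '[2017-02-08 09:18:36] SECURITY[7210] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2017-02-08T09:18:36.866-0600",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:[email protected]",SessionID="0x7fc8001246f0",LocalAddress="IPV4/UDP/123.456.789.123/5060",RemoteAddress="IPV4/UDP/195.154.182.223/5074",Challenge="3864c2fe"',
    # [2]: one of the chan_sip.c timeout warnings from the post, verbatim (no host in it at all)
    "[2017-02-08 08:41:03] WARNING[7204] chan_sip.c: Timeout on 008cb5e01383efde4e92ab9803f3cc0f on non-critical invite transaction.",
    # [3]-[5]: constructed events of the kind the rule does match, numeric AccountID, same source host
    '[2017-02-08 09:18:40] SECURITY[7210] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2017-02-08T09:18:40.100-0600",Severity="Error",Service="SIP",EventVersion="2",AccountID="100",SessionID="0x7fc800046b00",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.44/5074",Challenge="55797fb0",ReceivedChallenge="55797fb0",ReceivedHash="abcdef0123456789"',
    '[2017-02-08 09:18:45] SECURITY[7210] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2017-02-08T09:18:45.100-0600",Severity="Error",Service="SIP",EventVersion="2",AccountID="100",SessionID="0x7fc800046b01",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.44/5074",Challenge="55797fb1",ReceivedChallenge="55797fb1",ReceivedHash="abcdef0123456789"',
    '[2017-02-08 09:18:50] SECURITY[7210] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2017-02-08T09:18:50.100-0600",Severity="Error",Service="SIP",EventVersion="2",AccountID="100",SessionID="0x7fc800046b02",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.44/5074",Challenge="55797fb2",ReceivedChallenge="55797fb2",ReceivedHash="abcdef0123456789"',
    # [6]: constructed InvalidPassword with a "sip:user@host" AccountID like the posted lines carry;
    # the rule only accepts AccountID="<digits>" or "<unknown>", so this one is skipped too
    '[2017-02-08 09:19:00] SECURITY[7210] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2017-02-08T09:19:00.100-0600",Severity="Error",Service="SIP",EventVersion="2",AccountID="sip:100@192.0.2.10",SessionID="0x7fc800046b03",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.77/5074",Challenge="55797fb3",ReceivedChallenge="55797fb3",ReceivedHash="abcdef0123456789"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        hit = match_failure(line)
        print("MATCH  %s %s" % (hit["event"], hit["host"]) if hit else "ignore %s..." % line[:60])
    print("banned with maxretry=3 findtime=600:", banned_hosts(SAMPLE_LINES, maxretry=3, findtime=600))
```

Run it and the posted lines all come back as `ignore`: `ChallengeSent` is an informational event that the rule deliberately leaves out of its `(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)` list, so a scanner that collects challenges and never answers them (or whose failed answers are not being logged) produces nothing the jail can count, whatever `maxretry` and `findtime` are set to. The constructed `InvalidPassword` lines from 198.51.100.44 do count and cross `maxretry = 3` inside the window, while the variant with a `sip:` AccountID is dropped by the `AccountID="(\d*|<unknown>)"` part of the rule; the real fail2ban equivalent of this replay is `fail2ban-regex /var/log/asterisk/fail2ban /etc/fail2ban/filter.d/asterisk-security.conf`, which prints the same per-line verdict.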