I happened to be on a system digging around, and found that the asterisk.conf does not seem to properly detect the Rejecting unknown SIP connection from… so I created my own asterisk-custom.conf file in the filters.d using
failregex = ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s:.* "Rejecting unknown SIP connection from <HOST>"$
(the current asterisk.conf or asterisk-security.conf file is missing the .* after the s:, so it doesn’t detect those lines).
Running fail2ban-regex /var/log/asterisk/full asterisk-custom.conf gives 219 matches, so the IPs should be getting banned. Nope. Restart fail2ban, wait 10 minutes, nothing, still not banned. I have a very low tolerance for fails… I have a max retry of 4 with a find time of 86400 (4 matches in 24 hours gets you banned).
So, I ran fail2ban-client status and noticed there’s no asterisk-iptables listed in the jails. Went through the local.conf file, and no jails are set up to use the asterisk filters.
Is there a reason that asterisk-iptables is not running? Using the firewall module too, but would think fail2ban would be in play too…
Thanks in advance,
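Added example, not part of the original post and not fail2ban's own code: it compares the shipped pattern (no `.*` after `s:`) with the poster's variant against constructed log lines using Python's re module. The `%(__pid_re)s`, `%(__prefix_line)s` and `<HOST>` expansions, and the timestamp handling, are simplified assumptions standing in for what fail2ban does internally.

```python
import re

# Stand-ins for the fail2ban placeholders used in the poster's failregex.
# Simplified assumptions for this example, not the real asterisk.conf /
# common.conf definitions.
PID_RE = r"(?:\s*\[\d+\])"                      # %(__pid_re)s
PREFIX_LINE = r"(?:\S+ )?asterisk\[\d+\]:\s*"    # %(__prefix_line)s (syslog form, assumed)
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"      # fail2ban replaces <HOST> with an address pattern


def build_failregex(between_s_and_quote):
    """Compile the failregex; the argument is what may appear between
    'Ext. s:' and the quoted message ('' = stock filter, '.*' = poster's)."""
    return re.compile(
        r"^(" + PREFIX_LINE + r"|\[\]\s*WARNING" + PID_RE
        + r":?(?:\[C-[\da-f]*\])? )Ext\. s:" + between_s_and_quote
        + r' "Rejecting unknown SIP connection from ' + HOST + r'"$'
    )


STOCK = build_failregex("")       # as shipped in asterisk.conf
CUSTOM = build_failregex(".*")    # the poster's asterisk-custom.conf

# fail2ban cuts the timestamp it detected out of the line before matching; with
# the Asterisk "full" log format that leaves the empty brackets the regex expects.
TIMESTAMP = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\]")


def banned_host(regex, line):
    """Return the captured host if the line counts as a failure, else None."""
    m = regex.search(TIMESTAMP.sub("[]", line, count=1))
    return m.group("host") if m else None


# Constructed lines shaped like an Asterisk full log; none come from a real system.
SAMPLE_LINES = [
    '[2024-01-01 10:00:00] WARNING[1234][C-0000000a] Ext. s: "Rejecting unknown SIP connection from 203.0.113.5"',
    '[2024-01-01 10:00:01] WARNING[1234][C-0000000b] Ext. s: from-sip-external "Rejecting unknown SIP connection from 198.51.100.7"',
    '[2024-01-01 10:00:02] NOTICE[1234][C-0000000c] Ext. s: "Call accepted from 192.0.2.9"',
]


def compare(lines=SAMPLE_LINES):
    """Pair each line with (stock result, custom result) to show where they differ."""
    return [(banned_host(STOCK, line), banned_host(CUSTOM, line)) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, compare()):
        print(result, line)
```

A filter that matches is still inert until a jail in jail.local references it, which is the second half of the poster's problem.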