Fail2ban not banning wrong password attempts

Hi, noticed a lot of password failures in CLI. iptables -nL shows nothing banned:

Chain fail2ban-SIP (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Code in /etc/fail2ban/jail.local seems right:

[asterisk-iptables]
enabled = true
filter = asterisk-security
action = iptables-allports[name=SIP, protocol=all]
         sendmail[name=SIP, [email protected], [email protected]]
logpath = /var/log/asterisk/fail2ban

Running fail2ban-regex /var/log/asterisk/fail2ban /etc/fail2ban/filter.d/asterisk-security.conf to see if there are matches shows 1508 matches with the exact same RemoteAddress:

No 'host' found in '[] SECURITY[2339] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2016-03-29T08:54:22.526-0400",Severity="Error",Service="SIP",EventVersion="2",AccountID="1355",SessionID="0xb8e9a54",LocalAddress="IPV4/UDP/xx.xxx.xx.xxx/5060",RemoteAddress="IPV4/UDP/212.83.146.40/5137",Challenge="63943eaf",ReceivedChallenge="63943eaf",ReceivedHash="9f886d762c3adc2b47c4edfc326f9f60"

Is fail2ban running?
root 21150 1.7 0.3 180588 6576 ? Sl 08:34 0:42 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock

What might be causing fail2ban not banning?

Thanks

Hi,

I’ve seen the same thing here on several (current version) builds. The new ‘firewall’ feature also seems unable to detect these types of attacks.

Regards,

Peter.

RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"

Looking at the above I would imagine your issue is the **212.83.146.60** is not a valid host
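
Added example, not part of any post in this thread and not fail2ban's own code: a small Python check of the regex fragment quoted above against a constructed security-log line, separating "no match", "matched but no host group" (the situation fail2ban-regex reports as No 'host' found) and "host extracted". The `HOST_GROUP` pattern is a simplified assumption standing in for fail2ban's `<HOST>` expansion, and the sample line uses documentation addresses.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag expansion (assumption: the
# real expansion is more permissive; this accepts an IPv4 address or hostname).
HOST_GROUP = r"(?P<host>[\w\-.]+)"

# Regex fragment quoted in the thread.
FRAGMENT = r'RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"'

# Constructed log line modelled on the one in the question, with straight
# quotes and documentation addresses (192.0.2.10, 203.0.113.7).
SAMPLE = ('[2016-03-29 08:54:22] SECURITY[2339] res_security_log.c: '
          'SecurityEvent="InvalidPassword",EventTV="2016-03-29T08:54:22.526-0400",'
          'Severity="Error",Service="SIP",EventVersion="2",AccountID="1355",'
          'SessionID="0xb8e9a54",LocalAddress="IPV4/UDP/192.0.2.10/5060",'
          'RemoteAddress="IPV4/UDP/203.0.113.7/5137",Challenge="63943eaf"')


def find_host(failregex, line):
    """Return ('nomatch', None), ('nohost', None) or ('ok', host)."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    m = pattern.search(line)
    if m is None:
        return ("nomatch", None)   # line is ignored, no failure counted
    host = m.groupdict().get("host")
    if not host:
        return ("nohost", None)    # regex matched but gives no address to ban
    return ("ok", host)


def curly_quotes(line):
    """Swap ASCII double quotes for typographic ones, as in text copied
    from a rendered web page rather than from the log file itself."""
    return re.sub(r'"([^"]*)"', "\u201c\\1\u201d", line)


if __name__ == "__main__":
    # Fragment with <HOST>: the remote address is extracted.
    print(find_host(FRAGMENT, SAMPLE))
    # A failregex without <HOST> still matches but has nothing to ban.
    print(find_host(r'SecurityEvent="InvalidPassword"', SAMPLE))
    # Typographic quotes never match the ASCII quotes in the regex.
    print(find_host(FRAGMENT, curly_quotes(SAMPLE)))
```
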