Fail2Ban - Not Blocking Unknown SIP Connections....?


I have several systems where the CDRs will look similar to below:

2013-12-20 16:09:01 1387573741.7574 1551 Answer s [from-sip-external] ANSWERED 00:00

1551 is not an extension or DID on our system. Additionally, in the logs, we receive many messages from unknown IPs similar to what is below:

[2013-12-20 16:09:01] WARNING[25784][C-0000154b] Ext. s: “Rejecting unknown SIP connection from”

Our system is using the default latest version of FreePBX 2.11 distro. I noticed that under /etc/fail2ban/filters.d/asterisk.conf there is no listing to block messages similar to the one above from the log file. Shouldn’t there exist an entry in this filter config to prevent unknown and unwanted SIP invites from hitting our system attempting to find an extension on our system? I know once this bot/user starts to try to authenticate they will be banned, but I really do not like the fact that our customers can log on with a user ID and look in the CDRs and see all these bogus call attempts. How can we block these people altogether? I tried adding the following line to /etc/asterisk/fail2ban/filter.d/asterisk.conf but it seems to not do anything:

WARNING.* .*: "Rejecting unknown SIP connection from "

Best regards,


Looks like the host text was removed. Let's see if it shows now.

WARNING.* .*: "Rejecting unknown SIP connection from "
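
An added example, not part of the original posts and not FreePBX or fail2ban code: a small Python harness for checking a candidate failregex against log lines before it goes into the filter file. The `<HOST>` expansion is a simplified IPv4-only stand-in, the log lines are constructed, and the position of the address directly after "from " is an assumption.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The filter line from the post as the forum rendered it (tag stripped).
STRIPPED = r'WARNING.* .*: "Rejecting unknown SIP connection from "'
# The same line with <HOST> placed after "from " (assumed position).
CANDIDATE = r'WARNING.* .*: "Rejecting unknown SIP connection from <HOST>"'

# Constructed log lines modelled on the one in the post; documentation-range IPs.
SAMPLE_LOG = [
    '[2013-12-20 16:09:01] WARNING[25784][C-0000154b] Ext. s: '
    '"Rejecting unknown SIP connection from 203.0.113.5"',
    "[2013-12-20 16:09:02] NOTICE[25784] chan_sip.c: Registration from "
    "'<sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password",
    '[2013-12-20 16:09:03] WARNING[25790][C-0000154c] Ext. s: '
    '"Rejecting unknown SIP connection from 198.51.100.23"',
]


def raw_matches(pattern, lines):
    """Count lines the pattern matches as a plain regex (no tag expansion)."""
    rx = re.compile(pattern)
    return sum(1 for line in lines if rx.search(line))


def hosts_to_ban(failregex, lines):
    """Expand <HOST> and return the address captured from each matching line."""
    if "<HOST>" not in failregex:
        # Without a host capture there is no address to hand to the ban action.
        raise ValueError("failregex has no <HOST> tag")
    rx = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    found = []
    for line in lines:
        m = rx.search(line)
        if m:
            found.append(m.group("host"))
    return found


if __name__ == "__main__":
    print("stripped pattern matches:", raw_matches(STRIPPED, SAMPLE_LOG))
    print("hosts from candidate:", hosts_to_ban(CANDIDATE, SAMPLE_LOG))
```

fail2ban also ships a `fail2ban-regex` command for running a real filter file against a real log.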