I am using FreePBX 12 on Asterisk 11.
I’ve gotten a few notifications of 50+ SIP attempts against one of my FreePBX boxes the past couple of days. Initially, I added this IP subnet into the IP Tables rules list to deny further connections, but I received a notification this morning that this same IP address was banned again after 97 SIP attempts, even though this IP address should already be banned. I checked my IP Tables rule list and this IP is listed in there.
Why would Fail2Ban say that it has banned an IP but that IP is still allowed connection attempts to my system?
I’m not sure if this matters but my machine is running SSH on port 20022 instead of the standard port.
Any feedback is appreciated! Thanks!
I do think there may be some changes in how fail2ban is loading and interacting with the FreePBX Firewall (if that is enabled) and the new FreePBX 14. See https://issues.freepbx.org/browse/FREEPBX-15446
I am using FreePBX 12; I haven’t upgraded to 14 or used the firewall for this system because this system in particular has various remote workers with dynamic IP addresses that require the ability to register extensions to this box.
Also after reading that article, it appears that the jails are loading correctly after checking the status of fail2ban:
[[email protected] ~]# fail2ban-client status
|- Number of jail: 7
`- Jail list: apache-tcpwrapper, recidive, ssh-iptables, apache-badbots, pbx-gui, asterisk-iptables, vsftpd-iptables