fail2ban not working

Hello, I am seeing millions of these on the asterisk console. For some reason, fail2ban does not appear to be working. This is a new install of freepbx 5.211.65-20 with asterisk 11.13.1.

[2014-11-14 16:51:51] NOTICE[1904]: chan_sip.c:28062 handle_request_register: Registration from ‘“104” sip:[email protected]’ failed for ‘195.154.35.220:6751’ - Wrong password
localhost*CLI>

Any ideas what is wrong?

While you are troubleshooting Fail2BAN, you can at least manually ban that IP - From the cli:

iptables -A INPUT -s 195.154.35.220 -j DROP

Here is more info on manually doing it:

http://www.cyberciti.biz/faq/how-do-i-block-an-ip-on-my-linux-server/

I noticed yesterday that fail2ban has stopped catching these malicious registration attempts.

I am running FPBX Distro 6.12.65-20, FPBX 12.0.13 and asterisk 11.14. I upgraded from track 5 to track 6 last week. Before upgrading fail2ban was catching them.

I had a quick look at the filters and jail. All looks normal but have not yet had a chance to look at it in depth.

What ended up working for me was turning the following from yes to no under “Asterisk SIP Settings”.

Allow SIP Guests?
Allow Anonymous Inbound SIP Calls?

Apparently the default is Yes. In my opinion, the default probably should be No, maybe it is a bug. Once I set this to No, the problem just went away. I’m thinking that fail2ban does not catch these arriving from locations other than your sip provider.

Has anyone else had problems with fail2ban not working? It is not working for me. I have checked the jails etc and all looks very normal with the install I mentioned above.

Post your jail.local here

Here we go - I have removed email addresses for sender and dest:
[DEFAULT]
ignoreip = 127.0.0.1 172.16.60.0/24 208.81.163.2 204.16.8.68 192.168.1.0/24
bantime = 604800
findtime = 600
maxretry = 8
backend = auto

[asterisk-iptables]
enabled = true
filter = asterisk-security
action = iptables-allports[name=SIP, protocol=all]
         sendmail[name=SIP, dest=, sender=]
logpath = /var/log/asterisk/fail2ban

[pbx-gui]
enabled = true
filter = freepbx
action = iptables-allports[name=PBX-GUI, protocol=all]
         sendmail[name=PBX-GUI, dest=, sender=]
logpath = /var/log/asterisk/freepbx_security.log

[ssh-iptables]
enabled = true
filter = sshd
action = iptables-allports[name=SSH, port=ssh, protocol=tcp]
         sendmail[name=SSH,dest= , sender=]
logpath = /var/log/secure

[apache-tcpwrapper]
enabled = true
filter = apache-auth
action = iptables-allports[name=PBX-GUI, port=http, protocol=tcp]
         sendmail[name=PBX-GUI, dest=, sender=]
logpath = /var/log/httpd/error_log

[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables-allports[name=FTP, port=ftp, protocol=tcp]
         sendmail[name=FTP, dest=, sender=]
logpath = /var/log/vsftpd.log

[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables-allports[name=BadBots, port="http,https"]
         sendmail[name=PBX GUI, dest=, sender=]
logpath = /var/log/httpd/*access_log

[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive, protocol=all]
         sendmail[name=recidive, dest=, sender=]
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day

You will need to create another one. It should work. But take note: whenever you reboot your server, filter = asterisk will become filter = asterisk-security

[asterisk-iptables1]
enabled = true
filter = asterisk
action = iptables-allports[name=SIP, protocol=all]
         sendmail[name=SIP, dest=, sender=]
logpath = /var/log/asterisk/fail2ban

There was a bug introduced in version one script version and it was fixed in newer versions. If it was working before and then suddenly stopped then this may be the issue. We suffered from this issue and it was resolved by an upgrade and fail2ban service restart. I can’t recall exactly the version.

Can you check what you have in filter? I believe there is asterisk and asterisk-security. Asterisk should be the one catching.

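The jail settings posted above only ever count log lines that the filter's regex matches, so a filter that silently stops matching produces no bans at all. The following is an added example, not code from the thread or from fail2ban: it replays log lines through the posted `ignoreip`, `findtime` and `maxretry` values, and the regex, the sample lines, the address 203.0.113.50 and the host pbx.example.test are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# [DEFAULT] values from the jail.local posted in the thread.
IGNOREIP = "127.0.0.1 172.16.60.0/24 208.81.163.2 204.16.8.68 192.168.1.0/24"
FINDTIME, MAXRETRY = 600, 8
IGNORED = [ipaddress.ip_network(n) for n in IGNOREIP.split()]

# Assumed pattern for the chan_sip NOTICE format quoted in the first post;
# it is not the regex shipped in fail2ban's asterisk filters.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\]: chan_sip\.c:\d+ "
    r"handle_request_register: Registration from '.*' failed for "
    r"'(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - .+$")

def evaluate(lines):
    """Return (bans, unmatched): host -> time the ban triggers, lines the regex missed."""
    window, bans, unmatched = defaultdict(deque), {}, []
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if not m:
            unmatched.append(line)   # a filter that never matches bans nothing
            continue
        host = m.group("host")
        if host in bans or any(ipaddress.ip_address(host) in n for n in IGNORED):
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        hits = window[host]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > FINDTIME:
            hits.popleft()           # drop failures older than findtime
        if len(hits) >= MAXRETRY:
            bans[host] = ts
    return bans, unmatched

def sample_lines():
    """Constructed log lines: 9 failures from an outside host, 9 from an ignoreip host."""
    fmt = ("[{}] NOTICE[1904]: chan_sip.c:28062 handle_request_register: Registration "
           "from '\"104\" <sip:104@pbx.example.test>' failed for '{}:6751' - Wrong password")
    base = datetime(2014, 11, 14, 16, 51, 0)
    stamps = [(base + timedelta(seconds=30 * i)).strftime("%Y-%m-%d %H:%M:%S") for i in range(9)]
    lines = [fmt.format(s, ip) for s in stamps for ip in ("203.0.113.50", "192.168.1.20")]
    # Same line with typographic quotes, as a forum paste renders it: must not match.
    return lines + [lines[0].replace("'", "\u2019")]

if __name__ == "__main__":
    bans, unmatched = evaluate(sample_lines())
    print(bans, len(unmatched))
```

On a live system, `fail2ban-regex <logfile> <filter file>` runs the same kind of match test against the installed filter and reports how many lines it matched and missed.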

Hi,

I don’t know if this is the correct discussion, so sorry if it is a mistake.

I don’t know if my fail2ban works or not. Every day I receive a lot of mail from fail2ban saying that many IPs have been banned, but is that possible?

For example, it also banned the IP 52.25.146.36, of Amazon… is Amazon trying to hack my PBX??? :fearful:

@reikidude89 Please start a new thread for your own issues in the future.

To answer your question, no Amazon isn’t trying to hack your PBX.

The e-mails mean that it’s working, and the Amazon IPs mean that somebody is using a stolen credit card to pay for an AWS cloud server and run a bot that tries to hack IP PBX servers and use them to commit some sort of fraud, presumably toll fraud.

I have my ban timer set for 1 week because of this; and I’m moving towards a permanent ban (time = -1). The problem with this is that I will have to unban people manually, but I think that it’s worth it.

Thank you for your help.

In my scenario there are two locations that are connected over VPN, and there is one PBX for all phones.

I will set fail2ban with a long time and hope it does not cause any problems.

Thank you :slight_smile: