Just got an email from Fail2Ban…
Hi,
The IP 220.127.116.11 has just been banned by Fail2Ban after 270 attempts against SIP on localhost.
Regards,
Fail2Ban
so I’m pleased it’s doing its job, but have a couple of questions!
- I still don’t understand how I’m being probed when my FreePBX server sits behind a NAT firewall with NO exposed ports or DMZ. I’ve asked this question before but I didn’t understand the answer. It turns my understanding of networking on its head that WAN-side probes can reach a server sitting inside my LAN when I’m not explicitly port forwarding.
- When it says “on localhost” I guess that just means “here”.
- Why did it take 270 attempts before the ban? Looking at my logs, this French dude was trying all sorts of different extensions in a very short space of time… why not ban after 10 or 20 failed attempts?
When a connection is originated by a device on the Internet outside the LAN it is not clear which device on the LAN the connection is meant to be established with. In this case there needs to be some rule that tells the NAT router what to do with the incoming traffic, otherwise it will simply discard the traffic and no connection will be established.
EDIT: Just going through my router’s settings again. I’ve noticed UPnP is turned on, and there is only one reference to the IP my FreePBX box is on:
UDP ----- 42567 ------ 192.168.1.18
Could this be the route in?
EDIT 2: Fail2Ban clearly unbanned my French friend because he’s just been re-banned, this time he was allowed 98 chances!
EDIT 3: Fail2Ban has unbanned my French friend again, this time he was permitted 174 cracks of the whip before Fail2Ban ‘sprang’ into action. I really feel like I’m under attack here.
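As an added illustration, not code from this thread or from the Fail2Ban project, here is a small Python model of the maxretry / findtime / bantime counting a Fail2Ban jail does, run over constructed SIP failure lines for a documentation-range address. It shows the mechanics behind the questions above: failures only count while they fall inside findtime, the ban lifts after bantime so the counter starts again when the attacker returns, and when failures arrive in a fast burst the number reported at ban time can be well above maxretry because lines logged between the ban decision and the firewall rule taking effect still accrue to the same ticket. The log format, the action_delay parameter, the addresses and the timestamps are assumptions of this model, not Fail2Ban's actual data structures.

```python
"""
Sliding-window ban model in the style of Fail2Ban's maxretry / findtime /
bantime logic. Added illustration, not Fail2Ban's own code.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Parses the constructed log format produced by make_lines() below. The
# layout loosely imitates Asterisk's security log but keeps only the two
# fields this model needs: the timestamp and the remote address.
LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] SECURITY.*?'
    r'SecurityEvent="(?:InvalidAccountID|ChallengeResponseFailed)".*?'
    r'RemoteAddress="IPV4/UDP/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/\d+"'
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


class Jail:
    """One jail: failures per IP inside findtime, bans lasting bantime.

    action_delay (an assumption of this model) is the gap between the filter
    deciding on a ban and the firewall rule actually taking effect; failures
    logged in that gap still accrue to the same ticket, which is one way the
    reported failure count ends up above maxretry.
    """

    def __init__(self, maxretry=10, findtime=600, bantime=600, action_delay=0):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.action_delay = timedelta(seconds=action_delay)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.pending = {}                   # ip -> [fire_at, attempts]
        self.banned_until = {}              # ip -> when the ban expires
        self.events = []                    # (time, "ban"|"unban", ip, attempts)

    def process_line(self, line):
        m = LINE_RE.match(line)
        if not m:
            return None                     # not a failure line; ignored
        ts = datetime.strptime(m["ts"], TS_FMT)
        ip = m["ip"]
        self._tick(ts)
        if ip in self.banned_until:
            return "dropped"                # firewall rule in place; never reaches SIP
        if ip in self.pending:
            self.pending[ip][1] += 1        # ban decided, action not yet executed
            return "counted_after_decision"
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()                # only failures inside findtime count
        if len(window) >= self.maxretry:
            self.pending[ip] = [ts + self.action_delay, len(window)]
            window.clear()
            self._tick(ts)                  # with action_delay=0 the ban fires now
            return "ban_decided"
        return "counted"

    def _tick(self, now):
        """Lazy timer: lift expired bans and execute due ban actions.

        Real Fail2Ban runs these on its own schedule; the model runs them when
        the next log line arrives, which is enough to order the events.
        """
        for ip, until in list(self.banned_until.items()):
            if now >= until:
                del self.banned_until[ip]
                self.events.append((now.strftime(TS_FMT), "unban", ip, 0))
        for ip, (fire_at, attempts) in list(self.pending.items()):
            if now >= fire_at:
                del self.pending[ip]
                self.banned_until[ip] = now + self.bantime
                self.events.append((now.strftime(TS_FMT), "ban", ip, attempts))


def make_lines(ip, start, rate, seconds):
    """Constructed sample log: `rate` failed SIP registrations per second from ip."""
    lines = []
    for s in range(seconds):
        stamp = (start + timedelta(seconds=s)).strftime(TS_FMT)
        for _ in range(rate):
            lines.append(
                f'[{stamp}] SECURITY[1234] res_security_log.c: '
                f'SecurityEvent="InvalidAccountID",Service="SIP",'
                f'RemoteAddress="IPV4/UDP/{ip}/5060"'
            )
    return lines


def demo():
    """Two bursts from one (documentation-range) address: a fast one, then a
    slower one after the first ban has expired. Returns the ban/unban events."""
    jail = Jail(maxretry=10, findtime=600, bantime=60, action_delay=2)
    t0 = datetime(2015, 8, 14, 10, 0, 0)
    fast = make_lines("203.0.113.7", t0, rate=5, seconds=6)                        # 30 lines in 6 s
    slow = make_lines("203.0.113.7", t0 + timedelta(seconds=90), rate=1, seconds=15)
    for line in fast + slow:
        jail.process_line(line)
    return jail.events


if __name__ == "__main__":
    for when, what, ip, attempts in demo():
        print(when, what, ip, f"after {attempts} attempts" if what == "ban" else "")
```

With these parameters the fast burst is banned at 15 logged attempts and the slow one at 11, although maxretry is 10 in both cases; the reported figure depends on how quickly the lines arrive, which is the same pattern as the 270, 98 and 174 counts above. On a real box the effective values for a jail can be read back with `fail2ban-client get <jail> maxretry`, `fail2ban-client get <jail> findtime` and `fail2ban-client get <jail> bantime`, and `fail2ban-client status <jail>` lists what is currently banned. For an attacker who keeps coming back after every unban, Fail2Ban ships a `recidive` jail that watches its own log and bans repeat offenders for much longer.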