[Fail2Ban] SIP: banned on localhost

Just got an email from Fail2Ban…


The IP has just been banned by Fail2Ban after
270 attempts against SIP on localhost.



so I’m pleased it’s doing its job, but have a couple of questions!

  1. I still don’t understand how I’m being probed when my FreePBX server sits behind a NAT firewall with NO exposed ports or DMZ. I’ve asked this question before but I didn’t understand the answer. It turns my understanding of networking on its head that WAN side probes can reach a server sat inside my LAN when I’m not explicitly port forwarding.*
  2. When it says “on localhost” I guess that just means “here”.
  3. Why did it take 270 attempts before the ban? Looking at my logs this French dude was trying all sorts of different extensions in a very short space of time…why not ban after 10 or 20 failed attempts?



When a connection is originated by a device on the Internet outside the LAN it is not clear which device on the LAN the connection is meant to be established with. In this case there needs to be some rule that tells the NAT router what to do with the incoming traffic, otherwise it will simply discard the traffic and no connection will be established.

EDIT: Just going through my router’s settings again. I’ve noticed UPNP is turned on, and there is only one reference to the IP my FreePBX box is on:

UDP ----- 42567 ------

Could this be the route in?

EDIT 2: Fail2Ban clearly unbanned my French friend because he’s just been rebanned , this time he was allowed 98 chances!

EDIT 3: Fail2Ban has unbanned my French friend again, this time he was permitted 174 cracks of the whip before Fail2Ban ‘sprang’ into action. I really feel like I’m under attack here.

Fail2ban has a ‘recidive’ jail,
fail2ban > version .8 remembers bans over reboots,
Install pyinotify for a quicker response to attempts

By any other means, add a drop rule to iptables (your firewall) for

I can not answer your questions but I can share a script with you that can help monitoring access to your system. Feel free to modify the script based on your need. The script will send you an email if there is a failed access attempt (one step before Fail2Ban jail) or if the system was successful accessed from unauthorized IP address. The script will send you one email notification. Then you either whitelist the IP address or block and clear from your log (so if there is another attempt you will get notification)

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.