[Fail2Ban] SIP: banned <IP> on localhost

The past 12 hours I have been getting the following mails from my FreePBX:

The IP <IP> has just been banned by Fail2Ban after
73 attempts against SIP on localhost.

The FreePBX is a VPS hosted by Vultr and I have setup the Vultr firewall to only allow ports 80, 443, 5060, 10000-20000 and 22222. Port 80 from anywhere for Let’s Encrypt and all other ports from my WAN address. So why am I getting Fail2Ban messages from other addresses?

Fail2Ban currently doesn’t show any blocked addresses and it hasn’t sent mails as of 3.58 AM.

sngrep -d lo

would show SIP activity only on /dev/lo.

The fail2ban logs should identify which jail produced that report.

sngrep -d lo does not show anything; sngrep shows the usual suspects: the server, all remote locations, connected trunks.

If you are allowing 5060 from anywhere then anyone is allowed to try and register to your server. Perhaps you could implement a default DROP policy for your INPUT and only allow known IPs?

I’m allowing ports 443, 5060, 10000-20000 and 22222 only from the offices, so not anywhere. The last rule in the firewall drops all other incoming traffic.

So is the IP address that got banned one of the IPs that you are allowing through the firewall? That traffic got through somehow.

Correct. Firewall misfire at Vultr?

I’m confused about this response. Are you saying that the IP that got banned is an IP that you are allowing? Or it isn’t?

The IP that got banned is an IP I’m not allowing. It hasn’t happened however, so I’m guessing it’s a glitch in the Vultr firewall which I’m going to talk to them about.
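One way to do both checks the replies ask for, reading which jail produced each ban out of fail2ban.log and testing every banned address against the firewall allow-list, as an added example that is not code from this thread or from FreePBX. The log lines and the allow-list networks are constructed; the jail name SIP is taken from the mail subject, and the log layout assumed is fail2ban's default.

```python
import ipaddress
import re

# Constructed sample in the default fail2ban.log layout (not taken from the thread).
# One ban comes from an office address, one from an address the firewall should drop.
SAMPLE_LOG = """\
2024-03-10 03:40:12,101 fail2ban.filter  [812]: INFO    [SIP] Found 203.0.113.45
2024-03-10 03:41:07,532 fail2ban.actions [812]: NOTICE  [SIP] Ban 203.0.113.45
2024-03-10 03:55:19,004 fail2ban.actions [812]: NOTICE  [apache-auth] Ban 198.51.100.7
2024-03-10 04:02:48,310 fail2ban.actions [812]: NOTICE  [SIP] Ban 192.0.2.20
2024-03-10 04:10:03,771 fail2ban.actions [812]: NOTICE  [SIP] Unban 203.0.113.45
"""

# Hypothetical allow-list mirroring the cloud firewall rules described in the thread:
# the office WAN addresses that may reach 5060, 10000-20000 and 22222.
ALLOWED = [ipaddress.ip_network("192.0.2.10/32"), ipaddress.ip_network("192.0.2.20/32")]

# Matches only "Ban" actions; "Found" and "Unban" lines are deliberately ignored.
BAN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.actions\s+\[\d+\]: NOTICE\s+"
    r"\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
)


def parse_bans(log_text):
    """Return (timestamp, jail, ip_address) for every Ban event in the log text."""
    bans = []
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if m:
            bans.append((m.group("ts"), m.group("jail"), ipaddress.ip_address(m.group("ip"))))
    return bans


def classify_bans(log_text, allowed, jail="SIP"):
    """Split one jail's bans into sources inside the allow-list (a misbehaving office
    device) and sources outside it (traffic the perimeter firewall should have dropped)."""
    expected, unexpected = [], []
    for ts, j, ip in parse_bans(log_text):
        if j != jail:
            continue
        bucket = expected if any(ip in net for net in allowed) else unexpected
        bucket.append((ts, str(ip)))
    return expected, unexpected


if __name__ == "__main__":
    ok, bad = classify_bans(SAMPLE_LOG, ALLOWED)
    for ts, ip in bad:
        print(f"{ts} [SIP] ban of {ip}: not in allow-list, perimeter filtering did not hold")
```

Run it against the real file with `classify_bans(open("/var/log/fail2ban.log").read(), ALLOWED)` after replacing the constructed allow-list with the office addresses; a non-empty second list is the evidence to take to the hosting provider.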
