May 3, 2020, 4:07am
I received the following email from fail2ban
The IP 126.96.36.199 has just been banned by Fail2Ban after
46 attempts against SIP on ast.
My Fail2Ban settings are as follows:
After 2 failed attempts, I want to ban the IP for a month (this logic works for my setup). But this does not match up with the above email.
Why was the rogue IP not blocked after 2 attempts? How did it get to make 46 attempts?
Also, my "IP’s that are currently banned" list is not growing.
I think I’m missing something here.
May 3, 2020, 12:19pm
I assume that by the time fail2ban counted 2 and blocked, that attacker already did 46 attempts.
May 3, 2020, 12:32pm
That could be a possibility.
No Fail2Ban emails for 8 hours. Either hackers are enjoying their Sunday or Fail2Ban is doing its job well.
May 3, 2020, 2:38pm
It depends on the backends available to fail2ban and the rate at which the attempts are made; you will get a significant response improvement if you make pyinotify available on your system.
Also, f2b versions >= 0.9 are significantly more efficient.
May 4, 2020, 5:18am
@dicko My current FreePBX distro has fail2ban 0.8.14-76
Since I have a distro install, I will wait for the system to automatically upgrade fail2ban.
On another note, since yesterday, when I last made the config changes, I’m seeing fewer emails from fail2ban & I’m seeing a healthy growth in banned IPs listed on the Intrusion Detection page.
I will continue to monitor and update this thread as I discover something new.
Thanks again & stay safe!!
May 4, 2020, 5:36am
Well, the currently packaged version dates to Aug 19, 2014; 11 is the version currently being developed, but even so pyinotify will still help. If it is in the repos, then
yum install python-pyinotify
would likely speed your detection rate without upsetting ‘the distro’.
The fail2ban logs will show what backend is used on startup.
May 4, 2020, 6:35am
@dicko Thanks for sharing the link to DO.
My repo does not have pyinotify:
[email protected] ~]# yum install python-pyinotify
Loaded plugins: fastestmirror, versionlock
Loading mirror speeds from cached hostfile
No package python-pyinotify available.
Error: Nothing to do
[ [email protected] ~]#
[email protected] ~]# rpm -qa | grep notify
[ [email protected] ~]#
June 2, 2020, 12:02am
I did the following today on my FreePBX distro.
yum install python-pip
pip install --upgrade pip
pip install pyinotify
modify jail.conf & jail.local – changed
backend = pyinotify
service fail2ban restart
I’m hoping this will stop events like this:
46 attempts against SIP on ast
I will share my feedback in a few hours/days.
June 4, 2020, 12:22pm
I’m happy to report that finally I am seeing a reduced number of fail2ban emails &, most importantly, max failed attempts has not crossed “2”. Previously it was common for me to get 5-300 failed attempts in the notification email.