fail2Ban with thousands of banned IPs

We have had several systems that have thousands of banned IPs in the list. What impact would this have on call quality, etc.? These systems typically have a dynamic IP and remote phones.

That many ‘rules’ can indeed impact your network and thus its response time; it will also consume system resources to the detriment of other needs.

If you have that many, then I suggest that you look at the ‘commonality’ of the bans discovered

fail2ban-regex

can provide such clues, I would postulate that the most common reasons will be :-

‘allowing guest or anonymous calls and listening on UDP/5060 for SIP INVITES’

If that is the case, both are easily remedied with a brief re-think of your deployment, which would slow those from a flood to a trickle…
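As an added illustration (not dicko's code, and not part of FreePBX or fail2ban), the following script summarises fail2ban's own log in the spirit of the ‘commonality’ check above: bans per jail, bans per /24 (or /64), and how many bans are re-bans of an address seen before. The log excerpt is constructed, and the line layout assumed is fail2ban's default `fail2ban.log` format.

```python
import re
import sys
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed fail2ban.log excerpt (not taken from a real system).
SAMPLE_LOG = """\
2024-03-01 10:00:01,101 fail2ban.actions        [911]: NOTICE  [asterisk] Ban 203.0.113.5
2024-03-01 10:00:05,202 fail2ban.actions        [911]: NOTICE  [asterisk] Ban 203.0.113.77
2024-03-01 10:01:00,303 fail2ban.actions        [911]: NOTICE  [sshd] Ban 198.51.100.9
2024-03-01 10:02:10,404 fail2ban.filter         [911]: INFO    [asterisk] Found 203.0.113.5
2024-03-01 11:00:01,505 fail2ban.actions        [911]: NOTICE  [asterisk] Unban 203.0.113.5
2024-03-01 12:00:01,606 fail2ban.actions        [911]: NOTICE  [asterisk] Ban 203.0.113.5
2024-03-01 12:30:00,707 fail2ban.actions        [911]: NOTICE  [asterisk] Ban 192.0.2.14
"""

# Matches only 'Ban' action lines; 'Found' and 'Unban' lines are deliberately ignored.
BAN_RE = re.compile(
    r"^\S+ \S+ fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
)

def aggregate_net(ip):
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) so scanner ranges stand out."""
    prefix = 24 if ip_address(ip).version == 4 else 64
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def summarise(log_text):
    """Count Ban events per jail and per aggregate network, plus how many are re-bans."""
    per_jail, per_net, per_ip = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if not m:
            continue
        per_jail[m["jail"]] += 1
        per_net[aggregate_net(m["ip"])] += 1
        per_ip[m["ip"]] += 1
    total = sum(per_ip.values())
    return {
        "total_bans": total,
        "per_jail": per_jail,
        "per_net": per_net,
        "repeat_bans": total - len(per_ip),  # bans of an address banned earlier in the log
    }

if __name__ == "__main__":
    # Pass a log path as the first argument to analyse a real log instead of the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarise(text)
    print(f"{s['total_bans']} bans, {s['repeat_bans']} of them repeats")
    for jail, n in s["per_jail"].most_common():
        print(f"  jail {jail}: {n}")
    for net, n in s["per_net"].most_common(5):
        print(f"  {net}: {n}")
```

A high share of bans in the asterisk jail, clustered in a few networks and repeating after unban, points at the SIP-scanning pattern described in the reply rather than at many unrelated sources.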

Thanks dicko,

You affirmed what I have been reading today about this. We will certainly tighten things up.

Thanks again


Consider those as ‘stop-gap measures’; there are more sophisticated prophylaxes not too much harder to implement.

The system Firewall set for Responsive and leaving Fail2ban on doesn’t stop the attempts or the filling up of iptables, does it? The traffic comes in from the fact that we have 5060 or 5300 open for mobile users. What would be the preferred way to slow it down then? Changing the control port to something obscure? Lately most of our installs are with cloud systems. The firewall there is pretty good if we know the incoming IP addresses.

Changing the SIP bind port away from 5000-5999 is the quickest; your clients will need to be using that port, but a temporary port forward on your firewall from 5060 to your newly bound 56789 or whatever gives you time for pause. Changing the protocol to TCP only is the second, but also needs client intervention, which is easy if you are ‘provisioning’ them. Using TLS with a certificate issued to a legitimate but obscure domain other than your standard LetsEncrypt GUI one is probably the most instantaneously gratifying, which when completed needs no IP-based fire-walling at all, but you can add it if you are really paranoid.

I will add as a postscript that, last time I looked, although chan_sip always allowed filtering all comms to only listed ‘domains’, chan_pjsip in FreePBX allows re-ordering of ‘transports’ but NOT the ability to disable any attempt of IP-only based auth or other unacceptable transport, thus leaving a gaping hole to be exploited sooner or later…
