Freepbx, fail2ban / iptables do not ban IP for wrong password

Hi all.

I’m running asterisk 11.18.0 on raspbx.
I’m up-to-date for all modules…

uname -a

Linux raspbx 3.18.6+ #753 PREEMPT Sun Feb 8 14:47:22 GMT 2015 armv6l GNU/Linux

asterisk -V

Asterisk 11.18.0

python -V

Python 2.7.9

Fail2ban v08.13

amportal a ma list

no repos specified, using: [commercial,unsupported,extended,standard] from last GUI settings

Module              Version           Status
------------------- ----------------- -------------------
announcement        2.11.0.4          Enabled
asteriskinfo        12.0.2            Enabled
backup              12.0.19           Enabled
builtin                               Enabled
callrecording       12.0.4            Enabled
cdr                 12.0.23           Enabled
conferences         12.0.19           Enabled
core                12.0.39           Enabled
customappsreg       12.0.3.2          Enabled
dashboard           12.0.32           Enabled
dictate             2.11.0.3          Enabled
featurecodeadmin    12.0.2            Enabled
framework           12.0.76.2         Enabled
fw_ari              12.0.8            Enabled
iaxsettings         2.11.0.3          Enabled
infoservices        12.0.3.2          Enabled
ivr                 2.11.0.11         Enabled
logfiles            12.0.6            Enabled
motif               12.0.4            Enabled
music               12.0.1            Enabled
queues              12.0.20           Enabled
recordings          12.0.8            Enabled
ringgroups          12.0.3.2          Enabled
sipsettings         12.0.16           Enabled
timeconditions      12.0.8            Enabled
voicemail           12.0.43           Enabled

apt-get upgarde --> Nothing to upgrade

My pbx is on my local network, and needs to connect to local or remote devices.

Public UDP 5060 port is redirected to the PBX local IP address.

I have disabled GUEST connections…

I can connect to SIP phones and establish calls.

Fail2ban is correctly banning IP for ssh attempts, but not for bad registration in my asterisk…

In /var/log/asterisk/security_log, I get many connections with wrong password like this one.

[2015-10-20 18:09:01] NOTICE[1458] chan_sip.c: Registration from '"107" <sip:[email protected]:5060>' failed for '88.150.240.13:5102' - Wrong password
[2015-10-20 18:09:01] SECURITY[1416] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1445357341-60451",Severity="Error",Service="SIP",EventVersion="2",AccountID="107",SessionID="0xb64b77ec",LocalAddress="IPV4/UDP/82.232.137.26/5060",RemoteAddress="IPV4/UDP/88.150.240.13/5102",Challenge="31d9463f",ReceivedChallenge="31d9463f",ReceivedHash="42eb3a317fa51c45d6429ee3b251e04d"
[2015-10-20 18:09:03] SECURITY[1416] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1445357343-404085",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x211ab74",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/52063",UsingPassword="0",SessionTV="1445357343-404046"
[2015-10-20 18:09:03] NOTICE[4783] pbx_spool.c: Call completed to Local/[email protected]
[2015-10-20 18:09:03] SECURITY[1416] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1445357343-974428",Severity="Informational",Service="SIP",EventVersion="1",AccountID="210",SessionID="0xb6401054",LocalAddress="IPV4/UDP/82.232.137.26/5060",RemoteAddress="IPV4/UDP/88.150.240.13/5061",Challenge="62e848d3"
[2015-10-20 18:09:04] NOTICE[1458] chan_sip.c: Registration from '"210" <sip:[email protected]:5060>' failed for '88.150.240.13:5061' - Wrong password
[2015-10-20 18:09:04] SECURITY[1416] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1445357344-68129",Severity="Error",Service="SIP",EventVersion="2",AccountID="210",SessionID="0xb6401054",LocalAddress="IPV4/UDP/82.232.137.26/5060",RemoteAddress="IPV4/UDP/88.150.240.13/5061",Challenge="62e848d3",ReceivedChallenge="62e848d3",ReceivedHash="fd6975e7a467fbf53ef469a99aea267c"
[2015-10-20 18:09:04] SECURITY[1416] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1445357344-455486",Severity="Informational",Service="SIP",EventVersion="1",AccountID="709",SessionID="0xb64656f4",LocalAddress="IPV4/UDP/82.232.137.26/5060",RemoteAddress="IPV4/UDP/88.150.240.13/5085",Challenge="16b78cee"
[2015-10-20 18:09:04] NOTICE[1458] chan_sip.c: Registration from '"709" <sip:[email protected]:5060>' failed for '88.150.240.13:5085' - Wrong password
[2015-10-20 18:09:04] SECURITY[1416] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1445357344-545712",Severity="Error",Service="SIP",EventVersion="2",AccountID="709",SessionID="0xb64656f4",LocalAddress="IPV4/UDP/82.232.137.26/5060",RemoteAddress="IPV4/UDP/88.150.240.13/5085",Challenge="16b78cee",ReceivedChallenge="16b78cee",ReceivedHash="70838f2b2a366bdc7e626c754a992af5"
[2015-10-20 18:09:04] SECURITY[1416] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1445357344-671314",Severity="Informational",Service="SIP",EventVersion="1",AccountID="309",SessionID="0xb649d6ac",LocalAddress="IPV4/UDP/82.232.137.26/5060",RemoteAddress="IPV4/UDP/88.150.240.13/5105",Challenge="40e365d4"
[2015-10-20 18:09:04] NOTICE[1458] chan_sip.c: Registration from '"309" <sip:[email protected]:5060>' failed for '88.150.240.13:5105' - Wrong password
[2015-10-20 18:09:04] SECURITY[1416] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1445357344-766110",Severity="Error",Service="SIP",EventVersion="2",AccountID="309",SessionID="0xb649d6ac",LocalAddress="IPV4/UDP/82.232.137.26/5060",RemoteAddress="IPV4/UDP/88.150.240.13/5105",Challenge="40e365d4",ReceivedChallenge="40e365d4",ReceivedHash="60761ff752fe68547e9db4237cfb5465"
[2015-10-20 18:09:06] SECURITY[1416] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1445357346-687938",Severity="Informational",Service="SIP",EventVersion="1",AccountID="109",SessionID="0xb64c8534",LocalAddress="IPV4/UDP/82.232.137.26/5060",RemoteAddress="IPV4/UDP/88.150.240.13/5093",Challenge="49f47490"d

My fail2ban settings are :

/etc/fail2ban/jail.local

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=sip, protocol=all]
#          sendmail[name=Asterisk, dest=root, sender=root]
logpath  = /var/log/asterisk/security_log
maxretry = 3
findtime = 1800
bantime  = 1800

/etc/fail2ban/filter.d/asterisk.conf

# Fail2Ban configuration file
#
#
# $Revision: 251 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Asterisk 1.8 uses Host:Port format which is reflected here

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
        NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
        NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
        NOTICE.* <HOST> failed to authenticate as '.*'$
        NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
        NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
        NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
        NOTICE.* .*: <HOST> failed to authenticate as '.*'
        NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
        SECURITY.* .*: SecurityEvent="InvalidAccountID",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*"
         SECURITY.* .*: SecurityEvent="ChallengeResponseFailed",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*
        SECURITY.* .*: SecurityEvent="InvalidPassword",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#

fail2ban-client status

Status
|- Number of jail:      4
`- Jail list:           asterisk-tcp, asterisk-iptables, ssh, asterisk-udp

fail2ban-regex /var/log/asterisk/security_log /etc/fail2ban/filter.d/asterisk.conf

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/asterisk.conf
Use         log file : /var/log/asterisk/security_log


Results
=======

Failregex: 4562 total
|-  #) [# of hits] regular expression
|   1) [1521] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
|   9) [1521] NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
|  18) [1520] SECURITY.* .*: SecurityEvent="InvalidPassword",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [5426] Year-Month-Day Hour:Minute:Second
`-

Lines: 5519 lines, 0 ignored, 3041 matched, 2478 missed
Missed line(s): too many to print.  Use --print-all-missed to print all 2478 lines

I’m disapointed… I need help because I do not understand why fail2ban do not ban IP for wrong password intrusion.

I have read so many documents, and made so much tests…

Thanks,
Laurent.