I noticed invalid SIP passwords were not leading to the IP address being banned. For testing, I set one of my internal phones to the wrong password. It seemed to generate an incorrect address about once a minute.
The first thing to see is if Asterisk is even logging the incorrect login attempt. It is supposed to log them to /var/log/asterisk/fail2ban. I looked there and indeed saw all the invalid attempts. Here's one of them:
[2015-06-08 10:39:36] SECURITY[3024] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1433785176-211286",Severity="Error",Service="SIP",EventVersion="2",AccountID="508",SessionID="0x7f44b001def8",LocalAddress="IPV4/UDP/192.168.1.14/5060",RemoteAddress="IPV4/UDP/192.168.1.16/5060",Challenge="5c8560ff",ReceivedChallenge="5c8560ff",ReceivedHash="f50a727f0dc3f032d18a50678239a714"
OK. So the next thing was to see if fail2ban could find it. I ran the following command and saw all the offenders:
fail2ban-regex /var/log/asterisk/fail2ban /etc/fail2ban/filter.d/asterisk.conf
192.168.1.16 (Mon Jun 08 10:23:20 2015)
192.168.1.16 (Mon Jun 08 10:23:35 2015)
192.168.1.16 (Mon Jun 08 10:24:40 2015)
192.168.1.16 (Mon Jun 08 10:24:55 2015)
192.168.1.16 (Mon Jun 08 10:26:00 2015)
192.168.1.16 (Mon Jun 08 10:26:15 2015)
192.168.1.16 (Mon Jun 08 10:27:20 2015)
192.168.1.16 (Mon Jun 08 10:27:35 2015)
192.168.1.16 (Mon Jun 08 10:28:40 2015)
192.168.1.16 (Mon Jun 08 10:28:55 2015)
192.168.1.16 (Mon Jun 08 10:30:00 2015)
192.168.1.16 (Mon Jun 08 10:30:15 2015)
192.168.1.16 (Mon Jun 08 10:31:20 2015)
192.168.1.16 (Mon Jun 08 10:31:35 2015)
192.168.1.16 (Mon Jun 08 10:32:40 2015)
192.168.1.16 (Mon Jun 08 10:32:55 2015)
192.168.1.16 (Mon Jun 08 10:34:00 2015)
192.168.1.16 (Mon Jun 08 10:34:15 2015)
192.168.1.16 (Mon Jun 08 10:35:20 2015)
Next, I changed /etc/fail2ban/jail.local so that backend = polling instead of auto.
Finally, jail.local is set up by default to use the asterisk-security.conf filter, while the more current-looking asterisk.conf filter does not get used. Instead of modifying the jail.local file to point at asterisk instead of asterisk-security, I went into the /etc/fail2ban/filter.d/ folder and swapped asterisk-security.conf and asterisk.conf so that the more current regex rules are used.
When I looked at my iptables rules (iptables -L), I then saw the offender in the fail2ban-SIP jail.
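To make the check above reproducible outside fail2ban, here is an added Python example (not code from the post or from fail2ban) that parses Asterisk security-log records like the one shown, then applies a maxretry/findtime sliding window the way a jail would. The regex is my own, modeled on the record format rather than copied from fail2ban's asterisk.conf, and the sample log records are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed regex modeled on the record format in /var/log/asterisk/fail2ban; it is
# not fail2ban's own asterisk.conf filter. A real filter writes <HOST> where this captures the IPv4 address.
SECURITY_EVENT_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] SECURITY\[\d+\] res_security_log\.c: '
    r'SecurityEvent="(?P<event>FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",'
    r'.*?,RemoteAddress="IPV4/(?:UDP|TCP|TLS|WS)/(?P<host>\d{1,3}(?:\.\d{1,3}){3})/\d+"'
)

def parse_event(line):
    """Return (timestamp, event, remote_ip) for a matching failure record, else None."""
    # Records pasted from a web page often carry typographic quotes; normalise them first.
    line = line.replace("\u201c", '"').replace("\u201d", '"').strip()
    m = SECURITY_EVENT_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("event"), m.group("host")

def find_offenders(lines, maxretry=5, findtime=600):
    """Return the set of remote IPs that reach maxretry failures inside any findtime-second window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)  # host -> failure timestamps still inside the window
    banned = set()
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue  # successful auth, other services, or a line the regex does not cover
        ts, _event, host = parsed
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

def make_record(ts, host, event="InvalidPassword"):
    # Constructed sample record in the same shape as the log line quoted in the post.
    return (f'[{ts}] SECURITY[3024] res_security_log.c: SecurityEvent="{event}",EventTV="0-0",'
            f'Severity="Error",Service="SIP",EventVersion="2",AccountID="508",SessionID="0x0",'
            f'LocalAddress="IPV4/UDP/192.168.1.14/5060",RemoteAddress="IPV4/UDP/{host}/5060"')

SAMPLE_LOG = [make_record(f"2015-06-08 10:2{i}:00", "192.168.1.16") for i in range(5)] + [
    make_record("2015-06-08 10:25:30", "192.168.1.99"),
    make_record("2015-06-08 10:26:00", "192.168.1.16", event="SuccessfulAuth"),
]
```

Running `find_offenders(SAMPLE_LOG)` flags only 192.168.1.16; tightening findtime to 120 seconds flags nobody, which is the kind of threshold mismatch worth ruling out alongside the backend and filter-file problems described above.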