Huge brute force attack since 6AM this morning Fail2Ban does not work?

Hello,

My log is filled with more than 200,000 lines like this:

[2023-02-19 07:50:51] NOTICE[1120] chan_sip.c: Registration from '"101" <sip:[email protected]>' failed for '45.93.16.218:56950' - Wrong password
[2023-02-19 07:50:51] NOTICE[1120] chan_sip.c: Registration from '"101" <sip:[email protected]>' failed for '45.93.16.218:56950' - Wrong password
[2023-02-19 07:50:51] NOTICE[1120] chan_sip.c: Registration from '"101" <sip:[email protected]>' failed for '45.93.16.218:56950' - Wrong password
[2023-02-19 07:50:51] NOTICE[1120] chan_sip.c: Registration from '"101" <sip:[email protected]>' failed for '45.93.16.218:56950' - Wrong password
[2023-02-19 07:50:51] NOTICE[1120] chan_sip.c: Registration from '"101" <sip:[email protected]>' failed for '45.93.16.218:56950' - Wrong password
[2023-02-19 07:50:51] NOTICE[1120] chan_sip.c: Registration from '"101" <sip:[email protected]>' failed for '45.93.16.218:56950' - Wrong password
[2023-02-19 07:50:51] NOTICE[1120] chan_sip.c: Registration from '"101" <sip:[email protected]>' failed for '45.93.16.218:56950' - Wrong password
[2023-02-19 07:50:51] NOTICE[1120] chan_sip.c: Registration from '"101" <sip:[email protected]>' failed for '45.93.16.218:56950' - Wrong password
[2023-02-19 07:50:51] NOTICE[1120] chan_sip.c: Registration from '"101" <sip:[email protected]>' failed for '45.93.16.218:56950' - Wrong password
[2023-02-19 07:50:51] NOTICE[1120] chan_sip.c: Registration from '"101" <sip:[email protected]>' failed for '45.93.16.218:56950' - Wrong password
[2023-02-19 07:50:51] NOTICE[1120] chan_sip.c: Registration from '"101" <sip:[email protected]>' failed for '45.93.16.218:56950' - Wrong password
[2023-02-19 07:50:51] NOTICE[1120] chan_sip.c: Registration from '"101" <sip:[email protected]>' failed for '45.93.16.218:56950' - Wrong password
[2023-02-19 07:50:51] NOTICE[1120] chan_sip.c: Registration from '"101" <sip:[email protected]>' failed for '45.93.16.218:56950' - Wrong password
[2023-02-19 07:50:51] NOTICE[1120] chan_sip.c: Registration from '"101" <sip:[email protected]>' failed for '45.93.16.218:56950' - Wrong password
[2023-02-19 07:50:51] NOTICE[1120] chan_sip.c: Registration from '"101" <sip:[email protected]>' failed for '45.93.16.218:56950' - Wrong password

I am using FreePBX 15 (updated yesterday).

Max Retry for Intrusion Detection is set to 5.

Then why isn’t this IP banned after 5 unsuccessful attempts?

Do you use responsive firewall?

Fail2ban detects 'changes' on logfiles using the backend configured:

### Log scanning

The fail2ban service supports both file polling or more efficient file modification notifications; when pyinotify or gamin is installed and the user did not change the `backend` directive, then pyinotify or gamin will be used, otherwise polling is done. This can of course be configured in /etc/fail2ban/jail.conf.

(Current versions use systemd for speed and efficiency.)

Installing pyinotify will greatly speed up its response lag to such floods.


Why are the 45.93.xx.xx addresses allowed in at all?

Are you using chan_sip? If so, why?

Based on no port number in the From, I assume that the attackers are sending REGISTER requests to port 5060. But by default, chan_sip listens on port 5160. Did you change this? If so, why did you choose 5060, rather than a random high port?

Because it is 5 attempts every X seconds. Fail2ban reads logs, which means log entries have to exist. Not only that, it only looks at the logs every X seconds to find these. So an attacker can hit you, do damage, and then fail2ban will catch up and block them for future attempts.

The Fail2ban backend behavior you describe is 'polling'. pyinotify and gamin react quicker to FILEWRITE events; if you have neither available it will indeed 'poll' the log file. But even with pyinotify as the backend, there is a latency between matching the regex and adding the firewall rules which makes such 'flooding' a little slow. That latency has been greatly improved in current versions of Fail2ban using the 'systemd' backend.
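To make the point of the two replies above concrete (the scan interval and the regex-to-firewall-rule latency decide how many attempts land before the ban), here is an added Python model written for this page; it is not FreePBX's or fail2ban's own code. It parses chan_sip "Wrong password" lines of the exact shape posted in the thread, keeps a per-host maxretry/findtime window the way a jail does, and reports how many attempts each banned host got through for a given scan interval and rule-insertion latency. The regex is modelled on the stock asterisk filter but is not a copy of it and only matches IPv4 hosts; the sample log lines, the second host 203.0.113.7 and the domain pbx.example.invalid are constructed for the example.

```python
"""Added example: how scan interval and rule latency bound the attempts a
REGISTER flood lands before a polling jail bans the source. Not project code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Timestamp and source host of a chan_sip registration failure, in the format
# shown in the thread. Written for this example (modelled on, not copied from,
# fail2ban's filter.d/asterisk.conf); IPv4 hosts only.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '[^']*' failed for '(?P<host>[0-9.]+)(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found|Username/auth name mismatch)"
)


def parse_line(line):
    """Return (timestamp, host) for a matching failure line, else None."""
    m = FAILED_REG.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("host")


def failures(host, start, count, step_ms, first_arrival_ms=0):
    """Constructed sample log: `count` failures from `host`, one every `step_ms`.
    Yields (arrival_ms, line): when the line is appended to the log, and the line."""
    for i in range(count):
        ts = start + timedelta(milliseconds=i * step_ms)
        # pbx.example.invalid is a placeholder; the thread's domain was obfuscated.
        line = (f"[{ts:%Y-%m-%d %H:%M:%S}] NOTICE[1120] chan_sip.c: Registration from "
                f"'\"101\" <sip:101@pbx.example.invalid>' failed for '{host}:56950' - Wrong password")
        yield first_arrival_ms + i * step_ms, line


def simulate(events, maxretry=5, findtime_s=600, poll_interval_ms=1000, rule_latency_ms=0):
    """Model a log-polling jail over `events` = [(arrival_ms, line), ...].

    Every poll_interval_ms the scanner reads the lines appended since the last
    poll, counts failures per host inside a findtime window keyed on the line's
    own timestamp (as fail2ban does), and once maxretry is reached the ban rule
    becomes active at poll time + rule_latency_ms.
    Returns {host: {"banned_at_ms": int, "attempts_before_ban": int}}.
    """
    parsed = []
    for arrival_ms, line in events:
        hit = parse_line(line)
        if hit is not None:
            parsed.append((arrival_ms, hit[0], hit[1]))
    parsed.sort(key=lambda e: e[0])

    window = defaultdict(deque)   # host -> timestamps of recent failures
    banned = {}
    idx, poll = 0, poll_interval_ms
    while idx < len(parsed):
        # One scan: consume everything that hit the log before this poll.
        while idx < len(parsed) and parsed[idx][0] <= poll:
            _, ts, host = parsed[idx]
            idx += 1
            if host in banned:
                continue
            q = window[host]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > findtime_s:
                q.popleft()            # drop failures older than findtime
            if len(q) >= maxretry:
                banned[host] = {"banned_at_ms": poll + rule_latency_ms}
        poll += poll_interval_ms

    # What each banned host got through before its rule was actually active.
    for host, info in banned.items():
        info["attempts_before_ban"] = sum(
            1 for a, _, h in parsed if h == host and a < info["banned_at_ms"])
    return banned


def demo():
    """A 100/s flood (as in the thread) next to a slow host that never
    reaches 5 failures inside findtime, under three scanner settings."""
    start = datetime(2023, 2, 19, 7, 50, 51)
    events = list(failures("45.93.16.218", start, 300, 10))        # 100/s for 3 s
    events += list(failures("203.0.113.7", start, 6, 200_000))     # one every 200 s
    return {
        "poll_1s": simulate(events, poll_interval_ms=1000),
        "poll_100ms": simulate(events, poll_interval_ms=100),
        "poll_100ms_latency_300ms": simulate(events, poll_interval_ms=100, rule_latency_ms=300),
    }


if __name__ == "__main__":
    for setting, result in demo().items():
        print(setting, result)
```

With a one-second scan the 100/s flooder lands 100 attempts before the rule exists; a 100 ms scan cuts that to 10, and adding 300 ms of rule-insertion latency pushes it back to 40. The slow host is never banned because no five of its failures fall inside one findtime window, which is the "5 attempts every X seconds" behaviour the reply describes.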

No, because I was afraid it would delete the rules I put in iptables.
I have to tag RTP packets in DSCP 46 and it is not possible to do it in a simple way on FreePBX.

I have more than 400 extensions and modifying pjsip.endpoint_custom_post.conf for each extension to add tos_audio=ef is really not practical.
