Intrusion Detection / Fail2Ban not working

Hey all,
I know this has been discussed a few times but not recently and none of the previous discussions have a resolution that works.
I installed a fresh clean freepbx distro 2 days ago.
Now that my PBX is live and working, I am seeing in the logs and on the asterisk cli, lots of failed login or connection attempts that have no matching endpoint. Fail2ban is missing these all the time.
/var/log/asterisk/fail2ban has the attempts logged in it with the 3 lines of log as below:

asterisk/fail2ban:[2014-10-10 19:00:14] SECURITY[2064] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2014-10-10T19:00:14.240+0100",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="301",SessionID="809824910d8a21f0f0673d275c198042",LocalAddress="IPV4/UDP/myip/5060",RemoteAddress="IPV4/UDP/script kiddie ip/5090"
asterisk/fail2ban:[2014-10-10 19:00:14] SECURITY[2064] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2014-10-10T19:00:14.241+0100",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="<unknown>",SessionID="809824910d8a21f0f0673d275c198042",LocalAddress="IPV4/UDP/My Ip/5060",RemoteAddress="IPV4/UDP/Script Kiddie Ip/5090",Challenge="1412964014/86152e7e6c96359bcdbdd31f54dc2836",Response="2c4401497f39074b4e4a91722b92d78d",ExpectedResponse=""
asterisk/fail2ban:[2014-10-10 19:00:14] NOTICE[10669] res_pjsip/pjsip_distributor.c: Request from '"301" <sip:[email protected] Ip>' failed for 'Script Kiddie IP:5090' (callid: 809824910d8a21f0f0673d275c198042) - No matching endpoint found

This (to me) means that the log is seeing the attempt and is clearly identifying it but the fail2ban is not catching it. I am not sure if fail2ban is looking in the wrong place?

There is a /var/log/fail2ban log that seems to have different ban and find times to what I see on the system admin module page. That page seems to tie up with jail.local and that is pointing at the
`logpath = /var/log/asterisk/fail2ban

I am seeing about 20 to 25 attempts at a time from the attempts to login and nothing in jail or in the banned IPs on the sys admin module.

Just to add:
service fail2ban status
Fail2ban (pid 9940) is running…
Status
|- Number of jail: 7
`- Jail list: apache-tcpwrapper, recidive, pbx-gui, apache-badbots, ssh-iptables, asterisk-iptables, vsftpd-iptables

 iptables -nL

Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-FTP tcp – 0.0.0.0/0 0.0.0.0/0
fail2ban-PBX-GUI all – 0.0.0.0/0 0.0.0.0/0
fail2ban-apache-auth tcp – 0.0.0.0/0 0.0.0.0/0
fail2ban-SIP all – 0.0.0.0/0 0.0.0.0/0
fail2ban-BadBots tcp – 0.0.0.0/0 0.0.0.0/0
fail2ban-SSH tcp – 0.0.0.0/0 0.0.0.0/0
fail2ban-recidive all – 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-BadBots (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-FTP (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-PBX-GUI (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SIP (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-apache-auth (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-recidive (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0

As this is a brand new install I don’t think I have messed anything up ?

Cheers
Ja`

It’s a bug, PJSIP on freepbx is still experimental.

You can edit /etc/fail2ban/filter.d/asterisk-security.conf and change all (SIP|IAX) to (SIP|PJSIP|IAX). This will make the trick…