Is my system under attack? fail2ban emails

I just got the 2 emails below, and I’m worried the freepbx machine may be under attack. The only ports I have open on the firewall are 5060 and 10000 to 20000. My guess is someone is trying to authenticate on my extensions. I have difficult passwords, but should I do something about this?

Hi,
The IP 212.129.12.224 has just been banned by Fail2Ban after
30 attempts against SIP on localhost.
Regards,
Fail2Ban

Hi,
The IP 46.29.161.161 has just been banned by Fail2Ban after
666 attempts against SIP on localhost.
Regards,
Fail2Ban

Are you behind a NAT firewall?
Then open port 5060 only to known IP addresses, e.g. those that your voice service provider is sending traffic from.

There is also a built in Freepbx firewall that can be used.

I can't open 5060 to only known IP addresses because the softphones could be connected from a home or work internet connection, or 3G/4G networks from multiple providers.

If I enable the freepbx firewall, won't it still open 5060 to allow the softphones to connect?

You can use the FreePBX responsive firewall for this, it’s built for that.
https://wiki.freepbx.org/plugins/servlet/mobile?contentId=52068495#content/view/52068495


+1 If you must have open ports, the responsive firewall is a good choice. It lets good guys and bad guys attempt a few logins, and then it blocks them. If your passwords are strong, this is reasonable protection because it slows them down so much that it would take them decades to finally guess the right password.

If it’s possible for you to close that port or do limited whitelisting, that would be much better. For example, if your phones support VPN, you could use that instead of port forwarding. Or, if you cared to build a simple webpage where users can click a button that says “Add my IP to the whitelist” and then it adds a rule to your firewall, that could work too.

If you have a port open, hackers will test it.

Isn’t fail2ban doing the exact same thing?

Fail2ban seems to be SSH attempts and web access attempts. After so many failed attempts it blocks them. I think most public systems are attacked, I know ours get tons. The fail2ban creates an attack limiter which prevents brute forcing and makes your attackers look for a softer target.

It's probably under attack like the Dutch are under attack by the ocean.

Fail2Ban IS doing it. The Responsive Firewall is using F2B to make this happen.

No it also blocks sip attacks.

But what if fail2ban is enabled, and the firewall disabled. Isn't the result the same?

I could be wrong, but yes. Fail2ban basically does the same thing as the Responsive Firewall. From what I read, the RF is more active and customized for VoIP traffic, where F2B is more passive because it waits for the failures to be logged and reacts to the logs. RF can block attackers who send any kind of non-allowed SIP packets, but F2B only blocks attackers who fail to log in multiple times. Some people find RF easier, some prefer F2B.

This is not the case.

Responsive firewall tracks inbound SIP packets from non-registered hosts using iptables. If an abuser is detected, iptables first throttles the SIP packets from the host, and if the abuse continues the host is blocked by iptables.

fail2ban tracks intrusion events only after they’ve been logged in the various log files on the system, and if an abuser is detected, the host is blocked by iptables.

So the end result is mostly the same, but the mechanism to get there is very different. The two can operate independently on the same system.


And with responsive firewall (and freepbx firewall in general) enabled, is fail2ban disabled then or still running as before?

You know, here is a Christmas Wish - MAN it would be cool to have all my boxes tell each other about the scumbags out there - even better, how about a feature in FreePBX that would block these scumbags automatically.


It would be pretty easy to filter out the incorrectly configured phones (One IP trying to register the same extension with the same password over and over) versus the Crackers (One IP trying to register MULTIPLE extensions with MULTIPLE passwords) and not ban the oopsies!

I would pay for this…
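As an added illustration (not code from FreePBX, fail2ban or anyone in this thread), the following shows the two mechanisms discussed above in miniature: the log-driven counting that fail2ban does, plus the "misconfigured phone vs. cracker" split suggested in the post above. The log lines, IPs, extensions and the maxretry value of 3 are all constructed assumptions for the example; a real jail would add an iptables rule where this returns "ban".

```python
import re
from collections import defaultdict

# Constructed sample, loosely modelled on Asterisk security-log failures. The
# line layout, IPs (documentation ranges) and extensions are made up here.
SAMPLE_LOG = """\
SECURITY[1] InvalidPassword: RemoteAddress="IPV4/UDP/203.0.113.10/5060",AccountID="201"
SECURITY[1] InvalidPassword: RemoteAddress="IPV4/UDP/198.51.100.7/5060",AccountID="100"
SECURITY[1] InvalidPassword: RemoteAddress="IPV4/UDP/203.0.113.10/5060",AccountID="201"
SECURITY[1] InvalidPassword: RemoteAddress="IPV4/UDP/198.51.100.7/5060",AccountID="101"
SECURITY[1] InvalidPassword: RemoteAddress="IPV4/UDP/203.0.113.10/5060",AccountID="201"
SECURITY[1] InvalidPassword: RemoteAddress="IPV4/UDP/198.51.100.7/5060",AccountID="102"
SECURITY[1] InvalidPassword: RemoteAddress="IPV4/UDP/192.0.2.55/5060",AccountID="300"
SECURITY[1] InvalidPassword: RemoteAddress="IPV4/UDP/192.0.2.55/5060",AccountID="300"
"""

# Only the source IP and the account (extension) are pulled out; the password
# itself is never logged, so the spread of extensions is the usable signal.
LINE_RE = re.compile(
    r'InvalidPassword: RemoteAddress="IPV4/UDP/(?P<ip>[\d.]+)/\d+",AccountID="(?P<acct>[^"]+)"'
)

def tally(log_text):
    """Map each source IP to the list of extensions it failed against, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits[m["ip"]].append(m["acct"])
    return hits

def classify(attempts, maxretry=3):
    """fail2ban-style threshold, then the misconfigured-vs-cracker split from the thread."""
    if len(attempts) < maxretry:
        return "watch"          # under the threshold, no action yet
    if len(set(attempts)) == 1:
        return "misconfigured"  # one IP hammering one extension: likely a phone with a stale password
    return "ban"                # one IP walking many extensions: credential guessing

def decide(log_text, maxretry=3):
    """Verdict per IP; 'ban' is where a real jail would add the iptables rule."""
    return {ip: classify(tried, maxretry) for ip, tried in tally(log_text).items()}

if __name__ == "__main__":
    for ip, verdict in decide(SAMPLE_LOG).items():
        print(f"{ip:>15}  {verdict}")
```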

CSF/LFD provides both clustering and can detect many kinds of port scanning/connection tracking. Also it supports blacklists and ipsets and coexists very nicely with fail2ban. Price is within your range also :wink:

I personally care to ban the whole network of a confirmed rogue IP as an efficiency measure; you can script that with the help of

https://programtalk.com/vs2/?source=python/11742/ipwhois/ipwhois/ipwhois.py

Nice - I will look at both - it's one of the things I like about our SonicWALLs - Geo-IP Isolation - have to keep the US open, but the rest of the world is blocked from even trying - gets rid of about 97% of the hacking attempts.

GeoIP ipsets are also built in to CSF.

The responsive firewall seems to ban people upon failed SIP attempts. Not sure if it bans on anything else but I find myself in its ban list only when I do bad sip registrations.

Fail2Ban has banned me for repeated bad SSH logins and for trying to access a password-protected provisioning file while failing to input the correct details multiple times.