Yes, the issue is with how many attempts they make: they hit your system so fast that it could not block them after 5, as they hit you 136 times instantly, and fail2ban has to parse the logs after it happens to block people.
If you are not trying to have remote phones register, why don't you disable the legacy SIP setting on the Responsive Firewall tab? I think this will block all SIP attempts except for those coming from known IPs.
If you don’t have remote phones, don’t allow the SIP ports at all.
If you need SIP for your VoIP provider, whitelist them and block the ports specifically. Same with remote phones with static IP addresses.
If you have remote phones that don’t have static IP addresses, change the ports that you use for SIP from 5060 and 5061 to something completely different (12834 and 18725 work fine). Security through obscurity isn’t preventative, but it will mitigate your exposure to script kiddies.
I am not sure I understand what you are saying. Are you saying that you can log into the FreePBX admin panel from the internet? If yes, then 1) do you have your interfaces marked as external, and 2) how have you set your Web Management and Web Management (Secure) services in the firewall?
I set the NIC to external and set SIP services to external and internal, as I have outside clients. I set UCP to be external and internal, HTTP web management to internal, and HTTPS web management to external and internal.
Now, my remote clients can log in.
UCP is not accessible from the external network, and neither is web management (which is set to that). That remains the same even if I have a registered SIP client on the same network from where I try to access UCP. It looks like I need to set web management to external before UCP becomes available as well. Is that how it is supposed to work?
Bad practice to set SIP services to external. Leave it set to external, but enable the SIP service on the Responsive Firewall tab. This will allow external clients to attempt to register a couple of times before banning them. Once registered, things like UCP will also become available to those clients.
[2016-06-15 11:42:20] NOTICE: chan_sip.c:28446 handle_request_register: Registration from '1003 <sip:[email protected]>' failed for '220.127.116.11:51364' - Wrong password
When I disabled the firewall (Settings -> System Firewall -> Disable Firewall), after 5 retries the IP is indeed blocked and I get an email.
When I enable it, the IP is not blocked and it continues trying to authenticate. Shouldn't it get blocked?
On the "Responsive Firewall" menu, Legacy SIP (chan_sip) (which works on 5060) is set to disabled. If I understood correctly, disabled means that after 5 retries (or as many as you have set in Intrusion Detection) the IP will be blocked and it will not be rate limited.
EDIT: A bit more on my network setup. My PBX has eth0 with a private IP, and on the Interfaces menu eth0 is set to Internal. From my router I forward 5060-5070 TCP / 10000-20000 UDP to the PBX IP address (so remote clients can register).
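To make the two points raised in this thread concrete (the log-based banner can only react after the failures are already written, and a fast burst gets every attempt in before the fifth-failure ban lands), here is an added example that is not from the thread or from FreePBX/fail2ban. It parses chan_sip "Registration from ... failed for 'IP:port'" lines in the shape quoted above and simulates a fail2ban-style maxretry/findtime decision. The log lines and the IPs (203.0.113.x, 198.51.100.x) are constructed for the example, and the ban logic is an approximation of fail2ban's counter, not its actual code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Pattern for a chan_sip REGISTER failure in the Asterisk log, shaped after the
# line quoted in the thread. Asterisk prints either "NOTICE:" or "NOTICE[pid]:".
FAIL_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE[^:]*: "
    r"chan_sip\.c:\d+ handle_request_register: "
    r"Registration from '(?P<who>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - (?P<reason>.+)$"
)


def _constructed_log():
    """Constructed sample log (not taken from the thread): one host fires 12 bad
    REGISTERs inside a single second, a second host sends 3 spread over 3 seconds."""
    lines = []
    for port in range(51364, 51376):  # 12 attempts, all stamped 11:42:20
        lines.append(
            "[2016-06-15 11:42:20] NOTICE[2301]: chan_sip.c:28446 handle_request_register: "
            "Registration from '1003 <sip:1003@198.51.100.10>' failed for "
            f"'203.0.113.5:{port}' - Wrong password"
        )
    for sec in (1, 2, 3):  # 3 attempts, one per second, stays under maxretry
        lines.append(
            f"[2016-06-15 11:43:0{sec}] NOTICE[2301]: chan_sip.c:28446 handle_request_register: "
            "Registration from '2001 <sip:2001@198.51.100.10>' failed for "
            "'203.0.113.9:5060' - No matching peer found"
        )
    return lines


SAMPLE_LOG = _constructed_log()


def parse_failures(lines):
    """Yield (timestamp, source_ip, reason) for every REGISTER failure line."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["reason"]


def simulate_log_bans(lines, maxretry=5, findtime=600):
    """Approximate a fail2ban jail: ban an IP once it has `maxretry` failures
    within `findtime` seconds (assumed defaults, not FreePBX's configured values).

    Returns {ip: (ban_time_or_None, total_attempts, attempts_landed_before_ban)}.
    The last field counts attempts stamped at or before the banning second: a
    tool that tails the log cannot block those, they are already in the PBX.
    """
    window = defaultdict(deque)   # recent failure timestamps per IP
    all_events = defaultdict(list)
    ban_time = {}
    for ts, ip, _reason in parse_failures(lines):
        all_events[ip].append(ts)
        if ip in ban_time:
            continue  # already banned; later lines just show what slipped through
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # drop failures outside the findtime window
        if len(q) >= maxretry:
            ban_time[ip] = ts
    result = {}
    for ip, events in all_events.items():
        if ip in ban_time:
            bt = ban_time[ip]
            result[ip] = (bt, len(events), sum(1 for e in events if e <= bt))
        else:
            result[ip] = (None, len(events), 0)
    return result


if __name__ == "__main__":
    for ip, (bt, total, landed) in simulate_log_bans(SAMPLE_LOG).items():
        state = f"banned at {bt:%H:%M:%S}" if bt else "not banned"
        print(f"{ip}: {total} failures, {state}, {landed} attempts landed before the ban could act")
```

Running it shows the burst host gets banned on its fifth failure, yet all 12 attempts carry the same second stamp and so all 12 reached Asterisk; the slow host never reaches the threshold. That is exactly why a 136-attempt burst is "blocked" only on paper when the ban is driven by log parsing, and why keeping SIP off the open ports (or restricting it to known IPs) is the control that actually stops the attempts from arriving.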