Responsive firewall/fail2ban update

This is an update to my post below, which is unfortunately locked.

Today I found a hostname entry in the responsive firewall whitelist on the Intrusion Detection tab. I didn’t put it there and I didn’t know it would accept, much less work with a host name. I removed the host name and now the list of banned IPs on that page is matching the emails I’m getting from fail2ban.

I’m sure this will tamp down the brute-force attempts on SIP and the avalanche of emails from fail2ban, but it leaves me wondering how that host got there (unfortunately I didn’t record it, but the TLD was cz), and why that field accepts and uses host names when the help for it explicitly says “list IP addresses”.

This entry was created automatically when the Sangoma Connect module was installed; it’s used to allow registrations for push notifications to Sangoma Talk mobile. Further reading: Sangoma Documentation

This should definitely be spelled out in the help popup for that field, both that it accepts FQDNs and that this entry using a Czech Republic TLD is expected. Presumably someone monitors the IPs associated with the FQDN to make sure bad actors aren’t using it to skirt the firewall?

We’ve seen dozens to hundreds of fail2ban notifications for months on this install and no entries in the Responsive Firewall ban list. Now that ban list is growing and the fail2ban emails are slowing.

At this point I’d say either push wasn’t working because IPs using that TLD were getting blocked by fail2ban, or that something is amiss with the config because fail2ban shouldn’t block valid communication.
(edit to change should to shouldn’t)

Is this the page you’re talking about?

I’m talking about this:


Understood. I will create a ticket to address that.


THANK YOU!

Yes, I know the Networks tab field will accept an FQDN, and that is extremely helpful as in several locations we only allow SangomaConnect to register from hosts included in a dynamic DNS IP list.

Still don’t understand whether there is an issue here with fail2ban blocking approximately 100 IPs per day until I removed that FQDN from the Intrusion Detection whitelist.
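The open question in this thread is whether the addresses fail2ban was banning overlap with what the whitelist FQDN resolved to. The script below is an added example written for this post, not FreePBX, Sangoma or fail2ban code: it parses fail2ban "Ban" log events, expands a whitelist that may hold IPs, CIDRs or FQDNs, and reports which bans hit a whitelisted address. The log lines, the whitelist, the hostname `push.example.invalid` (a placeholder for the entry the thread mentions) and the DNS answers in `fake_resolver` are all constructed for the demonstration; `system_resolver` is what you would pass in against a live box.

```python
"""Cross-check fail2ban ban events against a whitelist that may contain FQDNs.

Added example, not FreePBX/Sangoma/fail2ban code. Sample log lines, whitelist
entries and DNS answers below are constructed for the demonstration.
"""
import ipaddress
import re
import socket
from typing import Callable, Iterable, List, Tuple

# fail2ban's default "Ban" log line looks like:
# "2024-03-01 08:15:02,417 fail2ban.actions [812]: NOTICE [asterisk-iptables] Ban 203.0.113.5"
BAN_RE = re.compile(r"NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>[0-9a-fA-F.:]+)")

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve a hostname with the OS resolver (live DNS; not used by the test)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def parse_bans(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (jail, ip) pairs for every 'Ban' event; 'Unban' lines are ignored."""
    bans = []
    for line in log_lines:
        m = BAN_RE.search(line)
        if m:
            bans.append((m.group("jail"), m.group("ip")))
    return bans


def expand_whitelist(entries: Iterable[str], resolver: Resolver) -> List[ipaddress._BaseNetwork]:
    """Turn whitelist entries (IPs, CIDRs or FQDNs) into network objects.

    An FQDN is resolved at check time, so the result reflects what the name
    points at *now*: a whitelist holding a name is only as trustworthy as the
    DNS behind it, which is the monitoring concern raised in the thread.
    """
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
            continue
        except ValueError:
            pass  # not an IP or CIDR, treat it as a hostname
        for addr in resolver(entry):
            nets.append(ipaddress.ip_network(addr))
    return nets


def whitelisted_bans(log_lines: Iterable[str], entries: Iterable[str],
                     resolver: Resolver = system_resolver) -> List[Tuple[str, str]]:
    """List the bans that hit an address the whitelist was meant to allow."""
    nets = expand_whitelist(entries, resolver)
    hits = []
    for jail, ip in parse_bans(log_lines):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            hits.append((jail, ip))
    return hits


# Constructed sample data (documentation-range addresses, placeholder hostname).
SAMPLE_LOG = [
    "2024-03-01 08:15:02,417 fail2ban.actions [812]: NOTICE [asterisk-iptables] Ban 203.0.113.5",
    "2024-03-01 08:15:09,002 fail2ban.actions [812]: NOTICE [asterisk-iptables] Ban 198.51.100.77",
    "2024-03-01 08:16:44,120 fail2ban.actions [812]: NOTICE [asterisk-iptables] Unban 203.0.113.5",
    "2024-03-01 08:20:31,555 fail2ban.actions [812]: NOTICE [sshd] Ban 192.0.2.200",
]
WHITELIST = ["192.0.2.0/24", "push.example.invalid"]  # hostname stands in for the FQDN in the thread


def fake_resolver(name: str) -> List[str]:
    """Constructed DNS answers so the example runs offline."""
    return {"push.example.invalid": ["203.0.113.5", "203.0.113.6"]}.get(name, [])


if __name__ == "__main__":
    for jail, ip in whitelisted_bans(SAMPLE_LOG, WHITELIST, fake_resolver):
        print(f"ban in jail {jail} hit whitelisted address {ip}")
```

Against a real install, feed it the lines of `/var/log/fail2ban.log` and the entries copied from the Intrusion Detection whitelist, and let `system_resolver` do the lookup; an empty result means fail2ban was banning addresses unrelated to the FQDN, while hits mean the two layers disagree about the same hosts. Because an FQDN can change its addresses at any time, re-running the check periodically is more useful than a single run.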
