Responsive firewall/fail2ban update

This is an update to my post below, which is unfortunately locked.

Today I found a hostname entry in the responsive firewall whitelist on the Intrusion Detection tab. I didn’t put it there and I didn’t know it would accept, much less work with a host name. I removed the host name and now the list of banned IPs on that page is matching the emails I’m getting from fail2ban.

I’m sure this will tamp down the brute-force attempts on SIP and the avalanche of emails from fail2ban, but it leaves me wondering how that host got there (unfortunately I didn’t record it, but the TLD was cz), and why that field accept and uses host names when the help for it explicitly says “list IP addresses”.

This entry was created automatically when the Sangoma Connect module was installed, it’s used to allow registrations for push notifications to Sangoma Talk mobile. Further reading: Technical Details - Sangoma Talk (Connect) - Documentation

This should definitely be spelled out in the help popup for that field, both that it accepts FQDNs and that this entry using a Czech Republic TLD is expected. Presumably someone monitors the IPs associated with the FQDN to make sure bad actors aren’t using it to skirt the firewall?

We’ve seen dozens to hundreds of fail2ban notifications for months on this install and no entries in the Responsive Firewall ban list. Now that ban list is growing and the fail2ban emails are slowing.

At this point I’d say either push wasn’t working because IPs using that TLD were getting blocked by fail2ban, or that something is amiss with the config because fail2ban shouldn’t block valid communication.
(edit to change should to shouldn’t)

Is this the page you’re talking about?

I’m talking about this:

1 Like

Understood. I will create a ticket to address that.

1 Like


Yes, I know the Networks tab field will accept an FQDN, and that is extremely helpful as in several locations we only allow SangomaConnect to register from hosts included in a dynamic DNS IP list.

Still don’t understand whether there is an issue here with fail2ban blocking approximately 100 IPs per day until I removed that FQDN from the Intrusion Detection whitelist.

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.