This is an update to my post below, which is unfortunately locked.
Today I found a hostname entry in the responsive firewall whitelist on the Intrusion Detection tab. I didn’t put it there and I didn’t know it would accept, much less work with a host name. I removed the host name and now the list of banned IPs on that page is matching the emails I’m getting from fail2ban.
I’m sure this will tamp down the brute-force attempts on SIP and the avalanche of emails from fail2ban, but it leaves me wondering how that host got there (unfortunately I didn’t record it, but the TLD was cz), and why that field accepts and uses host names when the help for it explicitly says “list IP addresses”.
This should definitely be spelled out in the help popup for that field, both that it accepts FQDNs and that this entry using a Czech Republic TLD is expected. Presumably someone monitors the IPs associated with the FQDN to make sure bad actors aren’t using it to skirt the firewall?
We’ve seen dozens to hundreds of fail2ban notifications for months on this install and no entries in the Responsive Firewall ban list. Now that ban list is growing and the fail2ban emails are slowing.
At this point I’d say either push wasn’t working because IPs using that TLD were getting blocked by fail2ban, or something is amiss with the config, because fail2ban shouldn’t block valid communication.
(edit to change should to shouldn’t)