Sangoma Firewall banning "work from home" folks with Sangoma phones

I spent a ton of time trying to track down what might be causing this. I connected an s705 last week Friday, in the hopes that if the problem occurred for me I could trace down the issue before I had to deploy the phone to the customer. I thought I was out of the woods until I came in yesterday morning and found the phone had been blocked.

It appears, at least in my case, that it is unrelated to fail2ban. The rules that are initiating the ban seem to be derived strictly from iptables. Basically, once a phone registers, an iptables rule is created allowing most traffic from that IP. Once the phone is unregistered, depending on where the firewall monitoring system is in its cycle, that iptables rule is removed. Then the phone is forced to go through the various rules to see if the first few packets initiate a SIP registration, after which the iptables rule is re-added.

By default, none of this is logged, so it makes troubleshooting this issue difficult after the fact. However, based on my interpretation of the iptables rules, what I believe is happening is that after this whitelist rule is removed when a phone has been unregistered, the phone may not realize it, and either SIP packets or the various other traffic related to the rest-apps could still be hitting the PBX while it is in this unregistered state, causing the ban.

To try to circumvent this, I created a couple of iptables rules that continuously whitelist registered IPs for 90 seconds, so that 90 seconds after a phone is unregistered, the PBX will still accept packets from that device and allow it to re-register before another ban is initiated.

This fix has not been put through any extensive testing, so I’m curious to get any and all input from the community. As of right now, this s705 appears to be staying registered, and hack attempts are still getting blocked, but I’ve only had this fix deployed for the last 3 hours.

Here are the additional rules to add to /etc/firewall-4.rules:

-I fpbxknownreg -m recent --set --name KNOWNREG --mask 255.255.255.255 --rsource
-I fpbxfirewall -m recent --update --name KNOWNREG --seconds 90 --reap --mask 255.255.255.255 --rsource -j ACCEPT
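To make the behaviour of those two rules concrete, here is a small simulation I put together for this note; it is a model of the `-m recent` semantics (`--set`, `--update --seconds 90 --reap`) written in Python, not the kernel module and not FreePBX or Sangoma code. The chain names and the 90-second window come from the rules above; the IP addresses, the timeline and the class names are constructed for the example. It walks one phone through register, unregister, continued traffic and then silence, and a second host that never registered.

```python
"""Constructed simulation of the two xt_recent rules from the post, showing how
the KNOWNREG list behaves over time. This is a model written for this note, not
the kernel's xt_recent module and not FreePBX code; chain names and the
90-second window are from the post, the IPs and timeline are made up."""

from dataclasses import dataclass, field

WINDOW_SECONDS = 90  # --seconds 90 in the fpbxfirewall rule


@dataclass
class KnownRegList:
    """Models one named `-m recent` list (here KNOWNREG) keyed by source IP."""
    window: int = WINDOW_SECONDS
    last_seen: dict = field(default_factory=dict)  # src -> time of last matching packet

    def set_entry(self, src, now):
        # `--set`: add the address, or refresh its timestamp if already listed.
        self.last_seen[src] = now

    def update(self, src, now):
        # `--reap`: purge entries not seen within the window before matching.
        self.last_seen = {ip: t for ip, t in self.last_seen.items()
                          if now - t <= self.window}
        # `--update --seconds N`: match only if src is listed and was seen within
        # N seconds; on a match the timestamp is refreshed, so the window slides.
        if src in self.last_seen:
            self.last_seen[src] = now
            return True
        return False


@dataclass
class PbxFirewall:
    """Simplified packet path: registered sources hit fpbxknownreg (which --sets
    KNOWNREG); everything else hits fpbxfirewall, where the --update rule gives
    recently registered sources a grace period before the normal scrutiny."""
    knownreg: KnownRegList = field(default_factory=KnownRegList)
    registered: set = field(default_factory=set)

    def register(self, src):    # PBX adds the per-IP accept rule on registration
        self.registered.add(src)

    def unregister(self, src):  # the firewall monitor removes that rule later
        self.registered.discard(src)

    def packet(self, src, now):
        if src in self.registered:
            self.knownreg.set_entry(src, now)   # fpbxknownreg: -m recent --set
            return "accept-known"
        if self.knownreg.update(src, now):      # fpbxfirewall: --update --seconds 90 -j ACCEPT
            return "accept-grace"
        return "scrutinized"                    # falls through to the remaining rules


def phone_scenario():
    """Constructed timeline (seconds): a phone registers, is unregistered at t=40,
    keeps sending traffic, then goes quiet; a second host was never registered."""
    fw = PbxFirewall()
    phone, other = "203.0.113.10", "198.51.100.7"   # documentation addresses, made up
    fw.register(phone)
    log = []
    log.append((0,   fw.packet(phone, 0)))     # registered -> KNOWNREG set at t=0
    log.append((30,  fw.packet(phone, 30)))    # registered -> timestamp now 30
    fw.unregister(phone)                       # t=40: per-IP accept rule removed
    log.append((50,  fw.packet(other, 50)))    # never listed -> normal rules
    log.append((100, fw.packet(phone, 100)))   # 70 s since t=30 -> grace, timestamp 100
    log.append((180, fw.packet(phone, 180)))   # 80 s since t=100 -> grace again (sliding)
    log.append((300, fw.packet(phone, 300)))   # 120 s of silence -> reaped, scrutinized
    return log


if __name__ == "__main__":
    for t, decision in phone_scenario():
        print(f"t={t:>3}s {decision}")
```

The point the timeline brings out is that `--update` refreshes the timestamp on every matching packet, so the 90 seconds is a sliding window measured from the last packet, not from the moment the phone was unregistered: a host that keeps sending anything at least every 90 seconds stays accepted until it goes quiet, while a host that was never registered gets no grace at all.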

If you’re not sure how to enable custom firewall rules, check my last post here: The issue with let's encrypt certificate updating

Hope this helps, and hopefully this resolves the issue once and for all!
