#5, 22nd May 2010, 18:06
MET
Fail2Ban fails to ban!

I just had another attack. The settings in jail.conf were for manual testing, as sent before:

maxretry = 3
findtime = 300
bantime = 600

The log files show the following:

Asterisk
Code:
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"1249349713"<sip:1249349713@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"100"<sip:100@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"101"<sip:101@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"102"<sip:102@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"103"<sip:103@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"104"<sip:104@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
....
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9994"<sip:9994@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9995"<sip:9995@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9996"<sip:9996@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9997"<sip:9997@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9998"<sip:9998@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9999"<sip:9999@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
Fail2ban:
Code:
2010-05-22 16:04:06,632 fail2ban.actions: WARNING [asterisk-iptables] Ban 76.76.96.74
2010-05-22 16:04:09,130 fail2ban.actions.action: ERROR  printf %b "Hi,\n
The IP 76.76.96.74 has just been banned by Fail2Ban after
11 attempts against ASTERISK.\n\n
Here are more information about 76.76.96.74:\n
`whois 76.76.96.74`\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] ASTERISK: banned 76.76.96.74" Me@My.net returned 7f00
2010-05-22 16:04:09,130 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:10,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:11,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:12,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:13,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:14,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:15,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:16,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:17,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
...
2010-05-22 16:12:55,309 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:56,311 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:57,318 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:58,321 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:14:07,356 fail2ban.actions: WARNING [asterisk-iptables] Unban 76.76.96.74
There are about 40 attacks per second, whereas fail2ban reacts only at about one-second intervals by reporting "already banned".

Fail2ban also added the IP to the file /etc/hosts.deny.

Why then hasn't the IP been blocked?
Any suggestions/recommendations to get it working?

Last edited by MET; 24th May 2010 at 16:57.
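As an added example (not code from the post or from fail2ban itself): a Python replay of the jail settings above (maxretry = 3, findtime = 300) over chan_sip lines in the format quoted in the post, plus a decoder for the hex value in the mail action's "returned 7f00" error. The failregex, the second host 192.0.2.10 and the "is now Reachable" line are constructed for the example, and reading the logged value as a raw wait() status is an assumption about fail2ban 0.8's log format.

```python
import re
from datetime import datetime, timedelta

# Pattern modelled on the chan_sip "No matching peer found" lines in the post (fail2ban-style failregex).
FAIL_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for '(?P<host>[\d.]+)' - No matching peer found$"
)

def parse_failures(lines):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("host")

def ban_decisions(lines, maxretry=3, findtime=300):
    """Replay with the post's jail settings; one (host, ban_time, failures) tuple per newly banned host."""
    window = timedelta(seconds=findtime)
    recent, banned, decisions = {}, set(), []
    for ts, host in parse_failures(lines):
        # keep only failures still inside the findtime window, then add this one
        hits = [t for t in recent.get(host, []) if ts - t <= window] + [ts]
        recent[host] = hits
        if host not in banned and len(hits) >= maxretry:
            banned.add(host)
            decisions.append((host, ts, len(hits)))
    return decisions

def decode_wait_status(hex_status):
    """Decode the hex value logged after 'returned' (assumed to be a raw wait() status):
    exit code in the high byte, signal in the low byte; 127 is the shell's 'command not found'."""
    status = int(hex_status, 16)
    return status >> 8, status & 0x7F

def asterisk_line(ts, user, host):
    """Build a chan_sip NOTICE line in the post's format (constructed sample data)."""
    return ("[%s] NOTICE[29225] chan_sip.c: Registration from '\"%s\"<sip:%s@12.34.56.78>' "
            "failed for '%s' - No matching peer found" % (ts, user, user, host))

# Constructed sample: the scanner from the post, one unrelated NOTICE line, and a second
# host (192.0.2.10) whose failures are spread wider than findtime, so it must not be banned.
SAMPLE_LOG = [
    asterisk_line("2010-05-22 16:04:05", "100", "76.76.96.74"),
    "[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Peer 'phone1' is now Reachable.",
    asterisk_line("2010-05-22 16:04:05", "101", "76.76.96.74"),
    asterisk_line("2010-05-22 16:04:05", "102", "76.76.96.74"),
    asterisk_line("2010-05-22 16:04:06", "200", "192.0.2.10"),
    asterisk_line("2010-05-22 16:04:10", "201", "192.0.2.10"),
    asterisk_line("2010-05-22 16:09:30", "202", "192.0.2.10"),
]
```

With the post's settings only 76.76.96.74 crosses the threshold, and `decode_wait_status("7f00")` gives exit code 127, which is what the shell returns when the `mail` command cannot be found.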