To my knowledge, we didn't change much on our server in the last few months, yet we started receiving mails like this a few months ago. Note that 192.68.X.X is our Linux server running Fail2Ban and Asterisk at the same time.

The IP 192.168.X.X has just been banned by Fail2Ban after 3 attempts against Asterisk-TCP.

Lines containing IP:192.168.X.X in /var/log/asterisk/full

[2013-04-02 21:43:20] NOTICE[5087] chan_sip.c: Failed to authenticate user 210<sip:210@192.168.X.X:5060>;tag=85df70c6
[2013-04-02 21:43:21] NOTICE[5087] chan_sip.c: Failed to authenticate user 210<sip:210@192.168.X.X:5060>;tag=f677dc69
[2013-04-02 21:43:22] NOTICE[5087] chan_sip.c: Failed to authenticate user 210<sip:210@192.168.X.X:5060>;tag=98b6c23c
[2013-04-02 21:43:23] NOTICE[5087] chan_sip.c: Failed to authenticate user 210<sip:210@192.168.X.X:5060>;tag=e3d23ae5
[2013-04-02 21:43:24] NOTICE[5087] chan_sip.c: Failed to authenticate user 210<sip:210@192.168.X.X:5060>;tag=981cb196

Does anyone know what this is all about? It always happens around 9pm, but at that time there's no one in the office. And user 210 is the conference room phone; nobody's really using it. Sometimes there are so many tries that it goes into recidive and the server bans itself for 24 hours. No one in the office is complaining though; everything's working fine. Maybe it's the cleaning lady at 9pm trying something with the phone in the conference room?!

We have 2 jails for Asterisk, TCP and UDP, using iptables-multiport as the action on ports 5060 and 5061.
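
One way to triage log lines like the ones quoted above, as an added example that is not part of the original post: it groups the "Failed to authenticate user" lines by extension and by the host printed in the SIP URI, shows which hour of day they cluster in, and flags groups that reach the 3-attempt threshold from the ban mail. The sample log, the 600-second window and the function names are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the lines quoted above; 192.0.2.10 is a
# documentation address standing in for the masked one, user 300 is made up.
SAMPLE = """\
[2013-04-02 21:43:20] NOTICE[5087] chan_sip.c: Failed to authenticate user 210<sip:210@192.0.2.10:5060>;tag=85df70c6
[2013-04-02 21:43:21] NOTICE[5087] chan_sip.c: Failed to authenticate user 210<sip:210@192.0.2.10:5060>;tag=f677dc69
[2013-04-02 21:43:22] NOTICE[5087] chan_sip.c: Failed to authenticate user 210<sip:210@192.0.2.10:5060>;tag=98b6c23c
[2013-04-02 21:43:23] VERBOSE[5087] pbx.c: unrelated line
[2013-04-03 09:15:02] NOTICE[5087] chan_sip.c: Failed to authenticate user 300<sip:300@192.0.2.10:5060>;tag=0a1b2c3d
[2013-04-03 21:44:10] NOTICE[5087] chan_sip.c: Failed to authenticate user 210<sip:210@192.0.2.10:5060>;tag=e3d23ae5
"""

LINE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\] chan_sip\.c: Failed to authenticate "
    r"user (?P<user>[^<]*)<sip:[^@>]+@(?P<host>[^:;>]+)")

def parse(text):
    """Yield (timestamp, user, host as printed in the SIP URI) per failure line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["user"].strip(' "'), m["host"]

def summarize(text, maxretry=3, findtime=600):
    """Per (user, host): failure count, hour-of-day histogram, and whether any
    `maxretry` failures fall within `findtime` seconds (findtime is assumed)."""
    groups = defaultdict(list)
    for ts, user, host in parse(text):
        groups[(user, host)].append(ts)
    window = timedelta(seconds=findtime)
    report = {}
    for key, stamps in groups.items():
        stamps.sort()
        # Sliding window over sorted timestamps: any maxretry-long run inside it?
        trips = any(stamps[i + maxretry - 1] - stamps[i] <= window
                    for i in range(len(stamps) - maxretry + 1))
        report[key] = {"count": len(stamps), "trips": trips,
                       "hours": Counter(t.hour for t in stamps)}
    return report

if __name__ == "__main__":
    for (user, host), info in summarize(SAMPLE).items():
        print(user, host, info["count"], info["trips"], dict(info["hours"]))
```

Run against the real /var/log/asterisk/full, the hour histogram shows whether the failures really are confined to one time of day and to one extension.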