Whitelisting is an awesome idea, thanks, it's now modified, that will help.

Hristo Benev: I'm not experienced with tcpdump and it happens quite rarely. Whitelisting will do the trick, as we never experienced any problem regarding this anyway, but thanks for the info. I will keep this in mind if we ever experience another issue like that in the future!



On Fri, Apr 5, 2013 at 5:38 AM, Tom Hendrikx <tom@whyscream.net> wrote:
On 05-04-13 04:33, Zurd wrote:
> We didn't change much of our server in the last few months to my knowledge,
> yet we started receiving mails like this a few months ago. Note that
> 192.68.X.X is our linux server running fail2ban and asterisk at the same
> time.
>
> The IP 192.168.X.X has just been banned by Fail2Ban after 3 attempts
> against Asterisk-TCP.
>
> Lines containing IP:192.168.X.X in /var/log/asterisk/full
>
> [2013-04-02 21:43:20] NOTICE[5087] chan_sip.c: Failed to authenticate user 210<sip:210@192.168.X.X:5060>;tag=85df70c6
> [2013-04-02 21:43:21] NOTICE[5087] chan_sip.c: Failed to authenticate user 210<sip:210@192.168.X.X:5060>;tag=f677dc69
> [2013-04-02 21:43:22] NOTICE[5087] chan_sip.c: Failed to authenticate user 210<sip:210@192.168.X.X:5060>;tag=98b6c23c
> [2013-04-02 21:43:23] NOTICE[5087] chan_sip.c: Failed to authenticate user 210<sip:210@192.168.X.X:5060>;tag=e3d23ae5
> [2013-04-02 21:43:24] NOTICE[5087] chan_sip.c: Failed to authenticate user 210<sip:210@192.168.X.X:5060>;tag=981cb196
>
> Anyone know what this is all about? It always happens around 9pm, but at
> that time there's no one in the office. And user 210 is the conference room
> phone, nobody's really using it. Sometimes there are so many tries, it goes
> into recidive and the server bans itself for 24 hours. No one in the office
> is complaining though, everything's working all fine. Maybe it's the
> cleaning lady at 9pm trying something with the phone in the conference room?!

Haha, nice read, but this is a 10% social problem, or an Asterisk bug.
Nothing to do with fail2ban though, try their mailing list if you trust
your cleaning lady ;)

>
> We have 2 jails for asterisk, TCP and UDP, using iptables-multiport as the
> action on port 5060 and 5061.
>

Try whitelisting the local IP if you're concerned about side effects.

Regards,
        Tom
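
The whitelisting suggested in this thread, shown as an added example that is not taken from either poster's configuration: a `jail.local` sketch for the setup described (two Asterisk jails on ports 5060 and 5061 with `iptables-multiport`, 3 attempts, a 24-hour recidive ban). The jail names, the `asterisk` filter name, the recidive log path and action are assumptions, and `192.168.X.X` stands for the server's own address as masked in the original post.

```ini
# /etc/fail2ban/jail.local (added example; names below are assumptions)

[DEFAULT]
# Addresses fail2ban must never ban, space separated. Setting this in
# [DEFAULT] covers every jail, including recidive, so the server cannot
# lock itself out. Replace 192.168.X.X with the server's real address.
ignoreip = 127.0.0.1/8 192.168.X.X

[asterisk-tcp]
enabled  = true
filter   = asterisk
action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
logpath  = /var/log/asterisk/full
maxretry = 3

[asterisk-udp]
enabled  = true
filter   = asterisk
action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
logpath  = /var/log/asterisk/full
maxretry = 3

[recidive]
# Repeat offenders across all jails get a 24-hour ban (86400 seconds).
enabled  = true
filter   = recidive
action   = iptables-allports[name=recidive]
logpath  = /var/log/fail2ban.log
bantime  = 86400
findtime = 86400
```

Whitelisting only suppresses the ban; the failed-authentication entries for user 210 will still appear in `/var/log/asterisk/full` and remain available for review.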

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users