Weird IPs in Fail2ban list

Hello everyone,

I have noticed weird IPs getting blocked by Fail2ban. Has anyone else seen
this or can explain this?

Chain fail2ban-ASTERISK (1 references)
num target prot opt source destination
1 DROP all -- 0.23.20.189 0.0.0.0/0

I also get things like 0.0.5.2, etc. Fail2ban seems to be working when I
am testing. Are these numbers taken from the SIP packet or the TCP/IP
protocol source? Because they surely are not valid addresses.

Thanks

6 thoughts on - Weird IPs in Fail2ban list

  • See fail2ban-regex(1). It’s very useful for discovering what fail2ban
    makes of your log files.

  • I can’t see those IPs in the /var/log/asterisk/full. I can’t even see
    parts of the IP address when I try grep -o "23.20.189" full. That is still
    nothing.

    I am wondering what is wrong here. This is my regex filter file:

    failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
                Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
                Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
                Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
                Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
                NOTICE.* <HOST> failed to authenticate as '.*'$
                NOTICE.* .*: No registration for peer '.*' (from <HOST>)
                NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
                VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')
                .* -.*> Playing 'ss-noservice.gsm' .*

    Thanks,

  • I was using 1.8.8.1 and now upgraded it to 1.8.9.1. Here is a problem I
    have with Asterisk logging if someone can point me in the right direction.

    With allowguest=no, Asterisk 1.8.9.1 doesn’t create anything in the full
    log so my fail2ban can’t ban the unregistered call attempt on my server.
    How can this be fixed so that there is an entry in the log file for the
    failed attempt so the IP gets banned?

    Best,
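
One way to check where addresses like 0.23.20.189 and 0.0.5.2 could come from, as an added example that is not part of the thread: it assumes (the thread does not confirm this) that the filter's host group captured a bare number from the log line and that the number was then read as a 32-bit address, so it searches the log for the integer form instead of dotted fragments. The log lines and the function names are constructed for illustration.

```python
import ipaddress
import re

# 0.0.0.0/8 is reserved ("this network") and is not a valid remote source.
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")


def as_integer(dotted):
    """Return the 32-bit integer that renders as this dotted quad."""
    return int(ipaddress.IPv4Address(dotted))


def as_dotted(number):
    """Return the dotted quad a bare number becomes when read as a 32-bit address."""
    return str(ipaddress.IPv4Address(int(number)))


def is_suspect(dotted):
    """True when a banned address cannot be a real remote peer."""
    return ipaddress.IPv4Address(dotted) in THIS_NETWORK


def find_numeric_sources(banned, log_lines):
    """For each suspect ban, list log lines holding its integer form as a whole number."""
    hits = {}
    for addr in banned:
        if not is_suspect(addr):
            continue
        needle = re.compile(r"(?<!\d)%d(?!\d)" % as_integer(addr))
        hits[addr] = [line for line in log_lines if needle.search(line)]
    return hits


# Constructed log lines in the style of /var/log/asterisk/full (not from the thread).
SAMPLE_LOG = [
    "[2012-02-01 10:00:01] NOTICE[2001] chan_sip.c: Registration from "
    "'<sip:1282@192.0.2.10>' failed for '198.51.100.7' - Wrong password",
    "[2012-02-01 10:00:05] NOTICE[2001] chan_sip.c: Registration from "
    "'<sip:1512637@192.0.2.10>' failed for '198.51.100.7' - No matching peer found",
    "[2012-02-01 10:00:09] NOTICE[2001] chan_sip.c: Registration from "
    "'<sip:alice@192.0.2.10>' failed for '203.0.113.9' - Wrong password",
]

if __name__ == "__main__":
    banned = ["0.23.20.189", "0.0.5.2", "198.51.100.7"]
    for addr, lines in find_numeric_sources(banned, SAMPLE_LOG).items():
        print(addr, "=", as_integer(addr), "->", len(lines), "matching line(s)")
        for line in lines:
            print("   ", line)
```

If a log line turns up this way, running the filter against it with fail2ban-regex shows which pattern captured the number as the host.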