> In one case I've got here I see:
>
> 2021-01-03 06:49:10,131 fail2ban.jail [2315]: INFO Jail 'asterisk' started
> 2021-01-03 06:49:27,171 fail2ban.filter [2315]: INFO [asterisk] Found 167.99.151.220
>
Checking IP WHOIS, it appears to be a New York IP via Digital Ocean. I only see it being flagged as not having a Forward-confirmed reverse DNS.
https://matrix.spfbl.net/en/167.99.151.220

> And then many, many entries like that until a ban at timestamp:
>
> 2021-01-03 06:49:39,850 fail2ban.actions [2315]: NOTICE [asterisk] Ban 167.99.151.220
> 2021-01-03 06:49:39,855 fail2ban.filter [2315]: INFO [asterisk] Found 167.99.151.220
> 2021-01-03 06:49:39,931 fail2ban.filter [2315]: INFO [asterisk] Found 167.99.151.220
> 2021-01-03 06:49:39,936 fail2ban.filter [2315]: INFO [asterisk] Found 167.99.151.220
>
> Ten seconds doesn't seem like a lot, but it's a huge number of entries.
> In total, this file has 6 *million* attempts. For one IP.
>
> To wit:
>
> /var/log# grep 'Found 167.99.151.220' fail2ban.log.10 | wc -l
> 6373481
>
> Note that when a ban like this hits, it's not uncommon when the requests
> are coming in so quickly to continue seeing "Found" before you ultimately
> see "Already Blocked" entries.
>
> Even paging through it to see what happened is complicated. (I've bumped
> my logs down to "hourly").
>

I found some discussion on the Asterisk jail here:
https://www.voip-info.org/forum/threads/a-bit-confused-with-fail2ban-on-wazo.21274/

You can just put this IP in /etc/hosts.deny. Do you have the recidive jail enabled?

And you can try creating a bug report at https://github.com/fail2ban/fail2ban/issues; just provide all the requested details.

> ===
>
> As to your question about a newer version. I'm using what was built in to
> this version of Debian's packages. I could certainly try a newer version,
> but most of my searches of the bug tracker didn't reveal a smoking gun
> here of a specific issue fixed between then and now (just general "better
> bits" stuff), so going outside of the usual packages involves some risk on
> a company's production phone server.
>
> It's certainly worth a try but I was asking here first.
>
> --
>
> --------Dan Mahoney--------
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> FB: fb.com/DanielMahoneyIV
> LI: linkedin.com/in/gushi
> Site: http://www.gushi.org
> ---------------------------

_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
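
Added example, not part of the original thread and not fail2ban's own code: a streaming summary of a fail2ban log in the format quoted above, giving per jail and IP the number of "Found" lines before and during a ban and the time from first "Found" to first "Ban". The function names and the sample lines (with documentation address 203.0.113.7) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Found/Ban/Unban lines in the layout quoted in the thread.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+fail2ban\.\w+\s*\[\d+\]:\s+"
    r"\w+\s+\[([^\]]+)\]\s+(Found|Ban|Unban)\s+(\S+)")

def summarize(lines):
    """Stream log lines, return {(jail, ip): stats}; memory grows per IP, not per line."""
    stats = defaultdict(lambda: {"found_while_unbanned": 0, "found_while_banned": 0,
                                 "first_found": None, "first_ban": None, "banned": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # jail start/stop and other messages
        stamp, jail, event, ip = m.groups()
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S,%f")
        s = stats[(jail, ip)]
        if event == "Found":
            s["first_found"] = s["first_found"] or ts
            s["found_while_banned" if s["banned"] else "found_while_unbanned"] += 1
        elif event == "Ban":
            s["first_ban"] = s["first_ban"] or ts
            s["banned"] = True
        else:  # Unban: later Found lines count as unbanned again
            s["banned"] = False
    return dict(stats)

def seconds_to_first_ban(s):
    """Seconds from the first Found to the first Ban, or None if either is missing."""
    if s["first_found"] is None or s["first_ban"] is None:
        return None
    return (s["first_ban"] - s["first_found"]).total_seconds()

# Constructed sample in the thread's log format (not real log data).
SAMPLE = """\
2021-01-03 06:49:10,131 fail2ban.jail [2315]: INFO Jail 'asterisk' started
2021-01-03 06:49:27,171 fail2ban.filter [2315]: INFO [asterisk] Found 203.0.113.7
2021-01-03 06:49:27,180 fail2ban.filter [2315]: INFO [asterisk] Found 203.0.113.7
2021-01-03 06:49:39,850 fail2ban.actions [2315]: NOTICE [asterisk] Ban 203.0.113.7
2021-01-03 06:49:39,855 fail2ban.filter [2315]: INFO [asterisk] Found 203.0.113.7
2021-01-03 06:49:39,931 fail2ban.filter [2315]: INFO [asterisk] Found 203.0.113.7
"""

if __name__ == "__main__":
    for (jail, ip), s in summarize(SAMPLE.splitlines()).items():
        print(jail, ip, s["found_while_unbanned"], s["found_while_banned"],
              seconds_to_first_ban(s))
```

Passing an open file object instead of SAMPLE.splitlines() reads a multi-million-line log one line at a time, so the file never has to be paged through or loaded whole.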
