Fail2ban problem

il trying to configure fail2ban-iptables to secure my server asterisk 16.6.1
this is my jail.local

ignoreip =
bantime = 600
findtime = 600
maxretry = 3
backend = auto
usedns = warn
destemail =
sendername = Fail2Ban
banaction = iptables-multiport
mta = sendmail
protocol = all
chain = INPUT
# action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
          %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
# action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
           %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
action = iptables-allports[name=ASTERISK, protocol=all]

enabled     = true
port        = 5060, 5061
filter      = asterisk
logpath     = /var/log/asterisk/messages
maxretry    = 3

for filters i used /etc/fail2ban/filter.d/asterisk.conf

# Fail2Ban filter for asterisk authentication failures


# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


_daemon = asterisk

__pid_re = (?:\s*\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])?:? [^:]+:\d*(?:(?: in)? [^:]+:)?

prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$

failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
            ^No registration for peer '[^']*' \(from <HOST>\)$
            ^hacking attempt detected '<HOST>'$
            ^"Rejecting unknown SIP connection from <HOST>(?::\d+)?"$
            ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$

# FreePBX (todo: make optional in v.0.10):
#            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$

ignoreregex =

datepattern = {^LN-BEG}

# Author: Xavier Devlamynck / Daniel Black
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
# First regex: channels/chan_sip.c
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog

journalmatch = _SYSTEMD_UNIT=asterisk.service


# asterisk can log timestamp if logs into systemd-journal (optional part matching this timestamp, gh-2383):
__extra_timestamp = (?:\[[^\]]+\]\s+)?
__prefix_line = %(known/__prefix_line)s%(__extra_timestamp)s

the action that my asterisk service invokes is called iptables-multiport this is the associated file :

# Fail2Ban configuration file
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning


before = iptables-common.conf


# Option:  actionstart
# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values:  CMD
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>

# Option:  actionstop
# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
# Values:  CMD
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <iptables> -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

name = default
port = 5060, 5061
protocol = all
chain = INPUT

After making changes restart Fail2Ban to take effect.

[For SysVinit Systems]
# service fail2ban restart

[For systemd Systems]
# systemctl restart fail2ban.service

sudo fail2ban-client status

|- Number of jail:	2
`- Jail list:	asterisk-iptables, sshd

fail2ban-client status asterisk-iptables

Status for the jail: asterisk-iptables
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/asterisk/messages
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:

the problem is :
when i want to confirm whether Fail2Ban iptables rules are added into firewall using below command # iptables -L :

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

thst’ mean fail2ban iptables rules does not added into firewall
when i want also to display the contents of the iptables table with the command #iptables -nL fail2ban-ASTERISK

# iptables -nL fail2ban-ASTERISK
iptables: No chain/target/match by that name.

that mean fail2ban iptables not added
any one helps me plizzzz ???

3 posts were merged into an existing topic: Fail2ban on asterisk