FailedACL What does that mean?

I am using fail2ban with his default configuration, the problema is that fail2ban is banning the same IP repeatedly by the same problem FailedACL.

I found the matching word on: /etc/fail2ban/filter.d/asterisk.conf

^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteA

What FailedACL mean? Is it dangerous?
What I can do to solve this problem?

Is it safe to down the level of security removing the word FailedACL from fail2ban?

/etc/fail2ban/filter.d/asterisk.conf

# Fail2Ban filter for asterisk authentication failures
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

__pid_re = (?:\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?

failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(__prefix_line)s%(log_prefix)s hacking attempt detected '<HOST>'$
            ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$
            ^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$

ignoreregex =


# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog
~

ACL means access control list. As such I assume it means that this was taken out by a Deny line in your Asterisk configuration. It’s only dangerous if you didn’t mean to deny it, but it would be better to add a static rule to the firewall, as well.

I have iptables+fail2ban, and I am only grant access to asterisk when the IP is from my country.

When you say that I have a Deny line in my asterisk are your talking about iptables or another thing? If is something diferent of iptables, what is it and where I can check this?

Unfortnantly I can’t creat a static rule by IP because they change too often.

Thanks.

I’m talking about Asterisk.

You can add a static rule for this, as you already have a static rule for it, but at the next line of defence. As you haven’t provided the matching line, one can’t tell if this is a SIP request; it might, for example,be an AMI one.

https://wiki.asterisk.org/wiki/display/AST/Asterisk+13+ManagerEvent_FailedACL

Rules can white list as well as black list.

Oh!
All this time and I have no idea about asterisk have a file named acl.conf, thanks for the heads up.

The strange thing is I never touch on this file and all his lines are commented, I have never create any rule there.

*CLI> acl show

acl
---

As it is empty it should not interfere, in theory…

Is it possible to disable it? I only find res_pjsip_acl.so and I am using SIP not PJSIP.

You can also have permit and deny in other files, including sip.conf and manager.conf; probably anything that deals with IP networks.

one other heads up, did you change sip port from default 5060 to something else ? beware this simple action can reduce attacks by up to 95% if not more (I personally saw 99% reduction)

The biggest problem here is that the same IP is getting blocked again and again for the same reason, while I dont have problem with other clients. I am considering is some problem on the ISP of this specific client.

Thanks for the advice, but my problem has nothing to do with attack, it is a trusted connection that is getting blocked because of of a message on security log.

[2021-04-06 10:11:24] SECURITY[1466] res_security_log.c: SecurityEvent="FailedACL",EventTV="2021-04-06T10:11:24.259-0300",Severity="Error",Service="SIP",EventVersion="1",AccountID="8860",SessionID="0x7f72c4023380",LocalAddress="IPV4/UDP/192.168.41.4/5060",RemoteAddress="IPV4/UDP/191.5.2.119/5060",ACLName="no_extension_match"

2021-04-06 10:11:24,694 fail2ban.actions        [19980]: NOTICE  [asterisk-iptables] Ban 191.5.2.119

`

Looks like the scope of this class of message is greater than I thought:

This is why you should always provide the full message.

If this source can genuinely dial the wrong number, I suspect you are going to have to refine your filter to exclude ones with the above clause.

Whilst fail2ban was something that our office manager used for the internal system, and, as a product developer, I wasn’t involved with it, I suspect that you have rules that exclude local IP addresses from being blocked by fail2ban, and those are the ones that would normally produce legitimate wrong numbers, but you haven’t white listed the address that is causing you problems.

Another possibility is that local devices don’t generate wrong numbers frequently enough to be considered hostile, but the problem peer does.

One possible reason for seeing a lot of wrong numbers would be if the peer is sending OPTIONS requests to detect whether a call would likely succeed. Often these are sent with a user part that is chose arbitrarily (although it is usually constant, so you can define a dummy extension to handle it).

You are right:

[2021-04-06 10:11:24] NOTICE[1442][C-000038a0] chan_sip.c: Call from 'Nathalia - Certificacao' (191.5.2.119:5060) to extension '8860' rejected because extension not found in context 'ddd'.

I didn’t see it because 8XXX are the range for sip peers, when I have peers registred locally it does not happen because I have the network on the whitelist of fail2ban, but that is not the case.

For some reason 8860 doesnt exisists anymore and this person still calling to this number.

Thanks for helping.

There is a place on fail2ban where you insert the IP address or a network that you want to be ignored by fail2ban, in my case, the IP is a Valid Public IP that change frequently.

/etc/fail2ban/jail.conf

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip =