Ok. I got fail2ban running and pretty much all password attempts get stopped in their tracks. However, I still see the following logs. What is this? I know it’s not me. But I don’t understand why there are no “Invalid password” follow-ups being written in the log?
RemoteAddress is the hacker’s address. But there are no other security events other than “ChallengeSent” in the logs. And obviously - this IP is not getting banned. So, how is this possible in Asterisk?
I’m still not sure how this is possible. fail2ban goes strictly by logs. But it won’t ban until it sees a SecurityEvent about a bad password. This one is like a request that never gets answered by Asterisk… How do I check in detail?
fail2ban will not work without a firewall as it works by manipulating the firewall rules.
The normal sequence for an authenticated request is that the client sends an unauthenticated one, the server responds with 401, giving the authentication type and any cryptographic challenge, and the client repeats with the authentication. The repeat hasn’t happened. My guess is that that is because this was a genuine misconfiguration, not an attack.
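Added example, not part of the original thread: a small log check that lists remote addresses whose "ChallengeSent" events were never followed by an authenticated retry, which is the pattern discussed above that fail2ban's bad-password filter never sees. The sample lines are constructed, the function names are hypothetical, and treating "SuccessfulAuth" and "ChallengeResponseFailed" (neither is named in the thread) as follow-up events alongside "InvalidPassword" is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines using the key="value" layout of Asterisk security events.
SAMPLE_LOG = """\
[2024-01-01 10:00:00] SECURITY[100] res_security_log.c: SecurityEvent="ChallengeSent",Service="SIP",AccountID="100",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2024-01-01 10:00:05] SECURITY[100] res_security_log.c: SecurityEvent="ChallengeSent",Service="SIP",AccountID="100",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2024-01-01 10:00:09] SECURITY[100] res_security_log.c: SecurityEvent="ChallengeSent",Service="SIP",AccountID="101",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2024-01-01 10:01:00] SECURITY[100] res_security_log.c: SecurityEvent="ChallengeSent",Service="SIP",AccountID="200",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2024-01-01 10:01:01] SECURITY[100] res_security_log.c: SecurityEvent="InvalidPassword",Service="SIP",AccountID="200",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2024-01-01 10:02:00] SECURITY[100] res_security_log.c: SecurityEvent="ChallengeSent",Service="SIP",AccountID="300",RemoteAddress="IPV4/UDP/192.0.2.20/5060"
[2024-01-01 10:02:01] SECURITY[100] res_security_log.c: SecurityEvent="SuccessfulAuth",Service="SIP",AccountID="300",RemoteAddress="IPV4/UDP/192.0.2.20/5060"
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')
# Events assumed to mean the client repeated the request with credentials.
FOLLOW_UPS = {"InvalidPassword", "SuccessfulAuth", "ChallengeResponseFailed"}

def remote_ip(value):
    """Extract the host from a value such as IPV4/UDP/203.0.113.5/5060."""
    parts = value.split("/")
    return parts[2] if len(parts) >= 4 else value

def unanswered_challenges(log_text):
    """Return {ip: count} of challenges that never got an authenticated retry."""
    pending = defaultdict(int)  # (ip, account) -> challenges still waiting for a retry
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        event = fields.get("SecurityEvent")
        if event is None or "RemoteAddress" not in fields:
            continue
        key = (remote_ip(fields["RemoteAddress"]), fields.get("AccountID", ""))
        if event == "ChallengeSent":
            pending[key] += 1
        elif event in FOLLOW_UPS and pending[key] > 0:
            pending[key] -= 1  # the retry consumes one outstanding challenge
    totals = defaultdict(int)
    for (ip, _account), count in pending.items():
        totals[ip] += count
    return {ip: count for ip, count in totals.items() if count > 0}

if __name__ == "__main__":
    for ip, count in sorted(unanswered_challenges(SAMPLE_LOG).items()):
        print(f"{ip}: {count} challenge(s) with no authenticated retry")
```

A single unanswered challenge from an address fits the misconfigured-client explanation given above; the count per address is what separates that from a repeated pattern worth a dedicated filter or rate limit.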