I suspect the problem is that 401s are normal, so it would end up blocking local users. If you know the addresses that can legitimately try to authenticate, you don't need fail2ban, as you can configure the firewall to block all others.
If this is an attack, he needs fail2ban to detect 401s that are not followed up by a valid authentication.
However, it seems strange to me that anyone would hack without going through to the password stage, or at least the ACK stage, so I think it is more likely that there is a misconfigured system somewhere and he should be trying to inform the sender of their problem.
The non-standard port number may be why the dialogue never completes. If you really want to let fail2ban learn this, opening the firewall to any outbound destination port may allow the dialogue to get as far as the invalid password. If he actually needs fail2ban, it seems strange that he would restrict replay ports, as the port number for remote user phones is very unlikely to come in as 5060. He should know the address range for his ITSP, so, if he doesn't have remote users, he should simply be dropping all addresses outside that range and forgetting fail2ban.
Statistics : Posted by genobe • on Fri May 08, 2015 5:47 am • Replies 15 • Views 1929
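The detection the post describes (a 401 challenge that is never followed by a REGISTER carrying credentials) and the alternative it recommends (drop everything outside the ITSP range at the firewall) are shown below as an added illustration. This is not code from the post, from fail2ban, or from Asterisk; the "SIP event log" is a constructed list of tuples, the summaries like `REGISTER no-auth` / `REGISTER auth` are an assumed shorthand for a REGISTER without and with an Authorization header, and the addresses are RFC 5737 documentation ranges.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample "SIP event log" (not from a real PBX). Each row is
# (timestamp, peer IP, direction, summary); direction "in" is a request the
# PBX received, "out" is the response it sent. "REGISTER no-auth" is the
# first REGISTER without an Authorization header, "REGISTER auth" the retry
# that carries credentials (the "password stage" the post refers to).
SAMPLE_EVENTS = [
    # a legitimate phone: challenged, answers the challenge, registers
    ("2015-05-08 05:40:00", "203.0.113.10", "in",  "REGISTER no-auth"),
    ("2015-05-08 05:40:00", "203.0.113.10", "out", "401 Unauthorized"),
    ("2015-05-08 05:40:01", "203.0.113.10", "in",  "REGISTER auth"),
    ("2015-05-08 05:40:01", "203.0.113.10", "out", "200 OK"),
    # a scanner: repeated REGISTERs, never answers the 401
    ("2015-05-08 05:41:00", "198.51.100.7", "in",  "REGISTER no-auth"),
    ("2015-05-08 05:41:00", "198.51.100.7", "out", "401 Unauthorized"),
    ("2015-05-08 05:41:05", "198.51.100.7", "in",  "REGISTER no-auth"),
    ("2015-05-08 05:41:05", "198.51.100.7", "out", "401 Unauthorized"),
    ("2015-05-08 05:41:10", "198.51.100.7", "in",  "REGISTER no-auth"),
    ("2015-05-08 05:41:10", "198.51.100.7", "out", "401 Unauthorized"),
    ("2015-05-08 05:41:15", "198.51.100.7", "in",  "REGISTER no-auth"),
    ("2015-05-08 05:41:15", "198.51.100.7", "out", "401 Unauthorized"),
    # a misconfigured device: one unanswered challenge, then silence
    ("2015-05-08 05:42:00", "192.0.2.55",   "in",  "REGISTER no-auth"),
    ("2015-05-08 05:42:00", "192.0.2.55",   "out", "401 Unauthorized"),
    # the legitimate phone re-registers later
    ("2015-05-08 05:45:00", "203.0.113.10", "in",  "REGISTER no-auth"),
    ("2015-05-08 05:45:00", "203.0.113.10", "out", "401 Unauthorized"),
    ("2015-05-08 05:45:01", "203.0.113.10", "in",  "REGISTER auth"),
    ("2015-05-08 05:45:01", "203.0.113.10", "out", "200 OK"),
]

FMT = "%Y-%m-%d %H:%M:%S"


def unanswered_challenges(events, window=timedelta(seconds=30)):
    """Count, per peer IP, the 401 challenges that were not followed within
    `window` by a REGISTER carrying credentials from the same IP."""
    pending = defaultdict(list)        # ip -> timestamps of open challenges
    unanswered = defaultdict(int)
    last_seen = None
    for ts, ip, direction, summary in events:
        t = datetime.strptime(ts, FMT)
        last_seen = t
        # Challenges older than the window that this IP never answered
        still_open = []
        for c in pending[ip]:
            if t - c > window:
                unanswered[ip] += 1
            else:
                still_open.append(c)
        pending[ip] = still_open
        if direction == "out" and summary.startswith("401"):
            pending[ip].append(t)
        elif direction == "in" and summary == "REGISTER auth":
            # The peer reached the password stage. Whether the password is
            # right or wrong is what the stock fail2ban asterisk filter
            # already judges, so these challenges are no longer "unanswered".
            pending[ip].clear()
    # Close out challenges that expired before the log ended
    if last_seen is not None:
        for ip, open_ch in pending.items():
            unanswered[ip] += sum(1 for c in open_ch if last_seen - c > window)
    return dict(unanswered)


def ban_candidates(counts, maxretry=3, trusted_nets=()):
    """IPs whose unanswered-challenge count reaches a fail2ban-style maxretry,
    skipping anything inside the trusted (e.g. ITSP) ranges."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    return sorted(ip for ip, n in counts.items()
                  if n >= maxretry
                  and not any(ipaddress.ip_address(ip) in net for net in nets))


def blocked_by_range(events, trusted_nets):
    """The alternative the post suggests: with no remote users, a firewall
    rule that only admits the ITSP range drops every other source before any
    SIP dialogue (or fail2ban) is involved. Returns the peers it would drop."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    return {ip for _, ip, _, _ in events
            if not any(ipaddress.ip_address(ip) in net for net in nets)}


if __name__ == "__main__":
    counts = unanswered_challenges(SAMPLE_EVENTS)
    print("unanswered 401s per peer:", counts)
    print("would ban:", ban_candidates(counts))
    print("dropped by ITSP-only firewall:",
          blocked_by_range(SAMPLE_EVENTS, ["203.0.113.0/24"]))
```

Run on the sample, the scanner accumulates four unanswered challenges and is the only ban candidate, the misconfigured device stays under `maxretry` (which is the case where contacting the sender is the better fix), and the phone that answers its challenges is never counted, which is the behaviour a plain "match every 401" filter would get wrong. The range-based check shows why, with no remote users, the firewall rule alone makes the detector unnecessary.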