Thanks for all advice guys! The intrusion was done in my asterisk server, hence I am responsible. A peek in the asterisk logs confirmed that it was a brute force attack, fail2ban should solve this. I followed the instruction on the wiki provided by pw44. To test the asterisk jail I tried to register to an extension with a SIP soft phone on a computer in my local network. I registered three times with incorrect password. The attempts were correctly logged in the asterisk log, but looking in the fail2ban log I could see that the ban did not kick in. Do I have trouble shooting to do, or is there an explanation to this? (I did not include the computers IP to the ignore list).
To see if it was blocked, try iptables -L -v, you should see something like:
5091 2125K DROP all -- any any 18.104.22.168-static.reverse.softlayer.com anywhere
Where DROP indicates reject any attempt from the given ip/address.
But remember that the configuration have a directive (ignoreip), to prevent any device in your internal network to be blocked.
Otherwise, please carefully check the fail2ban configuration, and remember that fail2ban SHALL be restartded AFTER /usr/pluto/bin/Network_Firewall.sh, because it clears and starts all the iptables rules for linuxmce, so the tutorial presents a hack for it, as described bellow:
For LinuxMCE, there is needed "patch", while fail2ban is not part of the distribution.
When LinuxMCE starts, it runs /usr/pluto/bin/Network_Firewall.sh, and this is done AFTER /etc/init.d/fail2ban is started.
So, edit /usr/pluto/bin/Network_Firewall.sh and add the following at the END of this file:
And remember to check and include this hack every time you updates linuxmce, because it's is not kept during the scripts updates.
I hope this helps.