Fail2Ban Inbound DoS

Status
Not open for further replies.

Rayman

New Member
Mar 22, 2018
Hi,

I am getting some malicious IPs spamming my FusionPBX Freeswitch server with inbound call attempts.

I'd like to ban the IP automatically via Fail2Ban, but the offending IP (HOST) is on another line and not on the same line as the "indicator". I'm not really familiar with how I can work with multiple lines in the same regex.

Freeswitch log lines
Code:
7b383019-b74c-4ae0-bc9f-aa102e5622c3 2018-03-22 17:17:04.657702 [DEBUG] sofia.c:9248 sofia/External_NAT/95917@MY.IP.HERE receiving invite from MALICIOUS.IP.HERE:5070 version: 1.6.6 -13-d2d0b32 64bit
...some other lines here
7b383019-b74c-4ae0-bc9f-aa102e5622c3 EXECUTE sofia/External_NAT/95917@MY.IP.HERE log(WARNING Accountcode  is not authenticated!!)
7b383019-b74c-4ae0-bc9f-aa102e5622c3 2018-03-22 17:17:04.737681 [WARNING] mod_dptools.c:1692 Accountcode  is not authenticated!!

My current filter
Code:
failregex = ^\.\d+ \[WARNING\] mod_dptools.c:\d+ Accountcode  is not authenticated!!$

Any help would be appreciated.
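
An added example, not part of the original post: the log lines quoted above all begin with the same channel UUID, so the source address on the "receiving invite" line can be joined to the later warning by that UUID instead of by line position. The sample log is constructed (the page's UUID with documentation-range addresses), and the function name and `max_pending` limit are assumptions.

```python
import re
from collections import OrderedDict

# Patterns follow the two Freeswitch log lines quoted in the post.
INVITE = re.compile(r"^(?P<uuid>[0-9a-f-]{36}) .*receiving invite from "
                    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+")
UNAUTH = re.compile(r"^(?P<uuid>[0-9a-f-]{36}) .*\[WARNING\] mod_dptools\.c:\d+ "
                    r"Accountcode\s+is not authenticated!!")

def unauthenticated_sources(lines, max_pending=10000):
    """Yield (uuid, ip) for each call whose UUID later logs the warning."""
    pending = OrderedDict()  # uuid -> source IP taken from the INVITE line
    for line in lines:
        m = INVITE.match(line)
        if m:
            pending[m["uuid"]] = m["ip"]
            if len(pending) > max_pending:  # bound memory during a flood
                pending.popitem(last=False)
            continue
        m = UNAUTH.match(line)
        if m and m["uuid"] in pending:
            # pop() so a repeated warning for one call is reported once
            yield m["uuid"], pending.pop(m["uuid"])

# Constructed sample: two interleaved calls, only the first is unauthenticated.
A = "7b383019-b74c-4ae0-bc9f-aa102e5622c3"
B = "11111111-2222-4333-8444-555555555555"
SAMPLE = [
    f"{A} 2018-03-22 17:17:04.657702 [DEBUG] sofia.c:9248 "
    "sofia/External_NAT/95917@192.0.2.10 receiving invite from "
    "203.0.113.7:5070 version: 1.6.6 -13-d2d0b32 64bit",
    f"{B} 2018-03-22 17:17:04.660000 [DEBUG] sofia.c:9248 "
    "sofia/External_NAT/1000@192.0.2.10 receiving invite from "
    "198.51.100.20:5060 version: 1.6.6 -13-d2d0b32 64bit",
    f"{A} EXECUTE sofia/External_NAT/95917@192.0.2.10 "
    "log(WARNING Accountcode  is not authenticated!!)",
    f"{A} 2018-03-22 17:17:04.737681 [WARNING] mod_dptools.c:1692 "
    "Accountcode  is not authenticated!!",
    f"{B} 2018-03-22 17:17:05.100000 [NOTICE] sofia.c:1000 Hangup",
]

if __name__ == "__main__":
    for uuid, ip in unauthenticated_sources(SAMPLE):
        # One line per offender, with the address on the same line.
        print(f"unauthenticated inbound call uuid={uuid} from {ip}")
```

Each printed line carries the address and the indicator together, so if the output is appended to its own log file, a single-line `failregex` containing `<HOST>` can match it.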
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
If that is your external profile can you not just block all access except from your carriers?
 

Rayman

New Member
Mar 22, 2018
DigitalDaz said:
If that is your external profile can you not just block all access except from your carriers?

I have tried that (blocking all traffic for port 5080 except carriers) but it didn't stop it at all. I did confirm that the port is blocked by using public port scanners.
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
Is it definitely on port 5080??

I see sofia/External_NAT

That would imply a custom profile possibly on another port??
 