I keep getting register trials from an IP

Status
Not open for further replies.

TurabG, Member, Aug 25, 2022
Hi all,

For the past two days, I have been getting endless requests from a single IP. I remember this IP was banned by fail2ban but after its ban time passed, it started querying the server again. But this time fail2ban doesn't recognize it. All jails are working but this IP is never banned again. I even tried manually banning it like:

Bash:
iptables -A INPUT -s xx.xxx.xx.xx -j DROP

But iptables -L still doesn't list this IP in the ban list. My sngrep view is flooded with 3-4 entries from this IP every second. What am I missing here?

Edit: I issued fail2ban commands to ban this IP like:
Bash:
fail2ban-client set freeswitch-ip banip xxx.xxx.xxx.xxx

I issued the command more than once and checked the fail2ban log, which reads "this ip is banned already", but iptables -L doesn't list it and it keeps trashing my sngrep screen.
Unless the IP is filtered by an external firewall before it reaches the actual FusionPBX server, sngrep will show the connection attempt. There should only be a single packet shown for each attempt.
 
I also presumed so; it's just that there are things niggling me.

Wouldn't a bot give up on an IP it is not getting a response from for days? I mean, let's say you scanned for a SIP port, you found one, you tried a few times and the server stopped responding; your requests never come back, or you are not even sure your packets are reaching the server, for days. (I keep the ban time very high.) For how long is it viable for a bot to keep sending 5 requests per second that it can't get any response to? Is this because default ban times are really low, so the operator of the bot doesn't mind being banned for a couple of minutes and keeps trying forever?

I saw this exact same IP in my iptables rules and I never saw it in the sngrep view again. But now I don't see it in the iptables rules either. I also don't see it in the fail2ban logs. Shouldn't I at least see in the log that fail2ban recognized and banned this IP? What's more interesting is that I manually banned it via the fail2ban command and via iptables, and I still don't see it in the rule list.

Edit: I inspected my iptables rule set again, and I see that in whichever jail I banned this IP, there is a rule to drop requests from "serv.whost.org". How does this happen? I can't find anything about this host name, and I don't understand how it is connected to the IP I banned.
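A check for the situation described in this thread, added here as an example and not code from the thread, FusionPBX or fail2ban: plain `iptables -L` resolves addresses to hostnames via reverse DNS unless `-n` is given, so a banned IP can appear under a hostname instead of its address, whereas `iptables -S` (or `iptables -L -n`) always prints numeric addresses. The chain name follows fail2ban's f2b-<jail> convention for the freeswitch-ip jail named above, and the sample rules and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check a fail2ban ban without relying on
# `iptables -L`, which resolves addresses to hostnames (reverse DNS) unless
# -n is given, so a banned IP can show up as a hostname instead of the IP.
# `iptables -S` always prints numeric addresses, so its output is parsed here.
# Chain name f2b-freeswitch-ip follows fail2ban's f2b-<jail> convention for
# the freeswitch-ip jail named in the thread; the addresses are constructed.

# is_banned IP RULES: succeed (exit 0) if RULES, the text of `iptables -S`,
# contains a DROP or REJECT rule whose source is exactly IP (or IP/32).
is_banned() {
    ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep -E
    printf '%s\n' "$2" |
        grep -E "^-A [^ ]+ -s ${ip_re}(/32)? .*-j (DROP|REJECT)" >/dev/null
}

# banned_ips RULES: print one bare IP per DROP/REJECT rule, in rule order.
banned_ips() {
    printf '%s\n' "$1" | awk '$1 == "-A" && /-j (DROP|REJECT)/ {
        for (i = 1; i < NF; i++) if ($i == "-s") {
            sub("/32$", "", $(i + 1)); print $(i + 1)
        }
    }'
}

# Constructed sample of `iptables -S f2b-freeswitch-ip` (documentation IPs).
SAMPLE_RULES='-N f2b-freeswitch-ip
-A f2b-freeswitch-ip -s 203.0.113.45/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-freeswitch-ip -s 198.51.100.7/32 -j DROP
-A f2b-freeswitch-ip -j RETURN'

# Stand-alone demo against the sample; on a live host pass "$(iptables -S)".
if is_banned 203.0.113.45 "$SAMPLE_RULES"; then
    echo "203.0.113.45 is banned"
else
    echo "203.0.113.45 is NOT banned"
fi
echo "all banned:"
banned_ips "$SAMPLE_RULES"
```

On a live host, `is_banned 203.0.113.45 "$(iptables -S)"` answers the question directly, and `fail2ban-client status freeswitch-ip` lists what the jail itself believes is banned.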