Fail2ban entries every 2 seconds from unknown source

Not sure if this is the correct place to post this. I am getting this message appear in the fail2ban logs while looking in the Asterisk Log Files. It appears every 2 seconds or so.

11063 [2025-01-24 15:37:45] SECURITY[3756] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2025-01-24T15:37:45.395-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7f42e80022c8”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/43090”,UsingPassword=“0”,SessionTV=“2025-01-24T15:37:45.395-0500”
11064 [2025-01-24 15:37:48] SECURITY[3756] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2025-01-24T15:37:48.469-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7f42f400d438”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/43096”,UsingPassword=“0”,SessionTV=“2025-01-24T15:37:48.469-0500”
11065 [2025-01-24 15:37:51] SECURITY[3756] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2025-01-24T15:37:51.553-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7f42fc002068”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/43102”,UsingPassword=“0”,SessionTV=“2025-01-24T15:37:51.553-0500”
11066 [2025-01-24 15:37:54] SECURITY[3756] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2025-01-24T15:37:54.619-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7f42fc002068”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/43108”,UsingPassword=“0”,SessionTV=“2025-01-24T15:37:54.619-0500”
11067 [2025-01-24 15:37:57] SECURITY[3756] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2025-01-24T15:37:57.686-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7f42fc002068”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/43114”,UsingPassword=“0”,SessionTV=“2025-01-24T15:37:57.686-0500”
11068 [2025-01-24 15:38:00] SECURITY[3756] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2025-01-24T15:38:00.752-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7f42fc002068”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/43120”,UsingPassword=“0”,SessionTV=“2025-01-24T15:38:00.752-0500”
11069 [2025-01-24 15:38:03] SECURITY[3756] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2025-01-24T15:38:03.678-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7f42fc002068”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/43126”,UsingPassword=“0”,SessionTV=“2025-01-24T15:38:03.678-0500”
11070 [2025-01-24 15:38:03] SECURITY[3756] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2025-01-24T15:38:03.822-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7f42fc002068”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/43132”,UsingPassword=“0”,SessionTV=“2025-01-24T15:38:03.822-0500”
11071 [2025-01-24 15:38:06] SECURITY[3756] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2025-01-24T15:38:06.897-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7f42fc002068”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/43138”,UsingPassword=“0”,SessionTV=“2025-01-24T15:38:06.897-0500”

I am not sure where to start to look as the IP address referenced is the loopback IP and there is no user called admin on the PBX. This has been occurring for some time now.

1 post - 1 participant

Read full topic