
fail2ban is not enough to protect your PBX. Here's why.

Why geographic filtering is the essential complement to fail2ban for PBX security. Proactive vs reactive protection.

PBXTools Team

The problem: fail2ban is reactive

If you manage an Asterisk PBX exposed to the internet, you almost certainly have fail2ban installed. It’s standard, it’s free, it’s simple. It blocks IPs that attempt too many failed authentications.

The problem is that fail2ban is reactive. It waits for the attack to happen, detects it from logs, and only then blocks the IP. In that window — seconds or minutes — the attacker has already sent hundreds of SIP requests. And if they have a botnet, they’re using dozens of IPs simultaneously from different countries. By the time fail2ban blocks them all, the damage may already be done.

We’ve seen this scenario too many times. A client discovers in the morning they have a bill for thousands of euros from their telephony provider. Calls to premium numbers, exotic countries, high-tariff destinations. The attack lasted less than an hour but used IPs from 12 different countries.

The solution: geographic filtering

Instead of waiting for the attack and reacting, you proactively block all countries you don’t need SIP traffic from. Most businesses need SIP traffic from at most 5-6 countries. The remaining 240+ countries have no reason to send SIP packets to your PBX.

PBX Firewall GeoFilter from PBXTools does exactly this. From the portal you select allowed countries, choose the operating mode (allow only selected countries or block only selected countries), and rules are applied on the server instantly. On deactivation, everything cleanly reverts to the original state.

Performance matters: rules are applied at kernel level, before traffic reaches your PBX. Lookup is instantaneous — regardless of whether you have 100 or 100,000 IPs in the list. It doesn’t slow down the server, doesn’t affect legitimate calls.
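The two operating modes and the kernel-level set lookup can be sketched as follows. This is an added example, not PBXTools code: it assumes nftables as the kernel backend, and the table and set names (`pbx_geo`, `geo4`), the SIP ports and the sample CIDR data are all assumptions made for illustration. It covers IPv4 only.

```python
import ipaddress

SIP_RULES = ("udp dport 5060", "tcp dport { 5060, 5061 }")  # assumed default SIP/SIP-TLS ports

def collapse(country_cidrs, selected):
    """Validate the selected countries' IPv4 CIDRs and merge overlaps
    (an nftables interval set rejects overlapping elements)."""
    unknown = sorted(set(selected) - set(country_cidrs))
    if unknown:
        raise ValueError(f"no CIDR data for {unknown}")
    nets = [ipaddress.IPv4Network(c) for cc in selected for c in country_cidrs[cc]]
    if not nets:  # in allow mode an empty set would drop every SIP packet
        raise ValueError("no networks selected")
    return list(ipaddress.collapse_addresses(nets))

def verdict(src_ip, nets, mode):
    """What the generated rules do with a SIP packet from src_ip."""
    listed = any(ipaddress.IPv4Address(src_ip) in n for n in nets)
    return "accept" if listed == (mode == "allow") else "drop"

def build_ruleset(country_cidrs, selected, mode):
    """Render a dedicated table; `nft delete table ip pbx_geo` removes it again."""
    if mode not in ("allow", "block"):
        raise ValueError("mode must be 'allow' or 'block'")
    nets = collapse(country_cidrs, selected)
    match = "ip saddr != @geo4" if mode == "allow" else "ip saddr @geo4"
    rules = "\n".join(f"        {match} {r} drop" for r in SIP_RULES)
    elements = ", ".join(str(n) for n in nets)
    return (
        "table ip pbx_geo {\n"
        "    set geo4 {\n"
        "        type ipv4_addr\n"
        "        flags interval\n"
        f"        elements = {{ {elements} }}\n"
        "    }\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy accept;\n"
        f"{rules}\n"
        "    }\n"
        "}\n"
    )

# Constructed sample data (RFC 5737 documentation ranges, not real country allocations).
SAMPLE = {"AA": ["192.0.2.0/25", "192.0.2.128/25"], "BB": ["198.51.100.0/24"], "CC": ["203.0.113.0/24"]}

if __name__ == "__main__":
    print(build_ruleset(SAMPLE, ["AA", "BB"], "allow"))
```

Keeping the rules in their own table means deactivation is a single table delete that leaves the rest of the firewall untouched. Because the table is IPv4-only, SIP over IPv6 needs its own set and rules.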

Multi-layered defense

An important detail: fail2ban and GeoFilter are not mutually exclusive. You use them together. GeoFilter proactively blocks traffic from irrelevant countries, and fail2ban handles what gets through the geographic filters. That is multi-layered defense.

Since activating GeoFilter across our PBX fleet, the number of brute force attempts logged in fail2ban dropped by over 90%. Not because attacks stopped, but because they no longer reach the PBX.

If you manage an Asterisk PBX and your only defense mechanism is fail2ban, add geographic filtering. Today.