[OpenSIPS-Users] Log authentication errors

Bogdan-Andrei Iancu bogdan at voice-system.ro
Tue Aug 31 19:46:45 CEST 2010


Hi Joan,

Thank you for your contribution - the proper place for the page should 
be under  http://www.opensips.org/Resources/DocsTutorials , like 
http://www.opensips.org/Resources/Fail2ban...

If you want, I can help you with the migration.

Thanks and regards,
Bogdan



Joan wrote:
> Hey, I finally was able to open an account in the wiki (it's quite 
> a strange wiki system though).
> In any case I could create this entry:
> http://www.opensips.org/PmWiki/Fail2ban
>
> But currently it is not referenced from anywhere; could someone make it 
> indexable from the wiki content?
>
> And thanks to the people who helped with the code!
>
> 2010/8/30 Joan <aseques at gmail.com>
>
>     Ok, I finally got all the pieces together. I wanted to create a
>     new page on the wiki with the information, but I couldn't find the
>     place to register.
>
>     Shall I post it here so someone with the rights can create the
>     page? Or can someone point me to the page so I can register to
>     edit the wiki.
>
>     2010/8/27 <Kennard_White at logitech.com>
>
>         Hi Joan,
>
>         Interesting idea. There are a few edge-cases you might want to
>         consider:
>
>         1. A legitimate client will have periodic auth failure due to
>         expired nonce serialization (see "nonce_expire" parameter).
>         This is expected behavior when the nonce cached by a client is
>         expired (by default every 30sec). The return code -3 from
>         www_authorize() indicates this case, and the reply to client
>         has stale=1 parameter.
>
>         2. Similar to above, a legitimate client will have auth
>         failure due to nonce serialization (see "disable_nonce_check"
>         parameter). This also has a -3 return code; however, the
>         response back to the client does NOT have the stale=1 parameter.
>
>         3. Generally the "first" request doesn't have any credentials
>         at all (because the client doesn't have a nonce), and probably
>         isn't an "attack". Someone else suggested searching
>         for the "Authorization" header field to detect this. You can also
>         detect this via the -4 return code.
>
>         Thus, I'm suggesting something like:
>         $var(auth_code) = www_authorize(...);
>         if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
>             xlog("L_ERR","Auth error for $fU@$fd from $si cause $var(auth_code)");
>         }
>         if ( $var(auth_code) < 0 ) {
>             www_challenge(...);
>             exit;
>         }
>
>
>         Also, I wonder if it is possible to store the data using
>         db_flatstore. Is there an interface to call db_flatstore's
>         insert method from script land? avpops doesn't seem to have an
>         avp_db_insert() method.
>
>         Regards,
>         Kennard
>
>         From: Joan <aseques at gmail.com>
>         To: OpenSIPS users mailling list <users at lists.opensips.org>
>         Date: 08/27/2010 08:25 AM
>         Subject: [OpenSIPS-Users] Log authentication errors
>         Sent by: users-bounces at lists.opensips.org
>
>         ------------------------------------------------------------------------
>
>
>
>         Hello,
>
>         Since some time ago there are plenty of hackers trying to steal
>         accounts and bruteforcing passwords. I would like to log all the
>         wrong authentications so I can use fail2ban to block those IPs.
>         I've been reading all the mailing list history and I don't see
>         anything related, although it is quite interesting.
>         I've been trying something and at the moment the best I could
>         do is this:
>
>                if (is_method("REGISTER")) {
>                        # authenticate the REGISTER requests
>                        if (!www_authorize("", "subscriber")) {
>                                xlog("L_ERR","Auth error for $fU@$fd from $si");
>                                www_challenge("", "0");
>                                exit;
>                        }
>
>
>         So when the device tries to register with a wrong
>         password/username I will log the errors. After that I still
>         have to do the fail2ban script, but that's quite easy.
>         I'd like to know your opinion about this.
>
>         Thanks
>
>         _______________________________________________
>         Users mailing list
>         Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>         http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>


-- 
Bogdan-Andrei Iancu
OpenSIPS Bootcamp
20 - 24 September 2010, Frankfurt, Germany
www.voice-system.ro
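
Added example, not part of the original messages or of the OpenSIPS project: the log-side counterpart of the return-code distinction made in the quoted thread, counting only codes -1 and -2 per source address within a time window before an address is reported for blocking. The syslog prefix, the `max_retry` and `find_time` names and the sample lines are assumptions; the sample assumes a script that logs every negative return code with the `cause` suffix.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Message text is the xlog() format from the thread; the syslog-style prefix is
# an assumption. The pattern is anchored at the end of the line so the address
# taken is the $si OpenSIPS wrote, not text from the client-supplied From user.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+: "
    r"Auth error for (?P<aor>.*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) cause (?P<code>-?\d+)\s*$"
)
# Per the thread, -3 (nonce handling) and -4 (no credentials yet) are expected
# from legitimate clients; only -1 and -2 are counted.
COUNTED_CODES = {-1, -2}

def find_offenders(lines, max_retry=3, find_time=timedelta(minutes=10), year=2010):
    """Map each IP with >= max_retry counted failures inside find_time to the
    sorted user@domain values it tried. Lines must be in time order."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    tried = defaultdict(set)     # ip -> user@domain values seen
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m["code"]) not in COUNTED_CODES:
            continue
        # syslog timestamps carry no year, so one is supplied (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        tried[m["ip"]].add(m["aor"])
        while ts - window[0] > find_time:
            window.popleft()
        if len(window) >= max_retry:
            offenders[m["ip"]] = sorted(tried[m["ip"]])
    return offenders

# Constructed sample log: documentation addresses, invented users and host.
SAMPLE_LOG = """\
Aug 27 08:25:01 sip1 opensips[2101]: Auth error for 1001@example.org from 198.51.100.7 cause -2
Aug 27 08:25:03 sip1 opensips[2101]: Auth error for 1002@example.org from 198.51.100.7 cause -1
Aug 27 08:25:04 sip1 opensips[2101]: Auth error for alice@example.org from 203.0.113.20 cause -3
Aug 27 08:25:05 sip1 opensips[2101]: Auth error for alice@example.org from 203.0.113.20 cause -4
Aug 27 08:25:06 sip1 opensips[2101]: Auth error for 1003@example.org from 198.51.100.7 cause -2
Aug 27 09:40:00 sip1 opensips[2101]: Auth error for bob@example.org from 192.0.2.10 cause -2
""".splitlines()

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))
```
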



