[OpenSIPS-Users] Switch Statement Trouble
Mark Farmer
farmorg at gmail.com
Tue Sep 3 09:24:21 EDT 2019
Hi everyone, can anyone tell me what's going wrong here please?
I'm having a problem with my switch statement in that $retcode 1 ends up
falling into the processing for -1, -2, -3

# If the client is not already authenticated, check the return code and look for multiple failures
www_authorize("", "subscriber");
switch ($retcode)
{
    case 0: # false
        xlog("CUSTOM_LOG: Client NOT authenticated");
        break;
    case 1: # true
        xlog("CUSTOM_LOG: Client authenticated");
        break;
    case -3: # stale nonce
    case -2: # invalid passwd
    case -1: # no such user
        xlog("CUSTOM_LOG: Failed Authentication Attempt (Return Code: $retcode) for $ru To: $tu - Checking for Dictionary attack");
        # Is the attribute AuthFail_$si present in cache?
        if ( cache_fetch("local","AuthFail_$si",$avp(failed_no)) ) {
            xlog("CUSTOM_LOG: Failure Attempts for $ru ($fU) is now $avp(failed_no) (Return Code: $retcode)");
            # If so, how many failures so far?
            if ( $(avp(failed_no){s.int}) >= $var(max_auth_fail) ) {
                xlog("CUSTOM_LOG: SECURITY ALERT: $var(max_auth_fail) failed auth attempts for $fU from $si - Blocking IP Address");
                # Looks like bad people - Block the source IP
                exec("sudo /sbin/ipset add $var(ipset) $$SIP_SRCIP");
                xlog("CUSTOM_LOG: $si added to ipset $var(ipset)");
                exit;
            }
            # If authentication is failing, increment the value of AuthFail_$si by 1
            xlog("CUSTOM_LOG: Incrementing AuthFail_$si");
            cache_add("local","AuthFail_$si",1,60);
        } else {
            # If the attribute AuthFail_$si is not present - add it
            xlog("CUSTOM_LOG: Adding Cache entry AuthFail_$si");
            cache_store("local","AuthFail_$si","1",60);
        }
        break;
    default:
        # If none of the above is true, try to authenticate the user
        xlog("CUSTOM_LOG: No Subscriber in database for $ru ($fU) - Challenging");
        www_challenge("", 0);
}

--------------
From my logs:

CUSTOM_LOG: Failed Authentication Attempt (Return Code: 1) for sip:XXX.XXX.XXX.XXX To: sip:5003 at XXX.XXX.XXX.XXX - Checking for Dictionary attack
CUSTOM_LOG: Failure Attempts for sip:XXX.XXX.XXX.XXX (5003) is now 1 (Return Code: 1)
CUSTOM_LOG: Incrementing AuthFail_XXX.XXX.XXX.XXX

Version info:
version: opensips 3.0.0 (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, Q_MALLOC,
F_MALLOC, HP_MALLOC, DBG_MALLOC, CC_O0, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16,
MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll, sigio_rt, select.
git revision: 435890a06
main.c compiled on 13:19:25 Jun 21 2019 with gcc 7
Many thanks
Mark.