<html><body>
<p>Hi Joan,<br>
<br>
Interesting idea. There are a few edge-cases you might want to consider:<br>
<br>
1. A legitimate client will have periodic auth failure due to expired nonce serialization (see "nonce_expire" parameter). This is expected behavior when the nonce cached by a client is expired (by default every 30 sec). The return code -3 from www_authorize() indicates this case, and the reply to the client has the stale=1 parameter.<br>
<br>
2. Similar to above, a legitimate client will have auth failure due to nonce serialization (see "disable_nonce_check" parameter). This also has a -3 return code; however, the response back to the client does NOT have the stale=1 parameter.<br>
<br>
3. Generally the "first" request doesn't have any credentials at all (because the client doesn't have a nonce yet), and probably isn't an "attack". Someone else suggested searching for the "Authorization" header field to detect this. You can also detect this via the -4 return code.<br>
<br>
Thus, I'm suggesting something like:<br>
<pre>
# www_authorize() cannot be assigned directly in the script; its
# return code is read from $retcode right after the call
www_authorize(...);
$var(auth_code) = $retcode;
# -1/-2: wrong credentials (log these); -3: stale nonce; -4: no credentials
if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
        xlog("L_ERR","Auth error for $fU@$fd from $si cause $var(auth_code)");
}
if ( $var(auth_code) &lt; 0 ) {
        www_challenge(...);
        exit;
}
</pre>
<br>
<br>
Also, I wonder if it is possible to store the data using db_flatstore. Is there an interface to call db_flatstore's insert method from script land? avpops doesn't seem to have an avp_db_insert() method.<br>
<br>
Regards,<br>
Kennard<br>
<br>
<br>
<font size="2" color="#5F5F5F">From:        </font><font size="2">Joan <aseques@gmail.com></font><br>
<font size="2" color="#5F5F5F">To:        </font><font size="2">OpenSIPS users mailling list <users@lists.opensips.org></font><br>
<font size="2" color="#5F5F5F">Date:        </font><font size="2">08/27/2010 08:25 AM</font><br>
<font size="2" color="#5F5F5F">Subject:        </font><font size="2">[OpenSIPS-Users] Log authentication errors</font><br>
<font size="2" color="#5F5F5F">Sent by:        </font><font size="2">users-bounces@lists.opensips.org</font><br>
<hr width="100%" size="2" align="left" noshade style="color:#8091A5; "><br>
<br>
<br>
<tt>Hello,<br>
<br>
For some time now there have been plenty of hackers trying to steal<br>
accounts and brute-forcing passwords. I would like to log all the<br>
wrong authentications so I can use fail2ban to block those IPs.<br>
I've been reading all the mailing list history and I don't see<br>
anything related, although it is quite interesting.<br>
I've been trying something and at the moment the best I could do is this:<br>
<br>
</tt><pre>
if (is_method("REGISTER")) {
        # authenticate the REGISTER requests
        if (!www_authorize("", "subscriber")) {
                xlog("L_ERR","Auth error for $fU@$fd from $si");
                www_challenge("", "0");
                exit;
        }
}
</pre><tt>
<br>
<br>
So when the device tries to register with a wrong password/username I<br>
will log the errors. After that I still have to do the fail2ban<br>
script, but that's quite easy.<br>
I'd like to know your opinion about this.<br>
<br>
Thanks<br>
<br>
_______________________________________________<br>
Users mailing list<br>
Users@lists.opensips.org<br>
</tt><tt><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></tt><tt><br>
</tt><br>
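<p>An added example, not part of either message in this thread: a fail2ban-style filter in Python that applies the return-code distinction from the reply to the xlog() line it suggests, counting only -1/-2 failures per source IP inside a sliding findtime window. The syslog prefix, the sample log lines and the addresses are constructed; the meaning of -3 and -4 is taken as stated in the reply, not verified against OpenSIPS source.</p>

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog line carrying the xlog() message from the reply; the host/process prefix is skipped.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?Auth error for "
                     r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) cause (?P<code>-?\d+)")

# www_authorize() codes as described in the reply: -1/-2 are real credential
# failures; -3 (stale/expired nonce) and -4 (no credentials yet) are normal clients.
COUNTED_CODES = {-1, -2}

# Constructed sample: a legitimate phone at 198.51.100.9, a guessing source at 203.0.113.7.
SAMPLE_LOG = """\
Aug 27 09:00:00 sip opensips[1234]: Auth error for 1001@example.net from 198.51.100.9 cause -4
Aug 27 09:00:01 sip opensips[1234]: Auth error for 1001@example.net from 198.51.100.9 cause -3
Aug 27 09:00:05 sip opensips[1234]: Auth error for 1001@example.net from 198.51.100.9 cause -1
Aug 27 09:00:10 sip opensips[1234]: Auth error for 100@example.net from 203.0.113.7 cause -2
Aug 27 09:00:11 sip opensips[1234]: Auth error for 101@example.net from 203.0.113.7 cause -2
Aug 27 09:00:12 sip opensips[1234]: Auth error for 102@example.net from 203.0.113.7 cause -2
Aug 27 09:00:13 sip opensips[1234]: Auth error for 1001@example.net from 203.0.113.7 cause -1
Aug 27 09:00:14 sip opensips[1234]: Auth error for 1001@example.net from 203.0.113.7 cause -1
"""

def parse_line(line, year=2010):
    """Return (timestamp, user, ip, code) or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"], int(m["code"])

def offending_ips(lines, maxretry=5, findtime=600):
    """Map ip -> time it reached maxretry counted failures within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent, banned = defaultdict(deque), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _user, ip, code = parsed
        if code not in COUNTED_CODES or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned
```

<p>With the sample log, only 203.0.113.7 crosses the default threshold; the legitimate phone's -3/-4 lines are never counted, which is the point of logging the return code rather than every failed www_authorize().</p>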
</body></html>