Ok, I finally got all the pieces together. I wanted to create a new page on the wiki with the information, but I couldn't find the place to register.<div><br></div><div>Shall I post it here so someone with the rights can create the page? Or can someone point me to the page so I can register to edit the wiki.<br>
<br><div class="gmail_quote">2010/8/27 <span dir="ltr"><<a href="mailto:Kennard_White@logitech.com">Kennard_White@logitech.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div>
<p>Hi Joan,<br>
<br>
Interesting idea. There are a few edge-cases you might want to consider:<br>
<br>
1. A legitimate client will have periodic auth failure due to expired nonce serialization (see "nonce_expire" parameter). This is expected behavior when the nonce cached by a client is expired (by default every 30sec). The return code -3 from www_authorize() indicates this case, and the reply to client has stale=1 parameter.<br>
<br>
2. Similar to above, a legitimate client will have auth failure due to nonce serialization (see "disable_nonce_check" parameter). This also has a -3 return code; however, the response back to the client does NOT have the stale=1 parameter.<br>
<br>
3. Generally the "first" request doesn't have any credentials at all (because client doesn't have a nonce), and probably isn't an "attack". Someone else one else suggested searching for "Authorization" header field to detect this. You can also detect this via the -4 return code.<br>
<br>
Thus, I'm suggesting something like:<br>
<font face="Courier New">$var(auth_code) = www_authorize(...);</font><br>
<font face="Courier New"> if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {</font><br>
<font face="Courier New"> xlog("L_ERR","Auth error for $fU@$fd from $si cause $var(auth_code)");</font><br>
<font face="Courier New"> }</font><br>
<font face="Courier New"> if ( $var(auth_code) < 0 ) {</font><br>
<font face="Courier New"> www_challenge(...);</font><br>
<font face="Courier New"> exit;</font><br>
<font face="Courier New"> }</font><br>
<br>
<br>
Also, I wonder if it is possible store the data using db_flatstore. Is there an interface to to call db_flatstore's insert method from script land? avpops doesn't seem to have an avp_db_insert() method.<br>
<br>
Regards,<br>
Kennard<br>
<br>
<img width="16" height="16" src="cid:1__=07BBFD1FDFCA85368f9e8a93df9@logitech.com" border="0" alt="Inactive hide details for Joan ---08/27/2010 08:25:11 AM---Hello, Since some time ago there are plenty of hackers trying to sto"><font color="#424282">Joan ---08/27/2010 08:25:11 AM---Hello, Since some time ago there are plenty of hackers trying to stole</font><br>
<br>
<font size="2" color="#5F5F5F">From: </font><font size="2">Joan <<a href="mailto:aseques@gmail.com" target="_blank">aseques@gmail.com</a>></font><br>
<font size="2" color="#5F5F5F">To: </font><font size="2">OpenSIPS users mailling list <<a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a>></font><br>
<font size="2" color="#5F5F5F">Date: </font><font size="2">08/27/2010 08:25 AM</font><br>
<font size="2" color="#5F5F5F">Subject: </font><font size="2">[OpenSIPS-Users] Log authentication errors</font><br>
<font size="2" color="#5F5F5F">Sent by: </font><font size="2"><a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a></font><br>
</p><hr width="100%" size="2" align="left" noshade style="color:#8091A5"><br>
<br>
<br>
<tt><div><div></div><div class="h5">Hello,<br>
<br>
Since some time ago there are plenty of hackers trying to stole<br>
accounts and bruteforcing passwords. I would like to log all the<br>
wrong authentications so I can use fail2ban to block those ips.<br>
I've been reading all the mailing list history and I don't see<br>
anything related althought is quite interesting.<br>
I've been trying something and at the moment the best I could do is this:<br>
<br>
if (is_method("REGISTER")) {<br>
# authenticate the REGISTER requests<br>
if (!www_authorize("", "subscriber")) {<br>
xlog("L_ERR","Auth error for $fU@$fd from $si");<br>
www_challenge("", "0");<br>
exit;<br>
}<br>
<br>
<br>
So when the device tries to register with a wrong password/username i<br>
will log the errors. After that I still have to do the fail2ban<br>
script, but that's quite easy.<br>
I'd like to know your opinion about this.<br>
<br>
Thanks<br>
<br></div></div><div class="im">
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
</div></tt><div class="im"><tt><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></tt><tt><br>
</tt><br>
</div><p></p></div>
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
<br></blockquote></div><br></div>