[OpenSIPS-Users] Log authentication errors

Joan aseques at gmail.com
Mon Aug 30 13:07:42 CEST 2010


Ok, I finally got all the pieces together. I wanted to create a new page on
the wiki with the information, but I couldn't find the place to register.

Shall I post it here so someone with the rights can create the page? Or can
someone point me to the page so I can register to edit the wiki.

2010/8/27 <Kennard_White at logitech.com>

> Hi Joan,
>
> Interesting idea. There are a few edge-cases you might want to consider:
>
> 1. A legitimate client will have periodic auth failure due to expired nonce
> serialization (see "nonce_expire" parameter). This is expected behavior when
> the nonce cached by a client is expired (by default every 30sec). The return
> code -3 from www_authorize() indicates this case, and the reply to client
> has stale=1 parameter.
>
> 2. Similar to above, a legitimate client will have auth failure due to
> nonce serialization (see "disable_nonce_check" parameter). This also has a
> -3 return code; however, the response back to the client does NOT have the
> stale=1 parameter.
>
> 3. Generally the "first" request doesn't have any credentials at all
> (because client doesn't have a nonce), and probably isn't an "attack".
> Someone else one else suggested searching for "Authorization" header field
> to detect this. You can also detect this via the -4 return code.
>
> Thus, I'm suggesting something like:
> $var(auth_code) = www_authorize(...);
>  if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
>  xlog("L_ERR","Auth error for $fU@$fd from $si cause $var(auth_code)");
>  }
>  if ( $var(auth_code) < 0 ) {
>  www_challenge(...);
>  exit;
>  }
>
>
> Also, I wonder if it is possible store the data using db_flatstore. Is
> there an interface to to call db_flatstore's insert method from script land?
> avpops doesn't seem to have an avp_db_insert() method.
>
> Regards,
> Kennard
>
> [image: Inactive hide details for Joan ---08/27/2010 08:25:11 AM---Hello,
> Since some time ago there are plenty of hackers trying to sto]Joan
> ---08/27/2010 08:25:11 AM---Hello, Since some time ago there are plenty of
> hackers trying to stole
>
> From: Joan <aseques at gmail.com>
> To: OpenSIPS users mailling list <users at lists.opensips.org>
> Date: 08/27/2010 08:25 AM
> Subject: [OpenSIPS-Users] Log authentication errors
> Sent by: users-bounces at lists.opensips.org
> ------------------------------
>
>
>
> Hello,
>
> Since some time ago there are plenty of hackers trying to stole
> accounts and bruteforcing passwords. I would like to log all the
> wrong authentications so I can use fail2ban to block those ips.
> I've been reading all the mailing list history and I don't see
> anything related althought is quite interesting.
> I've been trying something and at the moment the best I could do is this:
>
>        if (is_method("REGISTER")) {
>                # authenticate the REGISTER requests
>                if (!www_authorize("", "subscriber")) {
>                        xlog("L_ERR","Auth error for $fU@$fd from $si");
>                        www_challenge("", "0");
>                        exit;
>                }
>
>
> So when the device tries to register with a wrong password/username i
> will log  the errors. After that I still have to do the fail2ban
> script, but that's quite easy.
> I'd like to know your opinion about this.
>
> Thanks
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.opensips.org/pipermail/users/attachments/20100830/d49dea0c/attachment.htm 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 105 bytes
Desc: not available
Url : http://lists.opensips.org/pipermail/users/attachments/20100830/d49dea0c/attachment.gif 


More information about the Users mailing list