[OpenSIPS-Users] Log authentication errors

Joan aseques at gmail.com
Mon Aug 30 14:07:42 CEST 2010


Hey, I finally was able to open an account in the wiki (it's quite a strange
wiki system though).
In any case I could create this entry:
http://www.opensips.org/PmWiki/Fail2ban

But currently it is not referenced from anywhere; could someone make it
indexable from the wiki content?

And thanks to the people who helped with the code!

2010/8/30 Joan <aseques at gmail.com>

> Ok, I finally got all the pieces together. I wanted to create a new page on
> the wiki with the information, but I couldn't find the place to register.
>
> Shall I post it here so someone with the rights can create the page? Or can
> someone point me to the page so I can register to edit the wiki?
>
> 2010/8/27 <Kennard_White at logitech.com>
>
>> Hi Joan,
>>
>> Interesting idea. There are a few edge-cases you might want to consider:
>>
>> 1. A legitimate client will have periodic auth failure due to expired
>> nonce serialization (see "nonce_expire" parameter). This is expected
>> behavior when the nonce cached by a client is expired (by default every
>> 30sec). The return code -3 from www_authorize() indicates this case, and the
>> reply to client has stale=1 parameter.
>>
>> 2. Similar to above, a legitimate client will have auth failure due to
>> nonce serialization (see "disable_nonce_check" parameter). This also has a
>> -3 return code; however, the response back to the client does NOT have the
>> stale=1 parameter.
>>
>> 3. Generally the "first" request doesn't have any credentials at all
>> (because client doesn't have a nonce), and probably isn't an "attack".
>> Someone else suggested searching for "Authorization" header field
>> to detect this. You can also detect this via the -4 return code.
>>
>> Thus, I'm suggesting something like:
>> $var(auth_code) = www_authorize(...);
>> if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
>>     xlog("L_ERR","Auth error for $fU@$fd from $si cause $var(auth_code)");
>> }
>> if ( $var(auth_code) < 0 ) {
>>     www_challenge(...);
>>     exit;
>> }
>>
>>
>> Also, I wonder if it is possible to store the data using db_flatstore. Is
>> there an interface to call db_flatstore's insert method from script land?
>> avpops doesn't seem to have an avp_db_insert() method.
>>
>> Regards,
>> Kennard
>>
>> From: Joan <aseques at gmail.com>
>> To: OpenSIPS users mailling list <users at lists.opensips.org>
>> Date: 08/27/2010 08:25 AM
>> Subject: [OpenSIPS-Users] Log authentication errors
>> Sent by: users-bounces at lists.opensips.org
>> ------------------------------
>>
>>
>>
>> Hello,
>>
>> Since some time ago there are plenty of hackers trying to steal
>> accounts and bruteforcing passwords. I would like to log all the
>> wrong authentications so I can use fail2ban to block those IPs.
>> I've been reading all the mailing list history and I don't see
>> anything related, although it is quite interesting.
>> I've been trying something and at the moment the best I could do is this:
>>
>>        if (is_method("REGISTER")) {
>>                # authenticate the REGISTER requests
>>                if (!www_authorize("", "subscriber")) {
>>                        # log the failed attempt with the source IP for fail2ban
>>                        xlog("L_ERR","Auth error for $fU@$fd from $si");
>>                        www_challenge("", "0");
>>                        exit;
>>                }
>>        }
>>
>>
>> So when the device tries to register with a wrong password/username I
>> will log the errors. After that I still have to do the fail2ban
>> script, but that's quite easy.
>> I'd like to know your opinion about this.
>>
>> Thanks
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>
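
The return-code filtering discussed in this thread, applied to log lines as an added example (not code from the thread, the wiki page or fail2ban). It parses the "Auth error for ... from ... cause ..." message, counts only causes -1 and -2, and flags an IP after maxretry failures inside findtime; those two names follow fail2ban's jail options, while the syslog prefix, host name and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Message text is the xlog() format from the thread; the syslog prefix is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?Auth error for (?P<user>\S*)@\S* "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: cause (?P<cause>-?\d+))?\s*$"
)
COUNTED = {-1, -2}  # codes the thread's snippet logs; -3 (nonce) and -4 (no credentials) are ignored


def offenders(lines, maxretry=3, findtime=timedelta(minutes=10), year=2010):
    """Map each IP with >= maxretry counted failures inside findtime to the users it tried."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames seen in counted failures
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        # Lines without a cause (the first script version) cannot be classified, so skip them.
        if not m or m["cause"] is None or int(m["cause"]) not in COUNTED:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()
        users[m["ip"]].add(m["user"])
        if len(window) >= maxretry:
            flagged[m["ip"]] = sorted(users[m["ip"]])
    return flagged


# Constructed sample lines (documentation addresses), as if every negative code were logged.
PREFIX = "sip1 opensips[2211]: Auth error for "
SAMPLE = [
    f"Aug 27 08:25:01 {PREFIX}1001@example.com from 192.0.2.10 cause -4",
    f"Aug 27 08:25:31 {PREFIX}1001@example.com from 192.0.2.10 cause -3",
    f"Aug 27 08:26:01 {PREFIX}1001@example.com from 192.0.2.10 cause -3",
    f"Aug 27 08:26:31 {PREFIX}1001@example.com from 192.0.2.10 cause -3",
    f"Aug 27 08:30:00 {PREFIX}100@example.com from 203.0.113.7 cause -1",
    f"Aug 27 08:30:02 {PREFIX}101@example.com from 203.0.113.7 cause -1",
    f"Aug 27 08:30:04 {PREFIX}101@example.com from 203.0.113.7 cause -2",
    f"Aug 27 08:31:00 {PREFIX}1002@example.com from 198.51.100.4 cause -2",
    f"Aug 27 08:45:00 {PREFIX}1002@example.com from 198.51.100.4 cause -2",
    f"Aug 27 09:05:00 {PREFIX}1002@example.com from 198.51.100.4 cause -2",
    f"Aug 27 09:06:00 {PREFIX}1003@example.com from 192.0.2.55",
]

if __name__ == "__main__":
    for ip, tried in offenders(SAMPLE).items():
        print(ip, "tried", ", ".join(tried))
```

The client at 192.0.2.10 that only hits -3 and -4 is never flagged, and neither is 198.51.100.4, whose failures fall outside one findtime window.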