[OpenSIPS-Users] Log authentication errors

Kennard_White at logitech.com Kennard_White at logitech.com
Fri Aug 27 18:41:55 CEST 2010


Hi Joan,

Interesting idea. There are a few edge-cases you might want to consider:

1. A legitimate client will have periodic auth failure due to expired nonce
serialization (see "nonce_expire" parameter).  This is expected behavior
when the nonce cached by a client is expired (by default every 30sec). The
return code -3 from www_authorize() indicates this case, and the reply to
client has stale=1 parameter.

2. Similar to above, a legitimate client will have auth failure due to
nonce serialization (see "disable_nonce_check" parameter). This also has a
-3 return code; however, the response back to the client does NOT have the
stale=1 parameter.

3. Generally the "first" request doesn't have any credentials at all
(because client doesn't have a nonce), and probably isn't an "attack".
Someone else suggested searching for "Authorization" header field
to detect this. You can also detect this via the -4 return code.

Thus, I'm suggesting something like:
   $var(auth_code) = www_authorize(...);
   if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
       xlog("L_ERR","Auth error for $fU@$fd from $si cause $var(auth_code)");
   }
   if ( $var(auth_code) < 0 ) {
       www_challenge(...);
       exit;
   }


Also, I wonder if it is possible to store the data using db_flatstore. Is
there an interface to call db_flatstore's insert method from script
land? avpops doesn't seem to have an avp_db_insert() method.

Regards,
Kennard



From:	Joan <aseques at gmail.com>
To:	OpenSIPS users mailling list <users at lists.opensips.org>
Date:	08/27/2010 08:25 AM
Subject:	[OpenSIPS-Users] Log authentication errors
Sent by:	users-bounces at lists.opensips.org



Hello,

Since some time ago there are plenty of hackers trying to steal
accounts and bruteforcing passwords. I would like to log all the
wrong authentications so I can use fail2ban to block those IPs.
I've been reading all the mailing list history and I don't see
anything related, although it is quite interesting.
I've been trying something and at the moment the best I could do is this:

        if (is_method("REGISTER")) {
                # authenticate the REGISTER requests
                if (!www_authorize("", "subscriber")) {
                        xlog("L_ERR","Auth error for $fU@$fd from $si");
                        www_challenge("", "0");
                        exit;
                }
        }


So when the device tries to register with a wrong password/username I
will log the errors. After that I still have to do the fail2ban
script, but that's quite easy.
I'd like to know your opinion about this.

Thanks
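
The log-consumer side of the scheme discussed in this thread, as an added example that is not part of either message: it counts only lines carrying "cause -1" or "cause -2" per source address inside a time window, the way a fail2ban maxretry/findtime pair would. The syslog prefix layout, the sample lines and the function name ips_to_ban are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches only the xlog() line from the reply, and only causes -1 and -2.
# $fU and $fd are taken from the From header, which the sender controls, so
# the address is anchored to the end of the line where $si is written.
FAIL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ opensips\[\d+\]: Auth error for .* "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) cause -[12]$"
)

# Constructed sample lines (timestamp, host name and PID layout are assumed).
SAMPLE_LOG = """\
2010-08-27T18:40:00 sip1 opensips[2101]: Auth error for alice@example.com from 198.51.100.7 cause -2
2010-08-27T18:40:05 sip1 opensips[2101]: Auth error for 100@example.com from 203.0.113.50 cause -1
2010-08-27T18:40:06 sip1 opensips[2101]: Auth error for 101@example.com from 203.0.113.50 cause -1
2010-08-27T18:40:07 sip1 opensips[2101]: Auth error for bob@example.com from 192.0.2.20 cause -3
2010-08-27T18:40:08 sip1 opensips[2101]: Auth error for 102@example.com from 203.0.113.50 cause -1
2010-08-27T18:40:09 sip1 opensips[2101]: Auth error for carol@example.com from 192.0.2.30
2010-08-27T18:55:00 sip1 opensips[2101]: Auth error for alice@example.com from 198.51.100.7 cause -2
"""

def ips_to_ban(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return the source IPs with at least maxretry failures within findtime."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    banned = set()
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue              # stale nonce (-3), no cause field, unrelated line
        ts = datetime.fromisoformat(m.group("ts"))
        window = recent[m.group("ip")]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # drop failures older than the window
        if len(window) >= maxretry:
            banned.add(m.group("ip"))
    return banned

if __name__ == "__main__":
    print(sorted(ips_to_ban(SAMPLE_LOG)))
```
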
