[OpenSIPS-Users] OpenSIPs w/ Fail2Ban - Change Log File (HOW TO)

Donat Zenichev donat.zenichev at gmail.com
Mon Feb 15 11:48:28 EST 2021

Good day Rick.
I'm not totally sure I understand what you mean correctly, but,
I think that you might misunderstand the concept of producing logs in your
scenario a bit.

First of all, the function 'www_challenge()' doesn't produce logs on its
own, nor 'www_authorize()' does it.
Functions only can return the code (return code in terms of programming).

For e.g. 'www_challenge()' function returns -1 when it tries to challenge a
user (to let it send credentials using WWW-Authorize header) and
eventually fails to do that due to certain reasons (for e.g. failed to
generate nonce, or failed to send out a 401 response etc.).
Otherwise if everything is good, it returns 0 - which means everything is
due to a plan,
401 challenge is sent out and we wait for a re-sending of REGISTER with
credentials encrypted (using nonce, and a list of other parameters and md5

'www_authorize()' function in its turn has a list of return codes, which
you can find here:
Basically you are interested in the fact, that a return code is not
negative, otherwise something is wrong with an authentication and you
should not let this user pass through.

You use the '$rc' (in 2.4 branch was '$retcode') pseudo variable (which is
pre-defined) in order to get the last returned code, of the last invoked
Here is an example of how dramatically simplified functionality could look
if (!www_authorize("", "subscriber")) {
    switch ($rc) {
        case -1:
            xlog("L_NOTICE", "Authentication error for $si port:$sp, not
found \n");
        case -2:
            xlog("L_NOTICE", "Authentication error for $si port:$sp, wrong
password given \n");
    www_challenge("", "0");

Note please, this is just an example, which shows the basic concept how it
works and shouldn't be copy-pasted into any production environment.
I underline this - just an example which was not even tested, because I
have written this on the go while answering you.

So as you can see, the log rows are being produced with a help of xlog()
function and not www_authorize()/www_challenge().
xlog() does it based on the previously returned code.
Further logic is only restricted with a creativity you can apply to it.

Please note also, that your logs will be produced to the log-file which is
correlated with the log facility, which you set by 'log_facility='
For e.g. if you have previously configured (with rsyslog) that log facility
7 produces logs to opensips.log,
then you are ought to use it then in the opensips's preprocessor directive
like that:
Thus opensips will send logs to log facility 7, which in its turn directs
logs to opensips.log. I hope it's clear for understanding.

What relates to Fail2Ban and how it uses these logs then in order to ban
You need to firstly define a jail object for it (in jail.conf), which can
look something like that (only an example):
enabled  = true
filter   = some_name_here
action   = some_name_here[name=opensips, protocol=all]
logpath  = /var/log/opensips.log
maxretry = 10
bantime = 9999999
findtime = 500

Then you need to let fail2ban know which regular expressions to use for
that (syntax for f2b seems to be PCRE), regular expressions definitions are
located in 'filter.d' directory.
You need to place a new file here with some name defined (same as you
pointed in the 'filter=' parameter of the jail.conf), you place the regex
under the [Definition] section.
An example:
failregex = ^.*Auth error for '<HOST>'.*, .*$

And also, do not forget to add an actions configuration in the 'action.d'
folder, you add a new file here with some name
(which correlates with name pointed in the 'action=' parameter of the
jail.conf), try to surf the web to see how the actions configuration is
usually configured.
Here you can play with that and configure it to act as you want.
This becomes even more powerful if you use some external functionality
written in whatever language (for e.g. python).

What relates to your question:
>> And when I change the Code like the TO: section above OpenSIPS will not
start because it says Error in Config File it cannot load opensips.

Read the log output in the syslog, or if you log into a different log file,
then you use it - in order to see where the syntax error is.
Usually it's something relatively obvious.

Note however, this is just an example, and you should not copy-paste it
into your production configurations.
I just show a basic concept of how it works. For more details read Wiki of
the OpenSIPS project elaborately.

And no, there is no magic pill which will make everything in your setup
working right away.
It's open-source, and people help here just because they want to facilitate
each other.

Best regards.

On Sat, Feb 13, 2021 at 1:20 PM Rick McGill - ₪ <rick at netrovoip.com> wrote:

> Dear OpenSIPs Community,
> My goal for this topic is to get OpenSIPS 3.1 logging to a new file
> OpenSIPs.log and then have Fail2Ban monitoring that log file for failed
> login attempts by IP addresses.
> I’m running OpenSIPS 3.1 on Debain 10.7
> The Directions in the URL below are valid for OpenSIPS up to version 2.4
> But with OpenSIPS 3.1 it is different as they do not use
>  www_challenge("",
> "0");   but   www_challenge("", "auth");   Instead.
> The difference is the '0' in OpenSIPS 2.4 and the  'auth' in OpenSIPS 3.1
> Same like the instructions in URL link below.
> It is obvious that the code in the needs to be tweaked to work with but all
> my attempts to make the edits to the /etc/opensips/opensips.cfg only makes
> OpenSIPs unable to load because of bad config file.
> My question is... Where can I go for the source to find out what
> www_challenge codes I should use for different login results to log?
> Or more end result question... How should I change the directions in 2.4
> document to work with a OpenSIPS 3.1 opensips.cfg file?
> ----------------------------------------------------------------------------
> -------------------------------------------
> Rick McGill – CEO
> Rick at NetroVOIP.com     |     Rick at NetropolitanWorks.com
> Thailand: +66-2105-4262  x1001  |   USA: +1-737-237-2030   |    Mobile:
> +66-85557-3000
> Support:: +66-97047-2000  |  SKYPE & LINE ID:  NetroVOIP  |
> Support at NetroVOIP.com
>   ₪  www.NetroVOIP.com  Telecommunications / Video Consulting & Solutions
> Provider
> ----------------------------------------------------------------------------
> ----------------------------------------------
> https://www.opensips.org/Documentation/Tutorials
> Document 28.  OpenSIPS and fail2ban (Direction for OpenSIPS ver 2.4)
> This is a small tutorial so you can use fail2ban together with opensips to
> block via firewall the attackers that are using wrong authentication
> credentials
> https://www.opensips.org/Documentation/Tutorials-Fail2Ban
> The is what is in the link above:
> -------
> from:
> ----------------------------------------------------------------------------
> ------
>  if (!www_authorize("", "subscriber")) {
>         www_challenge("", "0");
>         exit;
> }
> ----------------------------------------------------------------------------
> ----
> ----
> To:
> ----------------------------------------------------------------------------
> -----
> $var(auth_code) = www_authorize("", "subscriber");
> if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
>                 xlog("L_NOTICE","Auth error for $fU@$fd from $si cause
> $var(auth_code)");
> }
> if ( $var(auth_code) < 0 ) {
>                 www_challenge("", "0");
>                 exit;
> }
> ----------------------------------------------------------------------------
> ----
> The issue is that my new install of OpenSIP has code a bit different.
> Instead of "0" it has "AUTH".
> And when I change the Code like the TO: section above OpenSIPS will not
> start because it says Error in Config File it cannot load opensips.
> ------------
> This is what the default code looks like in the opensips.cfg for OpenSIPS
> 3.1 after a new fresh install like I have:   Notice that www_challenger is
> "auth" and not "0"   I have tried to enter it as '0" as per the
> instructions
> in URL link above but that is when it then causes OpenSIPS to not be able
> to
> restart.
> ----------------------------------------------------------------------------
> ----
>         if (is_method("REGISTER")) {
>                 # authenticate the REGISTER requests
>                 if (!www_authorize("", "subscriber")) {
>                         www_challenge("", "auth");
>                         exit;
>                 }
> ----------------------------------------------------------------------------
> ----
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users


Best regards,
Donat Zenichev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20210215/00573dc8/attachment.html>

More information about the Users mailing list