[OpenSIPS-Users] OpenSIPs w/ Fail2Ban - Change Log File (HOW TO)

Rick McGill - ₪ rick at netrovoip.com
Mon Feb 22 09:10:31 EST 2021


Dear Donat,

Sorry for the delay replying to your response.

I know we kind of jumped into this OpenSIPs world feet first and are going through a big learning curve.
Sorry if I have asked a bit too much or my questions are very newbie style.

Just FYI.
Before sending out this email I pretty much already had all the logging working, changed to /var/log/opensips.log, and had configured/programmed Fail2Ban to monitor opensips.log.
Failed login attempts are currently not being logged in that opensips.log though, I believe.

Thanks for the links for OpenSIPs 2.5 return codes. I think that will help a lot, and I will try a few edits to the code and see if I can get it to log failed OpenSIPs registrations.
If I get it working correctly I will make some documentation so we can put it in the online Wiki to update it for OpenSIPs 2.5.

I really do appreciate your detailed replies and information and hopefully we will get to a point where we can start to help others here also.

Regards, Rick


-----------------------------------------------------------------------------------------------------------------------------
Rick McGill – CEO
mailto:Rick at NetroVOIP.com     |     mailto:Rick at NetropolitanWorks.com
Thailand: +66-2105-4262  x1001  |   USA: +1-737-237-2030   |    Mobile: +66-85557-3000
Support: +66-97047-2000  |  SKYPE & LINE ID:  NetroVOIP  |  Support at NetroVOIP.com
http://www.netrovoip.com/  Telecommunications / Video Consulting & Solutions Provider
------------------------------------------------------------------------------------------------------------------------------

From: Users <users-bounces at lists.opensips.org> On Behalf Of Donat Zenichev
Sent: Monday, February 15, 2021 6:48 PM
To: OpenSIPS users mailling list <users at lists.opensips.org>
Subject: Re: [OpenSIPS-Users] OpenSIPs w/ Fail2Ban - Change Log File (HOW TO)

Good day Rick.
I'm not totally sure I understand what you mean correctly, but,
I think that you might misunderstand the concept of producing logs in your scenario a bit.

First of all, the function 'www_challenge()' doesn't produce logs on its own, and neither does 'www_authorize()'.
Functions can only return a code (a return code, in programming terms).

For example, the 'www_challenge()' function returns -1 when it tries to challenge a user (to let it send credentials using the WWW-Authorize header) and
eventually fails to do that for certain reasons (for example, it failed to generate a nonce, or failed to send out a 401 response, etc.).
Otherwise, if everything is good, it returns 0, which means everything is going according to plan:
a 401 challenge is sent out and we wait for a re-send of the REGISTER with credentials encrypted (using the nonce, a list of other parameters and the md5 algorithm).

'www_authorize()', in its turn, has a list of return codes, which you can find here:
https://opensips.org/html/docs/modules/3.1.x/auth_db.html#func_www_authorize
Basically you are interested in the fact that the return code is not negative; otherwise something is wrong with the authentication and you should not let this user pass through.

You use the '$rc' pseudo-variable (in the 2.4 branch it was '$retcode'), which is pre-defined, in order to get the last returned code of the last invoked function.
Here is an example of how a dramatically simplified version of the functionality could look:
if (!www_authorize("", "subscriber")) {
    # $rc is the return code of the last called function, here www_authorize();
    # the labels follow the auth_db documentation linked above
    switch ($rc) {
        case -1:
            xlog("L_NOTICE", "Authentication error for $si port:$sp, generic error \n");
            break;
        case -2:
            xlog("L_NOTICE", "Authentication error for $si port:$sp, wrong password given \n");
            break;
        case -3:
            xlog("L_NOTICE", "Authentication error for $si port:$sp, user not found \n");
            break;
    }
    # OpenSIPS 3.1 syntax: the second argument is the qop value ("auth"), not "0"
    www_challenge("", "auth");
    exit;
}

Please note, this is just an example which shows the basic concept of how it works and shouldn't be copy-pasted into any production environment.
I underline this: just an example which was not even tested, because I wrote it on the go while answering you.

So as you can see, the log rows are produced with the help of the xlog() function and not by www_authorize()/www_challenge().
xlog() does it based on the previously returned code.
Further logic is restricted only by the creativity you can apply to it.

Please note also that your logs will be produced to the log file which is correlated with the log facility, which you set by the 'log_facility=' parameter.
For example, if you have previously configured (with rsyslog) that log facility 7 produces logs to opensips.log,
then you ought to use it in opensips's preprocessor directive like this:
'log_facility=LOG_LOCAL7'
Thus opensips will send logs to log facility 7, which in its turn directs logs to opensips.log. I hope it's clear.

As for Fail2Ban and how it then uses these logs in order to ban someone:
You need to first define a jail for it (in jail.conf), which can look something like this (only an example):
[opensips]
enabled  = true
filter   = some_name_here
action   = some_name_here[name=opensips, protocol=all]
logpath  = /var/log/opensips.log
maxretry = 10
bantime  = 9999999
findtime = 500

Then you need to let fail2ban know which regular expressions to use for that (the syntax for f2b seems to be PCRE); the regular expression definitions are located in the 'filter.d' directory.
You need to place a new file there with some name (the same as you specified in the 'filter=' parameter of jail.conf), and you place the regex under the [Definition] section.
An example:
failregex = ^.*Auth error for '<HOST>'.*, .*$

And also, do not forget to add an action configuration in the 'action.d' folder; you add a new file there with some name
(which correlates with the name specified in the 'action=' parameter of jail.conf). Try to surf the web to see how action configurations are usually written.
Here you can play with that and configure it to act as you want.
This becomes even more powerful if you use some external functionality written in whatever language (for example, python).

As for your question:
>> And when I change the Code like the TO: section above OpenSIPS will not start because it says Error in Config File it cannot load opensips.

Read the log output in the syslog, or if you log into a different log file, then use that, in order to see where the syntax error is.
Usually it's something relatively obvious.

Note however, this is just an example, and you should not copy-paste it into your production configurations.
I just show the basic concept of how it works. For more details, read the OpenSIPS project Wiki thoroughly.

And no, there is no magic pill which will make everything in your setup working right away.
It's open-source, and people help here just because they want to facilitate each other.

Best regards.


On Sat, Feb 13, 2021 at 1:20 PM Rick McGill - ₪ <mailto:rick at netrovoip.com> wrote:
Dear OpenSIPs Community,

My goal for this topic is to get OpenSIPS 3.1 logging to a new file
OpenSIPs.log and then have Fail2Ban monitoring that log file for failed
login attempts by IP address.
I'm running OpenSIPS 3.1 on Debian 10.7.

The directions in the URL below are valid for OpenSIPS up to version 2.4,
but with OpenSIPS 3.1 it is different, as it does not use www_challenge("", "0");
but www_challenge("", "auth"); instead.
The difference is the '0' in OpenSIPS 2.4 and the 'auth' in OpenSIPS 3.1.

Same as the instructions in the URL link below.

It is obvious that the code in the tutorial needs to be tweaked to work with 3.1, but all
my attempts to make the edits to /etc/opensips/opensips.cfg only make
OpenSIPs unable to load because of a bad config file.

My question is... Where can I go for the source to find out what
www_challenge codes I should use for different login results to log?
Or, the more end-result question... How should I change the directions in the 2.4
document to work with an OpenSIPS 3.1 opensips.cfg file?


https://www.opensips.org/Documentation/Tutorials  

Document 28.  OpenSIPS and fail2ban (Direction for OpenSIPS ver 2.4)
This is a small tutorial so you can use fail2ban together with opensips to
block via firewall the attackers that are using wrong authentication
credentials

https://www.opensips.org/Documentation/Tutorials-Fail2Ban 

This is what is in the link above:

-------
from:
--------------------------------------------------------------------------------

if (!www_authorize("", "subscriber")) {
    www_challenge("", "0");
    exit;
}
--------------------------------------------------------------------------------

----
To:
--------------------------------------------------------------------------------

$var(auth_code) = www_authorize("", "subscriber");
if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
    xlog("L_NOTICE","Auth error for $fU@$fd from $si cause $var(auth_code)");
}
if ( $var(auth_code) < 0 ) {
    www_challenge("", "0");
    exit;
}
--------------------------------------------------------------------------------

The issue is that my new install of OpenSIPS has slightly different code.
Instead of "0" it has "auth".
And when I change the code like the TO: section above, OpenSIPS will not
start because it says Error in Config File, it cannot load opensips.

------------
This is what the default code looks like in the opensips.cfg for OpenSIPS
3.1 after a new fresh install like I have. Notice that www_challenge is
"auth" and not "0". I have tried to enter it as "0" as per the instructions
in the URL link above, but that is when it causes OpenSIPS to not be able to
restart.
--------------------------------------------------------------------------------
        if (is_method("REGISTER")) {
                # authenticate the REGISTER requests
                if (!www_authorize("", "subscriber")) {
                        www_challenge("", "auth");
                        exit;
                }
--------------------------------------------------------------------------------





_______________________________________________
Users mailing list
mailto:Users at lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users


-- 

Best regards,
Donat Zenichev
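Tying the thread together, an added example that is not from the thread, the 2.4 tutorial, or the OpenSIPS project: the tutorial's "To:" block rewritten in the OpenSIPS 3.1 syntax visible in the default config quoted above, using $rc as Donat describes instead of assigning the function's return value to $var(auth_code). It assumes the auth_db and xlog modules are loaded and the "subscriber" table exists, as in the default opensips.cfg; the meanings of the codes (-2 invalid password, -3 invalid username, and a separate code for a request that carries no credentials) are taken from the auth_db documentation linked in the thread, and the exact wording of the log line is my own choice.

```cfg
# Added example, not from the thread or the OpenSIPS tutorial: the 2.4
# fail2ban tutorial's "To:" block in OpenSIPS 3.1 syntax. Assumes the
# auth_db and xlog modules are loaded and the "subscriber" table exists,
# as in the default opensips.cfg quoted in the thread.
if (is_method("REGISTER")) {
    # authenticate the REGISTER requests
    if (!www_authorize("", "subscriber")) {
        # $rc holds the return code of the last called function, here
        # www_authorize(). Per the auth_db docs linked in the thread,
        # -2 is an invalid password and -3 an invalid username. A REGISTER
        # with no Authorization header at all gets its own code; that is
        # the normal first step of every registration, so it must not be
        # logged as a failure or fail2ban would ban legitimate phones after
        # maxretry registrations.
        if ($rc == -2 || $rc == -3) {
            # one line, one fixed shape, so a fail2ban failregex can key on it
            xlog("L_NOTICE", "Auth error for $fU@$fd from $si cause $rc\n");
        }
        # 3.1 form of the challenge: the second argument is the qop value
        # "auth", not the "0" used by the 2.4 tutorial
        www_challenge("", "auth");
        exit;
    }
    # ... rest of the default REGISTER handling unchanged
}
```

Two checks before trusting it: log_level must be at least 2 (L_NOTICE) or the xlog() line is never emitted, and log_facility must match the rsyslog rule that writes /var/log/opensips.log, as Donat describes, or the line goes to syslog instead of the file fail2ban reads. One caveat: $si is the transport-layer source address, which is what fail2ban will firewall; behind a NAT or an SBC, one address can carry many phones, and a ban triggered by one of them blocks all of them.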
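A second added example, mine and not from the thread or the fail2ban project: before a failregex goes into filter.d, run it over a few constructed log lines and replay the jail's maxretry/findtime counting, so you can see which source addresses would actually be banned (and that a code for a request with no credentials is not counted). It assumes the log line produced by the xlog() call in the previous example, prefixed by rsyslog's usual "<date> <host> <tag>: ", and expands <HOST> the way fail2ban 0.9.x does; fail2ban 0.10 and later use a more elaborate <HOST> pattern, so treat the expansion as an approximation and use fail2ban-regex against the real file as the final check.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Iterable, Optional, Set

# Contents of the assumed /etc/fail2ban/filter.d/opensips.conf:
#   [Definition]
#   failregex = ^.*Auth error for \S+ from <HOST> cause -[23]\s*$
#   ignoreregex =
# Only codes -2 (invalid password) and -3 (invalid username) count, so the
# first REGISTER of a normal registration, which carries no credentials and
# gets its own code, never adds a failure for a legitimate client.
FAILREGEX = r"^.*Auth error for \S+ from <HOST> cause -[23]\s*$"

# What fail2ban 0.9.x substitutes for <HOST> (IPv4, IPv4-mapped IPv6, hostname).
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed sample of /var/log/opensips.log (not real traffic; RFC 5737 addresses).
SAMPLE_LINES = [
    "Feb 22 09:10:01 sip1 opensips[1234]: Auth error for 1001@sip.example.com from 203.0.113.5 cause -2",
    "Feb 22 09:10:03 sip1 opensips[1234]: Auth error for 1001@sip.example.com from 203.0.113.5 cause -2",
    "Feb 22 09:10:05 sip1 opensips[1234]: Auth error for admin@sip.example.com from 203.0.113.5 cause -3",
    "Feb 22 09:10:07 sip1 opensips[1234]: Auth error for 1002@sip.example.com from 198.51.100.7 cause -2",
    "Feb 22 09:25:00 sip1 opensips[1234]: Auth error for 1002@sip.example.com from 198.51.100.7 cause -2",
    "Feb 22 09:10:09 sip1 opensips[1234]: Auth error for 1003@sip.example.com from 192.0.2.9 cause -5",
    "Feb 22 09:10:11 sip1 opensips[1234]: registration saved for 1001@sip.example.com",
]


def compile_failregex(failregex: str = FAILREGEX) -> "re.Pattern":
    """Expand <HOST> as fail2ban does and compile the filter line."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def match_host(line: str, regex: Optional["re.Pattern"] = None) -> Optional[str]:
    """Return the source address captured from a failure line, or None if the line is not a failure."""
    regex = regex if regex is not None else compile_failregex()
    m = regex.search(line)
    return m.group("host") if m else None


def syslog_time(line: str, year: int = 2021) -> float:
    """Parse the leading 'Mon DD HH:MM:SS' syslog timestamp; syslog lines carry no year, so one is assumed."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year).timestamp()


def ban_candidates(lines: Iterable[str], maxretry: int = 3, findtime: int = 600, year: int = 2021) -> Set[str]:
    """Replay fail2ban's counting: a host is banned once it has maxretry
    matching failures inside any findtime-second window."""
    regex = compile_failregex()
    failures = defaultdict(list)
    for line in lines:
        host = match_host(line, regex)
        if host is not None:
            failures[host].append(syslog_time(line, year))
    banned = set()
    for host, times in failures.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{match_host(line) or '-':>14}  {line}")
    print("would ban:", sorted(ban_candidates(SAMPLE_LINES)))
```

With the sample above and maxretry=3, findtime=600, only 203.0.113.5 is banned: three matching failures in four seconds. 198.51.100.7 has two failures fifteen minutes apart and stays unbanned, and the "cause -5" line for 192.0.2.9 is not a match at all. Once the regex behaves as expected here, the authoritative check is `fail2ban-regex /var/log/opensips.log /etc/fail2ban/filter.d/opensips.conf` on the real log.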



