[OpenSIPS-Users] OpenSIPs w/ Fail2Ban - Change Log File (HOW TO)

Rick McGill - ₪ rick at netrovoip.com
Sat Feb 27 08:26:38 EST 2021


Dear Donat,

Finally got OpenSIPS failed auth or logins logging into the dedicated opensips.log file.
Also now Fail2Ban is catching the failed auth login attempts and working well.

As you mentioned a couple of times, "do not just copy and paste".
I went through the directions for OpenSIPs 2.4 Fail2Ban and corrected and cleaned up the code a bit so it would work with 3.1.
My biggest error was a very small character that I copied and pasted from the OpenSIPs 2.4 Fail2Ban documentation page.   It was such a small character I almost did not even see it.   But it was causing an error in my opensips.cfg file which caused opensips not to start.

All is well now.   Thanks for your help and pointed replies.

/var/log/opensips.log
Feb 27 15:17:14 sip /usr/sbin/opensips[13974]: Auth error for 100 at sip.netrovoip.com from 10.1.10.201 cause -2
Feb 27 15:17:14 sip /usr/sbin/opensips[13973]: Auth error for 100 at sip.netrovoip.com from 10.1.10.201 cause -2
Feb 27 15:17:18 sip /usr/sbin/opensips[13972]: Auth error for 100 at sip.netrovoip.com from 10.1.10.201 cause -2
Feb 27 15:17:18 sip /usr/sbin/opensips[13971]: Auth error for 100 at sip.netrovoip.com from 10.1.10.201 cause -2
Feb 27 15:17:26 sip /usr/sbin/opensips[13974]: Auth error for 100 at sip.netrovoip.com from 10.1.10.201 cause -2
Feb 27 15:17:26 sip /usr/sbin/opensips[13974]: Auth error for 100 at sip.netrovoip.com from 10.1.10.201 cause -2


Regards,  Rick

-----------------------------------------------------------------------------------------------------------------------------
Rick McGill – CEO
mailto:Rick at NetroVOIP.com     |     mailto:Rick at NetropolitanWorks.com 
Thailand: +66-2105-4262  x1001  |   USA: +1-737-237-2030   |    Mobile: +66-85557-3000
Support:: +66-97047-2000  |  SKYPE & LINE ID:  NetroVOIP  | Support at NetroVOIP.com
http://www.netrovoip.com/  Telecommunications / Video Consulting & Solutions Provider
------------------------------------------------------------------------------------------------------------------------------

-----Original Message-----
From: Rick McGill - ₪ <rick at netrovoip.com> 
Sent: Monday, February 22, 2021 4:11 PM
To: 'OpenSIPS users mailling list' <users at lists.opensips.org>
Subject: RE: [OpenSIPS-Users] OpenSIPs w/ Fail2Ban - Change Log File (HOW TO)

Dear Donat,

Sorry for the delay replying to your response.

I know we kind of jumped into this OpenSIPs world feet first and are going through a big learning curve.
Sorry if I have asked a bit too much or my questions are very newbie style.

Just FYI.
Before sending out this email I had pretty much already got all the logging working and changed to /var/log/opensips.log, and configured/programmed Fail2Ban to monitor the opensips.log.
Failed login attempts are currently not being logged, I believe, in that opensips.log though.

Thanks for the links for OpenSIPs 2.5 return codes.   I think that will help a lot and I will try a few edits to the code and see if I can get it to log failed OpenSIPs registration failures.
If I get it working correctly I will make some documentation so we can put it in the online Wiki to update it for OpenSIPs 2.5

I really do appreciate your detailed replies and information and hopefully we will get to a point where we can start to help others here also.

Regards,  Rick



From: Users <users-bounces at lists.opensips.org> On Behalf Of Donat Zenichev
Sent: Monday, February 15, 2021 6:48 PM
To: OpenSIPS users mailling list <users at lists.opensips.org>
Subject: Re: [OpenSIPS-Users] OpenSIPs w/ Fail2Ban - Change Log File (HOW TO)

Good day Rick.
I'm not totally sure I understand what you mean correctly, but, I think that you might misunderstand the concept of producing logs in your scenario a bit.

First of all, the function 'www_challenge()' doesn't produce logs on its own, nor does 'www_authorize()'.
Functions can only return a code (a return code, in programming terms).

E.g. the 'www_challenge()' function returns -1 when it tries to challenge a user (to let it send credentials using the WWW-Authorize header) and eventually fails to do that for certain reasons (e.g. failed to generate a nonce, or failed to send out a 401 response, etc.).
Otherwise, if everything is good, it returns 0, which means everything is going according to plan:
the 401 challenge is sent out and we wait for a re-sending of the REGISTER with credentials encrypted (using the nonce, a list of other parameters and the md5 algorithm).

'www_authorize()' function in its turn has a list of return codes, which you can find here:
https://opensips.org/html/docs/modules/3.1.x/auth_db.html#func_www_authorize
Basically you are interested in the fact that the return code is not negative; otherwise something is wrong with the authentication and you should not let this user pass through.

You use the '$rc' (in the 2.4 branch it was '$retcode') pseudo variable (which is pre-defined) in order to get the last returned code of the last invoked function.
Here is an example of how dramatically simplified functionality could look:
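if (!www_authorize("", "subscriber")) {
    # $rc holds the return code of the last function called (www_authorize)
    switch ($rc) {
        case -1:
            xlog("L_NOTICE", "Authentication error for $si port:$sp, not found \n");
            break;
        case -2:
            xlog("L_NOTICE", "Authentication error for $si port:$sp, wrong password given \n");
            break;
    }
    # OpenSIPS 3.1 takes the qop as a string ("auth"), as in the default 3.1 config quoted below
    www_challenge("", "auth");
    exit;
}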

Please note, this is just an example, which shows the basic concept of how it works and shouldn't be copy-pasted into any production environment.
I underline this - just an example which was not even tested, because I have written this on the go while answering you.

So as you can see, the log rows are being produced with the help of the xlog() function and not www_authorize()/www_challenge().
xlog() does it based on the previously returned code.
Further logic is restricted only by the creativity you can apply to it.

Please note also that your logs will be written to the log file which is correlated with the log facility, which you set with the 'log_facility=' parameter.
E.g. if you have previously configured (with rsyslog) that log facility 7 produces logs to opensips.log, then you ought to use it in the opensips preprocessor directive like this:
'log_facility=LOG_LOCAL7'
Thus opensips will send logs to log facility 7, which in its turn directs logs to opensips.log. I hope it's clear.

As for Fail2Ban and how it then uses these logs in order to ban someone:
You first need to define a jail object for it (in jail.conf), which can look something like this (only an example):
[opensips]
enabled  = true
filter   = some_name_here
action   = some_name_here[name=opensips, protocol=all]
logpath  = /var/log/opensips.log
maxretry = 10
bantime = 9999999
findtime = 500

Then you need to let fail2ban know which regular expressions to use for that (syntax for f2b seems to be PCRE); regular expression definitions are located in the 'filter.d' directory.
You need to place a new file there with some name defined (the same as you pointed to in the 'filter=' parameter of the jail.conf), and you place the regex under the [Definition] section.
An example:
failregex = ^.*Auth error for '<HOST>'.*, .*$

And also, do not forget to add an actions configuration in the 'action.d' folder: you add a new file there with some name (which correlates with the name pointed to in the 'action=' parameter of the jail.conf). Try to surf the web to see how the actions configuration is usually configured.
Here you can play with that and configure it to act as you want.
This becomes even more powerful if you use some external functionality written in whatever language (e.g. python).

As for your question:
>> And when I change the Code like the TO: section above OpenSIPS will not start because it says Error in Config File it cannot load opensips.

Read the log output in the syslog, or if you log into a different log file, then you use it - in order to see where the syntax error is.
Usually it's something relatively obvious.

Note however, this is just an example, and you should not copy-paste it into your production configurations.
I just show a basic concept of how it works. For more details read the Wiki of the OpenSIPS project thoroughly.

And no, there is no magic pill which will make everything in your setup work right away.
It's open-source, and people help here just because they want to facilitate each other.

Best regards.


On Sat, Feb 13, 2021 at 1:20 PM Rick McGill - ₪ <mailto:rick at netrovoip.com> wrote:
Dear OpenSIPs Community,

My goal for this topic is to get OpenSIPS 3.1 logging to a new file OpenSIPs.log and then have Fail2Ban monitoring that log file for failed login attempts by IP addresses.
I’m running OpenSIPS 3.1 on Debian 10.7

The directions in the URL below are valid for OpenSIPS up to version 2.4.
But with OpenSIPS 3.1 it is different, as they do not use   www_challenge("", "0");   but   www_challenge("", "auth");   instead.
The difference is the '0' in OpenSIPS 2.4 and the 'auth' in OpenSIPS 3.1.

Same like the instructions in URL link below.

It is obvious that the code in the needs to be tweaked to work with but all my attempts to make the edits to the /etc/opensips/opensips.cfg only makes OpenSIPs unable to load because of bad config file.

My question is... Where can I go for the source to find out what www_challenge codes I should use for different login results to log?
Or, as more of an end-result question... How should I change the directions in the 2.4 document to work with an OpenSIPS 3.1 opensips.cfg file?


https://www.opensips.org/Documentation/Tutorials  

Document 28.  OpenSIPS and fail2ban (Direction for OpenSIPS ver 2.4) This is a small tutorial so you can use fail2ban together with opensips to block via firewall the attackers that are using wrong authentication credentials

https://www.opensips.org/Documentation/Tutorials-Fail2Ban 

This is what is in the link above:

-------
from:
----------------------------------------------------------------------------------

if (!www_authorize("", "subscriber")) {
        www_challenge("", "0");
        exit;
}
--------------------------------------------------------------------------------

----
To:
---------------------------------------------------------------------------------

$var(auth_code) = www_authorize("", "subscriber");
if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
        xlog("L_NOTICE","Auth error for $fU@$fd from $si cause $var(auth_code)");
}
if ( $var(auth_code) < 0 ) {
        www_challenge("", "0");
        exit;
}
--------------------------------------------------------------------------------

The issue is that my new install of OpenSIPS has code a bit different.
Instead of "0" it has "AUTH".
And when I change the code like the TO: section above, OpenSIPS will not start because it says Error in Config File it cannot load opensips.

------------
This is what the default code looks like in the opensips.cfg for OpenSIPS 3.1 after a new fresh install like I have:   Notice that www_challenge is "auth" and not "0".   I have tried to enter it as "0" as per the instructions in the URL link above, but that is when it then causes OpenSIPS to not be able to restart.
--------------------------------------------------------------------------------
        if (is_method("REGISTER")) {
                # authenticate the REGISTER requests
                if (!www_authorize("", "subscriber")) {
                        www_challenge("", "auth");
                        exit;
                }
--------------------------------------------------------------------------------







-- 

Best regards,
Donat Zenichev
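
A way to check a filter against the log before relying on the jail, as an added example that is not code from the thread or from fail2ban: it runs the example failregex from the reply and a candidate regex over the log lines from the top post, then applies the maxretry/findtime counting from the example jail. The helper names, the CANDIDATE regex, the IPv4-only stand-in for fail2ban's <HOST> tag and the year 2021 are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Log lines in the format shown in the post (the list archive renders "@" as " at ").
SAMPLE_LOG = """\
Feb 27 15:17:14 sip /usr/sbin/opensips[13974]: Auth error for 100 at sip.netrovoip.com from 10.1.10.201 cause -2
Feb 27 15:17:14 sip /usr/sbin/opensips[13973]: Auth error for 100 at sip.netrovoip.com from 10.1.10.201 cause -2
Feb 27 15:17:18 sip /usr/sbin/opensips[13972]: Auth error for 100 at sip.netrovoip.com from 10.1.10.201 cause -2
Feb 27 15:17:18 sip /usr/sbin/opensips[13971]: Auth error for 100 at sip.netrovoip.com from 10.1.10.201 cause -2
Feb 27 15:17:26 sip /usr/sbin/opensips[13974]: Auth error for 100 at sip.netrovoip.com from 10.1.10.201 cause -2
Feb 27 15:17:26 sip /usr/sbin/opensips[13974]: Auth error for 100 at sip.netrovoip.com from 10.1.10.201 cause -2
"""

# Simplification: fail2ban's <HOST> also accepts IPv6 and hostnames; IPv4 only here.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

THREAD_EXAMPLE = r"^.*Auth error for '<HOST>'.*, .*$"  # example regex from the reply
# Assumed candidate for the "Auth error for ... from $si cause ..." xlog line;
# anchored at the end so the address is read from the trailing fields.
CANDIDATE = r"Auth error for .+ from <HOST> cause -\d+\s*$"

def failures(log_text, failregex, year=2021):
    """Return (timestamp, host) for every log line the filter matches."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    found = []
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            # syslog timestamps carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            found.append((ts, m.group("host")))
    return found

def banned_hosts(events, maxretry, findtime):
    """Hosts reaching maxretry failures within any findtime-second window."""
    recent, banned = defaultdict(deque), set()
    for ts, host in sorted(events):
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return banned

if __name__ == "__main__":
    for name, rx in (("thread example", THREAD_EXAMPLE), ("candidate", CANDIDATE)):
        hits = failures(SAMPLE_LOG, rx)
        print(name, len(hits), "matches; banned:", banned_hosts(hits, 10, 500))
```
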




