Hi Joan, Interesting idea. There are a few edge-cases you might want to consider:
1. A legitimate client will have periodic auth failure due to expired nonce
serialization (see "nonce_expire" parameter). This is expected behavior
when the nonce cached by a client is expired (by default every 30sec). The
return code -3 from www_authorize() indicates this case, and the reply to
client has stale=1 parameter.
2. Similar to above, a legitimate client will have auth failure due to
nonce serialization (see "disable_nonce_check" parameter). This also has a
-3 return code; however, the response back to the client does NOT have the
stale=1 parameter.
3. Generally the "first" request doesn't have any credentials at all
(because client doesn't have a nonce), and probably isn't an "attack".
Someone else one else suggested searching for "Authorization" header field
to detect this. You can also detect this via the -4 return code.
Thus, I'm suggesting something like:
$var(auth_code) = www_authorize(...);
if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
xlog("L_ERR","Auth error for $...@$fd from $si cause $var
(auth_code)");
}
if ( $var(auth_code) < 0 ) {
www_challenge(...);
exit;
}
Also, I wonder if it is possible store the data using db_flatstore. Is
there an interface to to call db_flatstore's insert method from script
land? avpops doesn't seem to have an avp_db_insert() method.
Regards,
Kennard
From: Joan <[email protected]>
To: OpenSIPS users mailling list <[email protected]>
Date: 08/27/2010 08:25 AM
Subject: [OpenSIPS-Users] Log authentication errors
Sent by: [email protected]
Hello,
Since some time ago there are plenty of hackers trying to stole
accounts and bruteforcing passwords. I would like to log all the
wrong authentications so I can use fail2ban to block those ips.
I've been reading all the mailing list history and I don't see
anything related althought is quite interesting.
I've been trying something and at the moment the best I could do is this:
if (is_method("REGISTER")) {
# authenticate the REGISTER requests
if (!www_authorize("", "subscriber")) {
xlog("L_ERR","Auth error for $...@$fd from $si");
www_challenge("", "0");
exit;
}
So when the device tries to register with a wrong password/username i
will log the errors. After that I still have to do the fail2ban
script, but that's quite easy.
I'd like to know your opinion about this.
Thanks
_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
<<inline: graycol.gif>>
_______________________________________________ Users mailing list [email protected] http://lists.opensips.org/cgi-bin/mailman/listinfo/users
