Ok, I finally got all the pieces together. I wanted to create a new page on
the wiki with the information, but I couldn't find the place to register.

Shall I post it here so someone with the rights can create the page? Or can
someone point me to the page so I can register to edit the wiki?

2010/8/27 <[email protected]>

> Hi Joan,
>
> Interesting idea. There are a few edge-cases you might want to consider:
>
> 1. A legitimate client will have periodic auth failure due to expired nonce
> serialization (see "nonce_expire" parameter). This is expected behavior when
> the nonce cached by a client is expired (by default every 30sec). The return
> code -3 from www_authorize() indicates this case, and the reply to client
> has stale=1 parameter.
>
> 2. Similar to above, a legitimate client will have auth failure due to
> nonce serialization (see "disable_nonce_check" parameter). This also has a
> -3 return code; however, the response back to the client does NOT have the
> stale=1 parameter.
>
> 3. Generally the "first" request doesn't have any credentials at all
> (because client doesn't have a nonce), and probably isn't an "attack".
> Someone else suggested searching for "Authorization" header field
> to detect this. You can also detect this via the -4 return code.
>
> Thus, I'm suggesting something like:
>
>  $var(auth_code) = www_authorize(...);
>  if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
>      xlog("L_ERR","Auth error for $...@$fd from $si cause $var(auth_code)");
>  }
>  if ( $var(auth_code) < 0 ) {
>      www_challenge(...);
>      exit;
>  }
>
>
> Also, I wonder if it is possible to store the data using db_flatstore. Is
> there an interface to call db_flatstore's insert method from script land?
> avpops doesn't seem to have an avp_db_insert() method.
>
> Regards,
> Kennard
>
> From: Joan <[email protected]>
> To: OpenSIPS users mailling list <[email protected]>
> Date: 08/27/2010 08:25 AM
> Subject: [OpenSIPS-Users] Log authentication errors
> Sent by: [email protected]
> ------------------------------
>
>
>
> Hello,
>
> Since some time ago there are plenty of hackers trying to steal
> accounts and bruteforcing passwords. I would like to log all the
> wrong authentications so I can use fail2ban to block those IPs.
> I've been reading all the mailing list history and I don't see
> anything related, although it is quite interesting.
> I've been trying something and at the moment the best I could do is this:
>
>        if (is_method("REGISTER")) {
>                # authenticate the REGISTER requests
>                if (!www_authorize("", "subscriber")) {
>                        xlog("L_ERR","Auth error for $...@$fd from $si");
>                        www_challenge("", "0");
>                        exit;
>                }
>
>
> So when the device tries to register with a wrong password/username I
> will log the errors. After that I still have to do the fail2ban
> script, but that's quite easy.
> I'd like to know your opinion about this.
>
> Thanks
>
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
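Added example, not part of the original thread and not OpenSIPS or fail2ban code: a log scan that applies the return-code distinction discussed above, counting only causes -1 and -2 per source IP inside a time window and ignoring -3 and -4. The syslog prefix, the thresholds, and every user name and address in the sample are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Message format from the xlog() call suggested in the thread:
#   "Auth error for <user>@<domain> from <source IP> cause <return code>"
# Assumed: a classic syslog timestamp ("Aug 27 08:25:11") starts each line.
# The pattern is anchored at the end and the user part is greedy, so the IP
# and code are always the last ones on the line (written by the server from
# $si and the return code), never text supplied inside the user part.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?Auth error for (?P<user>.*)"
    r" from (?P<ip>[0-9A-Fa-f.:]+) cause (?P<code>-\d+)$"
)
# Only the codes the thread logs as real failures are counted; -3 (nonce
# expired or reused) and -4 (no credentials yet) are normal client traffic.
COUNTED = {-1, -2}

# Constructed sample log; addresses are documentation ranges.
SAMPLE = """\
Aug 27 08:25:11 sip1 opensips[2211]: Auth error for 100@example.test from 203.0.113.9 cause -2
Aug 27 08:25:12 sip1 opensips[2211]: Auth error for 101@example.test from 203.0.113.9 cause -1
Aug 27 08:25:13 sip1 opensips[2211]: Auth error for 102@example.test from 203.0.113.9 cause -1
Aug 27 08:25:40 sip1 opensips[2211]: Auth error for alice@example.test from 198.51.100.7 cause -3
Aug 27 08:26:10 sip1 opensips[2211]: Auth error for alice@example.test from 198.51.100.7 cause -3
Aug 27 08:26:40 sip1 opensips[2211]: Auth error for alice@example.test from 198.51.100.7 cause -4
Aug 27 08:27:00 sip1 opensips[2211]: Auth error for alice@example.test from 198.51.100.7 cause -2
"""

def offenders(lines, max_retry=3, find_time=timedelta(minutes=10), year=2010):
    """Map each IP with >= max_retry counted failures inside find_time
    to the set of users it tried."""
    recent, tried, flagged = defaultdict(deque), defaultdict(set), {}
    for line in lines:
        m = LINE_RE.match(line.rstrip())
        if not m or int(m["code"]) not in COUNTED:
            continue
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()
        tried[m["ip"]].add(m["user"])
        if len(window) >= max_retry:
            flagged[m["ip"]] = tried[m["ip"]]
    return flagged

if __name__ == "__main__":
    for ip, users in offenders(SAMPLE.splitlines()).items():
        print(ip, sorted(users))
```

In the sample, 198.51.100.7 produces four failure lines but only one counted failure, so a client that is merely refreshing its nonce is not flagged.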