Hey, I was finally able to open an account in the wiki (it's quite a strange wiki system, though). In any case, I could create this entry: http://www.opensips.org/PmWiki/Fail2ban
But currently it is not referenced from anywhere; could someone make it indexable from the wiki content? And thanks to the people who helped with the code!

2010/8/30 Joan <[email protected]>

> Ok, I finally got all the pieces together. I wanted to create a new page on
> the wiki with the information, but I couldn't find the place to register.
>
> Shall I post it here so someone with the rights can create the page? Or can
> someone point me to the page so I can register to edit the wiki.
>
> 2010/8/27 <[email protected]>
>
>> Hi Joan,
>>
>> Interesting idea. There are a few edge-cases you might want to consider:
>>
>> 1. A legitimate client will have periodic auth failure due to expired
>> nonce serialization (see "nonce_expire" parameter). This is expected
>> behavior when the nonce cached by a client is expired (by default every
>> 30sec). The return code -3 from www_authorize() indicates this case, and the
>> reply to client has stale=1 parameter.
>>
>> 2. Similar to above, a legitimate client will have auth failure due to
>> nonce serialization (see "disable_nonce_check" parameter). This also has a
>> -3 return code; however, the response back to the client does NOT have the
>> stale=1 parameter.
>>
>> 3. Generally the "first" request doesn't have any credentials at all
>> (because client doesn't have a nonce), and probably isn't an "attack".
>> Someone else suggested searching for "Authorization" header field
>> to detect this. You can also detect this via the -4 return code.
>>
>> Thus, I'm suggesting something like:
>> $var(auth_code) = www_authorize(...);
>> if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
>>     xlog("L_ERR","Auth error for $...@$fd from $si cause $var(auth_code)");
>> }
>> if ( $var(auth_code) < 0 ) {
>>     www_challenge(...);
>>     exit;
>> }
>>
>> Also, I wonder if it is possible to store the data using db_flatstore. Is
>> there an interface to call db_flatstore's insert method from script land?
>> avpops doesn't seem to have an avp_db_insert() method.
>>
>> Regards,
>> Kennard
>>
>> From: Joan <[email protected]>
>> To: OpenSIPS users mailling list <[email protected]>
>> Date: 08/27/2010 08:25 AM
>> Subject: [OpenSIPS-Users] Log authentication errors
>> Sent by: [email protected]
>> ------------------------------
>>
>> Hello,
>>
>> Since some time ago there are plenty of hackers trying to steal
>> accounts and brute-forcing passwords. I would like to log all the
>> wrong authentications so I can use fail2ban to block those IPs.
>> I've been reading all the mailing list history and I don't see
>> anything related, although it is quite interesting.
>> I've been trying something and at the moment the best I could do is this:
>>
>> if (is_method("REGISTER")) {
>>     # authenticate the REGISTER requests
>>     if (!www_authorize("", "subscriber")) {
>>         xlog("L_ERR","Auth error for $...@$fd from $si");
>>         www_challenge("", "0");
>>         exit;
>>     }
>> }
>>
>> So when the device tries to register with a wrong password/username I
>> will log the errors. After that I still have to do the fail2ban
>> script, but that's quite easy.
>> I'd like to know your opinion about this.
>>
>> Thanks
>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
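The counting a fail2ban jail would apply to the log line suggested in the thread, written out as an added example (it is not code from the thread or from the wiki page). The syslog prefix, the user part of the address (the pseudo-variable before `@$fd` is elided above), the year, the sample lines and the `maxretry`/`findtime` values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the xlog message from the thread behind an assumed syslog prefix.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: "
    r"Auth error for \S*@\S+ from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) "
    r"cause (?P<code>-\d+)\s*$"
)
# Per the thread: -1/-2 are real failures; -3 (nonce) and -4 (no credentials)
# are expected from legitimate clients and must not count towards a ban.
COUNTED = {"-1", "-2"}

def offenders(lines, maxretry=3, findtime=timedelta(minutes=10), counted=COUNTED):
    """Hosts with at least maxretry counted failures inside one findtime window.

    Lines must be in chronological order, as they are in a log file.
    """
    recent = defaultdict(deque)          # host -> timestamps of counted failures
    flagged = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["code"] not in counted:
            continue
        # Syslog timestamps carry no year; 2010 is an assumed placeholder.
        ts = datetime.strptime("2010 " + m["ts"], "%Y %b %d %H:%M:%S")
        window = recent[m["host"]]
        window.append(ts)
        while ts - window[0] > findtime:  # drop failures older than the window
            window.popleft()
        if len(window) >= maxretry and m["host"] not in flagged:
            flagged.append(m["host"])
    return flagged

def _line(ts, host, code):               # builds one constructed log line
    return (f"Aug 30 {ts} sip1 opensips[2101]: "
            f"Auth error for 1001@example.com from {host} cause {code}")

# Constructed sample: a burst of bad passwords, a legitimate client hitting
# -4 and -3, and a slow source whose failures are 15 minutes apart.
SAMPLE_LOG = [_line(*e) for e in [
    ("10:00:01", "203.0.113.7", -2), ("10:00:02", "203.0.113.7", -1),
    ("10:00:03", "203.0.113.7", -2), ("10:00:05", "198.51.100.20", -4),
    ("10:00:10", "192.0.2.9", -2),   ("10:00:35", "198.51.100.20", -3),
    ("10:01:05", "198.51.100.20", -3), ("10:15:10", "192.0.2.9", -2),
    ("10:30:10", "192.0.2.9", -2),
]]
```

Passing `counted={"-1", "-2", "-3", "-4"}` reproduces what happens when every negative return code is logged and matched: the legitimate client at 198.51.100.20 is flagged as well.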
