<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi Matthias,<br>
didn't have time yet to go over your message, but the User ban was
working for me in mr4.5 LTS and I just stumbled upon it again
today in trunk (the future mr5.5) so I am really not sure what
could be the problem on your system. This should have nothing to
do with firewall, as we have not changed anything in IP & User
ban feature for a long time. Any logs etc would be most helpful.<br>
<br>
Regards,<br>
Andrew<br>
<br>
On 09/19/2017 05:20 PM, Matthias Hohl wrote:<br>
</div>
<blockquote type="cite"
cite="mid:14ff501d3315a$d44c8a80$7ce59f80$@telematica.at">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
code
{mso-style-priority:99;
font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.E-MailFormatvorlage19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.E-MailFormatvorlage21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hey,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Anybody a hint
for me?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="mso-fareast-language:DE-AT" lang="DE">Von:</span></b><span
style="mso-fareast-language:DE-AT" lang="DE"> Spce-user
[<a class="moz-txt-link-freetext" href="mailto:spce-user-bounces@lists.sipwise.com">mailto:spce-user-bounces@lists.sipwise.com</a>] <b>Im
Auftrag von </b>Matthias Hohl<br>
<b>Gesendet:</b> Freitag, 15. September 2017 13:10<br>
<b>An:</b> <a class="moz-txt-link-abbreviated" href="mailto:spce-user@lists.sipwise.com">spce-user@lists.sipwise.com</a><br>
<b>Betreff:</b> [Spce-user] IP & User ban feature
are not working correctly anymore in mr4.5.5<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">i did today a test on a testing enviroment
with a device where i put in a wrong password.<o:p></o:p></p>
<p class="MsoNormal">Normally this username and the ip adress
should be blocked from spce and fail2ban for 1 hour.<o:p></o:p></p>
<p class="MsoNormal">But it looks like that this is not working.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In kamailio-lb.log i see about 6 times a
REGISTER request each minute and a Reply from Inbound - S=401
- Unauthorized M=REGISTER<o:p></o:p></p>
<p class="MsoNormal">But the username nor the IP get blocked.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As far as i can remember, by wrong
password, shoud there be not a „<em><span
style="font-size:10.5pt;font-family:"Courier
New";color:black;border:none windowtext
1.0pt;padding:0cm;background:white">Consecutive
Authentication Failure“ </span></em>message in the log
file?<o:p></o:p></p>
<p class="MsoNormal">i can’t see this anywhere…<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>What i want?<o:p></o:p></b></p>
<p class="MsoNormal">If there are more then 100 messages in 2
seconds, the ip should be blocked for 1 hour. (ngcp rule)<o:p></o:p></p>
<p class="MsoNormal">If there is more then 10 failed
authentification of a username, the username should be blocked
for 1 hour. (ngcp rule)<o:p></o:p></p>
<p class="MsoNormal">If there is more then 10 failed
authentification of a username in 1 hour, the ip adress of the
request should be blocked for 1 hour. (fail2ban rule but
actually deactivated) <o:p></o:p></p>
<p class="MsoNormal">If there is a malicious UA, the ip oft he
request should be blocked. (fail2ban rule)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Can you tell me whats wrong?<o:p></o:p></p>
<p class="MsoNormal">I believe in older SPCE version my config
worked. But in the latest not. Maybe cause you introduce a new
spce firewall?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The config<o:p></o:p></p>
<p class="MsoNormal">====================<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>Config.yml:<o:p></o:p></b></p>
<p class="MsoNormal"> security:<o:p></o:p></p>
<p class="MsoNormal"> dos_ban_enable: yes<o:p></o:p></p>
<p class="MsoNormal"> dos_ban_time: '3600'<o:p></o:p></p>
<p class="MsoNormal"> dos_reqs_density_per_unit: '100'<o:p></o:p></p>
<p class="MsoNormal"> dos_sampling_time_unit: '2'<o:p></o:p></p>
<p class="MsoNormal"> dos_whitelisted_ips: []<o:p></o:p></p>
<p class="MsoNormal"> dos_whitelisted_subnets: []<o:p></o:p></p>
<p class="MsoNormal"> failed_auth_attempts: '10'<o:p></o:p></p>
<p class="MsoNormal"> failed_auth_ban_enable: yes<o:p></o:p></p>
<p class="MsoNormal"> failed_auth_ban_time: '3600'<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>fail2ban: jail.conf<o:p></o:p></b></p>
<p class="MsoNormal">[kamailio-iptables]<o:p></o:p></p>
<p class="MsoNormal">enabled = true<o:p></o:p></p>
<p class="MsoNormal">filter = kamailio<o:p></o:p></p>
<p class="MsoNormal">action = iptables-allports[name=KAMAILIO,
protocol=all]<o:p></o:p></p>
<p class="MsoNormal">logpath = /var/log/ngcp/kamailio-lb.log<o:p></o:p></p>
<p class="MsoNormal">maxretry = 1<o:p></o:p></p>
<p class="MsoNormal">findtime = 3600<o:p></o:p></p>
<p class="MsoNormal">bantime = 3600<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>kamailio.conf<o:p></o:p></b></p>
<p class="MsoNormal">[Definition]<o:p></o:p></p>
<p class="MsoNormal"># filter for kamailio messages<o:p></o:p></p>
<p class="MsoNormal">failregex = Request rejected, malicious
UA='.*' from IP='<HOST><o:p></o:p></p>
<p class="MsoNormal"># Consecutive Authentication Failure for
'.*' UA='.*' IP='<HOST>'<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>Kamailio.cfg.customtt.tt2<o:p></o:p></b></p>
<p class="MsoNormal">Request_route:<o:p></o:p></p>
<p class="MsoNormal"
style="line-height:15.0pt;vertical-align:baseline"><span
style="font-size:10.5pt;font-family:Consolas;color:#333333;border:none
windowtext 1.0pt;padding:0cm;mso-fareast-language:DE-AT"> ##
filtering by UA : blacklist</span><span
style="font-size:10.5pt;font-family:Consolas;color:#333333;mso-fareast-language:DE-AT"><o:p></o:p></span></p>
<p class="MsoNormal"
style="line-height:15.0pt;vertical-align:baseline"><span
style="font-size:10.5pt;font-family:Consolas;color:#333333;border:none
windowtext 1.0pt;padding:0cm;mso-fareast-language:DE-AT"> if(
is_method("REGISTER|INVITE") && ($ua
=~ "friendly-scanner"</span><span
style="font-size:10.5pt;font-family:Consolas;color:#333333;mso-fareast-language:DE-AT"> <span
style="border:none windowtext 1.0pt;padding:0cm">|| $ua
=~ "friendly-request"</span> <span style="border:none
windowtext 1.0pt;padding:0cm">|| $ua =~ "sipvicious"</span> <span
style="border:none windowtext 1.0pt;padding:0cm">|| $ua
=~ "^sipcli.+") )</span><o:p></o:p></span></p>
<p class="MsoNormal"
style="line-height:15.0pt;vertical-align:baseline"><span
style="font-size:10.5pt;font-family:Consolas;color:#333333;border:none
windowtext 1.0pt;padding:0cm;mso-fareast-language:DE-AT"> {</span><span
style="font-size:10.5pt;font-family:Consolas;color:#333333;mso-fareast-language:DE-AT"><o:p></o:p></span></p>
<p class="MsoNormal"
style="line-height:15.0pt;vertical-align:baseline"><span
style="font-size:10.5pt;font-family:Consolas;color:#333333;border:none
windowtext 1.0pt;padding:0cm;mso-fareast-language:DE-AT"> xlog("L_WARN", "Request
rejected, malicious UA='$ua' from IP=$si - [% logreq_init
-%]\n");</span><span
style="font-size:10.5pt;font-family:Consolas;color:#333333;mso-fareast-language:DE-AT"><o:p></o:p></span></p>
<p class="MsoNormal"
style="line-height:15.0pt;vertical-align:baseline"><span
style="font-size:10.5pt;font-family:Consolas;color:#333333;border:none
windowtext 1.0pt;padding:0cm;mso-fareast-language:DE-AT"> exit;</span><span
style="font-size:10.5pt;font-family:Consolas;color:#333333;mso-fareast-language:DE-AT"><o:p></o:p></span></p>
<p class="MsoNormal"
style="line-height:15.0pt;vertical-align:baseline"><span
style="font-size:10.5pt;font-family:Consolas;color:#333333;border:none
windowtext 1.0pt;padding:0cm;mso-fareast-language:DE-AT"> }</span><span
style="font-size:10.5pt;font-family:Consolas;color:#333333;mso-fareast-language:DE-AT"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>root@spce:~# iptables -L<o:p></o:p></b></p>
<p class="MsoNormal">Chain INPUT (policy ACCEPT)<o:p></o:p></p>
<p class="MsoNormal">target prot opt source
destination<o:p></o:p></p>
<p class="MsoNormal">fail2ban-KAMAILIO all --
anywhere anywhere<o:p></o:p></p>
<p class="MsoNormal">fail2ban-ssh tcp -- anywhere
anywhere multiport dports ssh<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Chain FORWARD (policy DROP)<o:p></o:p></p>
<p class="MsoNormal">target prot opt source
destination<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Chain OUTPUT (policy ACCEPT)<o:p></o:p></p>
<p class="MsoNormal">target prot opt source
destination<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Chain fail2ban-KAMAILIO (1 references)<o:p></o:p></p>
<p class="MsoNormal">target prot opt source
destination<o:p></o:p></p>
<p class="MsoNormal">RETURN all -- anywhere
anywhere<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Chain fail2ban-ssh (1 references)<o:p></o:p></p>
<p class="MsoNormal">target prot opt source
destination<o:p></o:p></p>
<p class="MsoNormal">REJECT all -- 117.71.18.20
anywhere reject-with icmp-port-unreachable<o:p></o:p></p>
<p class="MsoNormal">RETURN all -- anywhere
anywhere<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Chain rtpengine (0 references)<o:p></o:p></p>
<p class="MsoNormal">target prot opt source
destination<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Spce-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Spce-user@lists.sipwise.com">Spce-user@lists.sipwise.com</a>
<a class="moz-txt-link-freetext" href="https://lists.sipwise.com/listinfo/spce-user">https://lists.sipwise.com/listinfo/spce-user</a>
</pre>
</blockquote>
<p><br>
</p>
</body>
</html>