<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Vorformatiert Zchn";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
tt
{mso-style-priority:99;
font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.E-MailFormatvorlage19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.HTMLVorformatiertZchn
{mso-style-name:"HTML Vorformatiert Zchn";
mso-style-priority:99;
mso-style-link:"HTML Vorformatiert";
font-family:Consolas;
color:black;
mso-fareast-language:EN-US;}
span.E-MailFormatvorlage22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.E-MailFormatvorlage23
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=DE-AT link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>Hello Daniel,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>yes i know about this setting but your handbook doesn’t reference to this LOG format:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>https://spce.telematica.at:1443/handbook/ar01s16.html#_securing_your_sip_provider_ce_against_sip_attacks<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><i><span lang=EN-US>Apr 23 03:44:56 spce lb[3978]: WARNING: <script>: Subscriber '1111111111111111' UA='Cisco/SPA112-1.3.5(004p)' from IP='111.111.111.111’ is temporarily banned, send 403 –</span></i><span lang=EN-US style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Is this similar to:<o:p></o:p></span></p><div style='mso-element:para-border-div;border:solid #BBBBBB 1.0pt;padding:4.0pt 11.0pt 4.0pt 11.0pt;background:#EEEEEE'><p class=MsoNormal style='background:#EEEEEE;border:none;padding:0cm'><span lang=EN-US style='font-size:9.0pt;font-family:"Courier New";color:gray;mso-fareast-language:DE-AT'>Nov 9 13:31:56 sp1 lb[41952]: WARNING: <script>: Consecutive Authentication Failure for 'sipvicous@mydomain.com' UA='sipvicous-client' IP='1.2.3.4' - R=<null> ID=313793-3624525116-589163@testlab.local<o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=DE style='color:windowtext;mso-fareast-language:DE-AT'>Von:</span></b><span lang=DE style='color:windowtext;mso-fareast-language:DE-AT'> Spce-user <spce-user-bounces@lists.sipwise.com> <b>Im Auftrag von </b>Daniel Grotti<br><b>Gesendet:</b> Montag, 23. April 2018 14:18<br><b>An:</b> spce-user@lists.sipwise.com<br><b>Betreff:</b> Re: [Spce-user] is temporarily banned, send 403<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><tt><span style='font-size:10.0pt'>Hi,</span></tt><span style='font-size:10.0pt;font-family:"Courier New"'><br><tt>this is SPCE banning the user.</tt><br><tt>The DOS configuration section is in config.yml, e.g:</tt><br><br><tt> security:</tt><br><tt> dos_ban_enable: yes</tt><br><tt> dos_ban_time: '300'</tt><br><tt> dos_reqs_density_per_unit: '50'</tt><br><tt> dos_sampling_time_unit: '5'</tt><br><tt> dos_whitelisted_ips: </tt><br><tt> dos_whitelisted_subnets: []</tt><br><tt> failed_auth_attempts: '3'</tt><br><tt> failed_auth_ban_enable: yes</tt><br><tt> failed_auth_ban_time: '3600'</tt><br><br><br><tt>dos_ section is to band DOS attack, whitl failed_aut_ section is to ban credential spoofing attack, so a user failing to authenticate more than 3 times in a row will be banned for 1h.</tt><br><br><tt>Cheers,</tt><br><tt>Daniel</tt><br><br><br></span>On 04/23/2018 02:14 PM, Hohl Matthias wrote:<br><br><span style='font-size:12.0pt;mso-fareast-language:DE-AT'><o:p></o:p></span></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>Hello,<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><span lang=EN-US>today i found this in my kamailio-lb.log:<br><br><br></span><o:p></o:p></p><p class=MsoNormal><i><span lang=EN-US>Apr 23 03:44:56 spce lb[3978]: WARNING: <script>: Subscriber '1111111111111111' UA='Cisco/SPA112-1.3.5(004p)' from IP='111.111.111.111’ is temporarily banned, send 403 –</span></i><o:p></o:p></p><p class=MsoNormal><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>I am not sure, which service/setting is banning this temporarily and how long is temporarily?</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>Cause fail2ban is not configured with this regex and the spce himself for DOS ban (looking for “is blocked or banned”) and SIP bruteforcing ban (looking for “consecutive authentication failure”), doesn’t look on this string or does I miss something?</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>Thanks for your help</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal><span style='mso-fareast-language:DE-AT'>Mit freundlichen Grüßen,</span><o:p></o:p></p><p class=MsoNormal><span style='mso-fareast-language:DE-AT'>Matthias Hohl</span><o:p></o:p></p><p class=MsoNormal><span style='mso-fareast-language:DE-AT'> </span><o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:DE-AT'><br><br><br><o:p></o:p></span></p><pre>_______________________________________________<o:p></o:p></pre><pre>Spce-user mailing list<o:p></o:p></pre><pre><a href="mailto:Spce-user@lists.sipwise.com">Spce-user@lists.sipwise.com</a><o:p></o:p></pre><pre><a href="https://lists.sipwise.com/listinfo/spce-user">https://lists.sipwise.com/listinfo/spce-user</a><o:p></o:p></pre></blockquote><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:DE-AT'><o:p> </o:p></span></p></div></body></html>