<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<tt>Hi,<br>
&quot;Temporarily banned&quot; means: Subscriber 11111 was
banned in the past (less than 36060 before) and now he's
trying to authenticate for the n-th time (n&gt;3).<br>
It's another warning, something different from the
Consecutive Authentication Failure message.<br>
<br>
What is the issue exactly?</tt><br>
<br>
<br>
Daniel<br>
On 04/23/2018 02:34 PM, Hohl Matthias wrote:<br>
<blockquote type="cite"
cite="mid:888898601.187238.1524486893427.JavaMail.zimbra@mx.telematica.at">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hello Daniel,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Yes,
I know about this setting, but your handbook doesn’t
reference this log format:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><a class="moz-txt-link-freetext" href="https://spce.telematica.at:1443/handbook/ar01s16.html#_securing_your_sip_provider_ce_against_sip_attacks">https://spce.telematica.at:1443/handbook/ar01s16.html#_securing_your_sip_provider_ce_against_sip_attacks</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><i><span lang="EN-US">Apr 23 03:44:56 spce
lb[3978]: WARNING: &lt;script&gt;: Subscriber
'1111111111111111' UA='Cisco/SPA112-1.3.5(004p)' from
IP='111.111.111.111’ is temporarily banned, send 403 –</span></i><span
style="color:#1F497D" lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Is
this similar to:<o:p></o:p></span></p>
<div style="mso-element:para-border-div;border:solid #BBBBBB
1.0pt;padding:4.0pt 11.0pt 4.0pt 11.0pt;background:#EEEEEE">
<p class="MsoNormal"
style="background:#EEEEEE;border:none;padding:0cm"><span
style="font-size:9.0pt;font-family:&quot;Courier
New&quot;;color:gray;mso-fareast-language:DE-AT"
lang="EN-US">Nov 9 13:31:56 sp1 lb[41952]: WARNING:
&lt;script&gt;: Consecutive Authentication Failure for
'<a class="moz-txt-link-abbreviated" href="mailto:sipvicous@mydomain.com">sipvicous@mydomain.com</a>' UA='sipvicous-client'
IP='1.2.3.4' - R=&lt;null&gt;
<a class="moz-txt-link-abbreviated" href="mailto:ID=313793-3624525116-589163@testlab.local">ID=313793-3624525116-589163@testlab.local</a><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="color:windowtext;mso-fareast-language:DE-AT"
lang="DE">From:</span></b><span
style="color:windowtext;mso-fareast-language:DE-AT"
lang="DE"> Spce-user
<a class="moz-txt-link-rfc2396E" href="mailto:spce-user-bounces@lists.sipwise.com">&lt;spce-user-bounces@lists.sipwise.com&gt;</a> <b>On
Behalf Of </b>Daniel Grotti<br>
<b>Sent:</b> Monday, 23 April 2018 14:18<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:spce-user@lists.sipwise.com">spce-user@lists.sipwise.com</a><br>
<b>Subject:</b> Re: [Spce-user] is temporarily banned,
send 403<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><tt><span style="font-size:10.0pt">Hi,</span></tt><span
style="font-size:10.0pt;font-family:&quot;Courier New&quot;"><br>
<tt>this is SPCE banning the user.</tt><br>
<tt>The DOS configuration section is in config.yml, e.g.:</tt><br>
<br>
<tt>security:</tt><br>
<tt>&nbsp;&nbsp;dos_ban_enable: yes</tt><br>
<tt>&nbsp;&nbsp;dos_ban_time: '300'</tt><br>
<tt>&nbsp;&nbsp;dos_reqs_density_per_unit: '50'</tt><br>
<tt>&nbsp;&nbsp;dos_sampling_time_unit: '5'</tt><br>
<tt>&nbsp;&nbsp;dos_whitelisted_ips: </tt><br>
<tt>&nbsp;&nbsp;dos_whitelisted_subnets: []</tt><br>
<tt>&nbsp;&nbsp;failed_auth_attempts: '3'</tt><br>
<tt>&nbsp;&nbsp;failed_auth_ban_enable: yes</tt><br>
<tt>&nbsp;&nbsp;failed_auth_ban_time: '3600'</tt><br>
<br>
<br>
<tt>The dos_ section is to ban DOS attacks, while the failed_auth_
section is to ban credential spoofing attacks, so a user
failing to authenticate more than 3 times in a row will be
banned for 1h.</tt><br>
<br>
<tt>Cheers,</tt><br>
<tt>Daniel</tt><br>
<br>
<br>
</span>On 04/23/2018 02:14 PM, Hohl Matthias wrote:<br>
<br>
<span style="font-size:12.0pt;mso-fareast-language:DE-AT"><o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Today I found this in
my kamailio-lb.log:<br>
<br>
<br>
</span><o:p></o:p></p>
<p class="MsoNormal"><i><span lang="EN-US">Apr 23 03:44:56
spce lb[3978]: WARNING: &lt;script&gt;: Subscriber
'1111111111111111' UA='Cisco/SPA112-1.3.5(004p)' from
IP='111.111.111.111’ is temporarily banned, send 403 –</span></i><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">I am not sure which
service/setting is banning this temporarily, and how long
is temporarily?</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Because fail2ban is not
configured with this regex, and the SPCE itself, for the DOS
ban (looking for “is blocked or banned”) and the SIP
bruteforcing ban (looking for “consecutive authentication
failure”), doesn’t look for this string, or am I missing
something?</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Thanks for your help</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:DE-AT">Kind
regards,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:DE-AT">Matthias
Hohl</span><o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Spce-user mailing list<o:p></o:p></pre>
<pre><a href="mailto:Spce-user@lists.sipwise.com" moz-do-not-send="true">Spce-user@lists.sipwise.com</a><o:p></o:p></pre>
<pre><a href="https://lists.sipwise.com/listinfo/spce-user" moz-do-not-send="true">https://lists.sipwise.com/listinfo/spce-user</a><o:p></o:p></pre>
</blockquote>
</div>
</blockquote>
<br>
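<p>Added example, not part of the original thread and not Sipwise code: a small Python classifier for the two kamailio-lb.log warnings discussed above, separating the ban trigger (Consecutive Authentication Failure) from repeat attempts made while the ban is active (is temporarily banned, send 403). The sample lines, addresses and function names are constructed for illustration.</p>
<pre>
```python
import re
from collections import Counter, defaultdict

# The two kamailio-lb.log WARNING formats quoted in this thread.
PATTERNS = {
    # Logged when a subscriber fails authentication repeatedly.
    "auth_failure": re.compile(
        r"Consecutive Authentication Failure for '([^']*)' UA='([^']*)' IP='([^']*)'"),
    # Logged when an already-banned subscriber tries again and gets a 403.
    "still_banned": re.compile(
        r"Subscriber '([^']*)' UA='([^']*)' from IP='([^']*)' is temporarily banned, send 403"),
}

# Constructed sample lines (not real traffic). \x3c and \x3e are the angle
# brackets around "script" and "null" in the log format shown above.
TAG = "WARNING: \x3cscript\x3e: "
SAMPLE_LOG = [
    "Apr 23 03:40:01 spce lb[3978]: " + TAG + "Consecutive Authentication Failure for "
    "'1001@example.invalid' UA='Cisco/SPA112-1.3.5(004p)' IP='192.0.2.10' - R=\x3cnull\x3e ID=a1@example.invalid",
    "Apr 23 03:44:56 spce lb[3978]: " + TAG + "Subscriber '1001' "
    "UA='Cisco/SPA112-1.3.5(004p)' from IP='192.0.2.10' is temporarily banned, send 403 -",
    "Apr 23 03:45:26 spce lb[3978]: " + TAG + "Subscriber '1001' "
    "UA='Cisco/SPA112-1.3.5(004p)' from IP='192.0.2.10' is temporarily banned, send 403 -",
    "Apr 23 03:50:00 spce lb[3978]: " + TAG + "Consecutive Authentication Failure for "
    "'2002@example.invalid' UA='sipvicous-client' IP='198.51.100.7' - R=\x3cnull\x3e ID=b2@example.invalid",
    "Apr 23 03:51:00 spce lb[3978]: INFO: unrelated line",
]


def classify(line):
    """Return (kind, subscriber, user_agent, ip), or None for other lines."""
    for kind, rx in PATTERNS.items():
        match = rx.search(line)
        if match:
            return (kind,) + match.groups()
    return None


def summarize(lines):
    """Count both message types per source IP."""
    per_ip = defaultdict(Counter)
    for line in lines:
        hit = classify(line)
        if hit:
            per_ip[hit[3]][hit[0]] += 1
    return per_ip


def retrying_while_banned(per_ip, minimum=2):
    """IPs that keep authenticating while the ban is active."""
    return sorted(ip for ip, c in per_ip.items() if c["still_banned"] >= minimum)
```
</pre>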
</body>
</html>