<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<tt>Hi,<br>
this is SPCE banning the user.<br>
The DOS configuration section is in config.yml, e.g:<br>
<br>
security:<br>
dos_ban_enable: yes<br>
dos_ban_time: '300'<br>
dos_reqs_density_per_unit: '50'<br>
dos_sampling_time_unit: '5'<br>
dos_whitelisted_ips: <br>
dos_whitelisted_subnets: []<br>
failed_auth_attempts: '3'<br>
failed_auth_ban_enable: yes<br>
failed_auth_ban_time: '3600'<br>
<br>
<br>
dos_ section is to band DOS attack, whitl failed_aut_ section is
to ban credential spoofing attack, so a user failing to
authenticate more than 3 times in a row will be banned for 1h.<br>
<br>
Cheers,<br>
Daniel<br>
<br>
<br>
</tt>On 04/23/2018 02:14 PM, Hohl Matthias wrote:<br>
<blockquote type="cite"
cite="mid:1060729432.185533.1524485666341.JavaMail.zimbra@mx.telematica.at">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.E-MailFormatvorlage17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US">today i found this in my
kamailio-lb.log:<br>
<br>
<o:p></o:p></span></p>
<p class="MsoNormal"><i><span lang="EN-US">Apr 23 03:44:56 spce
lb[3978]: WARNING: <script>: Subscriber
'1111111111111111' UA='Cisco/SPA112-1.3.5(004p)' from
IP='111.111.111.111’ is temporarily banned, send 403 –<o:p></o:p></span></i></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I am not sure, which
service/setting is banning this temporarily and how long is
temporarily?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Cause fail2ban is not
configured with this regex and the spce himself for DOS ban
(looking for “is blocked or banned”) and SIP bruteforcing
ban (looking for “consecutive authentication failure”),
doesn’t look on this string or does I miss something?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Thanks for your help<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:DE-AT">Mit
freundlichen Grüßen,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:DE-AT">Matthias
Hohl<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:DE-AT"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Spce-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Spce-user@lists.sipwise.com">Spce-user@lists.sipwise.com</a>
<a class="moz-txt-link-freetext" href="https://lists.sipwise.com/listinfo/spce-user">https://lists.sipwise.com/listinfo/spce-user</a>
</pre>
</blockquote>
<br>
</body>
</html>