[Spce-user] Asterisk client issues
Daniel Grotti
dgrotti at sipwise.com
Tue Jan 28 09:40:02 EST 2014
Of course, sorry, dos...you have the block of the user.
You can add a custom header in /proxy/kamailio.cfg.customtt.tt2 in case
of stale nonce error, like "NGCP-X: Stale".
So when you process the 407 reply on LB kamailio.cfg only if that header
is not present.
Try to add the following in /proxy/kamailio.cfg.customtt.tt:
case -4:
xlog("L_NOTICE", "Authentication failed, stale nonce - [% logreq
-%]\n");
append_to_reply("P-NGCP-Stale: yes\r\n");
then in lb/kamailio.cfg.customtt.tt2, you can test if the header exist:
#!ifdef ENABLE_AUTHCHECK
if((status == "401" || status == "407") &&
is_present_hf("P-NGCP-Authorization") && !is_present_hf("P-NGCP-Stale"))
Daniel
On 01/28/2014 03:20 PM, Matthew Ogden wrote:
> I don't have many static IP subscribers, though in the case of this one,
> it is already in dos_whitelisted_ips of config.yml, but the nonce issue
> still happens to it.
>
>
>
>> -----Original Message-----
>> From: spce-user-bounces at lists.sipwise.com [mailto:spce-user-
>> bounces at lists.sipwise.com] On Behalf Of Daniel Grotti
>> Sent: 28 January 2014 04:17 PM
>> To: spce-user at lists.sipwise.com
>> Subject: Re: [Spce-user] Asterisk client issues
>>
>> Hi Matthew,
>> what if you insert your Asterisk's IP in "dos_whitelisted_ips:" line ?
>>
>> Daniel
>>
>>
>>
>>
>>
>>
>> On 01/27/2014 04:35 PM, Matthew Ogden wrote:
>>> Did you guys end up making a decision on this? I still have Asterisk
>>> subscribers causing auth fail with stale nonce situations.
>>>
>>>
>>>
>>>
>>> On Fri, Jul 19, 2013 at 4:12 PM, Jon Bonilla <jbonilla at sipwise.com
>>> <mailto:jbonilla at sipwise.com>> wrote:
>>>
>>> El Fri, 19 Jul 2013 16:11:22 +0200
>>> Jon Bonilla (Manwe) <jbonilla at sipwise.com
>>> <mailto:jbonilla at sipwise.com>> escribió:
>>>
>>> > El Fri, 19 Jul 2013 16:03:54 +0200
>>> > Matthew Ogden <matthew at tenacit.net
>> <mailto:matthew at tenacit.net>>
>>> escribió:
>>> >
>>> > > Thanks
>>> > >
>>> > > What will happen if I disable it, and a outside IP attacks
> using
>>> this
>>> > > username?
>>> > >
>>> > > Will they be caught by flooding auth packets?
>>> > >
>>> >
>>> >
>>> > The auth_ban protection check failed auth attepmts from multiple
>>> destinations
>>> > and protects against ddos attacks bypassing dos protection.
> These
>>> are quite
>>> > uncommon. The dos protection bans ip addresses if they send more
>>> than x
>>> > requests per second. This is more useful and it's the most
> common
>>> scenario.
>>> >
>>> > If an ip address tries to bruteforce attack your system, that ip
>>> address will
>>> > be banned.
>>> >
>>>
>>>
>>> Anyways, we're discussing internally if the stale_nonce situation
>>> should be
>>> excluded from the auth_check_ban protection for these situations.
> We
>>> might
>>> change the ddos protection a little bit in future versions
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Spce-user mailing list
>>> Spce-user at lists.sipwise.com
>>> http://lists.sipwise.com/listinfo/spce-user
>>>
>>
>> _______________________________________________
>> Spce-user mailing list
>> Spce-user at lists.sipwise.com
>> http://lists.sipwise.com/listinfo/spce-user
More information about the Spce-user
mailing list