[Spce-user] Asterisk client issues

Matthew Ogden matthew at tenacit.net
Sun May 10 13:14:12 EDT 2015


Hi

Thought, I'd raise this again. I've upgraded to to the lastest templates
for 2.8 LTS, I see I still need to use my own Stale nonce check. Did you
guys decide not to handle this, or is it an option based setting in version
3?

Kind Regards

On 31 January 2014 at 15:26, Daniel Grotti <dgrotti at sipwise.com> wrote:

> Yes,
> see my last email:
>
>
> Matthew,
> the case is here:
>
> /etc/ngcp-config/templates/etc/kamailio/proxy/kamailio.cfg.tt2
>
> Search for "stale".
>
> The second change you have to do in LB is here:
>
> /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.cfg.tt2
>
>
> #!ifdef ENABLE_AUTHCHECK
>     if((status == "401" || status == "407") &&
> is_present_hf("P-NGCP-Authorization") && !is_present_hf("P-NGCP-Stale"))
>
>
> adding the last string "&& !is_present_hf("P-NGCP-Stale")", so count the
> number of 407 if and only if it's a non-Stale 407.
>
>
> Daniel
>
>
>
>
>
>
> On 01/31/2014 02:15 PM, Matthew Ogden wrote:
> > Hi Daniel,
> >
> > Did you manage to check that out in 2.8?
> >
> > REgards
> >
> >> -----Original Message-----
> >> From: Daniel Grotti [mailto:dgrotti at sipwise.com]
> >> Sent: 29 January 2014 12:17 PM
> >> To: spce-user at lists.sipwise.com
> >> Cc: Matthew Ogden
> >> Subject: Re: [Spce-user] Asterisk client issues
> >>
> >> Hi,
> >> I briefly checked 3.0 templates.
> >> let me check 2.8.
> >>
> >> Daniel
> >>
> >>
> >>
> >>
> >> On 01/29/2014 10:16 AM, Matthew Ogden wrote:
> >>> I'm not sure where the proxy case statement is supposed to be, on
> >>> 2.8.18 templates, in proxy config there is no other case statements.
> >>> (LB modification was easy enough to find)
> >>>
> >>> So not sure which route section it should be in, or what the previous
> >>> case statement was checking against.
> >>>
> >>> Kind Regards
> >>>
> >>>> -----Original Message-----
> >>>> From: Matthew Ogden [mailto:matthew at tenacit.net]
> >>>> Sent: 29 January 2014 11:07 AM
> >>>> To: 'Daniel Grotti'; 'spce-user at lists.sipwise.com'
> >>>> Subject: RE: [Spce-user] Asterisk client issues
> >>>>
> >>>> Thanks Daniel
> >>>>
> >>>> Can I just put this in words of what you have explained to make sure
> >>>> I understand?
> >>>>
> >>>> The proxy is what is checking the for the stale nonce.  So we make it
> >>> tag it.
> >>>> Then we are modifying the authban on the LB to ignore 401 and 407
> >>>> requests that have that flag.
> >>>>
> >>>> I just wanted to also check, what are the risks of ingoring the stale
> >>> nonce?
> >>>> Since in any event, the DOS attack prevention will still check for
> >>> someone
> >>>> sending too many requests per second anyway? So additional risks is
> > low?
> >>>>
> >>>> Kind Regards
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: Daniel Grotti [mailto:dgrotti at sipwise.com]
> >>>>> Sent: 28 January 2014 04:40 PM
> >>>>> To: spce-user at lists.sipwise.com
> >>>>> Cc: Matthew Ogden
> >>>>> Subject: Re: [Spce-user] Asterisk client issues
> >>>>>
> >>>>> Of course, sorry, dos...you have the block of the user.
> >>>>>
> >>>>> You can add a custom header in /proxy/kamailio.cfg.customtt.tt2 in
> >>>>> case of stale nonce error, like "NGCP-X: Stale".
> >>>>>
> >>>>> So when you process the 407 reply on LB kamailio.cfg only if that
> >>>>> header is not present.
> >>>>>
> >>>>> Try to add the following in /proxy/kamailio.cfg.customtt.tt:
> >>>>>
> >>>>>
> >>>>> case -4:
> >>>>>       xlog("L_NOTICE", "Authentication failed, stale nonce - [%
> >>>>> logreq
> >>> -%]\n");
> >>>>>       append_to_reply("P-NGCP-Stale: yes\r\n");
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> then in lb/kamailio.cfg.customtt.tt2, you can test if the header
> >>> exist:
> >>>>>
> >>>>>
> >>>>> #!ifdef ENABLE_AUTHCHECK
> >>>>>                         if((status == "401" || status == "407") &&
> >>>>> is_present_hf("P-NGCP-Authorization") &&
> >>>>> !is_present_hf("P-NGCP-Stale"))
> >>>>>
> >>>>>
> >>>>>
> >>>>> Daniel
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 01/28/2014 03:20 PM, Matthew Ogden wrote:
> >>>>>> I don't have many static IP subscribers, though in the case of this
> >>>>>> one, it is already in dos_whitelisted_ips of config.yml, but the
> >>>>>> nonce issue still happens to it.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: spce-user-bounces at lists.sipwise.com [mailto:spce-user-
> >>>>>>> bounces at lists.sipwise.com] On Behalf Of Daniel Grotti
> >>>>>>> Sent: 28 January 2014 04:17 PM
> >>>>>>> To: spce-user at lists.sipwise.com
> >>>>>>> Subject: Re: [Spce-user] Asterisk client issues
> >>>>>>>
> >>>>>>> Hi Matthew,
> >>>>>>> what if you insert your Asterisk's IP in "dos_whitelisted_ips:"
> >>> line ?
> >>>>>>>
> >>>>>>> Daniel
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> On 01/27/2014 04:35 PM, Matthew Ogden wrote:
> >>>>>>>> Did you guys end up making a decision on this? I still have
> >>>>>>>> Asterisk subscribers causing auth fail with stale nonce
> >>> situations.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Fri, Jul 19, 2013 at 4:12 PM, Jon Bonilla
> >>>>>>>> <jbonilla at sipwise.com <mailto:jbonilla at sipwise.com>> wrote:
> >>>>>>>>
> >>>>>>>>     El Fri, 19 Jul 2013 16:11:22 +0200
> >>>>>>>>     Jon Bonilla (Manwe) <jbonilla at sipwise.com
> >>>>>>>>     <mailto:jbonilla at sipwise.com>> escribió:
> >>>>>>>>
> >>>>>>>>     > El Fri, 19 Jul 2013 16:03:54 +0200
> >>>>>>>>     > Matthew Ogden <matthew at tenacit.net
> >>>>>>> <mailto:matthew at tenacit.net>>
> >>>>>>>>     escribió:
> >>>>>>>>     >
> >>>>>>>>     > > Thanks
> >>>>>>>>     > >
> >>>>>>>>     > > What will happen if I disable it, and a outside IP
> >>>>>>>> attacks
> >>>>>> using
> >>>>>>>>     this
> >>>>>>>>     > > username?
> >>>>>>>>     > >
> >>>>>>>>     > > Will they be caught by flooding auth packets?
> >>>>>>>>     > >
> >>>>>>>>     >
> >>>>>>>>     >
> >>>>>>>>     > The auth_ban protection check failed auth attepmts from
> >>> multiple
> >>>>>>>>     destinations
> >>>>>>>>     > and protects against ddos attacks bypassing dos protection.
> >>>>>> These
> >>>>>>>>     are quite
> >>>>>>>>     > uncommon. The dos protection bans ip addresses if they send
> >>>> more
> >>>>>>>>     than x
> >>>>>>>>     > requests per second. This is more useful and it's the most
> >>>>>> common
> >>>>>>>>     scenario.
> >>>>>>>>     >
> >>>>>>>>     > If an ip address tries to bruteforce attack your system,
> >>> that ip
> >>>>>>>>     address will
> >>>>>>>>     > be banned.
> >>>>>>>>     >
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>     Anyways, we're discussing internally if the stale_nonce
> >>> situation
> >>>>>>>>     should be
> >>>>>>>>     excluded from the auth_check_ban protection for these
> >>> situations.
> >>>>>> We
> >>>>>>>>     might
> >>>>>>>>     change the ddos protection a little bit in future versions
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> _______________________________________________
> >>>>>>>> Spce-user mailing list
> >>>>>>>> Spce-user at lists.sipwise.com
> >>>>>>>> http://lists.sipwise.com/listinfo/spce-user
> >>>>>>>>
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> Spce-user mailing list
> >>>>>>> Spce-user at lists.sipwise.com
> >>>>>>> http://lists.sipwise.com/listinfo/spce-user
>



-- 





*Matthew Ogden*

Management

TenacIT





*Strategic IT Consulting *•* Advanced Networking *• *Virtualisation*

*Custom Development *• *Hosting *• *Syspro Support  *• *MS Licensing*

National Tel: 041 10 10 100 | Cell: 084 205 4445 | Email:
matthew at tenacit.net

CT Tel: 021 201 0333 | Skype Name: matthew.ogden | Web:
http://www.tenacit.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sipwise.com/mailman/private/spce-user_lists.sipwise.com/attachments/20150510/a8f0a62c/attachment.html>


More information about the Spce-user mailing list