[Spce-user] IP & User ban feature are not working correctly anymore in mr4.5.5

Matthias Hohl matthias.hohl at telematica.at
Tue Sep 19 11:20:30 EDT 2017


Hey,

Does anybody have a hint for me?

Thanks

From: Spce-user [mailto:spce-user-bounces at lists.sipwise.com] On Behalf Of
Matthias Hohl
Sent: Friday, 15 September 2017 13:10
To: spce-user at lists.sipwise.com
Subject: [Spce-user] IP & User ban feature are not working correctly anymore
in mr4.5.5

Hello,

I did a test today on a testing environment with a device where I put in a
wrong password.

Normally this username and the IP address should be blocked by SPCE and
fail2ban for 1 hour.

But it looks like this is not working.

In kamailio-lb.log I see a REGISTER request about 6 times each minute and a
"Reply from Inbound - S=401 - Unauthorized M=REGISTER".

But neither the username nor the IP gets blocked.

As far as I can remember, shouldn't there be a "Consecutive Authentication
Failure" message in the log file on a wrong password?

I can't see this anywhere.

What I want:

If there are more than 100 messages in 2 seconds, the IP should be blocked
for 1 hour. (ngcp rule)

If there are more than 10 failed authentications of a username, the username
should be blocked for 1 hour. (ngcp rule)

If there are more than 10 failed authentications of a username in 1 hour,
the IP address of the request should be blocked for 1 hour. (fail2ban rule,
but currently deactivated)

If there is a malicious UA, the IP of the request should be blocked.
(fail2ban rule)

Can you tell me what's wrong?

I believe my config worked in older SPCE versions, but not in the latest.
Maybe because you introduced a new SPCE firewall?

The config
====================

Config.yml:

    security:
      dos_ban_enable: yes
      dos_ban_time: '3600'
      dos_reqs_density_per_unit: '100'
      dos_sampling_time_unit: '2'
      dos_whitelisted_ips: []
      dos_whitelisted_subnets: []
      failed_auth_attempts: '10'
      failed_auth_ban_enable: yes
      failed_auth_ban_time: '3600'

fail2ban: jail.conf

[kamailio-iptables]
enabled = true
filter = kamailio
action = iptables-allports[name=KAMAILIO, protocol=all]
logpath = /var/log/ngcp/kamailio-lb.log
maxretry = 1
findtime = 3600
bantime = 3600

kamailio.conf

[Definition]
# filter for kamailio messages
failregex = Request rejected, malicious UA='.*' from IP='<HOST>
# Consecutive Authentication Failure for '.*' UA='.*' IP='<HOST>'

kamailio.cfg.customtt.tt2

request_route:
    ## filtering by UA : blacklist
    if( is_method("REGISTER|INVITE") && ($ua =~ "friendly-scanner" || $ua =~ "friendly-request" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+") )
    {
        xlog("L_WARN", "Request rejected, malicious UA='$ua' from IP=$si - [% logreq_init -%]\n");
        exit;
    }

root at spce:~# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-KAMAILIO  all  --  anywhere             anywhere
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-KAMAILIO (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
REJECT     all  --  117.71.18.20         anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Chain rtpengine (0 references)
target     prot opt source               destination
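An added example (not from the post, SPCE or fail2ban): a small Python re-implementation of how fail2ban expands "<HOST>" in a failregex and applies the jail's maxretry/findtime window, run over constructed kamailio-lb.log lines. It shows that the filter as posted expects a quote after "IP=" while the xlog() call in the route writes "IP=$si" without one, so the malicious-UA line never matches; HOST_RE, the adjusted filter and all log lines are assumptions.

```python
import re
from collections import defaultdict

# Simplified stand-in for fail2ban's <HOST> expansion (assumption; fail2ban's
# own pattern is more elaborate). Accepts IPv4, IPv6 and hostname tokens.
HOST_RE = r"(?P<host>[\w\-.:]+\w)"

def compile_failregex(failregex):
    """Expand <HOST> into a named group and compile, as fail2ban does."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

# The failregex from the kamailio.conf filter, and a variant without the quote
# after IP= so that it matches the xlog() line `from IP=$si -` in the route.
FILTER_AS_POSTED = r"Request rejected, malicious UA='.*' from IP='<HOST>"
FILTER_ADJUSTED = r"Request rejected, malicious UA='.*' from IP=<HOST>"

# Constructed kamailio-lb.log entries as (seconds, message); not real log output.
LOG_ENTRIES = [
    (0, "WARNING: <script>: Request rejected, malicious UA='friendly-scanner' "
        "from IP=203.0.113.5 - R=sip:2000@example.net"),
    (10, "NOTICE: <script>: Reply from Inbound - S=401 - Unauthorized M=REGISTER"),
    (20, "WARNING: <script>: Consecutive Authentication Failure for 'user1' "
         "UA='Grandstream' IP='198.51.100.7'"),
]

def matching_hosts(failregex, entries):
    """Hosts extracted from each entry the failregex matches, in log order."""
    rx = compile_failregex(failregex)
    hosts = []
    for _, line in entries:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts

def banned_hosts(failregex, entries, maxretry=1, findtime=3600):
    """Apply the jail's policy: ban a host once it has maxretry matching
    lines within a findtime-second sliding window."""
    rx = compile_failregex(failregex)
    recent = defaultdict(list)
    banned = []
    for ts, line in entries:
        m = rx.search(line)
        if not m:
            continue
        host = m.group("host")
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned
```

Calling matching_hosts(FILTER_AS_POSTED, LOG_ENTRIES) returns an empty list, while the adjusted filter extracts 203.0.113.5 and, with the jail's maxretry = 1, banned_hosts() bans it on the first hit.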

 
