[Spce-user] IP & User ban feature are not working correctly anymore in mr4.5.5
Andrew Pogrebennyk
apogrebennyk at sipwise.com
Wed Sep 20 09:47:10 EDT 2017
Hi Matthias,
didn't have time yet to go over your message, but the User ban was
working for me in mr4.5 LTS and I just stumbled upon it again today in
trunk (the future mr5.5) so I am really not sure what could be the
problem on your system. This should have nothing to do with firewall, as
we have not changed anything in IP & User ban feature for a long time.
Any logs etc would be most helpful.
Regards,
Andrew
On 09/19/2017 05:20 PM, Matthias Hohl wrote:
>
> Hey,
>
> Does anybody have a hint for me?
>
> thanks
>
> *From:* Spce-user [mailto:spce-user-bounces at lists.sipwise.com] *On
> behalf of* Matthias Hohl
> *Sent:* Friday, 15 September 2017 13:10
> *To:* spce-user at lists.sipwise.com
> *Subject:* [Spce-user] IP & User ban feature are not working correctly
> anymore in mr4.5.5
>
> Hello,
>
> I did a test today on a testing environment with a device where I put
> in a wrong password.
>
> Normally this username and the IP address should be blocked by spce
> and fail2ban for 1 hour.
>
> But it looks like this is not working.
>
> In kamailio-lb.log I see about 6 REGISTER requests per minute
> and a "Reply from Inbound - S=401 - Unauthorized M=REGISTER".
>
> But neither the username nor the IP gets blocked.
>
> As far as I can remember, on a wrong password, shouldn't there be a
> "Consecutive Authentication Failure" message in the log file?
>
> I can't see this anywhere...
>
> *What I want:*
>
> If there are more than 100 messages in 2 seconds, the IP should be
> blocked for 1 hour. (ngcp rule)
>
> If there are more than 10 failed authentications of a username, the
> username should be blocked for 1 hour. (ngcp rule)
>
> If there are more than 10 failed authentications of a username in 1
> hour, the IP address of the request should be blocked for 1 hour.
> (fail2ban rule, but currently deactivated)
>
> If there is a malicious UA, the IP of the request should be blocked.
> (fail2ban rule)
>
> Can you tell me what's wrong?
>
> I believe my config worked in an older SPCE version. But in the latest
> it does not. Maybe because you introduced a new spce firewall?
>
> The config
>
> ====================
>
> *Config.yml:*
>
> security:
>   dos_ban_enable: yes
>   dos_ban_time: '3600'
>   dos_reqs_density_per_unit: '100'
>   dos_sampling_time_unit: '2'
>   dos_whitelisted_ips: []
>   dos_whitelisted_subnets: []
>   failed_auth_attempts: '10'
>   failed_auth_ban_enable: yes
>   failed_auth_ban_time: '3600'
>
> *fail2ban: jail.conf*
>
> [kamailio-iptables]
> enabled  = true
> filter   = kamailio
> action   = iptables-allports[name=KAMAILIO, protocol=all]
> logpath  = /var/log/ngcp/kamailio-lb.log
> maxretry = 1
> findtime = 3600
> bantime  = 3600
>
> *kamailio.conf*
>
> [Definition]
> # filter for kamailio messages
> # <HOST> must sit exactly where the address appears in the log line: the
> # custom xlog() writes "IP=$si" without quotes, so no quote goes around <HOST>
> # here (the posted version had an unmatched opening quote and never matched).
> failregex = Request rejected, malicious UA='.*' from IP=<HOST>
> # The built-in message does quote the address, hence the quotes in this one:
> # Consecutive Authentication Failure for '.*' UA='.*' IP='<HOST>'
>
> *Kamailio.cfg.customtt.tt2*
>
> Request_route:
>
> ## filtering by UA : blacklist
> if( is_method("REGISTER|INVITE") && ($ua =~ "friendly-scanner" ||
>     $ua =~ "friendly-request" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+") )
> {
>     xlog("L_WARN", "Request rejected, malicious UA='$ua' from IP=$si - [% logreq_init -%]\n");
>     exit;
> }
>
> *root at spce:~# iptables -L*
>
> Chain INPUT (policy ACCEPT)
> target             prot opt source         destination
> fail2ban-KAMAILIO  all  --  anywhere       anywhere
> fail2ban-ssh       tcp  --  anywhere       anywhere       multiport dports ssh
>
> Chain FORWARD (policy DROP)
> target             prot opt source         destination
>
> Chain OUTPUT (policy ACCEPT)
> target             prot opt source         destination
>
> Chain fail2ban-KAMAILIO (1 references)
> target             prot opt source         destination
> RETURN             all  --  anywhere       anywhere
>
> Chain fail2ban-ssh (1 references)
> target             prot opt source         destination
> REJECT             all  --  117.71.18.20   anywhere       reject-with icmp-port-unreachable
> RETURN             all  --  anywhere       anywhere
>
> Chain rtpengine (0 references)
> target             prot opt source         destination
>
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> https://lists.sipwise.com/listinfo/spce-user
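The quoted message pairs a custom xlog() line with a fail2ban failregex, and whether fail2ban ever bans anything depends entirely on that regex matching the log format character for character. The following is an added example, not code from the thread or from Sipwise: it replays a fail2ban-style filter over constructed kamailio-lb.log lines (ISO timestamps and documentation addresses, not real data), shows that the posted pattern with an unmatched quote (`IP='<HOST>`) matches nothing while the corrected one does, and applies a maxretry/findtime sliding window the way a jail would. The `<HOST>` expansion is a simplified stand-in for fail2ban's real one (which also handles IPv6 and hostnames).

```python
import re
from datetime import datetime, timedelta

# Constructed sample of kamailio-lb.log lines in the formats mentioned in the
# thread: the custom "malicious UA" xlog() line, NGCP's built-in consecutive
# auth failure message, and a 401 reply line that no filter should match.
SAMPLE_LOG = """\
2017-09-15T13:00:01 kamailio[1234]: WARNING: Request rejected, malicious UA='friendly-scanner' from IP=192.0.2.10 - [R=REGISTER]
2017-09-15T13:00:02 kamailio[1234]: WARNING: Request rejected, malicious UA='sipcli/v1.8' from IP=192.0.2.11 - [R=INVITE]
2017-09-15T13:01:00 kamailio[1234]: WARNING: Consecutive Authentication Failure for 'user42' UA='Grandstream' IP='198.51.100.7'
2017-09-15T13:02:00 kamailio[1234]: WARNING: Consecutive Authentication Failure for 'user42' UA='Grandstream' IP='198.51.100.7'
2017-09-15T13:03:00 kamailio[1234]: NOTICE: Reply from Inbound - S=401 - Unauthorized M=REGISTER
2017-09-15T15:30:00 kamailio[1234]: WARNING: Consecutive Authentication Failure for 'user42' UA='Grandstream' IP='198.51.100.7'
"""

# As posted in the thread: expects a quote after IP= that the xlog() never writes.
BROKEN_UA_REGEX = r"Request rejected, malicious UA='.*' from IP='<HOST>"
# Corrected to the unquoted form the xlog() actually produces.
FIXED_UA_REGEX = r"Request rejected, malicious UA='.*' from IP=<HOST>"
# The (commented-out) pattern for the built-in message, which does quote the IP.
AUTH_REGEX = r"Consecutive Authentication Failure for '.*' UA='.*' IP='<HOST>'"


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python pattern.

    Assumption: <HOST> is replaced by a simple token class (IPv4 or hostname);
    fail2ban's real expansion is richer, but this is enough to test a filter.
    """
    return re.compile(failregex.replace("<HOST>", r"(?P<host>[0-9A-Za-z._:-]+)"))


def parse_line(line):
    """Split 'ISO-timestamp rest-of-line' (the constructed format used here)."""
    ts_str, _, rest = line.partition(" ")
    return datetime.fromisoformat(ts_str), rest


def failures(log_text, failregex):
    """Return [(timestamp, host)] for every line the failregex matches."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, rest = parse_line(line)
        match = pattern.search(rest)
        if match:
            hits.append((ts, match.group("host")))
    return hits


def banned_hosts(log_text, failregex, maxretry, findtime):
    """Hosts a jail would ban: maxretry matches inside any findtime-second window."""
    window = timedelta(seconds=findtime)
    by_host = {}
    for ts, host in sorted(failures(log_text, failregex)):
        by_host.setdefault(host, []).append(ts)
    banned = set()
    for host, times in by_host.items():
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= maxretry:  # enough failures within one window
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    print("broken pattern matches:", failures(SAMPLE_LOG, BROKEN_UA_REGEX))
    print("fixed pattern matches:  ", failures(SAMPLE_LOG, FIXED_UA_REGEX))
    # Same numbers as the posted jail: maxretry = 1, findtime = 3600.
    print("UA bans:  ", banned_hosts(SAMPLE_LOG, FIXED_UA_REGEX, 1, 3600))
    # The third auth failure lands 2.5 h later, so a findtime of one hour
    # never sees three of them together.
    print("auth bans:", banned_hosts(SAMPLE_LOG, AUTH_REGEX, 3, 3600))
```

Against a real log and filter file the same check is done with fail2ban's own tool, `fail2ban-regex /var/log/ngcp/kamailio-lb.log /etc/fail2ban/filter.d/kamailio.conf`, which reports how many lines each failregex matched; a filter that reports zero matches on a log known to contain the event is the first thing to rule out before suspecting the firewall or the ban feature itself.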