[Spce-user] is temporarily banned, send 403
Daniel Grotti
dgrotti at sipwise.com
Mon Apr 23 08:18:26 EDT 2018
Hi,
this is SPCE banning the user.
The DOS configuration section is in config.yml, e.g:
security:
dos_ban_enable: yes
dos_ban_time: '300'
dos_reqs_density_per_unit: '50'
dos_sampling_time_unit: '5'
dos_whitelisted_ips:
dos_whitelisted_subnets: []
failed_auth_attempts: '3'
failed_auth_ban_enable: yes
failed_auth_ban_time: '3600'
dos_ section is to band DOS attack, whitl failed_aut_ section is to ban
credential spoofing attack, so a user failing to authenticate more than
3 times in a row will be banned for 1h.
Cheers,
Daniel
On 04/23/2018 02:14 PM, Hohl Matthias wrote:
>
> Hello,
>
> today i found this in my kamailio-lb.log:
>
> /Apr 23 03:44:56 spce lb[3978]: WARNING: <script>: Subscriber
> '1111111111111111' UA='Cisco/SPA112-1.3.5(004p)' from
> IP='111.111.111.111’ is temporarily banned, send 403 –/
>
> I am not sure, which service/setting is banning this temporarily and
> how long is temporarily?
>
> Cause fail2ban is not configured with this regex and the spce himself
> for DOS ban (looking for “is blocked or banned”) and SIP bruteforcing
> ban (looking for “consecutive authentication failure”), doesn’t look
> on this string or does I miss something?
>
> Thanks for your help
>
> Mit freundlichen Grüßen,
>
> Matthias Hohl
>
>
>
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> https://lists.sipwise.com/listinfo/spce-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20180423/da36eaac/attachment-0001.html>
More information about the Spce-user
mailing list