[Spce-user] is temporarily banned, send 403

Hohl Matthias matthias.hohl at telematica.at
Mon Apr 23 08:34:53 EDT 2018


Hello Daniel,

 

Yes, I know about this setting, but your handbook doesn’t reference this log format:

https://spce.telematica.at:1443/handbook/ar01s16.html#_securing_your_sip_provider_ce_against_sip_attacks

 

Apr 23 03:44:56 spce lb[3978]: WARNING: <script>: Subscriber '1111111111111111' UA='Cisco/SPA112-1.3.5(004p)' from IP='111.111.111.111’ is temporarily banned, send 403 –

 

Is this similar to:

Nov 9 13:31:56 sp1 lb[41952]: WARNING: <script>: Consecutive Authentication Failure for 'sipvicous at mydomain.com' UA='sipvicous-client' IP='1.2.3.4' - R=<null> ID=313793-3624525116-589163 at testlab.local

 

?

 

 

From: Spce-user <spce-user-bounces at lists.sipwise.com> On Behalf Of Daniel Grotti
Sent: Monday, 23 April 2018 14:18
To: spce-user at lists.sipwise.com
Subject: Re: [Spce-user] is temporarily banned, send 403

 

Hi,
this is SPCE banning the user.
The DOS configuration section is in config.yml, e.g.:

   security:
      dos_ban_enable: yes
      dos_ban_time: '300'
      dos_reqs_density_per_unit: '50'
      dos_sampling_time_unit: '5'
      dos_whitelisted_ips: 
      dos_whitelisted_subnets: []
      failed_auth_attempts: '3'
      failed_auth_ban_enable: yes
      failed_auth_ban_time: '3600'


The dos_ section is to ban DOS attacks, while the failed_auth_ section is to ban credential spoofing attacks, so a user failing to authenticate more than 3 times in a row will be banned for 1h.

Cheers,
Daniel


On 04/23/2018 02:14 PM, Hohl Matthias wrote:



Hello,

 

Today I found this in my kamailio-lb.log:




Apr 23 03:44:56 spce lb[3978]: WARNING: <script>: Subscriber '1111111111111111' UA='Cisco/SPA112-1.3.5(004p)' from IP='111.111.111.111’ is temporarily banned, send 403 –

 

I am not sure which service/setting is banning this temporarily, and how long is "temporarily"?

Because fail2ban is not configured with this regex, and the SPCE itself, for the DOS ban (looking for “is blocked or banned”) and the SIP brute-forcing ban (looking for “consecutive authentication failure”), doesn’t look for this string, or am I missing something?

 

Thanks for your help

 

Kind regards,

Matthias Hohl
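
Added example (not part of the original thread and not Sipwise's code): a small Python classifier for the two kamailio-lb log formats quoted above, showing that each needs its own pattern and that the typographic closing quote in the pasted line has to be tolerated. The function names, field names and the third sample line are constructed for illustration.

```python
import re
from collections import Counter

# Syslog prefix shared by both kamailio-lb lines quoted in the thread.
PREFIX = (r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\slb\[\d+\]:"
          r"\sWARNING:\s<script>:\s")
# Closing quote after the IP: ASCII ' or the typographic quote in the pasted line.
Q = "['\u2019]"
IP = r"(?P<ip>[0-9a-fA-F.:]+)"

PATTERNS = {
    # Subscriber '<id>' UA='<ua>' from IP='<ip>' is temporarily banned, send 403
    "temporarily_banned": re.compile(
        PREFIX + r"Subscriber '(?P<who>[^']*)' UA='(?P<ua>[^']*)' from IP='"
        + IP + Q + r" is temporarily banned, send 403"),
    # Consecutive Authentication Failure for '<uri>' UA='<ua>' IP='<ip>' - ...
    "consecutive_auth_failure": re.compile(
        PREFIX + r"Consecutive Authentication Failure for '(?P<who>[^']*)' "
        r"UA='(?P<ua>[^']*)' IP='" + IP + Q),
}

def classify(line):
    """Return (event, fields) for a recognised line, else None."""
    for event, rx in PATTERNS.items():
        m = rx.match(line)
        if m:
            return event, m.groupdict()
    return None

def summarize(lines):
    """Count recognised events per (event, source IP)."""
    hits = Counter()
    for line in lines:
        parsed = classify(line.strip())
        if parsed:
            hits[(parsed[0], parsed[1]["ip"])] += 1
    return hits

# First two lines are the ones quoted in the thread; the third is constructed.
SAMPLE = [
    "Apr 23 03:44:56 spce lb[3978]: WARNING: <script>: Subscriber '1111111111111111' UA='Cisco/SPA112-1.3.5(004p)' from IP='111.111.111.111\u2019 is temporarily banned, send 403 \u2013",
    "Nov 9 13:31:56 sp1 lb[41952]: WARNING: <script>: Consecutive Authentication Failure for 'sipvicous at mydomain.com' UA='sipvicous-client' IP='1.2.3.4' - R=<null> ID=313793-3624525116-589163 at testlab.local",
    "Apr 23 03:45:01 spce lb[3978]: INFO: <script>: constructed unrelated line",
]

if __name__ == "__main__":
    for (event, ip), count in summarize(SAMPLE).items():
        print(f"{event:26s} {ip:16s} {count}")
```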

 

 





