[Spce-user] is temporarily banned, send 403

Daniel Grotti dgrotti at sipwise.com
Mon Apr 23 08:40:36 EDT 2018


Hi,
The Temporarily banned means: Subscriber 11111 was banned in the past 
(less than 36060 before) and now he's trying to authenticate for the 
n-th time (n>3).
It's another warning, something different from the Consecutive 
Authentication Failure message.

What is the issue exactly?


Daniel








On 04/23/2018 02:34 PM, Hohl Matthias wrote:
>
> Hello Daniel,
>
> Yes, I know about this setting, but your handbook doesn’t reference 
> this log format:
>
> https://spce.telematica.at:1443/handbook/ar01s16.html#_securing_your_sip_provider_ce_against_sip_attacks
>
> /Apr 23 03:44:56 spce lb[3978]: WARNING: <script>: Subscriber 
> '1111111111111111' UA='Cisco/SPA112-1.3.5(004p)' from 
> IP='111.111.111.111’ is temporarily banned, send 403 –/
>
> Is this similar to:
>
> Nov 9 13:31:56 sp1 lb[41952]: WARNING: <script>: Consecutive 
> Authentication Failure for 'sipvicous at mydomain.com' 
> UA='sipvicous-client' IP='1.2.3.4' - R=<null> 
> ID=313793-3624525116-589163 at testlab.local
>
> ?
>
> *From:* Spce-user <spce-user-bounces at lists.sipwise.com> *On behalf of 
> *Daniel Grotti
> *Sent:* Monday, 23 April 2018 14:18
> *To:* spce-user at lists.sipwise.com
> *Subject:* Re: [Spce-user] is temporarily banned, send 403
>
> Hi,
> this is SPCE banning the user.
> The DOS configuration section is in config.yml, e.g.:
>
>    security:
>       dos_ban_enable: yes
>       dos_ban_time: '300'
>       dos_reqs_density_per_unit: '50'
>       dos_sampling_time_unit: '5'
>       dos_whitelisted_ips:
>       dos_whitelisted_subnets: []
>       failed_auth_attempts: '3'
>       failed_auth_ban_enable: yes
>       failed_auth_ban_time: '3600'
>
>
> The dos_ section is to ban DOS attacks, while the failed_auth_ section is to 
> ban credential spoofing attacks, so a user failing to authenticate more 
> than 3 times in a row will be banned for 1h.
>
> Cheers,
> Daniel
>
>
> On 04/23/2018 02:14 PM, Hohl Matthias wrote:
>
>     Hello,
>
>     Today I found this in my kamailio-lb.log:
>
>
>     /Apr 23 03:44:56 spce lb[3978]: WARNING: <script>: Subscriber
>     '1111111111111111' UA='Cisco/SPA112-1.3.5(004p)' from
>     IP='111.111.111.111’ is temporarily banned, send 403 –/
>
>     I am not sure which service/setting is banning this temporarily,
>     and how long is "temporarily"?
>
>     Because fail2ban is not configured with this regex, and the SPCE
>     itself, for DOS ban (looking for “is blocked or banned”) and SIP
>     bruteforcing ban (looking for “consecutive authentication
>     failure”), doesn’t look for this string, or am I missing something?
>
>     Thanks for your help
>
>     Kind regards,
>
>     Matthias Hohl
>
>
>
>
>
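
The two log formats compared in this thread can be told apart mechanically. The following is an added example, not part of the original messages and not Sipwise's or fail2ban's own filter: a small Python classifier run over the two log lines quoted above (re-joined onto one line each, with straight quotes) plus one constructed non-matching line. The regular expressions are assumptions inferred from those two samples only.

```python
import re
from collections import Counter

# Sample lines copied from the thread (re-joined to one line each, straight quotes).
SAMPLE_LOG = [
    "Apr 23 03:44:56 spce lb[3978]: WARNING: <script>: Subscriber '1111111111111111' "
    "UA='Cisco/SPA112-1.3.5(004p)' from IP='111.111.111.111' is temporarily banned, send 403 -",
    "Nov 9 13:31:56 sp1 lb[41952]: WARNING: <script>: Consecutive Authentication Failure "
    "for 'sipvicous at mydomain.com' UA='sipvicous-client' IP='1.2.3.4' - R=<null> "
    "ID=313793-3624525116-589163 at testlab.local",
    # Constructed line: an unrelated lb message that must not match either pattern.
    "Apr 23 03:45:01 spce lb[3978]: NOTICE: <script>: New request - M=OPTIONS",
]

# Patterns are assumptions inferred from the two samples, not the project's own filters.
PATTERNS = {
    # Logged while failed authentications are being counted (the handbook format).
    "auth_failure": re.compile(
        r"Consecutive Authentication Failure for '(?P<user>[^']*)' "
        r"UA='(?P<ua>[^']*)' IP='(?P<ip>[^']*)'"),
    # Logged when an already banned subscriber tries again and receives a 403.
    "temp_banned": re.compile(
        r"Subscriber '(?P<user>[^']*)' UA='(?P<ua>[^']*)' from "
        r"IP='(?P<ip>[^']*)' is temporarily banned, send 403"),
}

def classify(line):
    """Return (kind, fields) for a recognised lb warning, else None."""
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return kind, m.groupdict()
    return None

def summarize(lines):
    """Count recognised events per (kind, source IP)."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[(hit[0], hit[1]["ip"])] += 1
    return counts

if __name__ == "__main__":
    for (kind, ip), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{kind:13} {ip:16} {n}")
```

A filter that only knows the "Consecutive Authentication Failure" wording never counts the "is temporarily banned" line, which is the gap raised in the original question.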
