Log authentication errors

Log authentication errors

Joan-2-2
Hello,

For some time now there have been plenty of hackers trying to steal
accounts and brute-force passwords. I would like to log all the
wrong authentications so I can use fail2ban to block those IPs.
I've been reading all the mailing list history and I don't see
anything related, although it is quite interesting.
I've been trying something and at the moment the best I could do is this:

        if (is_method("REGISTER")) {
                # authenticate the REGISTER requests
                if (!www_authorize("", "subscriber")) {
                        # log the failure with the source IP so fail2ban can act on it
                        xlog("L_ERR","Auth error for $fU@$fd from $si");
                        www_challenge("", "0");
                        exit;
                }
        }


So when the device tries to register with a wrong password/username I
will log the errors. After that I still have to do the fail2ban
script, but that's quite easy.
I'd like to know your opinion about this.

Thanks

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: Log authentication errors

Brett Nemeroff
On Fri, Aug 27, 2010 at 10:24 AM, Joan <[hidden email]> wrote:

So when the device tries to register with a wrong password/username i
will log  the errors. After that I still have to do the fail2ban
script, but that's quite easy.
I'd like to know your opinion about this.


Joan,
I recommend Fail2Ban to all of my clients. I think it's a great tool. I think you should share your log entry filter and action on the wiki for others to see. :)
-Brett
 


Re: Log authentication errors

Joan-2-2
2010/8/27 Brett Nemeroff <[hidden email]>:

> On Fri, Aug 27, 2010 at 10:24 AM, Joan <[hidden email]> wrote:
>>
>> So when the device tries to register with a wrong password/username i
>> will log  the errors. After that I still have to do the fail2ban
>> script, but that's quite easy.
>> I'd like to know your opinion about this.
>>
>
> Joan,
> I recommend to all of my clients to use Fail2Ban. I think it's a great tool.
> I think you should share your log entry filter and action on the wiki for
> others to see. :)
Sure I will :)
At the moment I still have some doubts on where to put the logging
part, to minimize the false positives (set up like in the example, it
marks the first packet as wrong).


> -Brett

Re: Log authentication errors

Brett Nemeroff
On Fri, Aug 27, 2010 at 10:36 AM, Joan <[hidden email]> wrote:
> At the moment I still have some doubts on where to put the logging
> part, to minimize the false positives (setting like in the example it
> marks the first packet as wrong)


Joan,
you could either take care of that in the script, or just add a failure allowance into the fail2ban config to account for that (easy).
-Brett



Re: Log authentication errors

Stanisław Pitucha
In reply to this post by Joan-2-2
On 27/08/10 16:36, Joan wrote:
> At the moment I still have some doubts on where to put the logging
> part, to minimize the false positives (setting like in the example it
> marks the first packet as wrong)

Not tested at all - but something like that should work.

if (is_method("REGISTER")) {
        # authenticate the REGISTER requests
        if (!www_authorize("", "subscriber")) {
                # a request without credentials is only the first leg of the
                # challenge, so log only when an Authorization header was sent
                if (is_present_hf("Authorization"))
                        xlog("L_ERR","Auth error for $fU@$fd from $si");
                www_challenge("", "0");
                exit;
        }
}

Regards,
Stan


Re: Log authentication errors

Bogdan-Andrei Iancu
Note that by checking the return code of www_authorize() you can get the
reason of the failure:
http://www.opensips.org/html/docs/modules/1.6.x/auth_db.html#id228268

Regards,
Bogdan

--
Bogdan-Andrei Iancu
OpenSIPS Bootcamp
20 - 24 September 2010, Frankfurt, Germany
www.voice-system.ro



Re: Log authentication errors

Kennard White
In reply to this post by Joan-2-2

Hi Joan,

Interesting idea. There are a few edge-cases you might want to consider:

1. A legitimate client will have periodic auth failure due to expired nonce serialization (see "nonce_expire" parameter). This is expected behavior when the nonce cached by a client is expired (by default every 30sec). The return code -3 from www_authorize() indicates this case, and the reply to client has stale=1 parameter.

2. Similar to above, a legitimate client will have auth failure due to nonce serialization (see "disable_nonce_check" parameter). This also has a -3 return code; however, the response back to the client does NOT have the stale=1 parameter.

3. Generally the "first" request doesn't have any credentials at all (because client doesn't have a nonce), and probably isn't an "attack". Someone else suggested searching for the "Authorization" header field to detect this. You can also detect this via the -4 return code.

Thus, I'm suggesting something like:

        # arguments as in the snippet earlier in the thread;
        # $rc holds the return code of the last called function
        www_authorize("", "subscriber");
        $var(auth_code) = $rc;
        if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
                # credentials were present but wrong: worth logging for fail2ban
                xlog("L_ERR","Auth error for $fU@$fd from $si cause $var(auth_code)");
        }
        if ( $var(auth_code) < 0 ) {
                # -3 (stale nonce) and -4 (no credentials) are simply re-challenged
                www_challenge("", "0");
                exit;
        }


Also, I wonder if it is possible to store the data using db_flatstore. Is there an interface to call db_flatstore's insert method from script land? avpops doesn't seem to have an avp_db_insert() method.

Regards,
Kennard

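The log line, the fail2ban filter and the "failure allowance" discussed above, worked through as an added example (this is not code from the thread or from the OpenSIPS wiki page). It keeps a fail2ban-style failregex for the xlog() line, matches only the "cause -1"/"cause -2" failures (so the stale-nonce and no-credentials cases Kennard lists never count), and replays a per-host sliding window with fail2ban's maxretry/findtime semantics. Assumptions: OpenSIPS logs through syslog with an `opensips[pid]:` prefix, the `<HOST>` expansion is a simplified form of fail2ban's own, maxretry 5 / findtime 600 s are chosen for the example, and the log lines are constructed, not captured.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban-style failregex for the xlog() line used in this thread.
# <HOST> is fail2ban's placeholder for the offending address.  Lines that
# carry "cause -3" (stale nonce) or "cause -4" (no credentials) do not
# match; lines without a "cause" suffix (the first script) still match.
FAILREGEX = r"Auth error for \S+ from <HOST>(?: cause -[12])?\s*$"

# Assumption: simplified form of the named group fail2ban substitutes
# for <HOST> (the real one also tolerates an IPv4-mapped IPv6 prefix).
HOST_GROUP = r"(?P<host>[\w\-.^_]*\w)"

# Assumption: syslog layout with an "opensips[pid]:" prefix; the syslog
# timestamp carries no year, so one is supplied when parsing.
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ opensips\[\d+\]: (?P<msg>.*)$"
)

# Constructed sample log (not a real capture): 203.0.113.5 guesses five
# accounts, 198.51.100.7 is a phone with a stale nonce that then re-sends
# without credentials, 192.0.2.9 is one failure in the older log format.
SAMPLE_LOG = """\
Aug 27 10:24:01 sip1 opensips[2101]: Auth error for 1001@example.com from 203.0.113.5 cause -1
Aug 27 10:24:02 sip1 opensips[2101]: Auth error for 1002@example.com from 203.0.113.5 cause -2
Aug 27 10:24:03 sip1 opensips[2101]: Auth error for 1003@example.com from 203.0.113.5 cause -1
Aug 27 10:24:04 sip1 opensips[2101]: Auth error for 1004@example.com from 203.0.113.5 cause -2
Aug 27 10:24:05 sip1 opensips[2101]: Auth error for 1005@example.com from 203.0.113.5 cause -1
Aug 27 10:30:00 sip1 opensips[2101]: Auth error for alice@example.com from 198.51.100.7 cause -3
Aug 27 10:30:31 sip1 opensips[2101]: Auth error for alice@example.com from 198.51.100.7 cause -4
Aug 27 10:40:00 sip1 opensips[2101]: Auth error for bob@example.com from 192.0.2.9
""".splitlines()


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def parse_syslog_line(line, year=2010):
    """Split a syslog line into (timestamp, message); None if not OpenSIPS."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("msg")


class FailureWindow:
    """Per-host sliding window mirroring fail2ban's maxretry/findtime."""

    def __init__(self, maxretry=5, findtime=600):
        self.maxretry = maxretry
        self.findtime = findtime
        self.hits = defaultdict(deque)
        self.banned = set()

    def observe(self, host, ts):
        """Record one failure; return True once the host reaches maxretry."""
        q = self.hits[host]
        q.append(ts)
        # Forget failures older than findtime seconds relative to this one.
        while q and (ts - q[0]).total_seconds() > self.findtime:
            q.popleft()
        if len(q) >= self.maxretry:
            self.banned.add(host)
        return host in self.banned


def scan(lines, maxretry=5, findtime=600):
    """Return ({host: counted failures}, [hosts fail2ban would ban])."""
    pattern = compile_failregex(FAILREGEX)
    window = FailureWindow(maxretry, findtime)
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_syslog_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        m = pattern.search(msg)
        if m is None:
            continue  # stale-nonce and no-credentials lines end up here
        host = m.group("host")
        counts[host] += 1
        window.observe(host, ts)
    return dict(counts), sorted(window.banned)


if __name__ == "__main__":
    counts, banned = scan(SAMPLE_LOG)
    for host, n in sorted(counts.items()):
        print(f"{host}: {n} counted failure(s)")
    print("would ban:", banned)  # ['203.0.113.5']
```

The same FAILREGEX string can be dropped into a fail2ban filter file as `failregex = ...` and checked against a real log with `fail2ban-regex`; raising `maxretry` is the "failure allowance" Brett mentions, and it is what keeps a phone that merely hit a stale nonce off the ban list even if the script logs every failure without a cause code.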

Re: Log authentication errors

Joan-2-2
Ok, I finally got all the pieces together. I wanted to create a new page on the wiki with the information, but I couldn't find the place to register.

Shall I post it here so someone with the rights can create the page? Or can someone point me to the page so I can register to edit the wiki.


Re: Log authentication errors

Joan-2-2
Hey, I finally was able to open an account in the wiki (it's quite a strange wiki system though).
In any case I could create this entry:
http://www.opensips.org/PmWiki/Fail2ban

But currently it is not referenced from anywhere; could someone make it indexable from the wiki content?

And thanks for the people who helped with the code!


Re: Log authentication errors

Bogdan-Andrei Iancu
Hi Joan,

Thank you for your contribution - the proper place for the page should
be under http://www.opensips.org/Resources/DocsTutorials , like
http://www.opensips.org/Resources/Fail2ban...

If you want, I can help you with the migration.

Thanks and regards,
Bogdan



--
Bogdan-Andrei Iancu
OpenSIPS Bootcamp
20 - 24 September 2010, Frankfurt, Germany
www.voice-system.ro



Re: Log authentication errors

Joan-2-2
2010/8/31 Bogdan-Andrei Iancu <[hidden email]>:
> Hi Joan,
>
> Thank you for your contribution - the proper place for the page should
> be under  http://www.opensips.org/Resources/DocsTutorials , like
> http://www.opensips.org/Resources/Fail2ban...
>
> If you want, I can help you with the migration.
Ok, it's moved; the only remaining part is to remove the old link
http://www.opensips.org/PmWiki/Fail2ban

I suppose that only admins can do that.

Cheers


Re: Log authentication errors

Brett Nemeroff
On Wed, Sep 1, 2010 at 5:12 AM, Joan <[hidden email]> wrote:
>> If you want, I can help you with the migration.
> Ok, it's moved; the only remaining part is to remove the old link

Joan,
Thanks for this. It's a very useful contribution!
-Brett

