[Freeswitch-users] Confusing SIP auth failure logging message?

Steven Ayre steveayre at gmail.com
Tue Feb 8 00:47:20 MSK 2011


I expect it's to handle where an attacker keeps sending unauthenticated packets which generate a 407, but don't do a subsequent authenticated invite so never actually fail. Those can still be detected and blocked this way.

Steve on iPhone

On 7 Feb 2011, at 20:31, Simon J Mudd <sjmudd at pobox.com> wrote:

> msc at freeswitch.org (Michael Collins) writes:
> 
> ...
> 
>> No. This is just saying that there was a challenge, not that there was a
>> failure. There is already a failure detection routine. To test it, setup a
>> SIP client with an incorrect password. You'll see two log lines like this:
>> 
>> 2011-02-07 12:23:28.490029 [WARNING] sofia_reg.c:1247 SIP auth challenge
>> (REGISTER) on sofia profile 'internal' for [1002 at 10.10.16.161] from ip
>> 10.10.16.161
>> 2011-02-07 12:23:29.035950 [WARNING] sofia_reg.c:1247 SIP auth challenge
>> (REGISTER) on sofia profile 'internal' for [1002 at 10.10.16.161] from ip
>> 10.10.16.161
>> 2011-02-07 12:23:29.240695 [WARNING] sofia_reg.c:1205 SIP auth failure
>> (REGISTER) on sofia profile 'internal' for [1002 at 10.10.16.161] from ip
>> 10.10.16.161
>> 
>> This allows you to differentiate between the mere fact that an auth
>> challenge was sent to the SIP client vs. the SIP client failing to auth.
>> (Someone asked for that differentiation a while back - I don't know who or
>> why...)
> 
> Thanks for the clarification. I must have missed the other message.
> Having both makes sense for example if used with fail2ban.
> 
> Simon
> 
> _______________________________________________
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org



More information about the FreeSWITCH-users mailing list