[Freeswitch-users] Log of Authentication Attempts/Failures
Густаво Силва
gfs at etherway.ru
Mon Jun 15 15:05:00 MSD 2015
The profile config:
<profile name="internal">
  <aliases>
  </aliases>
  <gateways>
    <X-PRE-PROCESS cmd="include" data="internal/*.xml"/>
  </gateways>
  <domains>
    <domain name="all" alias="true" parse="false"/>
  </domains>
  <settings>
    <param name="debug" value="1"/>
    <param name="sip-trace" value="yes"/>
    <param name="sip-capture" value="no"/>
    <param name="watchdog-enabled" value="no"/>
    <param name="watchdog-step-timeout" value="30000"/>
    <param name="watchdog-event-timeout" value="30000"/>
    <param name="log-auth-failures" value="true"/>
    <param name="forward-unsolicited-mwi-notify" value="false"/>
    <param name="context" value="public"/>
    <param name="rfc2833-pt" value="101"/>
    <param name="sip-port" value="$${internal_sip_port}"/>
    <param name="dialplan" value="XML"/>
    <param name="dtmf-duration" value="2000"/>
    <param name="inbound-codec-prefs" value="$${global_codec_prefs}"/>
    <param name="outbound-codec-prefs" value="$${global_codec_prefs}"/>
    <param name="rtp-timer-name" value="soft"/>
    <param name="rtp-ip" value="$${local_ip_v4}"/>
    <param name="sip-ip" value="$${local_ip_v4}"/>
    <param name="hold-music" value="$${hold_music}"/>
    <param name="apply-nat-acl" value="nat.auto"/>
    <param name="enable-timer" value="true"/>
    <param name="apply-inbound-acl" value="domains"/>
    <param name="local-network-acl" value="localnet.auto"/>
    <param name="send-message-query-on-register" value="false"/>
    <param name="record-path" value="$${recordings_dir}"/>
    <param name="record-template" value="${caller_id_number}.${target_domain}.${strftime(%Y-%m-%d-%H-%M-%S)}.wav"/>
    <param name="manage-presence" value="true"/>
    <param name="presence-hosts" value="$${domain},$${local_ip_v4}"/>
    <param name="presence-privacy" value="$${presence_privacy}"/>
    <param name="inbound-codec-negotiation" value="generous"/>
    <param name="tls" value="$${internal_ssl_enable}"/>
    <param name="tls-only" value="false"/>
    <param name="tls-bind-params" value="transport=tls"/>
    <param name="tls-sip-port" value="$${internal_tls_port}"/>
    <param name="tls-cert-dir" value="$${internal_ssl_dir}"/>
    <param name="tls-passphrase" value=""/>
    <param name="tls-verify-date" value="true"/>
    <param name="tls-verify-policy" value="none"/>
    <param name="tls-verify-depth" value="2"/>
    <param name="tls-verify-in-subjects" value=""/>
    <param name="tls-version" value="$${sip_tls_version}"/>
    <param name="inbound-late-negotiation" value="true"/>
    <param name="nonce-ttl" value="60"/>
    <param name="auth-calls" value="$${internal_auth_calls}"/>
    <param name="inbound-reg-force-matching-username" value="true"/>
    <param name="auth-all-packets" value="false"/>
    <param name="ext-rtp-ip" value="auto-nat"/>
    <param name="ext-sip-ip" value="auto-nat"/>
    <param name="rtp-timeout-sec" value="300"/>
    <param name="rtp-hold-timeout-sec" value="1800"/>
    <param name="challenge-realm" value="auto_from"/>
  </settings>
</profile>
On 15.06.2015 11:26, Steven Ayre wrote:
> 1.2.11 is incredibly old, it's unsupported now and its age means there
> are a lot of bugs in it that are fixed in the latest versions. That
> includes performance, functionality and security bugs. I understand
> it's a production server but it would be well worth planning regular
> updates.
>
> That said, perhaps you can show us the entire profile config? Perhaps
> there's an XML error elsewhere preventing the parameter being read.
> And are you sure the profile you set it on is the same as the one
> receiving the packets?
>
> On 15 June 2015 at 07:27, Густаво Силва <gfs at etherway.ru> wrote:
>
> I have checked the sofia_reg.c code of the FreeSWITCH 1.2.11
> version, and this is available in this version.
>
> if (auth_res != AUTH_OK && auth_res != AUTH_RENEWED && !stale) {
>     if (auth_res == AUTH_FORBIDDEN) {
>         nua_respond(nh, SIP_403_FORBIDDEN, NUTAG_WITH_THIS_MSG(de->data->e_msg), TAG_END());
>         forbidden = 1;
>     } else {
>         nua_respond(nh, SIP_401_UNAUTHORIZED, NUTAG_WITH_THIS_MSG(de->data->e_msg), TAG_END());
>     }
>
>     if (profile->debug) {
>         switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Send %s for [%s@%s]\n",
>                           forbidden ? "forbidden" : "challenge", to_user, to_host);
>     }
>     /* Log line added to support Fail2Ban */
>     if (sofia_test_pflag(profile, PFLAG_LOG_AUTH_FAIL)) {
>         switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "SIP auth %s (%s) on sofia profile '%s' "
>                           "for [%s@%s] from ip %s\n", forbidden ? "failure" : "challenge",
>                           (regtype == REG_INVITE) ? "INVITE" : "REGISTER", profile->name,
>                           to_user, to_host, network_ip);
>     }
>
> I am just getting this in the log file. I am avoiding updating
> because this server is in a production environment.
>
> Somehow it is not processing the last "if" statement.
>
>
> On 11.06.2015 17:19, Michael Jerris wrote:
>> You should start with trying our most recent release 1.4.19
>>
>> On Thursday, June 11, 2015, Густаво Силва <gfs at etherway.ru> wrote:
>>
>> Hello Guys,
>>
>> I am trying to log the attempts and failures of the
>> authentication process, but I am not able to get the log
>> described on the FreeSWITCH site.
>>
>> I have already set my profile to log it by doing:
>>
>> <param name="log-auth-failures" value="true"/>
>>
>> and I reloaded the sofia mod.
>>
>> I should get "SIP auth challenge" or "SIP auth failure" in the
>> FreeSWITCH log, but I am only getting "Send challenge for" and
>> "Send forbidden for" when the authentication fails.
>>
>> I am using FreeSWITCH version 1.2.11.
>>
>> What else should I do?
>>
>> Regards,
>> Gustavo
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>> http://www.freeswitchsolutions.com
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://confluence.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org <mailto:FreeSWITCH-users at lists.freeswitch.org>
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>
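An added example, not code from the thread or from FreeSWITCH, showing what the `log-auth-failures` line is actually for. The sofia_reg.c branch quoted in the thread emits two different messages: the `debug` path prints `Send challenge/forbidden for [user@host]` with no source address, which is all the 1.2.11 build in this thread is producing, while the `PFLAG_LOG_AUTH_FAIL` path prints `SIP auth failure/challenge (REGISTER|INVITE) on sofia profile '...' for [user@host] from ip X`, which is the line a Fail2Ban-style banner needs. The code below parses both message formats exactly as given in the quoted format strings, counts only the WARNING lines per source IP in a sliding window, and reports which sources crossed a ban threshold. The leading `date time.usec [LEVEL] file:line` log prefix is an assumption about the default FreeSWITCH log layout (check it against your own freeswitch.log), and the sample log lines are constructed for the example, not captured traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMPTION: default FreeSWITCH log layout "<date> <time>.<usec> [<LEVEL>] <file>:<line> <message>".
# Only this prefix is assumed; the two message formats below are taken from the
# sofia_reg.c format strings quoted in the thread.
LOG_PREFIX = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? \[(?P<level>[A-Z]+)\] \S+:\d+ (?P<msg>.*)$"
)

# log-auth-failures=true path (SWITCH_LOG_WARNING):
#   "SIP auth %s (%s) on sofia profile '%s' for [%s@%s] from ip %s"
AUTH_MSG = re.compile(
    r"^SIP auth (?P<result>failure|challenge) \((?P<method>REGISTER|INVITE)\) "
    r"on sofia profile '(?P<profile>[^']+)' for \[(?P<user>[^@\]]*)@(?P<host>[^\]]*)\] "
    r"from ip (?P<ip>[0-9A-Fa-f.:]+)$"
)

# debug=1 path (SWITCH_LOG_DEBUG), the only line the poster is seeing:
#   "Send %s for [%s@%s]"   -- carries no source IP, so there is nothing to ban on
DEBUG_MSG = re.compile(r"^Send (?P<result>forbidden|challenge) for \[(?P<user>[^@\]]*)@(?P<host>[^\]]*)\]$")


def parse_line(line):
    """Classify one log line.

    Returns a dict with kind="auth" (has an 'ip' key) or kind="debug" (no 'ip'),
    or None for anything that is not one of the two sofia_reg.c messages.
    """
    p = LOG_PREFIX.match(line)
    if not p:
        return None
    ts = datetime.strptime(p.group("ts"), "%Y-%m-%d %H:%M:%S")
    m = AUTH_MSG.match(p.group("msg"))
    if m:
        return {"kind": "auth", "ts": ts, "level": p.group("level"), **m.groupdict()}
    m = DEBUG_MSG.match(p.group("msg"))
    if m:
        return {"kind": "debug", "ts": ts, "level": p.group("level"), **m.groupdict()}
    return None


def ban_candidates(lines, max_failures=5, window=timedelta(minutes=10), count_challenges=False):
    """Sliding-window count of auth failures per source IP, Fail2Ban style.

    By default only result=failure (the SIP_403_FORBIDDEN branch) is counted.
    result=challenge is the SIP_401_UNAUTHORIZED branch, and a 401 is also what
    every credential-less first REGISTER from a legitimate phone receives, so
    counting challenges would ban real users. Set count_challenges=True only
    when the log covers sources that should never be sending SIP at all.
    Returns {ip: failures_in_window_at_the_moment_the_threshold_was_crossed}.
    """
    recent = defaultdict(list)   # ip -> timestamps still inside the window
    banned = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["kind"] != "auth":
            continue  # debug lines have no IP and are skipped on purpose
        if ev["result"] == "challenge" and not count_challenges:
            continue
        ip, ts = ev["ip"], ev["ts"]
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= max_failures and ip not in banned:
            banned[ip] = len(recent[ip])
    return banned


# CONSTRUCTED sample log (not real traffic): one legitimate phone that receives its
# normal 401 challenge, and one source walking through several extensions, with a
# second burst half an hour later to exercise the sliding window.
SAMPLE_LOG = """\
2015-06-15 15:00:01.000001 [DEBUG] sofia_reg.c:1750 Send challenge for [1001@pbx.example.com]
2015-06-15 15:00:01.000002 [WARNING] sofia_reg.c:1755 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1001@pbx.example.com] from ip 192.0.2.10
2015-06-15 15:00:02.000001 [WARNING] sofia_reg.c:1755 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@pbx.example.com] from ip 198.51.100.7
2015-06-15 15:00:03.000001 [WARNING] sofia_reg.c:1755 SIP auth failure (REGISTER) on sofia profile 'internal' for [1002@pbx.example.com] from ip 198.51.100.7
2015-06-15 15:00:04.000001 [WARNING] sofia_reg.c:1755 SIP auth failure (INVITE) on sofia profile 'internal' for [1003@pbx.example.com] from ip 198.51.100.7
2015-06-15 15:30:00.000001 [WARNING] sofia_reg.c:1755 SIP auth failure (REGISTER) on sofia profile 'internal' for [1004@pbx.example.com] from ip 198.51.100.7
2015-06-15 15:30:01.000001 [WARNING] sofia_reg.c:1755 SIP auth failure (REGISTER) on sofia profile 'internal' for [1005@pbx.example.com] from ip 198.51.100.7
2015-06-15 15:30:02.000001 [WARNING] sofia_reg.c:1755 SIP auth failure (REGISTER) on sofia profile 'internal' for [1006@pbx.example.com] from ip 198.51.100.7
"""

if __name__ == "__main__":
    for ip, n in ban_candidates(SAMPLE_LOG.splitlines(), max_failures=3).items():
        print(f"ban {ip}: {n} auth failures inside the window")
```

Two things worth noticing when running it against the profile posted at the top of the thread. First, that profile has `debug=1` and `sip-trace=yes`, which is why the DEBUG `Send challenge for` lines appear at all; those lines match `DEBUG_MSG` but never contribute to a ban because they carry no `network_ip`. Second, with the default threshold of 5 the six failures from `198.51.100.7` never trigger, because the two bursts are 30 minutes apart and the window is 10 minutes; lowering `max_failures` to 3 catches the first burst. Tune both against your own traffic before pointing a real banning action at the output.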