check out my patch Ive just posted to jira.<div><a href="http://jira.freeswitch.org/browse/FS-3094">http://jira.freeswitch.org/browse/FS-3094</a></div><div><br></div><div>you can subscribe to "Auth" events now - <span class="Apple-style-span" style="font-family: Arial, sans-serif; font-size: 12px; ">SWITCH_EVENT_AUTH</span></div>
<div><span class="Apple-style-span" style="font-family: Arial, sans-serif; font-size: 12px; ">which are generic for Register & Invite ( and any other auth'd packet I guess )</span></div><div><span class="Apple-style-span" style="font-family: Arial, sans-serif; font-size: 12px; ">and there is an auth_state which will tell you if its an auth fail or a expire etc..</span></div>
<div><span class="Apple-style-span" style="font-family: Arial, sans-serif; font-size: 12px; ">you can get the to_user, to_host, useragent, sip profile and network_ip</span></div><div><span class="Apple-style-span" style="font-family: Arial, sans-serif; font-size: 12px; "><br>
</span></div><div><font class="Apple-style-span" face="Arial, sans-serif" size="3"><span class="Apple-style-span" style="font-size: 12px;">Auth Expires also have a Log messages similar to Auth Failures ( fail2ban compatible )</span></font></div>
<div><span class="Apple-style-span" style="font-family: Arial, sans-serif; font-size: 12px; "><br></span></div><meta http-equiv="content-type" content="text/html; charset=utf-8"><div>PLEASE guys give this some testing. I only banged this together in a few hours today in my currently sleep deprived state. So im sure its going to have things that can be improved or work better, but at least the bones of it are there now.</div>
<div><br></div><div>let me know your thoughts.</div><div><br></div><div>Jay</div><div><br></div><div><br></div><div><br><div class="gmail_quote">On Mon, Feb 21, 2011 at 11:08 PM, <a href="mailto:Jmesquita@freeswitch.org">Jmesquita@freeswitch.org</a> <span dir="ltr"><<a href="mailto:jmesquita@freeswitch.org">jmesquita@freeswitch.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Just an idea for the other developers. Wouldn't be cool to have and event thrown by each module that does authentication so that other application modules are able to listen in those events and do whatever with it? Some people might even like to have that running an eel daemon and throw some snmp traps based on that?<br>
<br>
Just an idea that might be completely ridiculous or might raise some interest. Events are pretty cheap so there wouldn't be a lot of overhead involved.<br>
<br>
Regards,<br>
<br>
João Mesquita<br>
<div><div></div><div class="h5"><br>
On 21/02/2011, at 07:28, Spencer Thomason <<a href="mailto:spencer@5ninesolutions.com">spencer@5ninesolutions.com</a>> wrote:<br>
<br>
> After tinkering with it, I think that might be the best way. The<br>
> iptables method is cool but I'd like to have more dynamic control and<br>
> with Fail2Ban looking at the challenges you could specifically ignore<br>
> certain high traffic IPs and block others. What would be very cool is<br>
> if instead of logging every challenge, a log entry was written if<br>
> there was a high number from a specific IP, then you could decide what<br>
> to do about it with fail2ban, similar to the pike module for opensips<br>
> does.<br>
><br>
><br>
> On Feb 21, 2011, at 1:31 AM, <a href="mailto:covici@ccs.covici.com">covici@ccs.covici.com</a> wrote:<br>
><br>
>> I would change sip auth failure to challenge and then have sufficient<br>
>> times to only block if there are too many challenges in a certain<br>
>> time.<br>
>> I am not even sure the failure works any more in recent gits.<br>
>><br>
>> Spencer Thomason <<a href="mailto:spencer@5ninesolutions.com">spencer@5ninesolutions.com</a>> wrote:<br>
>><br>
>>> Yes, that works great if they respond to the challenge with a failed<br>
>>> auth. But the scenario I'm trying to prevent is if they just send the<br>
>>> INVITE and never respond to the challenge. Fail2Ban will not work as<br>
>>> every endpoint will initially send an INVITE and receive a challenge.<br>
>>> Legit calls will then respond correctly and not be logged as a SIP<br>
>>> auth failure but every call that is challenged will show up as SIP<br>
>>> auth challenge in the logs so there is no regex to differentiate<br>
>>> between legit an non legit traffic.<br>
>>><br>
>>> Spencer<br>
>>><br>
>>> On Feb 20, 2011, at 10:39 PM, Ken Rice wrote:<br>
>>><br>
>>>> Fail2Ban ... This is block an IP with too many failed attempts from<br>
>>>> something like SipVicious pretty quickly<br>
>>>><br>
>>>><br>
>>>> On 2/20/11 11:07 PM, "Spencer Thomason" <<a href="mailto:spencer@5ninesolutions.com">spencer@5ninesolutions.com</a>><br>
>>>> wrote:<br>
>>>><br>
>>>>> Hi,<br>
>>>>> We run hosted Freeswitch instances in VMs with the internal profile<br>
>>>>> on<br>
>>>>> port 5060 connecting to clients mostly behind NAT and then the<br>
>>>>> external profile connecting to our proxies only. Protecting the<br>
>>>>> external profile its straightforward.. we only allow traffic to/<br>
>>>>> from<br>
>>>>> our proxies at the firewall level. But protecting the internal<br>
>>>>> profile seems to be a bit more difficult because the UACs could be<br>
>>>>> theoretically anywhere on the network.<br>
>>>>><br>
>>>>> I'm currently using Fail2Ban to prevent brute force registration<br>
>>>>> and<br>
>>>>> INVITEs on auth failures, e.g.:<br>
>>>>> failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \<br>
>>>>> (REGISTER\)<br>
>>>>> on sofia profile \'\w+\' for \[.*\] from ip <HOST><br>
>>>>> \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\)<br>
>>>>> on sofia profile \'\w+\' for \[.*\] from ip <HOST><br>
>>>>><br>
>>>>> My question is, since its part of a normal SIP dialog to challenge<br>
>>>>> the<br>
>>>>> INVITE, is there any way to prevent a possible DoS from just sheer<br>
>>>>> volume of incoming INVITEs on an Internet facing server<br>
>>>>> automatically. I.e., If you block the logged challenge, you'd<br>
>>>>> block<br>
>>>>> all legitimate INVITEs and registrations. Since its UDP traffic I<br>
>>>>> couldn't come up with a way to do it automatically at the iptables<br>
>>>>> level. i.e. number of concurrent connections. Is there some option<br>
>>>>> to<br>
>>>>> just not respond if a client is sending a number of requests over a<br>
>>>>> certain threshold? It might not stop them from sending the traffic<br>
>>>>> but pretty soon they'd get the idea that it wasn't going to go<br>
>>>>> anywhere. My concern is say there are 50 Freeswitch instances on a<br>
>>>>> box (albeit 8 core, 32GB ram, 8 15K raid 10 storage) and someone<br>
>>>>> starts sending thousands of rouge INVITEs to every VM on a physical<br>
>>>>> box that the CPU load from just challenging the incoming INVITEs<br>
>>>>> would<br>
>>>>> create a DoS. We the logs regularly to try to catch people doing<br>
>>>>> this<br>
>>>>> sort of thing and drop them at a router upstream of the core<br>
>>>>> network,<br>
>>>>> but I'd like to have it happen without human intervention. Have I<br>
>>>>> completely over thought this and am missing something obvious?<br>
>>>>><br>
>>>>> Thanks,<br>
>>>>> Spencer<br>
>>>>><br>
>>>>><br>
>>>>> _______________________________________________<br>
>>>>> FreeSWITCH-users mailing list<br>
>>>>> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
>>>>> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
>>>>> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
>>>>> <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
>>>><br>
>>>><br>
>>>><br>
>>>> _______________________________________________<br>
>>>> FreeSWITCH-users mailing list<br>
>>>> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
>>>> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
>>>> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
>>>> <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
>>>><br>
>>><br>
>>><br>
>>> _______________________________________________<br>
>>> FreeSWITCH-users mailing list<br>
>>> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
>>> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
>>> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
>>> <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
>><br>
>> --<br>
>> Your life is like a penny. You're going to lose it. The question is:<br>
>> How do<br>
>> you spend it?<br>
>><br>
>> John Covici<br>
>> <a href="mailto:covici@ccs.covici.com">covici@ccs.covici.com</a><br>
>><br>
>> _______________________________________________<br>
>> FreeSWITCH-users mailing list<br>
>> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
>> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
>> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
>> <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
>><br>
><br>
><br>
> _______________________________________________<br>
> FreeSWITCH-users mailing list<br>
> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
> <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br>
_______________________________________________<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Sincerely<br><br>Jay<br>
</div>