<p>Keep in mind there is also a register attempt event but this is probably an ok addition.</p>
<div class="gmail_quote">On Feb 23, 2011 12:59 AM, "jay binks" <<a href="mailto:jaybinks@gmail.com">jaybinks@gmail.com</a>> wrote:<br type="attribution">> check out my patch Ive just posted to jira.<br>
> <a href="http://jira.freeswitch.org/browse/FS-3094">http://jira.freeswitch.org/browse/FS-3094</a><br>> <br>> you can subscribe to "Auth" events now - SWITCH_EVENT_AUTH<br>> which are generic for Register & Invite ( and any other auth'd packet I<br>
> guess )<br>> and there is an auth_state which will tell you if its an auth fail or a<br>> expire etc..<br>> you can get the to_user, to_host, useragent, sip profile and network_ip<br>> <br>> Auth Expires also have a Log messages similar to Auth Failures ( fail2ban<br>
> compatible )<br>> <br>> PLEASE guys give this some testing. I only banged this together in a few<br>> hours today in my currently sleep deprived state. So im sure its going to<br>> have things that can be improved or work better, but at least the bones of<br>
> it are there now.<br>> <br>> let me know your thoughts.<br>> <br>> Jay<br>> <br>> <br>> <br>> On Mon, Feb 21, 2011 at 11:08 PM, <a href="mailto:Jmesquita@freeswitch.org">Jmesquita@freeswitch.org</a> <<br>
> <a href="mailto:jmesquita@freeswitch.org">jmesquita@freeswitch.org</a>> wrote:<br>> <br>>> Just an idea for the other developers. Wouldn't be cool to have and event<br>>> thrown by each module that does authentication so that other application<br>
>> modules are able to listen in those events and do whatever with it? Some<br>>> people might even like to have that running an eel daemon and throw some<br>>> snmp traps based on that?<br>>><br>>> Just an idea that might be completely ridiculous or might raise some<br>
>> interest. Events are pretty cheap so there wouldn't be a lot of overhead<br>>> involved.<br>>><br>>> Regards,<br>>><br>>> Joćo Mesquita<br>>><br>>> On 21/02/2011, at 07:28, Spencer Thomason <<a href="mailto:spencer@5ninesolutions.com">spencer@5ninesolutions.com</a>><br>
>> wrote:<br>>><br>>> > After tinkering with it, I think that might be the best way. The<br>>> > iptables method is cool but I'd like to have more dynamic control and<br>>> > with Fail2Ban looking at the challenges you could specifically ignore<br>
>> > certain high traffic IPs and block others. What would be very cool is<br>>> > if instead of logging every challenge, a log entry was written if<br>>> > there was a high number from a specific IP, then you could decide what<br>
>> > to do about it with fail2ban, similar to the pike module for opensips<br>>> > does.<br>>> ><br>>> ><br>>> > On Feb 21, 2011, at 1:31 AM, <a href="mailto:covici@ccs.covici.com">covici@ccs.covici.com</a> wrote:<br>
>> ><br>>> >> I would change sip auth failure to challenge and then have sufficient<br>>> >> times to only block if there are too many challenges in a certain<br>>> >> time.<br>
>> >> I am not even sure the failure works any more in recent gits.<br>>> >><br>>> >> Spencer Thomason <<a href="mailto:spencer@5ninesolutions.com">spencer@5ninesolutions.com</a>> wrote:<br>
>> >><br>>> >>> Yes, that works great if they respond to the challenge with a failed<br>>> >>> auth. But the scenario I'm trying to prevent is if they just send the<br>>> >>> INVITE and never respond to the challenge. Fail2Ban will not work as<br>
>> >>> every endpoint will initially send an INVITE and receive a challenge.<br>>> >>> Legit calls will then respond correctly and not be logged as a SIP<br>>> >>> auth failure but every call that is challenged will show up as SIP<br>
>> >>> auth challenge in the logs so there is no regex to differentiate<br>>> >>> between legit an non legit traffic.<br>>> >>><br>>> >>> Spencer<br>>> >>><br>
>> >>> On Feb 20, 2011, at 10:39 PM, Ken Rice wrote:<br>>> >>><br>>> >>>> Fail2Ban ... This is block an IP with too many failed attempts from<br>>> >>>> something like SipVicious pretty quickly<br>
>> >>>><br>>> >>>><br>>> >>>> On 2/20/11 11:07 PM, "Spencer Thomason" <<a href="mailto:spencer@5ninesolutions.com">spencer@5ninesolutions.com</a>><br>>> >>>> wrote:<br>
>> >>>><br>>> >>>>> Hi,<br>>> >>>>> We run hosted Freeswitch instances in VMs with the internal profile<br>>> >>>>> on<br>>> >>>>> port 5060 connecting to clients mostly behind NAT and then the<br>
>> >>>>> external profile connecting to our proxies only. Protecting the<br>>> >>>>> external profile its straightforward.. we only allow traffic to/<br>>> >>>>> from<br>
>> >>>>> our proxies at the firewall level. But protecting the internal<br>>> >>>>> profile seems to be a bit more difficult because the UACs could be<br>>> >>>>> theoretically anywhere on the network.<br>
>> >>>>><br>>> >>>>> I'm currently using Fail2Ban to prevent brute force registration<br>>> >>>>> and<br>>> >>>>> INVITEs on auth failures, e.g.:<br>
>> >>>>> failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \<br>>> >>>>> (REGISTER\)<br>>> >>>>> on sofia profile \'\w+\' for \[.*\] from ip <HOST><br>
>> >>>>> \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\)<br>>> >>>>> on sofia profile \'\w+\' for \[.*\] from ip <HOST><br>>> >>>>><br>
>> >>>>> My question is, since its part of a normal SIP dialog to challenge<br>>> >>>>> the<br>>> >>>>> INVITE, is there any way to prevent a possible DoS from just sheer<br>
>> >>>>> volume of incoming INVITEs on an Internet facing server<br>>> >>>>> automatically. I.e., If you block the logged challenge, you'd<br>>> >>>>> block<br>
>> >>>>> all legitimate INVITEs and registrations. Since its UDP traffic I<br>>> >>>>> couldn't come up with a way to do it automatically at the iptables<br>>> >>>>> level. i.e. number of concurrent connections. Is there some option<br>
>> >>>>> to<br>>> >>>>> just not respond if a client is sending a number of requests over a<br>>> >>>>> certain threshold? It might not stop them from sending the traffic<br>
>> >>>>> but pretty soon they'd get the idea that it wasn't going to go<br>>> >>>>> anywhere. My concern is say there are 50 Freeswitch instances on a<br>>> >>>>> box (albeit 8 core, 32GB ram, 8 15K raid 10 storage) and someone<br>
>> >>>>> starts sending thousands of rouge INVITEs to every VM on a physical<br>>> >>>>> box that the CPU load from just challenging the incoming INVITEs<br>>> >>>>> would<br>
>> >>>>> create a DoS. We the logs regularly to try to catch people doing<br>>> >>>>> this<br>>> >>>>> sort of thing and drop them at a router upstream of the core<br>
>> >>>>> network,<br>>> >>>>> but I'd like to have it happen without human intervention. Have I<br>>> >>>>> completely over thought this and am missing something obvious?<br>
>> >>>>><br>>> >>>>> Thanks,<br>>> >>>>> Spencer<br>>> >>>>><br>>> >>>>><br>>> >>>>> _______________________________________________<br>
>> >>>>> FreeSWITCH-users mailing list<br>>> >>>>> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>>> >>>>> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
>> >>>>> UNSUBSCRIBE:<br>>> <a href="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>>> >>>>> <a href="http://www.freeswitch.org">http://www.freeswitch.org</a><br>
>> >>>><br>>> >>>><br>>> >>>><br>>> >>>> _______________________________________________<br>>> >>>> FreeSWITCH-users mailing list<br>
>> >>>> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>>> >>>> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
>> >>>> UNSUBSCRIBE:<br>>> <a href="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>>> >>>> <a href="http://www.freeswitch.org">http://www.freeswitch.org</a><br>
>> >>>><br>>> >>><br>>> >>><br>>> >>> _______________________________________________<br>>> >>> FreeSWITCH-users mailing list<br>>> >>> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
>> >>> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>>> >>> UNSUBSCRIBE:<br>>> <a href="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
>> >>> <a href="http://www.freeswitch.org">http://www.freeswitch.org</a><br>>> >><br>>> >> --<br>>> >> Your life is like a penny. You're going to lose it. The question is:<br>
>> >> How do<br>>> >> you spend it?<br>>> >><br>>> >> John Covici<br>>> >> <a href="mailto:covici@ccs.covici.com">covici@ccs.covici.com</a><br>>> >><br>
>> >> _______________________________________________<br>>> >> FreeSWITCH-users mailing list<br>>> >> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
>> >> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>>> >> UNSUBSCRIBE:<br>>> <a href="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
>> >> <a href="http://www.freeswitch.org">http://www.freeswitch.org</a><br>>> >><br>>> ><br>>> ><br>>> > _______________________________________________<br>>> > FreeSWITCH-users mailing list<br>
>> > <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>>> > <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
>> > UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>>> > <a href="http://www.freeswitch.org">http://www.freeswitch.org</a><br>
>><br>>> _______________________________________________<br>>> FreeSWITCH-users mailing list<br>>> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
>> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>>> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
>> <a href="http://www.freeswitch.org">http://www.freeswitch.org</a><br>>><br>> <br>> <br>> <br>> -- <br>> Sincerely<br>> <br>> Jay<br></div>