<div dir="ltr">log auth failures only logs when there's been an actual failure:<div>reg -> 401 (send password again with md5 hashed password -> reg failure.</div><div><br></div><div>It sounds like this attack was just "reg" so it didn't get triggered.</div>
<div><br></div><div>That's why there's a separate fail2ban profile for floods -- <a href="http://wiki.freeswitch.org/wiki/Fail2ban#SIP_DOS_Attack">http://wiki.freeswitch.org/wiki/Fail2ban#SIP_DOS_Attack</a></div>
<div>
<br></div><div>There's another module that makes a dedicated log for fail2ban but I don't think it's been tested much:</div><div><a href="http://wiki.freeswitch.org/wiki/Mod_fail2ban">http://wiki.freeswitch.org/wiki/Mod_fail2ban</a></div>
<div><br></div>
<div><br clear="all"><div><div dir="ltr"><span style="font-family:Verdana,Arial,Helvetica,sans-serif;font-size:small">-Avi Marcus</span><br>BestFone</div></div>
<br><br><div class="gmail_quote">On Wed, Mar 20, 2013 at 6:21 AM, Phil Quesinberry <span dir="ltr"><<a href="mailto:philq@qsystemsengineering.com" target="_blank">philq@qsystemsengineering.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u>
<div>
<p dir="LTR"><span lang="en-us"><font face="Calibri">We were the recipients of another script-kiddie SIPVicious attack this evening</font></span><span lang="en-us"><font face="Calibri">, but Fail2ban didn</font></span><span lang="en-us"><font face="Calibri">’</font></span><span lang="en-us"><font face="Calibri">t catch it because there was no failure message in the log, just repeated registration messages. I added the following to sofia.conf.xml</font></span><span lang="en-us"> <font face="Calibri">and reloaded</font></span><span lang="en-us"> <font face="Calibri">but</font></span><span lang="en-us"> <font face="Calibri">there was no change in behavior</font></span><span lang="en-us"><font face="Calibri">:</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Calibri"><param name="log-auth-failures" value="true"/></font></span><span lang="en-us"></span></p>
<p dir="LTR"><span lang="en-us"></span></p>
<p dir="LTR"><span lang="en-us"><font face="Calibri">Interestingly, if I tell</font></span><span lang="en-us"> <font face="Calibri">the</font></span><span lang="en-us"><font face="Calibri"> Aastra</font></span><span lang="en-us"> <font face="Calibri">on my desk</font></span><span lang="en-us"> <font face="Calibri">to register with the wrong password, there is a failure message logged.</font></span><span lang="en-us"></span></p>
<p dir="LTR"><span lang="en-us"><font face="Calibri">I</font></span><span lang="en-us"><font face="Calibri">’</font></span><span lang="en-us"><font face="Calibri">m n</font></span><span lang="en-us"><font face="Calibri">ot sure why</font></span><span lang="en-us"> <font face="Calibri">this attack doesn</font></span><span lang="en-us"><font face="Calibri">’</font></span><span lang="en-us"><font face="Calibri">t generate a failure</font></span><span lang="en-us"><font face="Calibri"> message</font></span><span lang="en-us"><font face="Calibri"> but</font></span><span lang="en-us"><font face="Calibri"></font></span><span lang="en-us"> <font face="Calibri">I added a rule</font></span><span lang="en-us"> <font face="Calibri">under filter.d to ban IPs with too many registration attempts in a certain period of time</font></span><span lang="en-us"><font face="Calibri">.</font></span><span lang="en-us"><font face="Calibri"></font></span><span lang="en-us"> <font face="Calibri"> Of course</font></span><span lang="en-us"> <font face="Calibri">I</font></span><span lang="en-us"><font face="Calibri">’</font></span><span lang="en-us"><font face="Calibri">d prefer to</font></span><span lang="en-us"><font face="Calibri"> ban</font></span><span lang="en-us"><font face="Calibri"></font></span><span lang="en-us"> <font face="Calibri">only</font></span><span lang="en-us"><font face="Calibri"></font></span><span lang="en-us"> <font face="Calibri">on</font></span><span lang="en-us"><font face="Calibri"> failures.</font></span><span lang="en-us"></span></p>
<p dir="LTR"><span lang="en-us"><font face="Calibri">The user agent string</font></span><span lang="en-us"> <font face="Calibri">would</font></span><span lang="en-us"> <font face="Calibri">seem to indicate that this is an older version of SIPVicious</font></span><span lang="en-us"><font face="Calibri"> but I was unable to crash it with svcrash.</font></span><span lang="en-us"></span></p>
<p dir="LTR"><span lang="en-us"></span></p>
<p dir="LTR"><span lang="en-us"><font face="Calibri">Here is an excerpt of the traffic:</font></span></p>
<p dir="LTR"><span lang="en-us"></span><span lang="en-us"><font face="Consolas">2013-03-19 21:48:24.160919 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas">] from ip 70.38.71.75</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas">2013-03-19 21:48:24.160919 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas">] from ip 70.38.71.75</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas">2013-03-19 21:48:24.181262 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas">] from ip 70.38.71.75</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas">2013-03-19 21:48:24.181262 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas">] from ip 70.38.71.75</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas">2013-03-19 21:48:24.181262 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas">] from ip 70.38.71.75</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas">2013-03-19 21:48:24.201143 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas">] from ip 70.38.71.75</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas">freeswitch@internal> sofia profile internal siptrace on</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas">Enabled sip debugging on internal</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas">2013-03-19 21:48:24.201143 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas">] from ip 70.38.71.75</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas">recv 333 bytes from udp/[70.38.71.75]:5115 at 01:48:24.223941:</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> ------------------------------------------------------------------------</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> REGISTER sip:</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas"> SIP/2.0</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Via: SIP/2.0/UDP 127.0.0.1:5115;branch=z9hG4bK-1676888071;rport</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Content-Length: 0</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> From: "4623" <sip:4623@</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas">></font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Accept: application/sdp</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> User-Agent: friendly-scanner</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> To: "4623" <sip:4623@</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas">></font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Contact: <a href="mailto:sip%3A123@1.1.1.1" target="_blank">sip:123@1.1.1.1</a></font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> CSeq: 1 REGISTER</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Call-ID: 1757394</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Max-Forwards: 70</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> </font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> ------------------------------------------------------------------------</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas">2013-03-19 21:48:24.220953 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas">] from ip 70.38.71.75</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas">send 621 bytes to udp/[70.38.71.75]:5115 at 01:48:24.225084:</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> ------------------------------------------------------------------------</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> SIP/2.0 401 Unauthorized</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Via: SIP/2.0/UDP 127.0.0.1:5115;branch=z9hG4bK-1676888071;rport=5115;received=70.38.71.75</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> From: "4623" <sip:4623@</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas">></font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> To: "4623" <sip:4623@</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas">>;tag=tNtgHUjZSej3F</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Call-ID: 1757394</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> CSeq: 1 REGISTER</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> User-Agent: FreeSWITCH-mod_sofia/1.3.14b+git~20130301T214848Z~c35a41e4ca</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Supported: timer, precondition, path, replaces</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> WWW-Authenticate: Digest realm="</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas">", nonce="c34ebd55-e53c-4590-b7e8-423e21fc26b9", algorithm=MD5, qop="auth"</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Content-Length: 0</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> </font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> ------------------------------------------------------------------------</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas">recv 336 bytes from udp/[70.38.71.75]:5115 at 01:48:24.234418:</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> ------------------------------------------------------------------------</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> REGISTER sip:</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas"> SIP/2.0</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Via: SIP/2.0/UDP 127.0.0.1:5115;branch=z9hG4bK-<a href="tel:2042428707" value="+12042428707" target="_blank">2042428707</a>;rport</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Content-Length: 0</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> From: "4623" <sip:4623@</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas">></font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Accept: application/sdp</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> User-Agent: friendly-scanner</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> To: "4623" <sip:4623@</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas">></font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Contact: <a href="mailto:sip%3A123@1.1.1.1" target="_blank">sip:123@1.1.1.1</a></font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> CSeq: 1 REGISTER</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Call-ID: 2727970266</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Max-Forwards: 70</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> </font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> ------------------------------------------------------------------------</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas">2013-03-19 21:48:24.220953 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas">] from ip 70.38.71.75</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas">send 624 bytes to udp/[70.38.71.75]:5115 at 01:48:24.235851:</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> ------------------------------------------------------------------------</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> SIP/2.0 401 Unauthorized</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Via: SIP/2.0/UDP 127.0.0.1:5115;branch=z9hG4bK-<a href="tel:2042428707" value="+12042428707" target="_blank">2042428707</a>;rport=5115;received=70.38.71.75</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> From: "4623" <sip:4623@</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas">></font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> To: "4623" <sip:4623@</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas">>;tag=UyK9jp32pQ8NB</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Call-ID: 2727970266</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> CSeq: 1 REGISTER</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> User-Agent: FreeSWITCH-mod_sofia/1.3.14b+git~20130301T214848Z~c35a41e4ca</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Supported: timer, precondition, path, replaces</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> WWW-Authenticate: Digest realm="</font></span><span lang="en-us"><font face="Consolas">xx.xx.xx.xx</font></span><span lang="en-us"><font face="Consolas">", nonce="6343aee4-d0a4-4357-b34d-11a4658b954c", algorithm=MD5, qop="auth"</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Consolas"> Content-Length: 0</font></span></p>
<p dir="LTR"><span lang="en-us"></span><span lang="en-us"></span></p>
<p dir="LTR"><span lang="en-us"><i></i></span><span lang="en-us"><i></i></span><i><span lang="en-us"></span></i><i><span lang="en-us"><font face="Times New Roman">Phil Quesinberry</font></span></i><span lang="en-us"></span><span lang="en-us"></span><span lang="en-us"></span></p>
<p dir="LTR"><span lang="en-us"><font face="Arial">Q Systems Engineering, Inc.</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Arial">Electronic Controls and Embedded Systems Development</font></span></p>
<p dir="LTR"><span lang="en-us"><font face="Arial"><a href="tel:%28410%29%20969-8002" value="+14109698002" target="_blank">(410) 969-8002</a></font></span></p>
<p dir="LTR"><span lang="en-us"></span><a href="http://www.qsystemsengineering.com" target="_blank"><span lang="en-us"></span><span lang="en-us"><u></u></span><u><span lang="en-us"></span></u><u><span lang="en-us"><font color="#0000FF" face="Arial">http://www.qsystemsengineering.com</font></span></u><span lang="en-us"></span></a><span lang="en-us"></span><span lang="en-us"></span><span lang="en-us"></span></p>
<p dir="LTR"><span lang="en-us"></span></p>
<p dir="LTR"><span lang="en-us"></span></p>
</div>
<br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div><br></div></div>