
Crowdsec ban NethVoice wizard and janus #7259

Open
Stell0 opened this issue Jan 16, 2025 · 4 comments
Labels: nethvoice (Bug or features related to the NethVoice project), testing (Packages are available from testing repositories)

Comments


Stell0 commented Jan 16, 2025

Some (wrong) API calls from the NethVoice wizard trigger alerts on crowdsec that lead to an IP ban. There are three separate issues:

  1. 401 from login page
  2. 404 from user configuration page
  3. CTI user errors and failed attempts shouldn't ban the IP, because usually several users connect from the same IP and a user causing issues shouldn't disrupt a whole company's phone service
  4. Janus user errors and failed attempts shouldn't ban the IP, because usually several users connect from the same IP and a user causing issues shouldn't disrupt a whole company's phone service

1 - 401

Steps to reproduce

  • open NethVoice wizard login page
  • just idle there without attempting login
  • some requests are made to CTI that fail with 401:
    • /webrest/users/endpoints/all
    • /webrest/astproxy/extensions
    • /webrest/astproxy/trunks

Expected behavior

  • API calls shouldn't be made if the user isn't authenticated

Solution

  • Fix UI [edit] workaround on crowdsec

2 - 404

When configuring the wizard, a lot of 404s are seen by crowdsec as HTTP probing.

Steps to reproduce

  • on nethvoice wizard open configuration-> users page then a user tab
  • multiple 404 are returned for unconfigured devices:
    • /freepbx/rest/webrtc/201
    • /freepbx/rest/mobiles/foo1
    • /freepbx/rest/nethlink/201
    • /freepbx/rest/mobileapp/201

Expected behavior

Unconfigured devices should be returned as 200 null

Solution

  • Fix backend
  • modify UI accordingly

3 and 4 - CTI and Janus

CTI and Janus user errors and failed attempts shouldn't ban the IP, because usually several users connect from the same IP and a user causing issues shouldn't disrupt a whole company's phone service.

Steps to reproduce

Here are some examples of failed authentication on CTI:

  • POST /webrest/authentication/login HTTP/2.0" 401
  • GET /janus/
  • TODO add more example here

Expected behavior

User errors shouldn't trigger a ban

Solution

  • Exclude /webrest /janus /socket.io (...) from crowdsec

See also

https://mattermost.nethesis.it/nethesis/pl/o1j6tygsqbggdrfpyiuqfwikfo
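The two remedies proposed above (an IP whitelist for the head office and a path-prefix whitelist for /webrest, /janus and /socket.io) and the backend change referenced later in this thread (unconfigured devices answered with 200 null instead of 404) can be compared on the same traffic. The script below is an added example, not CrowdSec's or NethVoice's code: it models a "many 4xx from one IP" scenario as a plain counter with an assumed threshold of 10 (real CrowdSec scenarios are leaky buckets with a time window, which this model ignores), parses constructed combined-format access-log lines built from the paths listed in this issue, and applies a CrowdSec-style whitelist before counting. The IP addresses, the threshold and the log lines are all constructed for the example.

```python
"""Model of a 4xx-counting ban scenario and of the remedies discussed in this issue.
Added example; not CrowdSec's or NethVoice's code."""
import re
from collections import Counter

# Combined log format, only the fields this model needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<verb>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Path prefixes named in the issue's "Solution" for points 3 and 4.  The "(...)" in the
# issue is left open; only the three prefixes it names are listed here.
WIZARD_PREFIXES = ("/webrest/", "/janus/", "/socket.io/")

# Endpoints the referenced ns8-nethvoice commit changed to answer 200/null instead of 404.
FIXED_BACKEND_RE = re.compile(r"^/freepbx/rest/(mobiles|mobileapp|nethlink|webrtc|voicemails)/[^/]+$")

# Assumption: a generic "N 4xx from one IP" rule, not CrowdSec's real scenario parameters.
PROBE_STATUSES = {"401", "403", "404"}
THRESHOLD = 10

# Constructed addresses (documentation ranges) and log lines.
WIZARD_IP = "198.51.100.7"    # admin running the NethVoice wizard
OFFICE_IP = "203.0.113.10"    # head office NAT shared by many CTI users
SCANNER_IP = "192.0.2.99"     # a genuine scanner that must still be banned


def _line(ip, verb, path, status):
    return f'{ip} - - [16/Jan/2025:10:00:00 +0000] "{verb} {path} HTTP/2.0" {status} 0 "-" "Mozilla/5.0"'


SAMPLE_LOG = (
    # 1 - idling on the wizard login page: the UI polls CTI before login, each call gets 401
    [_line(WIZARD_IP, "GET", p, 401) for _ in range(4)
     for p in ("/webrest/users/endpoints/all", "/webrest/astproxy/extensions", "/webrest/astproxy/trunks")]
    # 2 - user configuration tabs for a user without devices: backend answers 404
    + [_line(WIZARD_IP, "GET", p, 404)
       for p in ("/freepbx/rest/webrtc/201", "/freepbx/rest/mobiles/foo1",
                 "/freepbx/rest/nethlink/201", "/freepbx/rest/mobileapp/201")]
    # 3 - several CTI users behind the head office NAT mistyping their password
    + [_line(OFFICE_IP, "POST", "/webrest/authentication/login", 401) for _ in range(12)]
    # a scanner probing for well-known files (constructed probe paths)
    + [_line(SCANNER_IP, "GET", p, 404)
       for p in ("/.env", "/wp-login.php", "/phpmyadmin/", "/.git/config", "/admin/", "/config.php",
                 "/backup.zip", "/xmlrpc.php", "/.aws/credentials", "/server-status", "/cgi-bin/", "/shell.php")]
)


def parse(line):
    """Return the parsed fields of an access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def whitelisted(ev, prefixes=(), ips=frozenset()):
    """CrowdSec-style whitelist: drop the event when the source IP or the path prefix matches."""
    return ev["ip"] in ips or ev["path"].startswith(prefixes)


def probe_hits(lines, prefixes=(), ips=frozenset()):
    """Count non-whitelisted 4xx responses per source IP."""
    hits = Counter()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["status"] not in PROBE_STATUSES:
            continue
        if whitelisted(ev, prefixes, ips):
            continue  # whitelisted events never reach the bucket
        hits[ev["ip"]] += 1
    return hits


def banned_ips(lines, prefixes=(), ips=frozenset()):
    """IPs whose count reaches the threshold, i.e. the IPs the bouncer would ban."""
    return {ip for ip, n in probe_hits(lines, prefixes, ips).items() if n >= THRESHOLD}


def apply_backend_fix(lines):
    """Rewrite the log as it looks after the backend change: a lookup of an unconfigured
    device on the fixed endpoints returns 200 (body null) instead of 404."""
    out = []
    for line in lines:
        ev = parse(line)
        if ev and ev["status"] == "404" and FIXED_BACKEND_RE.match(ev["path"]):
            line = line.replace('" 404 ', '" 200 ', 1)
        out.append(line)
    return out


if __name__ == "__main__":
    print("no remedy          :", sorted(banned_ips(SAMPLE_LOG)))
    print("head office IP WL  :", sorted(banned_ips(SAMPLE_LOG, ips={OFFICE_IP})))
    print("path prefix WL     :", sorted(banned_ips(SAMPLE_LOG, prefixes=WIZARD_PREFIXES)))
    print("path WL + backend  :", sorted(banned_ips(apply_backend_fix(SAMPLE_LOG), prefixes=WIZARD_PREFIXES)))
```

Without any remedy all three addresses are banned, including the wizard admin who only left the login page open. The head office IP whitelist saves the office but not the wizard; the path prefix whitelist saves both and still bans the scanner, because its probes are outside the whitelisted prefixes; the backend change removes the remaining /freepbx/rest 404s from the count. In CrowdSec itself the same exclusion is written as a whitelist parser (a YAML file in parsers/s02-enrich with a `whitelist:` section holding `ip`/`cidr` entries or `expression` entries, the latter matched against the event's parsed HTTP path; the exact field name depends on the installed HTTP log parser and is not asserted here). The caveat a practitioner should keep in mind is that once /webrest/authentication/login is whitelisted, CrowdSec no longer rate-limits password guessing against CTI at all, so lockout or rate limiting has to live in the application, and the whitelist should stay limited to the prefixes the application really needs.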


stephdl commented Jan 16, 2025

Point 4 workaround: whitelist the IP of the head office.


stephdl commented Jan 16, 2025

For any of the points we need complete log traces to try to whitelist.

@stephdl stephdl self-assigned this Jan 17, 2025
Stell0 added a commit to nethesis/ns8-nethvoice that referenced this issue Jan 30, 2025
… items (#361)

Updated the following endpoints to return null and HTTP status 200 when no configured items are found:
- GET /mobiles/{mainextension}
- GET /mobileapp/{mainextension}
- GET /nethlink/{mainextension}
- GET /webrtc/{mainextension}
- GET /voicemails/{extension}

NethServer/dev#7259

Stell0 commented Jan 30, 2025

Test case:

Version to test: ghcr.io/nethserver/crowdsec:1.0.13-dev.1

  • Install nethvoice + crowdsec on NS8
  • Idle on the nethvoice wizard login page and verify that you're not banned
  • Open and close the user's device tabs on the user's configuration page for a user without configured devices. Verify that you aren't banned
  • Make sure that devices (web phone, webrtc phone, mobile app, mobile) work as expected
  • Fail to authenticate on CTI multiple times and verify you aren't banned
  • Play around on the CTI interface trying to do illicit stuff and make sure you aren't banned
  • Try to get banned with a simple jail like ssh

stephdl added a commit to NethServer/ns8-crowdsec that referenced this issue Jan 30, 2025
@stephdl stephdl assigned Stell0 and unassigned stephdl Jan 30, 2025
@stephdl stephdl added the testing Packages are available from testing repositories label Jan 30, 2025
@nethbot nethbot moved this from Todo to Testing in NethVoice Jan 30, 2025

Amygos commented Jan 30, 2025

Testing release nethesis/ns8-nethvoice 1.1.4-testing.8
