<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello,</p>
<p>route[AUTH] allows calls from non-local users (from other SIP
servers) to local users. The R-URI has the public IP address, so
it is considered to be for a local user.</p>
<p>If you do not want to allow non-local users to call your users,
just do auth_check() for all non-trusted traffic.</p>
<p>Cheers,<br>
Daniel<br>
</p>
<br>
<div class="moz-cite-prefix">On 11.04.18 17:15, Володимир Іванець
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAOQgkjaU3oQTSmFrLKBVwmRiSmb+sRqkEC94j_=Z6i-TY8snvg@mail.gmail.com">
<div dir="ltr">Hello all!
<div><br>
</div>
<div>I'm using Kamailio 5.1.0 on my testing machine.
Configuration includes slightly modified AUTH route from <a
href="http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb"
moz-do-not-send="true">http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb</a></div>
<div><br>
</div>
<blockquote style="margin:0px 0px 0px
40px;border:none;padding:0px">
<div>
<div>route[AUTH] {</div>
</div>
<div>
<div> xlog("L_DBG", "== TRACE. AUTH\n");</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div> # if caller is not local subscriber, then check if it
calls</div>
</div>
<div>
<div> # a local destination, otherwise deny, not an open
relay here</div>
</div>
<div>
<div> if (from_uri!=myself && uri!=myself) {</div>
</div>
<div>
<div> xlog("L_DBG", "== TRACE. AUTH. Not relaying.
Exiting.\n");</div>
</div>
<div>
<div> sl_send_reply("403","Not relaying");</div>
</div>
<div>
<div> exit;</div>
</div>
<div>
<div> }</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div> if(isflagset(TRUSTEDIP)) {</div>
</div>
<div>
<div> xlog("== TRACE. AUTH. TRUSTEDIP. Returning.\n");</div>
</div>
<div>
<div> return;</div>
</div>
<div>
<div> }</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div> if (is_method("REGISTER") || from_uri==myself) {</div>
</div>
<div>
<div> xlog("L_DBG", "== TRACE. AUTH. Method REGISTER\n");</div>
</div>
<div>
<div> # authenticate requests</div>
</div>
<div>
<div> if (!auth_check("$fd", "sipusers", "1")) {</div>
</div>
<div>
<div> auth_challenge("$fd", "0");</div>
</div>
<div>
<div> xlog("L_DBG", "== TRACE. AUTH. Exiting.\n");</div>
</div>
<div>
<div> exit;</div>
</div>
<div>
<div> }</div>
</div>
<div>
<div> # user authenticated - remove auth header</div>
</div>
<div>
<div> if(!is_method("REGISTER|PUBLISH")) {</div>
</div>
<div>
<div> xlog("L_DBG", "== TRACE. AUTH. Method is not
REGISTER|PUBLISH\n");</div>
</div>
<div>
<div> consume_credentials();</div>
</div>
<div>
<div> }</div>
</div>
<div>
<div> }</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div> xlog("L_DBG", "== TRACE. AUTH. Returning.\n");</div>
</div>
<div>
<div> return;</div>
</div>
<div>
<div>}</div>
</div>
<div><br>
</div>
</blockquote>
I opened port UDP/5060 to everyone today and started receiving
some SIP requests. Most INVITEs were stopped by <b>auth_challenge</b> but
then I received this one:
<div><br>
</div>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div>2018/04/11 16:32:44.385689 38.91.106.211:5069 -&gt; 172.16.30.205:5060</div>
</blockquote>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div>INVITE sip:100@MY_PUB_IP_ADDRESS SIP/2.0</div>
<div>v: SIP/2.0/UDP 38.91.106.211:5060;branch=z9hG4bK-929181129;rport</div>
<div>Content-Length: 0</div>
<div>f: "pbx"&lt;sip:100@1.1.1.1&gt;;tag=3535306165633930313363340131373533363938373235</div>
<div>i: 757925348661465531074812</div>
<div>m: sip:100@38.91.106.211:5069</div>
<div>Accept: application/sdp</div>
<div>CSeq: 1 INVITE</div>
<div>t: "pbx"&lt;sip:100@1.1.1.1&gt;</div>
<div>Max-Forwards: 70</div>
<div><br>
</div>
</blockquote>
... and it came through AUTH route. Below are two fragments of
Kamailio log:
<div><br>
</div>
<div>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;script&gt;: == TRACE. INVITE From: sip:100@1.1.1.1 (IP:38.91.106.211:5069)</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;script&gt;: == TRACE. To: sip:100@1.1.1.1</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: pv [pv_core.c:1286]: pv_get_dsturi(): no destination URI</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;script&gt;: == TRACE. Destination URI : &lt;null&gt;</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;script&gt;: == TRACE. SIP Request header : sip:100@MY_PUB_IP_ADDRESS</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/parser/msg_parser.c:89]: get_hdr_field(): found end of header</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: pv [pv_core.c:966]: pv_get_useragent(): no User-Agent header</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;script&gt;: == TRACE. User Agent header : &lt;null&gt;</div>
</div>
<div>****************************************************************************************************</div>
<div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;script&gt;: == TRACE. request_route ==&gt; AUTH</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;script&gt;: == TRACE. AUTH</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==9 &amp;&amp; [1.1.1.1] == [127.0.0.1]</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==13 &amp;&amp; [1.1.1.1] == [172.16.30.205]</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==9 &amp;&amp; [1.1.1.1] == [127.0.0.1]</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/socket_info.c:567]: grep_sock_info(): checking if port 8088 (advertise 0) matches port 5060</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/forward.c:412]: check_self(): host != me</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==9 &amp;&amp; [1.1.1.1] == [127.0.0.1]</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==13 &amp;&amp; [1.1.1.1] == [172.16.30.205]</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==9 &amp;&amp; [1.1.1.1] == [127.0.0.1]</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/socket_info.c:567]: grep_sock_info(): checking if port 8088 (advertise 0) matches port 5060</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/forward.c:412]: check_self(): host != me</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 13==9 &amp;&amp; [ MY_PUB_IP_ADDRESS ] == [127.0.0.1]</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 13==13 &amp;&amp; [ MY_PUB_IP_ADDRESS ] == [172.16.30.205]</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 13==9 &amp;&amp; [ MY_PUB_IP_ADDRESS ] == [127.0.0.1]</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;core&gt; [core/socket_info.c:567]: grep_sock_info(): checking if port 8088 (advertise 0) matches port 5060</div>
<div>Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: &lt;script&gt;: == TRACE. AUTH. Returning.</div>
</div>
<div><br>
</div>
</blockquote>
As you can see all tests failed to catch this INVITE request
and Kamailio continued processing it. And I'm now wondering
what would be the best way to identify such packet.</div>
<div><br>
</div>
<div>Thanks.</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Kamailio (SER) - Users Mailing List
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a>
<a class="moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - April 16-18, 2018, Berlin - <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
Kamailio World Conference - May 14-16, 2018 - <a class="moz-txt-link-abbreviated" href="http://www.kamailioworld.com">www.kamailioworld.com</a></pre>
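<p>An added example, not part of the original thread and not Kamailio code: a Python model of the posted route[AUTH] run against the INVITE quoted above, next to a variant that authenticates all non-trusted traffic as the reply suggests. The address 203.0.113.10 stands in for MY_PUB_IP_ADDRESS, and the function names and outcome strings are illustrative assumptions.</p>

```python
import re

# Constructed stand-in for the redacted MY_PUB_IP_ADDRESS (documentation range).
PUB_IP = "203.0.113.10"
# Hosts treated as "myself": the two listen addresses seen in the log, plus the
# public IP, which the reply says is considered local.
MYSELF = {"127.0.0.1", "172.16.30.205", PUB_IP}
COMPACT = {"f": "from", "t": "to", "v": "via", "i": "call-id", "m": "contact"}

# The INVITE from the post, abridged; From tag shortened (constructed).
INVITE = (
    f"INVITE sip:100@{PUB_IP} SIP/2.0\r\n"
    "v: SIP/2.0/UDP 38.91.106.211:5060;branch=z9hG4bK-929181129;rport\r\n"
    'f: "pbx"<sip:100@1.1.1.1>;tag=constructed\r\n'
    't: "pbx"<sip:100@1.1.1.1>\r\n'
    "CSeq: 1 INVITE\r\n\r\n"
)

def uri_host(text):
    """Host of the first sip:/sips: URI in text (IPv4 or hostname only)."""
    m = re.search(r"sips?:(?:[^@;>]*@)?([^:;>\s]+)", text)
    return m.group(1).lower() if m else None

def parse(msg):
    """Return (method, request-URI, headers) with compact names expanded."""
    head = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    method, ruri, _version = head[0].split(" ", 2)
    hdrs = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        hdrs[COMPACT.get(name, name)] = value.strip()
    return method, ruri, hdrs

def route_auth(msg, strict, trusted=False, creds_ok=False):
    """Model of route[AUTH]; strict=True authenticates all non-trusted traffic."""
    method, ruri, hdrs = parse(msg)
    from_local = uri_host(hdrs["from"]) in MYSELF
    ruri_local = uri_host(ruri) in MYSELF
    if not from_local and not ruri_local:
        return "403 Not relaying"
    if trusted:
        return "return (trusted IP)"
    if strict or method == "REGISTER" or from_local:
        return "return (authenticated)" if creds_ok else "challenge"
    return "return (unauthenticated)"  # the path the posted INVITE took

def compare(msg):
    """Outcome under the posted route and under the strict variant."""
    return route_auth(msg, strict=False), route_auth(msg, strict=True)
```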
</body>
</html>