Hi!

I was just testing the digest replay possibilities against Kamailio. (findings: http://www.kamailio.org/wiki/tutorials/security/kamailio-security#digest_authentication)

It looks that by default (the typical default configs), a SIP replay attack can be done during 300 seconds (?) . 

Now I tried the code snippet from the auth module:

http://kamailio.org/docs/modules/4.1.x/modules/auth.html#auth.p.nonce_count

But my setup can’t seem to find back the digest_challenge. I did read somewhere digest_challenge has been taken out of the codebase.

Is the documentation out of sync, or am I really having a facepalm moment? Btw I’m on 4.2.

Grtz,
Davy



Op 29-jan.-2014, om 12:37 heeft davy van de moere <davy.van.de.moere@gmail.com> het volgende geschreven:

I started the pages, to be found :

http://www.kamailio.org/wiki/tutorials/security/security-threats
http://www.kamailio.org/wiki/tutorials/security/kamailio-security

They are a long from being complete, but it's a start, feel free to modify/correct/add content!


2013-12-18 davy <davy.van.de.moere@gmail.com>
ACK

:)

Op 18-dec.-2013, om 15:30 heeft Daniel-Constantin Mierla <miconda@gmail.com> het volgende geschreven:

> Hello,
>
> On 18/12/13 10:53, davy wrote:
>> Cool, I'll spend some time this weekend to have a first stake in the ground on the wiki !
>
> great! Just use namespaces when creating new pages, to have a good structure of the wiki. It can be something under tutorials, such as:
>
> tutorials:security:TITLE
>
> where TITLE can be what you consider more appropriate, such  as 'how-to', 'remarks' or what so ever...
>
> Cheers,
> Daniel
>>
>> It's better to have our security measures being checked by peers than by hackers ;)
>>
>>
>>
>> Op 18-dec.-2013, om 09:33 heeft Daniel-Constantin Mierla <miconda@gmail.com> het volgende geschreven:
>>
>>> Hello,
>>>
>>> On 17/12/13 17:27, davy wrote:
>>>> Hi all,
>>>>
>>>> we all enjoy our FAIL2BAN and snippets of our Kamailio config when we see it successfully fight off the "friendly-scanner", and multiple futile attempts to fool our systems. But it got me thinking…
>>>>
>>>> What is a sufficient level of security on our Kamailio machinery… ? Are we all just doing whatever, or is the nature of the beast, that every setup is different?
>>> Indeed, Kamailio being more like a framework, lot of deployments are different, even when targeting same features. In some cases, dictionary attacks don't apply (e.g., carriers interconnect when traffic is allowed by IP address).
>>>> Eventually while having a beer, we will end up in the discussion Kamailio is as good (and even much better) as most of the commercially available SBCs. But, imho, that all depends on the configuration.
>>>>
>>>> There are a few good reads available, and on the security front I personally love Pike, Topoh, Dnssec, Htable and recently I think I'm doing rather clever stuff with CNXCC… And I do feel comfortable on my setups, them won't be hacked…
>>>>
>>>> But do we have a-sort -of stake in the ground example configuration which we can consider as being more than sufficiently secure? Some config where we can tick off all the known security risks for SIP (as chapter 26 of rfc3261 gives a state of the art back in 2002) Or would that be a nice idea for a micro project?
>>> It would be good to create a page (or group or pages) in kamailio.org/wiki to approach security considerations. Besides the well known situations and solutions for attacks, it happens quite often to see new types of attacks, so adding notes there along with hints on how to solve with Kamailio would be very useful for everybody.
>>>
>>> Long time ago I made a wiki tutorial on my company site:
>>> - http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack
>>>
>>> I don't mind being cloned and improved (well, I guess some parts could be trimmed as might not be relevant in general and some need to be updated for latest version).
>>>
>>> There are many types of attacks not mentioned there, that can be highlighted for everyone to pay attention, e.g.,:
>>> - nonce reply (use one time nonce with auth module)
>>> - proper handling of route headers to avoid preset route headers in initial invite (is done in the default config file, but pointing at it makes people be more careful and don't miss it when building new configs)
>>>
>>> Overall, yes, security is a topic very useful, hopefully there are be enough people willing to spend some time and share information.
>>>
>>> Cheers,
>>> Daniel
>>> -
>>>
>>> --
>>> Daniel-Constantin Mierla - http://www.asipto.com
>>> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
>>>
>
> --
> Daniel-Constantin Mierla - http://www.asipto.com
> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
>