Thanks Samy.
On Sat, 24 Mar 2018, 8:50 pm SamyGo, govoiper@gmail.com wrote:
Yeah, so that's a sample script and definitely needs add-on functions to enable what you're expecting it to do. I believe in the past (or maybe in OpenSIPS, I'm not certain) it used to have the function db_check_from() / check_from() to validate the user in the DB and, if so, then engage in AUTH. Check the URI_DB module. You can also use this function is_subscriber("$fU","subscriber",3) http://www.kamailio.org/docs/modules/5.0.x/modules/auth_db.html#idp44935044 to ensure authentication is engaged for everyone.
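One way to get the behaviour Samy describes (digest authentication engaged for every request that is not from an allow-listed IP, whatever the From domain says), as an added example written for this thread rather than code from the list or from Kamailio's default kamailio.cfg; it assumes the same modules as the default config (auth, auth_db with its default use_domain=0, permissions) and keeps the default realm and relaying checks:

```cfg
route[AUTH] {
#!ifdef WITH_AUTH
#!ifdef WITH_IPAUTH
	# trusted peers from the permissions address table skip digest auth
	if((!is_method("REGISTER")) && allow_source_address()) {
		return;
	}
#!endif
	# Difference from the default route: no "from_uri==myself" condition,
	# so a foreign From URI can no longer skip the challenge. Realm stays
	# $fd as in the default; local subscribers send a local From domain, so
	# their lookups are unchanged. This also means unauthenticated inbound
	# calls from other domains to local users are now rejected with 401.
	if (!auth_check("$fd", "subscriber", "1")) {
		auth_challenge("$fd", "0");
		exit;
	}
	# user authenticated - remove auth header
	if(!is_method("REGISTER|PUBLISH"))
		consume_credentials();

	# relaying policy unchanged: a non-local caller may only reach
	# local destinations, never a foreign one
	if (from_uri!=myself && uri!=myself) {
		sl_send_reply("403","Not relaying");
		exit;
	}
#!else
	# authentication not enabled - do not relay at all to foreign networks
	if(uri!=myself) {
		sl_send_reply("403","Not relaying");
		exit;
	}
#!endif
	return;
}
```

With this route the INVITE from the original mail (source 139.5.177.91, foreign From domain, local Request-URI) gets a 401 challenge unless that IP is in the permissions address table.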
On Fri, Mar 23, 2018 at 3:54 PM, Aqs Younas aqsyounas@gmail.com wrote:
Thanks Samy for replying.
I wanted that if the caller IP was not allowed it should be asked for digest authentication. But the above default AUTH route only does that if from_uri is local. If someone sets a different URI in the From header he will be able to bypass the security check. Correct me if I am wrong somewhere.
I know I can modify the route to get the expected request.
But I just wanted to ask if setting #!define WITH_AUTH and #!define WITH_IPAUTH was not enough in the default configuration just to make sure the caller is legitimate.
Br. Aqs.
On 23 March 2018 at 23:54, SamyGo govoiper@gmail.com wrote:
Hi Aqs, what seems to be the problem! Do you want this caller to be IP authenticated, digest authenticated, or denied!?
On Fri, Mar 23, 2018 at 6:16 AM, Aqs Younas aqsyounas@gmail.com wrote:
Greetings list.
I can see that I was able to bypass the default route[AUTH] if I send an INVITE containing a from_uri which is not local but a request line containing a local user.
listen=udp:172.16.40.10:5060

route[AUTH] {
#!ifdef WITH_AUTH
#!ifdef WITH_IPAUTH
	if((!is_method("REGISTER")) && allow_source_address()) {
		# source IP allowed
		return;
	}
#!endif
	if (is_method("REGISTER") || from_uri==myself) {
		# authenticate requests
		if (!auth_check("$fd", "subscriber", "1")) {
			auth_challenge("$fd", "0");
			exit;
		}
		# user authenticated - remove auth header
		if(!is_method("REGISTER|PUBLISH"))
			consume_credentials();
	}
	# if caller is not local subscriber, then check if it calls
	# a local destination, otherwise deny, not an open relay here
	if (from_uri!=myself && uri!=myself) {
		sl_send_reply("403","Not relaying");
		exit;
	}
#!else
	# authentication not enabled - do not relay at all to foreign networks
	if(uri!=myself) {
		sl_send_reply("403","Not relaying");
		exit;
	}
#!endif
	return;
}
The INVITE below gets past the above auth route.
INVITE sip:60129879190@172.16.40.10 SIP/2.0
Via: SIP/2.0/UDP 139.5.177.91:5060;branch=z9hG4bK31edc7f4;rport
Max-Forwards: 70
From: sip:0128888877@139.5.177.99;tag=as2274e806
To: sip:60129879190@172.16.40.10
Contact: sip:0128888877@139.5.177.91:5060
Call-ID: 7b6d32bc6c679bb23eb248b955c0ac8b@139.5.177.91:5060
CSeq: 102 INVITE
User-Agent: FPBX-13.0.194.2(13.17.0)
Date: Fri, 23 Mar 2018 09:33:01 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 321

v=0
o=root 237494576 237494576 IN IP4 139.5.177.99
s=Asterisk PBX 13.17.0
c=IN IP4 139.5.177.99
t=0 0
m=audio 15332 RTP/AVP 0 18 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv
From the INVITE and route[AUTH] I can see why it is being passed.
But should it not by default authenticate every request if the IP address is not allowed in the permissions module?
Br, Aqs.
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users