What gives you that idea? Most likely, they spoofed an IP.
Paul Belanger <paul.belanger(a)polybeacon.com> wrote:
On Thu, Mar 7, 2013 at 5:24 PM, Alex Balashov <abalashov(a)evaristesys.com> wrote:
Because digest authentication is a far from self-evident or universal use-case for Kamailio.
Paul Belanger <paul.belanger(a)polybeacon.com> wrote:
> Greeting,
> Hopefully, I'm understanding the following default kamailio.cfg[1]
> file. Over the weekend, I was attacked by SipVicious. Following
> along with the example Daniel[2] created with kamailio and asterisk, I
> have almost the same setup. Rather than storing my SIP profiles in
> Asterisk database, I have them in Kamailio.
> To my point, the attacker was actually able to bypass any sort of
> authentication, by simply sending an INVITE message:
> ./svmap.py -e 18885551234 kamailio.example.org -m INVITE
> Which kamailio forwarded to Asterisk and because there is no
> additional auth within asterisk, was able to hit the asterisk context
> for getting processed (they did not get out to the real world).
> However, my question is.... why do we not authenticate INVITE
> messages? If my understanding is correct, it would require something
> like the following:
> if (is_method("INVITE")) {
>     if (!proxy_authorize("$fd", "subscriber")) {
>         proxy_challenge("$fd", "0");
>         exit;
>     }
> }
> If so, why not also do it in the default configuration file?
> [1] http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=et…
> [2] http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
So that is what confuses me. Why do we authenticate only when the user requests it?
--
Paul Belanger | PolyBeacon, Inc.
Jabber: paul.belanger(a)polybeacon.com | IRC: pabelanger (Freenode)
Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Sent from my Nexus 10, with all the figments of autocorrect that might imply.
Alex Balashov - Principal
Evariste Systems LLC
235 E Ponce de Leon Ave
Suite 106
Decatur, GA 30030
United States
Tel: +1-678-954-0670
Web: