Francesco Bottà wrote:
Hi all,
Still on this topic: is it possible to do IP accounting with the acc module, by introducing something like another parameter of log_fmt for the Contact (if applicable) header field in the INVITE and BYE methods?
I see no immediate purpose of logging contact? or...?
bogdan
Thanks in advance.
Franz

----- Original Message -----
From: "Bogdan-Andrei IANCU" iancu@fokus.fraunhofer.de
To: zolia@z1sys.com
Cc: serusers@lists.iptel.org
Sent: Wednesday, July 28, 2004 2:12 PM
Subject: Re: [Serusers] account + IP binding
zolia@z1sys.com wrote:
hello,
Is it possible to do source IP authentication besides normal www_authorize() for every user account? This, as I understand, should prevent intercepting credentials and later faking a SIP message to bypass www_authorization?
This doesn't work. For each authentication challenge, ser generates a nonce that is kept in memory for a short period of time. So this kind of exploit is very limited: it works only if somebody tries to do it in real time and within a very narrow time window. IP checking doesn't help you, since addresses can also be spoofed. Plus, against what address do you check when the user registers for the first time? Or if the user uses multiple clients at the same time?
bogdan
Or maybe there are some other countermeasures against such fraud?
Does src_ip come directly from the IP layer? If so, I could probably use this to check with some external database (i.e. ser subscriber)?
Antanas NTT
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
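The replay window described in the reply above, as an added example that is not part of the original thread and is not SER's code: a server-side check that accepts a digest response only while its nonce is fresh. The stateless timestamp-plus-MAC nonce, the 30-second lifetime, the secret and the account values are all assumptions made for the illustration (the thread says only that SER keeps the nonce in memory for a short time).

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret"  # assumption: proxy-side secret
NONCE_LIFETIME = 30                          # assumption: seconds a nonce stays valid

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def _mac(ts):
    return hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]

def make_nonce(now):
    """Nonce = issue time plus a MAC, so the server can check age and origin."""
    ts = str(int(now))
    return ts + "." + _mac(ts)

def nonce_is_fresh(nonce, now):
    ts, _, mac = nonce.partition(".")
    if not (ts.isascii() and ts.isdigit()):
        return False
    if not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return False  # not a nonce this server issued
    return 0 <= now - int(ts) <= NONCE_LIFETIME

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def authorize(creds, method, password, now):
    """Return 'ok', 'stale' (re-challenge the client) or 'denied'."""
    if not nonce_is_fresh(creds["nonce"], now):
        return "stale"
    expected = digest_response(creds["username"], creds["realm"], password,
                               method, creds["uri"], creds["nonce"])
    good = hmac.compare_digest(expected.encode(), creds["response"].encode())
    return "ok" if good else "denied"

# Constructed sample: credentials as they would appear in a captured REGISTER.
T0 = 1_000_000
PASSWORD = "constructed-password"
CAPTURED = {"username": "alice", "realm": "example.org",
            "uri": "sip:example.org", "nonce": make_nonce(T0)}
CAPTURED["response"] = digest_response("alice", "example.org", PASSWORD,
                                       "REGISTER", "sip:example.org", CAPTURED["nonce"])

if __name__ == "__main__":
    for delay in (5, 120):
        print(delay, authorize(CAPTURED, "REGISTER", PASSWORD, T0 + delay))
```

The same captured header is accepted inside the nonce lifetime and answered with a fresh challenge after it, which is the narrow real-time window the reply refers to; because the method is part of the hash, the response also fails for any other request method.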