Greetings list.
I can see that I was able to bypass the default route[AUTH] if I send an INVITE whose from_uri is not local but whose request line contains a local user.
listen=udp:172.16.40.10:5060

route[AUTH] {
#!ifdef WITH_AUTH

#!ifdef WITH_IPAUTH
	if((!is_method("REGISTER")) && allow_source_address()) {
		# source IP allowed
		return;
	}
#!endif

	if (is_method("REGISTER") || from_uri==myself) {
		# authenticate requests
		if (!auth_check("$fd", "subscriber", "1")) {
			auth_challenge("$fd", "0");
			exit;
		}
		# user authenticated - remove auth header
		if(!is_method("REGISTER|PUBLISH"))
			consume_credentials();
	}

	# if caller is not local subscriber, then check if it calls
	# a local destination, otherwise deny, not an open relay here
	if (from_uri!=myself && uri!=myself) {
		sl_send_reply("403","Not relaying");
		exit;
	}

#!else

	# authentication not enabled - do not relay at all to foreign networks
	if(uri!=myself) {
		sl_send_reply("403","Not relaying");
		exit;
	}

#!endif
	return;
}
The INVITE below gets past the AUTH route above.
INVITE sip:60129879190@172.16.40.10 SIP/2.0
Via: SIP/2.0/UDP 139.5.177.91:5060;branch=z9hG4bK31edc7f4;rport
Max-Forwards: 70
From: sip:0128888877@139.5.177.99;tag=as2274e806
To: sip:60129879190@172.16.40.10
Contact: sip:0128888877@139.5.177.91:5060
Call-ID: 7b6d32bc6c679bb23eb248b955c0ac8b@139.5.177.91:5060
CSeq: 102 INVITE
User-Agent: FPBX-13.0.194.2(13.17.0)
Date: Fri, 23 Mar 2018 09:33:01 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 321

v=0
o=root 237494576 237494576 IN IP4 139.5.177.99
s=Asterisk PBX 13.17.0
c=IN IP4 139.5.177.99
t=0 0
m=audio 15332 RTP/AVP 0 18 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv
From the INVITE and route[AUTH] I can see why it is being passed.
But shouldn't it by default authenticate every request if the IP address is not allowed in the permissions module?
Br, Aqs.
Hi Aqs, what seems to be the problem? Do you want this caller to be IP authenticated, digest authenticated, or denied?
On Fri, Mar 23, 2018 at 6:16 AM, Aqs Younas aqsyounas@gmail.com wrote:
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Thanks Samy for replying.
I wanted that if the caller IP was not allowed, it should be asked for digest authentication. But the default AUTH route above only does that if from_uri is local. If someone sets a different URI in the From header, he will be able to bypass the security check. Correct me if I am wrong somewhere.
I know I can modify the route to get the expected request.
But I just wanted to ask if setting #!define WITH_AUTH and #!define WITH_IPAUTH was not enough in the default configuration to make sure the caller is legitimate.
Br. Aqs.
On 23 March 2018 at 23:54, SamyGo govoiper@gmail.com wrote:
Yeah, so that's a sample script and it definitely needs add-on functions to enable what you're expecting it to do. I believe in the past (or maybe in OpenSIPS, I'm not certain) it used to have the function db_check_from() / check_from() to validate the user in the DB and, if found, engage AUTH. Check the URI_DB module. You can also use the function is_subscriber("$fU","subscriber",3) http://www.kamailio.org/docs/modules/5.0.x/modules/auth_db.html#idp44935044 to ensure authentication is engaged for everyone.
On Fri, Mar 23, 2018 at 3:54 PM, Aqs Younas aqsyounas@gmail.com wrote:
Thanks Samy.
On Sat, 24 Mar 2018, 8:50 pm SamyGo, govoiper@gmail.com wrote: