[Serusers] Proxy_authorize, www_authorize

Lasse Jansson lasse at solstiernan.nu
Fri Mar 7 00:49:41 CET 2003


OK, I see what you mean. I think the policy you recommend will do just fine in 
order to stop the most obvious types of abuse of a sip server. (If you want 
more paranoid "firewalling" you need to know sip really well, and there is 
always a risk that you stop legal cases).

Thanks for your advice. The following script should do the trick then, huh?

Lasse

	# REQUESTS DIRECTED TO MY DOMAIN
	if (uri=~"[@:]mydomain\.com") {

		# Challenge registrations (401; the "1" enables qop=auth)
		if (method=="REGISTER") {
			if (!www_authorize("mydomain.com", "subscriber")) {
				www_challenge("mydomain.com", "1");
				break;
			};
			save("location");
			break;
		};

		# Challenge any other request where the sender has my domain in From (407)
		if (search("(f|From).*mydomain\.com")) {
			if (!proxy_authorize("mydomain.com", "subscriber")) {
				proxy_challenge("mydomain.com", "1");
				break;
			};
		};

		# native SIP destinations are handled using our USRLOC DB
		if (!lookup("location")) {
			sl_send_reply("404", "Not Found");
			break;
		};

	# REQUESTS DIRECTED TO OTHER DOMAINS
	} else {

		# Challenge any request where the sender has my domain in From
		if (search("(f|From).*mydomain\.com")) {
			if (!proxy_authorize("mydomain.com", "subscriber")) {
				proxy_challenge("mydomain.com", "1");
				break;
			};

		# Drop INVITE requests where the sender does not have my domain in From;
		# other methods from outsiders fall through and are relayed
		} else {
			if (method=="INVITE") {
				sl_send_reply("403", "Forbidden");
				break;
			};
		};
	};

	# forward to current uri now
	if (!t_relay()) {
		sl_reply_error();
	};




On Wednesday 05 March 2003 23.05, Jiri Kuthan wrote:
> Lasse,
>
> I see two limitations:
> - if you only challenge INVITEs to outside domain, people out of your
>   domain can call people in your domain and claim shamelessly your domain
>   name in From, which is then sort of rubberstamped by the proxy; so I
> think you can combine challenging based on From along with "anti-spam"
> policy "drop invites which have my domain neither in From nor in r-uri" -
> if you apply such policies to other requests than BYE, you will run into
> troubles, better be permissive about non-INVITEs. See
>  
> http://www.ietf.org/mail-archive/working-groups/sipping/current/msg04002.html
>
> -Jiri
>
> At 10:10 PM 3/5/2003, Lasse Jansson wrote:
> >Thanks,
> >
> >One last question: I guess that if I want my server to offer <forwarding
> > of requests to other domains> only to authorized users in my domain I
> > should restrict the last part more, as follows:
> >
> ># For requests to other domains
> >                if (!proxy_authorize("mydomain.com", "subscriber")) {
> >                        proxy_challenge("mydomain.com", "1");
> >                        break;
> >                };
> >
> >(i.e. I can skip the (search("(f|From).*mydomain\.com")) condition in this
> >case)
> >
> >Lasse
> >
> >On Wednesday 05 March 2003 02.08, Jiri Kuthan wrote:
> >> At 10:43 PM 3/4/2003, Lasse Jansson wrote:
> >> >Thanks for your answer !
> >> >
> >> >I guess then that the following lines (based on the default script)
> >> > would work to implement all of Michael's example ?
> >> >
> >> >Lasse
> >> >
> >> >        if (uri=~mydomain.com) {
> >>
> >> perhaps better (uri=~"[@:]mydomain\.com"). Everything else seems
> >> reasonable to me.
> >>
> >> -Jiri
> >>
> >> _______________________________________________
> >> Serusers mailing list
> >> serusers at lists.iptel.org
> >> http://lists.iptel.org/mailman/listinfo/serusers
>
> --
> Jiri Kuthan            http://iptel.org/~jiri/
>
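As an added illustration (not part of the original post or of SER itself), here is a small Python model of the decision tree in the script above, so each branch of the policy can be table-tested offline. It assumes that search() tests the regex against each header line; the Request class, the authorized flag (standing in for www_/proxy_authorize()) and the sample requests are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Patterns copied from the posted ser.cfg fragment.
MY_DOMAIN_RURI = re.compile(r"[@:]mydomain\.com")
FROM_CLAIMS_MY_DOMAIN = re.compile(r"(f|From).*mydomain\.com")
# Tighter variant (assumption, not from the post): anchor to the From header only,
# so a lowercase "f" in some other header cannot trigger the challenge.
STRICT_FROM = re.compile(r"^(f|From):.*mydomain\.com")

@dataclass
class Request:
    method: str
    ruri: str                                   # Request-URI, e.g. "sip:bob@mydomain.com"
    headers: list = field(default_factory=list)  # raw header lines (constructed)
    authorized: bool = False                    # stand-in for www_/proxy_authorize()

def route(req: Request, from_re: re.Pattern = FROM_CLAIMS_MY_DOMAIN) -> str:
    """Return the action the script takes: 401, 407, 403, save, lookup or relay."""
    claims_my_domain = any(from_re.search(h) for h in req.headers)  # models search()
    if MY_DOMAIN_RURI.search(req.ruri):
        if req.method == "REGISTER":
            return "save" if req.authorized else "401"      # www_challenge
        if claims_my_domain and not req.authorized:
            return "407"                                    # proxy_challenge
        return "lookup"                                     # usrloc, then t_relay
    if claims_my_domain and not req.authorized:
        return "407"                                        # insider going out
    if not claims_my_domain and req.method == "INVITE":
        return "403"                                        # anti-spam rule
    return "relay"                                          # t_relay to other domain

# Constructed sample requests covering each branch of the policy.
outsider = ["From: <sip:eve@example.org>;tag=1", "To: <sip:bob@mydomain.com>"]
CASES = {
    "register_no_creds": Request("REGISTER", "sip:mydomain.com",
                                 ["From: <sip:bob@mydomain.com>;tag=2"]),
    "insider_no_creds_out": Request("INVITE", "sip:carol@example.org",
                                    ["From: <sip:bob@mydomain.com>;tag=3"]),
    "outsider_calls_in": Request("INVITE", "sip:bob@mydomain.com", outsider),
    "outsider_relay_invite": Request("INVITE", "sip:carol@example.org", outsider),
    "outsider_relay_message": Request("MESSAGE", "sip:carol@example.org", outsider),
    # The unanchored "(f|From)" also matches the "f" in "fred" on the To line.
    "outsider_calls_fred": Request("INVITE", "sip:fred@mydomain.com",
                                   ["From: <sip:eve@example.org>;tag=4",
                                    "To: <sip:fred@mydomain.com>"]),
}

def decisions(from_re: re.Pattern = FROM_CLAIMS_MY_DOMAIN) -> dict:
    """Evaluate every sample request under the given From-header pattern."""
    return {name: route(req, from_re) for name, req in CASES.items()}
```

Comparing decisions() with decisions(STRICT_FROM) shows that the loose pattern challenges an outside caller to fred@mydomain.com with 407 instead of looking him up, while the anchored one does not; both variants still relay non-INVITE requests from outsiders to other domains, which is the permissive behaviour Jiri recommends.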