[OpenSER-Users] Security hole in REGISTER's Contact using domain
Juha Heinanen
jh at tutpro.com
Fri Dec 14 11:04:40 CET 2007
Iñaki Baz Castillo writes:
> > 1) buy pstn gws that accept no hostnames (just its own ip address) in
> > the hostpart of r-uri. example, cisco ios with later software
> > releases.
>
> So really isn't there solution just in OpenSer-Registrar side??
this is registrar solution. you use permissions module and don't accept
registrations where ip address in hostpart of contact belongs to your
gws.
> > 2) forget the hostpart check all together and instead check the
> > userpart, where you have put something special that the gw then
> > removes.
>
> So you mean for example:
>
> register.deny:
> --------------------
> ALL : "^sip:.*secret_word_.*@"
> ----------------------
>
> And later, in any call to PSTN OpenSer should add:
>
> $ru = "secret_word_" + $ru;
you can use lcr module to add the prefix.
> so the uri arriving to the gw becomes:
>
> sip:secret_word_01666555444 at gw_ip_or_hostname
>
> And the gw should just allow calls from OpenSer with uri username beginning
> with "secret_word_" and it should strip it.
that is correct, but the prefix does not need to be secret, just
something that doesn't normally appear in userparts.
> Is this what you mean? anyway, a little complex, isn't it? XDD
why do you think it is complex? one row in register.deny and one strip
at the gateway.
-- juha
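The two registrar-side checks discussed above (deny a Contact whose hostpart is one of your own gateway IPs, and deny a Contact whose userpart carries the PSTN prefix that the gateway strips), as an added Python illustration that is not part of this thread or of OpenSER itself. The gateway addresses and the prefix are constructed values; the register.deny row quoted in the thread is mirrored as a regular expression.

```python
import re
import ipaddress

# Constructed values: addresses of the PSTN gateways this registrar sends
# calls to. In OpenSER this list would live in the permissions module's
# register.deny file, not in code.
GATEWAY_IPS = {"192.0.2.10", "192.0.2.11"}

# Userpart marker prepended to PSTN calls (e.g. by lcr) and stripped by the
# gateway. Constructed value mirroring "secret_word_" from the thread; as
# Juha notes, it only needs to be unusual, not secret.
PSTN_PREFIX = "secret_word_"

# Equivalent of the register.deny row:  ALL : "^sip:.*secret_word_.*@"
DENY_USERPART_RE = re.compile(r"^sip:.*" + re.escape(PSTN_PREFIX) + r".*@")

# Minimal SIP URI splitter: sip:[user@]host[:port][;params]
URI_RE = re.compile(r"^sips?:(?:(?P<user>[^@;>]*)@)?(?P<host>[^:;>?]+)")


def contact_uri(contact):
    """Extract the bare URI from a Contact header value ("<sip:...>;expires=..." or bare)."""
    m = re.search(r"<([^>]+)>", contact)
    return m.group(1) if m else contact.split(";")[0].strip()


def register_allowed(contact):
    """Return True if a REGISTER with this Contact should be accepted."""
    uri = contact_uri(contact)
    m = URI_RE.match(uri)
    if not m:
        return False  # unparsable Contact: refuse rather than guess
    host = m.group("host")
    # Check 1: hostpart is a literal IP of one of our gateways -> deny.
    # A hostname that merely resolves to a gateway is not caught here, which
    # is why the thread pairs this with option 1 (gateway accepts only its own
    # IP) or option 2 (the userpart prefix check below).
    try:
        if str(ipaddress.ip_address(host)) in GATEWAY_IPS:
            return False
    except ValueError:
        pass  # hostname, not an IP literal; fall through to check 2
    # Check 2: userpart carries the PSTN prefix -> deny.
    return DENY_USERPART_RE.match(uri) is None
```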