[SR-Users] Configuring Kamailio as an authenticating SIP Proxy?

Will Ferrer will.ferrer at switchsoft.com
Tue Dec 10 21:42:06 CET 2013


Hi Mark

In case it is helpful for your situation what we do is as follows:

We use 1 box as a sort of SBC, where we do all our IP authentication and
then we route the call through to various call processing boxes using the
kamailio dispatcher module.

On our dispatcher box we test the ip and from uri as a pair of the
connecting party via the allow_trusted function and then on the
callprocessing boxes we make sure the messages are coming from the
dispatcher box via the allow_source_address function. user credentials
authentication is passed through from the dispatcher to the callprocessing
box in our set up.

Using the dispatcher module all our sip traffic first passes through the
dispatcher (which sounds similar to what you want to accomplish I believe).

Here are the 2 modules I mentioned above:

http://kamailio.org/docs/modules/3.1.x/modules_k/dispatcher.html

http://kamailio.org/docs/modules/3.0.x/modules_k/permissions.html

This a fairly basic set up we have so hopefully you can put together
something similar if it suits your needs.

All the best.

Will Ferrer






On Tue, Dec 10, 2013 at 2:39 AM, Mark D. Montgomery II <
techiem2 at techiem2.net> wrote:

> Here's the issue:
> I have a FreePBX server running at a location that
> 1.  Is not directly accessible from all the outside locations I would be at
> 2.  I don't want the SIP ports directly open to it from the whole world
> anyway for security reasons.
>
> I have a VPS that I am currently using as a pure SIP redirector via
> firewall rules, and the main location allows connection from the VPS only.
>
> The issue I've run into (which is the same issue as having the main server
> open to the world), is that I still get a fair number of exploit hits to
> the server.
>
> What I'd like to do is use Kamailio as an authenticating proxy so I could
> use fail2ban on the VPS to ban the offenders when they try to exploit the
> server.
> Basically I want Kamailio to handle passing authentication back and forth
> from the client to the actual server and then handle proxying the full
> connection when the auth is correct.
>
> Is this doable?
> If so, how would I go about setting it up?
> It looks like Kamailio should be able to do just about anything, but I
> don't know where to start.
>
> Thanks.
>
> Mark II
>
> --
> Mark D. Montgomery II
> http://www.techiem2.net
>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20131210/1fcbaeaf/attachment.html>


More information about the sr-users mailing list