[SR-Users] INVITE messages not authenticated (default configuration)?
Alex Balashov
abalashov at evaristesys.com
Thu Mar 7 23:24:01 CET 2013
Because digest authentication is a far from self-evident or universal use-case for Kamailio.
Paul Belanger <paul.belanger at polybeacon.com> wrote:
>Greeting,
>
>Hopefully, I'm understanding the following default kamailio.cfg[1]
>file. Over the weekend, I was attacked by SipVicious. Following
>along with the example Daniel[2] created with Kamailio and Asterisk, I
>have almost the same setup. Rather than storing my SIP profiles in
>the Asterisk database, I have them in Kamailio.
>
>To my point, the attacker was actually able to bypass any sort of
>authentication by simply sending an INVITE message:
>
>./svmap.py -e 18885551234 kamailio.example.org -m INVITE
>
>Which Kamailio forwarded to Asterisk, and because there is no
>additional auth within Asterisk, it was able to hit the Asterisk context
>and get processed (they did not get out to the real world).
>However, my question is.... why do we not authenticate INVITE
>messages? If my understanding is correct, it would require something
>like the following:
>
>if (is_method("INVITE")) {
> if (!proxy_authorize("$fd", "subscriber")) {
> proxy_challenge("$fd", "0");
> exit;
> }
>}
>
>If so, why not also do it in the default configuration file?
>
>[1]
>http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc/kamailio.cfg;hb=HEAD
>[2]
>http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
>--
>Paul Belanger | PolyBeacon, Inc.
>Jabber: paul.belanger at polybeacon.com | IRC: pabelanger (Freenode)
>Github: https://github.com/pabelanger | Twitter:
>https://twitter.com/pabelanger
>
>_______________________________________________
>SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>sr-users at lists.sip-router.org
>http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Sent from my Nexus 10, with all the figments of autocorrect that might imply.
Alex Balashov - Principal
Evariste Systems LLC
235 E Ponce de Leon Ave
Suite 106
Decatur, GA 30030
United States
Tel: +1-678-954-0670
Web: http://www.evaristesys.com/, http://www.alexbalashov.com/
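As an added illustration of the point discussed in this thread (not code from either poster or from the stock kamailio.cfg), here is a request route that challenges initial INVITEs with digest authentication unless they come from an explicitly trusted peer, which is the usual way to reconcile "authenticate INVITE" with trunks that cannot do digest. It assumes Kamailio 3.x syntax, the tm, rr, sl, siputils, registrar, auth, auth_db and permissions modules loaded with db_url configured, accounts in the "subscriber" table, trusted peer addresses in the permissions address table under group 1, and the realm taken from the From domain ($fd).

```cfg
#!define WITH_AUTH

request_route {
    # Sanity checks (max-forwards, message size) omitted; see the stock config.

    # In-dialog requests (with a To-tag) are routed on Record-Route, not
    # challenged again here.
    if (has_totag()) {
        if (loose_route()) { route(RELAY); }
        else { sl_send_reply("404", "Not here"); }
        exit;
    }

    # Every initial request passes route[AUTH] before being relayed,
    # so INVITE is covered as well as REGISTER.
    route(AUTH);

    if (is_method("REGISTER")) {
        if (!save("location")) { sl_reply_error(); }
        exit;
    }

    route(RELAY);
}

route[AUTH] {
#!ifdef WITH_AUTH
    # Trusted peers (e.g. a PSTN gateway, address group 1) are identified by
    # source IP and skip the challenge; any other initial INVITE or REGISTER,
    # and anything claiming a local From domain, must carry valid credentials.
    if ((is_method("REGISTER|INVITE") && !allow_source_address("1"))
            || from_uri == myself) {
        if (!auth_check("$fd", "subscriber", "1")) {
            auth_challenge("$fd", "0");   # 401/407 with a digest challenge
            exit;
        }
        # Credentials verified; strip them before forwarding downstream.
        if (!is_method("REGISTER|PUBLISH")) consume_credentials();
    }
    # A caller that is neither local nor trusted may only reach local
    # destinations: no open relay.
    if (from_uri != myself && uri != myself) {
        sl_send_reply("403", "Not relaying");
        exit;
    }
#!endif
    return;
}

route[RELAY] {
    if (!t_relay()) { sl_reply_error(); }
    exit;
}
```

With this in place a scanner INVITE from an untrusted address is answered with a 407 challenge and never reaches Asterisk, while a peer listed in the address table still gets through; one way to confirm is to watch for a burst of 407 replies to one source in the SIP trace.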