[SR-Users] INVITE messages not authenticated (default configuration)?

Olle E. Johansson oej at edvina.net
Fri Mar 8 09:40:43 CET 2013


On 7 Mar 2013, at 23:20, Paul Belanger <paul.belanger at polybeacon.com> wrote:

> Greeting,
> 
> Hopefully, I'm understanding the following default kamailio.cfg[1]
> file.  Over the weekend, I was attacked by SipVicious.  Following
> along with the example Daniel[2] created with Kamailio and Asterisk, I
> have almost the same setup.  Rather than storing my SIP profiles in the
> Asterisk database, I have them in Kamailio.
> 
> To my point, the attacker was actually able to bypass any sort of
> authentication by simply sending an INVITE message:
> 
> ./svmap.py -e 18885551234 kamailio.example.org -m INVITE
> 
> Which Kamailio forwarded to Asterisk, and because there is no
> additional auth within Asterisk, it was able to hit the Asterisk context
> and get processed (they did not get out to the real world).
> However, my question is.... why do we not authenticate INVITE
> messages?  If my understanding is correct, it would require something
> like the following:
> 
> if (is_method("INVITE")) {
>    # realm is the From domain ($fd); credentials come from the "subscriber" table
>    if (!proxy_authorize("$fd", "subscriber")) {
>        # no or bad credentials: send 407 Proxy Authentication Required
>        proxy_challenge("$fd", "0");
>        exit;
>    }
> }
> 
> If so, why not also do it in the default configuration file?
The default configuration file is set up to be user-friendly and easy to start with and learn from;
it's not something that should be deployed in production.

To add authentication in Kamailio, you would need some sort of external datastore
with accounts, which is not easy to ship with the default config. If you enable auth
in the config file (which is documented in there) and set up a database with subscribers,
I'm pretty sure it will authenticate properly.

We could also add a PV-based authentication with a static password in the
configuration file, like "KAMAILIOADMIN" and password "ABBA4EVER" but it would take five 
minutes from commit until that password and username would be on top
of the list for SIPvicious. Especially since I would tell Sandro about it... ;-)

Now, you did enable authentication and something went wrong. Did Daniel's
example rely on Asterisk authentication maybe and you disabled that?

Maybe we should add text to the default config, like in Asterisk's README.SERIOUSLY,
that not using proper authentication is a bad thing (TM).

/O
> 
> [1] http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc/kamailio.cfg;hb=HEAD
> [2] http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
> -- 
> Paul Belanger | PolyBeacon, Inc.
> Jabber: paul.belanger at polybeacon.com | IRC: pabelanger (Freenode)
> Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger
> 
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
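The following Kamailio routing-script fragment is an added example and is not part of the thread above, of the default kamailio.cfg, or of Daniel's Asterisk realtime example. It puts the weak behaviour Paul describes (INVITE relayed to Asterisk without a challenge) next to a hardened route that challenges INVITE, ties the digest username to the From user, and strips the credentials before relaying. Assumptions: a MySQL backend at the DBURL shown, accounts in the standard "subscriber" table, Asterisk reachable at the hypothetical address 10.0.0.20, and the sl and tm modules plus a route[RELAY] already present as in the default config.

```cfg
# Added example (not from the thread or the Kamailio default config).
# Assumptions: MySQL backend, accounts in the "subscriber" table,
# Asterisk at 10.0.0.20 (hypothetical address), sl/tm and route[RELAY]
# already loaded/defined as in the default kamailio.cfg.
#!define DBURL "mysql://kamailio:kamailiorw@localhost/kamailio"
#!define ASTERISK_IP "10.0.0.20"

loadmodule "db_mysql.so"
loadmodule "auth.so"
loadmodule "auth_db.so"

modparam("auth_db", "db_url", DBURL)
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
modparam("auth_db", "load_credentials", "")

# WEAK: every INVITE is relayed to Asterisk unchallenged, so
# "svmap.py -m INVITE" from anywhere reaches the dialplan context.
route[RELAY_UNAUTHENTICATED] {
	if (is_method("INVITE")) {
		$du = "sip:" + ASTERISK_IP + ":5060";
		route(RELAY);
	}
}

# HARDENED: call this from request_route before any relaying.
route[AUTH] {
	# Requests from Asterisk itself are trusted by source address.
	# Challenging them would break calls Asterisk originates.
	if ($si == ASTERISK_IP) return;

	# Challenge INVITE (and any request claiming one of our domains).
	if (is_method("INVITE") || from_uri == myself) {
		if (!proxy_authorize("$fd", "subscriber")) {
			# 407 Proxy Authentication Required with a fresh nonce
			proxy_challenge("$fd", "0");
			exit;
		}
		# Digest username must match the From user, otherwise a valid
		# account could place calls as any other subscriber.
		if ($au != $fU) {
			sl_send_reply("403", "Forbidden auth ID");
			exit;
		}
		# Do not leak the Proxy-Authorization header to Asterisk.
		consume_credentials();
	}
	return;
}
```

proxy_authorize/proxy_challenge are for proxied requests such as INVITE and produce a 407; REGISTER is handled separately with www_authorize/auth_challenge (401), as the default config already does when WITH_AUTH is defined. Because the source-address check is what exempts Asterisk, it only holds if the Asterisk host cannot be spoofed from the network the proxy listens on (for example, Asterisk on a private interface or the same host).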
