[SR-Users] Default AUTH route potential issue?
Daniel-Constantin Mierla
miconda at gmail.com
Wed Apr 11 17:27:25 CEST 2018
Hello,
route[AUTH] allows calls from non-local users (from other sip servers)
to local users. The R-URI has the public IP address, so it is considered
to be for a local user.
If you do not want to allow non-local users to call your users, just do
auth_check() for all non-trusted traffic.
Cheers,
Daniel
On 11.04.18 17:15, Володимир Іванець wrote:
> Hello all!
>
> I'm using Kamailio 5.1.0 on my testing machine. Configuration includes
> slightly modified AUTH route
> from http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb
>
> route[AUTH] {
>     xlog("L_DBG", "== TRACE. AUTH\n");
>
>     # if caller is not local subscriber, then check if it calls
>     # a local destination, otherwise deny, not an open relay here
>     if (from_uri!=myself && uri!=myself) {
>         xlog("L_DBG", "== TRACE. AUTH. Not relaying. Exiting.\n");
>         sl_send_reply("403","Not relaying");
>         exit;
>     }
>
>     if(isflagset(TRUSTEDIP)) {
>         xlog("== TRACE. AUTH. TRUSTEDIP. Returning.\n");
>         return;
>     }
>
>     if (is_method("REGISTER") || from_uri==myself) {
>         xlog("L_DBG", "== TRACE. AUTH. Method REGISTER\n");
>         # authenticate requests
>         if (!auth_check("$fd", "sipusers", "1")) {
>             auth_challenge("$fd", "0");
>             xlog("L_DBG", "== TRACE. AUTH. Exiting.\n");
>             exit;
>         }
>         # user authenticated - remove auth header
>         if(!is_method("REGISTER|PUBLISH")) {
>             xlog("L_DBG", "== TRACE. AUTH. Method is not REGISTER|PUBLISH\n");
>             consume_credentials();
>         }
>     }
>
>     xlog("L_DBG", "== TRACE. AUTH. Returning.\n");
>     return;
> }
>
> I opened port UDP/5060 to everyone today and started receiving some
> SIP requests. Most INVITEs were stopped by *auth_challenge* but then I
> received this one:
>
> 2018/04/11 16:32:44.385689 38.91.106.211:5069 -> 172.16.30.205:5060
>
> INVITE sip:100@MY_PUB_IP_ADDRESS SIP/2.0
> v: SIP/2.0/UDP 38.91.106.211:5060;branch=z9hG4bK-929181129;rport
> Content-Length: 0
> f: "pbx"<sip:100@1.1.1.1>;tag=3535306165633930313363340131373533363938373235
> i: 757925348661465531074812
> m: sip:100@38.91.106.211:5069
> Accept: application/sdp
> CSeq: 1 INVITE
> t: "pbx"<sip:100@1.1.1.1>
> Max-Forwards: 70
>
> ... and it came through AUTH route. Below are two fragments of
> Kamailio log:
>
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. INVITE From: sip:100@1.1.1.1 (IP:38.91.106.211:5069)
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. To: sip:100@1.1.1.1
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: pv [pv_core.c:1286]: pv_get_dsturi(): no destination URI
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. Destination URI : <null>
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. SIP Request header : sip:100@MY_PUB_IP_ADDRESS
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/parser/msg_parser.c:89]: get_hdr_field(): found end of header
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: pv [pv_core.c:966]: pv_get_useragent(): no User-Agent header
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. User Agent header : <null>
> ****************************************************************************************************
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. request_route ==> AUTH
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. AUTH
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==9 && [1.1.1.1] == [127.0.0.1]
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==13 && [1.1.1.1] == [172.16.30.205]
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==9 && [1.1.1.1] == [127.0.0.1]
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 8088 (advertise 0) matches port 5060
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/forward.c:412]: check_self(): host != me
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==9 && [1.1.1.1] == [127.0.0.1]
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==13 && [1.1.1.1] == [172.16.30.205]
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==9 && [1.1.1.1] == [127.0.0.1]
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 8088 (advertise 0) matches port 5060
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/forward.c:412]: check_self(): host != me
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 13==9 && [ MY_PUB_IP_ADDRESS ] == [127.0.0.1]
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 13==13 && [ MY_PUB_IP_ADDRESS ] == [172.16.30.205]
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 13==9 && [ MY_PUB_IP_ADDRESS ] == [127.0.0.1]
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 8088 (advertise 0) matches port 5060
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. AUTH. Returning.
>
> As you can see, all tests failed to catch this INVITE request and
> Kamailio continued processing it. And I'm now wondering what would be
> the best way to identify such a packet.
>
> Thanks.
>
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - April 16-18, 2018, Berlin - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com
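A hardened version of the quoted route along the lines Daniel describes, added here as an illustration and not taken from the list post, the asipto knowledge base or the Kamailio project; it assumes the TRUSTEDIP flag and the sipusers table from the original config are defined elsewhere:

```kamailio
route[AUTH] {
    xlog("L_DBG", "== TRACE. AUTH\n");

    # still no open relay: the request must either come from or go to a local user
    if (from_uri!=myself && uri!=myself) {
        sl_send_reply("403", "Not relaying");
        exit;
    }

    # trusted peers (TRUSTEDIP set earlier in the config, e.g. from an
    # address table) are the only traffic allowed through without credentials
    if (isflagset(TRUSTEDIP)) {
        xlog("L_DBG", "== TRACE. AUTH. TRUSTEDIP. Returning.\n");
        return;
    }

    # everything else is challenged, including an INVITE whose R-URI happens
    # to be our own public IP: the original gate
    #     if (is_method("REGISTER") || from_uri==myself)
    # let such a request fall through to the final return unauthenticated
    if (!auth_check("$fd", "sipusers", "1")) {
        auth_challenge("$fd", "0");
        xlog("L_DBG", "== TRACE. AUTH. Challenged $rm from $fu ($si:$sp)\n");
        exit;
    }

    # credentials verified; strip them before relaying anything but
    # REGISTER/PUBLISH so the Authorization header meant for this proxy
    # is not forwarded downstream
    if (!is_method("REGISTER|PUBLISH")) {
        consume_credentials();
    }

    xlog("L_DBG", "== TRACE. AUTH. Authenticated. Returning.\n");
    return;
}
```

Remote SIP servers that legitimately need to reach local users without credentials must now be flagged TRUSTEDIP before this route runs, since a request URI matching myself no longer bypasses auth_check() on its own.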