[SR-Users] Can't get route[AUTH] working as expected.

Fri Mar 23 20:54:52 CET 2018

Thanks Samy for replying.

I wanted if Caller IP was not allowed it should be asked for digest
authentication. But above default AUTH route only do that if from_uri is
local. If someone set a different URI in from header he will be able to
bypass the security check. Correct me if I am wrong somewhere.

I know I can modify the route to get the expected request.

But just wanted to ask if setting #!define WITH_AUTH and #!define
WITH_IPAUTH was not enough in default configuration just to make sure
caller is legitimate.

Br. Aqs.

On 23 March 2018 at 23:54, SamyGo <govoiper at gmail.com> wrote:

> Hi Aqs,
> What seems to be the problem ! do you want this caller to be IP
> Authenticated or Digest Authenticated or denied !?
>
>
> On Fri, Mar 23, 2018 at 6:16 AM, Aqs Younas <aqsyounas at gmail.com> wrote:
>
>> Greetings list.
>>
>> I can see that I was able to bypass the default route[AUTH] if I send an
>> invite containing from_uri which is not local but requested line containing
>> a local user.
>>
>> llisten=udp:172.16.40.10:5060
>>
>> route[AUTH] {
>> #!ifdef WITH_AUTH
>> #!ifdef WITH_IPAUTH
>> if((!is_method("REGISTER")) && allow_source_address()) {
>> # source IP allowed
>> return;
>> }
>> #!endif
>> if (is_method("REGISTER") || from_uri==myself) {
>> # authenticate requests
>> if (!auth_check("$fd", "subscriber", "1")) {
>> auth_challenge("$fd", "0");
>> exit;
>> }
>> # user authenticated - remove auth header
>> if(!is_method("REGISTER|PUBLISH"))
>> consume_credentials();
>> }
>> # if caller is not local subscriber, then check if it calls
>> # a local destination, otherwise deny, not an open relay here
>> if (from_uri!=myself && uri!=myself) {
>> sl_send_reply("403","Not relaying");
>> exit;
>> }
>> #!else
>> # authentication not enabled - do not relay at all to foreign networks
>> if(uri!=myself) {
>> sl_send_reply("403","Not relaying");
>> exit;
>> }
>> #!endif
>> return;
>> }
>>
>> Below INVITE get passed above auth route.
>>
>>
>> INVITE sip:60129879190 at 172.16.40.10 SIP/2.0
>> Via: SIP/2.0/UDP 139.5.177.91:5060;branch=z9hG4bK31edc7f4;rport
>> Max-Forwards: 70
>> From: <sip:0128888877 at 139.5.177.99>;tag=as2274e806
>> To: <sip:60129879190 at 172.16.40.10>
>> Contact: <sip:0128888877 at 139.5.177.91:5060>
>> Call-ID: 7b6d32bc6c679bb23eb248b955c0ac8b at 139.5.177.91:5060
>> CSeq: 102 INVITE
>> User-Agent: FPBX-13.0.194.2(13.17.0)
>> Date: Fri, 23 Mar 2018 09:33:01 GMT
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO,
>> PUBLISH, MESSAGE
>> Supported: replaces, timer
>> Content-Type: application/sdp
>> Content-Length: 321
>>
>> v=0
>> o=root 237494576 237494576 IN IP4 139.5.177.99
>> s=Asterisk PBX 13.17.0
>> c=IN IP4 139.5.177.99
>> t=0 0
>> m=audio 15332 RTP/AVP 0 18 8 101
>> a=rtpmap:0 PCMU/8000
>> a=rtpmap:18 G729/8000
>> a=fmtp:18 annexb=no
>> a=rtpmap:8 PCMA/8000
>> a=rtpmap:101 telephone-event/8000
>> a=fmtp:101 0-16
>> a=ptime:20
>> a=maxptime:150
>> a=sendrecv
>>
>> From INVITE and route[AUTH] I can see why it is being passed.
>>
>> But should not it by default authenticate every request if IP address is
>> not allowed in permission module.
>>
>> Br, Aqs.
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users at lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>>
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20180324/13a1e6a3/attachment.html>