[SR-Users] Can't get route[AUTH] working as expected.
Aqs Younas
aqsyounas at gmail.com
Sun Mar 25 08:28:11 CEST 2018
Thanks Samy.
On Sat, 24 Mar 2018, 8:50 pm SamyGo, <govoiper at gmail.com> wrote:
> Yeah, so that's a sample script and definitely needs add-on functions to
> enable what you're expecting it to do.
> I believe in the past (or maybe in OpenSIPS, I'm not certain) it used to
> have the function db_check_from() / check_from() to validate the user in the DB and, if
> so, then engage in AUTH. Check the URI_DB module.
> You can also use the function is_subscriber("$fU","subscriber",3)
> <http://www.kamailio.org/docs/modules/5.0.x/modules/auth_db.html#idp44935044> to
> ensure authentication is engaged for everyone.
>
>
>
> On Fri, Mar 23, 2018 at 3:54 PM, Aqs Younas <aqsyounas at gmail.com> wrote:
>
>> Thanks Samy for replying.
>>
>> I wanted that if the caller IP was not allowed, it should be asked for digest
>> authentication. But the default AUTH route above only does that if from_uri is
>> local. If someone sets a different URI in the From header, he will be able to
>> bypass the security check. Correct me if I am wrong somewhere.
>>
>> I know I can modify the route to get the expected request.
>>
>> But I just wanted to ask if setting #!define WITH_AUTH and #!define
>> WITH_IPAUTH was not enough in the default configuration to make sure the
>> caller is legitimate.
>>
>> Br. Aqs.
>>
>> On 23 March 2018 at 23:54, SamyGo <govoiper at gmail.com> wrote:
>>
>>> Hi Aqs,
>>> What seems to be the problem? Do you want this caller to be IP
>>> authenticated, digest authenticated, or denied?
>>>
>>>
>>> On Fri, Mar 23, 2018 at 6:16 AM, Aqs Younas <aqsyounas at gmail.com> wrote:
>>>
>>>> Greetings list.
>>>>
>>>> I can see that I was able to bypass the default route[AUTH] if I send
>>>> an INVITE containing a from_uri which is not local but a request line
>>>> containing a local user.
>>>>
>>>> listen=udp:172.16.40.10:5060
>>>>
>>>> route[AUTH] {
>>>> #!ifdef WITH_AUTH
>>>> #!ifdef WITH_IPAUTH
>>>>     if((!is_method("REGISTER")) && allow_source_address()) {
>>>>         # source IP allowed
>>>>         return;
>>>>     }
>>>> #!endif
>>>>     if (is_method("REGISTER") || from_uri==myself) {
>>>>         # authenticate requests
>>>>         if (!auth_check("$fd", "subscriber", "1")) {
>>>>             auth_challenge("$fd", "0");
>>>>             exit;
>>>>         }
>>>>         # user authenticated - remove auth header
>>>>         if(!is_method("REGISTER|PUBLISH"))
>>>>             consume_credentials();
>>>>     }
>>>>     # if caller is not local subscriber, then check if it calls
>>>>     # a local destination, otherwise deny, not an open relay here
>>>>     if (from_uri!=myself && uri!=myself) {
>>>>         sl_send_reply("403","Not relaying");
>>>>         exit;
>>>>     }
>>>> #!else
>>>>     # authentication not enabled - do not relay at all to foreign networks
>>>>     if(uri!=myself) {
>>>>         sl_send_reply("403","Not relaying");
>>>>         exit;
>>>>     }
>>>> #!endif
>>>>     return;
>>>> }
>>>>
>>>> The INVITE below gets past the auth route above.
>>>>
>>>>
>>>> INVITE sip:60129879190 at 172.16.40.10 SIP/2.0
>>>> Via: SIP/2.0/UDP 139.5.177.91:5060;branch=z9hG4bK31edc7f4;rport
>>>> Max-Forwards: 70
>>>> From: <sip:0128888877 at 139.5.177.99>;tag=as2274e806
>>>> To: <sip:60129879190 at 172.16.40.10>
>>>> Contact: <sip:0128888877 at 139.5.177.91:5060>
>>>> Call-ID: 7b6d32bc6c679bb23eb248b955c0ac8b at 139.5.177.91:5060
>>>> CSeq: 102 INVITE
>>>> User-Agent: FPBX-13.0.194.2(13.17.0)
>>>> Date: Fri, 23 Mar 2018 09:33:01 GMT
>>>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY,
>>>> INFO, PUBLISH, MESSAGE
>>>> Supported: replaces, timer
>>>> Content-Type: application/sdp
>>>> Content-Length: 321
>>>>
>>>> v=0
>>>> o=root 237494576 237494576 IN IP4 139.5.177.99
>>>> s=Asterisk PBX 13.17.0
>>>> c=IN IP4 139.5.177.99
>>>> t=0 0
>>>> m=audio 15332 RTP/AVP 0 18 8 101
>>>> a=rtpmap:0 PCMU/8000
>>>> a=rtpmap:18 G729/8000
>>>> a=fmtp:18 annexb=no
>>>> a=rtpmap:8 PCMA/8000
>>>> a=rtpmap:101 telephone-event/8000
>>>> a=fmtp:101 0-16
>>>> a=ptime:20
>>>> a=maxptime:150
>>>> a=sendrecv
>>>>
>>>> From the INVITE and route[AUTH] I can see why it is being passed.
>>>>
>>>> But shouldn't it by default authenticate every request if the IP address
>>>> is not allowed in the permissions module?
>>>>
>>>> Br, Aqs.
>>>>
>>>> _______________________________________________
>>>> Kamailio (SER) - Users Mailing List
>>>> sr-users at lists.kamailio.org
>>>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>>>
>>>>
>>>
>>
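A hardened route[AUTH] that does what Aqs asks for, added here as an example; it is not part of this thread or of the stock kamailio.cfg. It drops the from_uri==myself gate so that every request which did not pass the IP check is digest-challenged, whatever the From header says. It assumes the surrounding stock configuration (permissions and auth_db loaded, WITH_AUTH/WITH_IPAUTH defined, called from request_route at the same point as the original route(AUTH)), and AUTH_REALM is a placeholder for your SIP domain, the realm the subscribers' HA1 values were computed for.

```cfg
# Hardened route[AUTH]; assumes the stock kamailio.cfg around it.
#!define AUTH_REALM "sip.example.com"   # placeholder: your SIP domain

route[AUTH] {
#!ifdef WITH_AUTH
#!ifdef WITH_IPAUTH
    # peers listed in the permissions address table pass without credentials
    if ((!is_method("REGISTER")) && allow_source_address()) {
        return;
    }
#!endif
    # No from_uri==myself gate: every request that did not pass the IP check
    # above is challenged, so a foreign From URI no longer skips auth.
    # Flag 1 also requires the digest username to match the From username
    # (To username for REGISTER), so valid credentials cannot be presented
    # under another caller identity. A fixed realm is used instead of $fd
    # so that the realm in the challenge cannot be chosen by the sender.
    if (!auth_check(AUTH_REALM, "subscriber", "1")) {
        auth_challenge(AUTH_REALM, "0");
        exit;
    }
    # caller proved to be a local subscriber; strip credentials before relaying
    if (!is_method("REGISTER|PUBLISH"))
        consume_credentials();

    # still not an open relay: an authenticated subscriber may not relay
    # between two foreign domains either
    if (from_uri!=myself && uri!=myself) {
        sl_send_reply("403", "Not relaying");
        exit;
    }
#!else
    # authentication not enabled - do not relay at all to foreign networks
    if (uri!=myself) {
        sl_send_reply("403", "Not relaying");
        exit;
    }
#!endif
    return;
}
```

With this route, the INVITE from 139.5.177.91 in the thread is answered with a 401 challenge unless that address is in the permissions table, because the foreign From domain is no longer consulted to decide whether to authenticate.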