Re: [SR-Users] Can't get route[AUTH] working as expected.

2018-03-25 Thread Aqs Younas
Thanks Samy.

___
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


Re: [SR-Users] Can't get route[AUTH] working as expected.

2018-03-24 Thread SamyGo
Yeah, so that's a sample script and definitely needs add-on functions to
enable what you're expecting it to do.
I believe in the past (or maybe in OpenSIPS, I'm not certain) it used to
have the function db_check_from() / check_from() to validate the user in the
DB and, if so, then engage AUTH. Check the URI_DB module.
You can also use the function is_subscriber("$fU","subscriber",3) to
ensure authentication is engaged for everyone.





Re: [SR-Users] Can't get route[AUTH] working as expected.

2018-03-23 Thread Aqs Younas
Thanks Samy for replying.

I wanted that if the caller IP is not allowed, it should be asked for digest
authentication. But the above default AUTH route only does that if from_uri is
local. If someone sets a different URI in the From header, he will be able to
bypass the security check. Correct me if I am wrong somewhere.

I know I can modify the route to get the expected behaviour.

But I just wanted to ask if setting #!define WITH_AUTH and #!define
WITH_IPAUTH was not enough in the default configuration to make sure the
caller is legitimate.

Br. Aqs.



Re: [SR-Users] Can't get route[AUTH] working as expected.

2018-03-23 Thread SamyGo
Hi Aqs,
What seems to be the problem? Do you want this caller to be IP
authenticated, digest authenticated, or denied?




[SR-Users] Can't get route[AUTH] working as expected.

2018-03-23 Thread Aqs Younas
Greetings list.

I can see that I was able to bypass the default route[AUTH] if I send an
INVITE containing a from_uri which is not local but a request line containing
a local user.

listen=udp:172.16.40.10:5060

route[AUTH] {
#!ifdef WITH_AUTH

#!ifdef WITH_IPAUTH
    if((!is_method("REGISTER")) && allow_source_address()) {
        # source IP allowed
        return;
    }
#!endif

    if (is_method("REGISTER") || from_uri==myself) {
        # authenticate requests
        if (!auth_check("$fd", "subscriber", "1")) {
            auth_challenge("$fd", "0");
            exit;
        }
        # user authenticated - remove auth header
        if(!is_method("REGISTER|PUBLISH"))
            consume_credentials();
    }
    # if caller is not local subscriber, then check if it calls
    # a local destination, otherwise deny, not an open relay here
    if (from_uri!=myself && uri!=myself) {
        sl_send_reply("403","Not relaying");
        exit;
    }

#!else

    # authentication not enabled - do not relay at all to foreign networks
    if(uri!=myself) {
        sl_send_reply("403","Not relaying");
        exit;
    }

#!endif
    return;
}

The INVITE below gets passed by the above auth route.


INVITE sip:60129879190@172.16.40.10 SIP/2.0
Via: SIP/2.0/UDP 139.5.177.91:5060;branch=z9hG4bK31edc7f4;rport
Max-Forwards: 70
From: ;tag=as2274e806
To: 
Contact: 
Call-ID: 7b6d32bc6c679bb23eb248b955c0ac8b@139.5.177.91:5060
CSeq: 102 INVITE
User-Agent: FPBX-13.0.194.2(13.17.0)
Date: Fri, 23 Mar 2018 09:33:01 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 321

v=0
o=root 237494576 237494576 IN IP4 139.5.177.99
s=Asterisk PBX 13.17.0
c=IN IP4 139.5.177.99
t=0 0
m=audio 15332 RTP/AVP 0 18 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

From the INVITE and route[AUTH] I can see why it is being passed.

But should it not by default authenticate every request if the IP address is
not allowed in the permissions module?

Br, Aqs.
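The INVITE above passes because the stock condition is_method("REGISTER") || from_uri==myself is an anti-relay rule, not caller authentication: a foreign From URI aimed at a local user is allowed through on purpose (federated inbound calls), and the trailing from_uri!=myself && uri!=myself check only stops relaying to other domains. To get the behaviour Aqs asked for, and which Samy's reply points at ("ensure authentication is engaged for everyone"), the challenge must stop depending on the From URI. The route[AUTH] below does that. It is an added example written for this page, not code from either thread participant and not Kamailio's stock kamailio.cfg. It uses the same permissions, auth_db and sl functions as the stock route; the one new name is MYREALM, an assumed placeholder realm for the digest challenge (the original post only shows listen=udp:172.16.40.10:5060).

```cfg
# Realm used in the 401/407 challenge. Hypothetical value: the thread shows
# no domain, only listen=udp:172.16.40.10:5060. With the auth_db default
# use_domain=0 the realm is not part of the subscriber lookup, but pinning
# it here keeps the challenge realm from following an attacker-chosen From
# domain, which is what auth_check("$fd", ...) would do for a foreign From.
#!define MYREALM "sip.example.com"

route[AUTH] {
#!ifdef WITH_AUTH

#!ifdef WITH_IPAUTH
    # Trusted peers listed in the permissions address table skip digest
    # auth. REGISTER is never IP-authenticated, so a trusted peer cannot
    # register contacts for arbitrary local users.
    if (!is_method("REGISTER") && allow_source_address()) {
        return;
    }
#!endif

    # Everything that reaches this point comes from an untrusted source.
    # Unlike the stock route there is no "|| from_uri==myself" gate, so the
    # INVITE from the original post (foreign From, local Request-URI) is
    # challenged instead of being passed through. Flag 1 is the same as in
    # the stock route: the username in the credentials must match the From
    # username (To for REGISTER), so one leaked account cannot place calls
    # as every other local user.
    if (!auth_check(MYREALM, "subscriber", "1")) {
        auth_challenge(MYREALM, "0");
        exit;
    }

    # Authenticated: strip the credentials before forwarding so the next hop
    # never sees them (kept on REGISTER/PUBLISH, as in the stock route).
    if (!is_method("REGISTER|PUBLISH")) {
        consume_credentials();
    }

    # Same anti-relay rule as the stock route: an authenticated subscriber
    # using a non-local From URI may still only call local destinations.
    if (from_uri != myself && uri != myself) {
        sl_send_reply("403", "Not relaying");
        exit;
    }

#!else

    # authentication not enabled - do not relay at all to foreign networks
    if (uri != myself) {
        sl_send_reply("403", "Not relaying");
        exit;
    }

#!endif
    return;
}
```

The trade-off is the reason the stock route does not do this: every peer that must be able to send inbound calls without digest credentials (a carrier trunk, a federated proxy) now has to be in the permissions address table, otherwise its INVITEs get a 407; after adding such a peer, reload the table (kamcmd permissions.addressReload) rather than restarting. Gating the challenge on is_subscriber() for the From username, as Samy suggests, keeps federated inbound calls working, but a From with a username that is not in the subscriber table then still reaches the local user unchallenged, so it answers a different question than "challenge everything not on the IP whitelist".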