Thanks Samy for replying. I wanted that if the caller IP was not allowed, it should be asked for digest authentication. But the above default AUTH route only does that if from_uri is local. If someone sets a different URI in the From header, he will be able to bypass the security check. Correct me if I am wrong somewhere.
I know I can modify the route to get the expected request. But I just wanted to ask if setting #!define WITH_AUTH and #!define WITH_IPAUTH was not enough in the default configuration to make sure the caller is legitimate.

Br.
Aqs.

On 23 March 2018 at 23:54, SamyGo <govoi...@gmail.com> wrote:
> Hi Aqs,
> What seems to be the problem? Do you want this caller to be IP
> authenticated, digest authenticated or denied?
>
>
> On Fri, Mar 23, 2018 at 6:16 AM, Aqs Younas <aqsyou...@gmail.com> wrote:
>
>> Greetings list.
>>
>> I can see that I was able to bypass the default route[AUTH] if I send an
>> INVITE containing a from_uri which is not local but a request line containing
>> a local user.
>>
>> listen=udp:172.16.40.10:5060
>>
>> route[AUTH] {
>> #!ifdef WITH_AUTH
>> #!ifdef WITH_IPAUTH
>>     if((!is_method("REGISTER")) && allow_source_address()) {
>>         # source IP allowed
>>         return;
>>     }
>> #!endif
>>     if (is_method("REGISTER") || from_uri==myself) {
>>         # authenticate requests
>>         if (!auth_check("$fd", "subscriber", "1")) {
>>             auth_challenge("$fd", "0");
>>             exit;
>>         }
>>         # user authenticated - remove auth header
>>         if(!is_method("REGISTER|PUBLISH"))
>>             consume_credentials();
>>     }
>>     # if caller is not local subscriber, then check if it calls
>>     # a local destination, otherwise deny, not an open relay here
>>     if (from_uri!=myself && uri!=myself) {
>>         sl_send_reply("403","Not relaying");
>>         exit;
>>     }
>> #!else
>>     # authentication not enabled - do not relay at all to foreign networks
>>     if(uri!=myself) {
>>         sl_send_reply("403","Not relaying");
>>         exit;
>>     }
>> #!endif
>>     return;
>> }
>>
>> The INVITE below gets passed by the above auth route.
>>
>>
>> INVITE sip:60129879190@172.16.40.10 SIP/2.0
>> Via: SIP/2.0/UDP 139.5.177.91:5060;branch=z9hG4bK31edc7f4;rport
>> Max-Forwards: 70
>> From: <sip:0128888877@139.5.177.99>;tag=as2274e806
>> To: <sip:60129879190@172.16.40.10>
>> Contact: <sip:0128888877@139.5.177.91:5060>
>> Call-ID: 7b6d32bc6c679bb23eb248b955c0ac8b@139.5.177.91:5060
>> CSeq: 102 INVITE
>> User-Agent: FPBX-13.0.194.2(13.17.0)
>> Date: Fri, 23 Mar 2018 09:33:01 GMT
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO,
>> PUBLISH, MESSAGE
>> Supported: replaces, timer
>> Content-Type: application/sdp
>> Content-Length: 321
>>
>> v=0
>> o=root 237494576 237494576 IN IP4 139.5.177.99
>> s=Asterisk PBX 13.17.0
>> c=IN IP4 139.5.177.99
>> t=0 0
>> m=audio 15332 RTP/AVP 0 18 8 101
>> a=rtpmap:0 PCMU/8000
>> a=rtpmap:18 G729/8000
>> a=fmtp:18 annexb=no
>> a=rtpmap:8 PCMA/8000
>> a=rtpmap:101 telephone-event/8000
>> a=fmtp:101 0-16
>> a=ptime:20
>> a=maxptime:150
>> a=sendrecv
>>
>> From the INVITE and route[AUTH] I can see why it is being passed.
>>
>> But should it not by default authenticate every request if the IP address is
>> not allowed in the permissions module?
>>
>> Br,
>> Aqs.
_______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
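For a deployment that should digest-challenge every request not coming from an address in the permissions table, whatever the From URI says, here is one way to rewrite route[AUTH]; this is an added example, not code from the thread or from Kamailio's default configuration. It keeps only the functions already used in the route above and assumes a single local realm, taken here from the listen address 172.16.40.10 in the thread, while local callers and REGISTERs are still challenged against their own From domain as before.

```kamailio
# Assumption: the proxy serves one local domain; adjust to your own.
#!define LOCAL_REALM "172.16.40.10"

route[AUTH] {
#!ifdef WITH_AUTH
#!ifdef WITH_IPAUTH
	if((!is_method("REGISTER")) && allow_source_address()) {
		# source IP is in the permissions address table - trusted peer
		return;
	}
#!endif
	# Anything not from a trusted IP is challenged, whatever the From URI says.
	# Local callers and REGISTERs keep their own domain as realm (as in the
	# default route); requests with a foreign From URI are challenged against
	# the local realm so that a spoofed From header no longer skips auth.
	if (from_uri==myself) {
		$var(realm) = $fd;
	} else {
		$var(realm) = LOCAL_REALM;
	}
	if (!auth_check("$var(realm)", "subscriber", "1")) {
		auth_challenge("$var(realm)", "0");
		exit;
	}
	# user authenticated - remove auth header
	if(!is_method("REGISTER|PUBLISH"))
		consume_credentials();
	# even an authenticated caller may not use the proxy as an open relay
	if (from_uri!=myself && uri!=myself) {
		sl_send_reply("403","Not relaying");
		exit;
	}
#!else
	# authentication not enabled - do not relay at all to foreign networks
	if(uri!=myself) {
		sl_send_reply("403","Not relaying");
		exit;
	}
#!endif
	return;
}
```

With this variant, every trunk or peer that is allowed to deliver calls to local users without credentials has to be listed in the permissions address table, because an unauthenticated INVITE from any other source is answered with a 407 instead of being routed.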