On 7 March 2013 22:20, Paul Belanger <span dir="ltr"><<a href="mailto:paul.belanger@polybeacon.com" target="_blank">paul.belanger@polybeacon.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Greeting,<br>
<br>
Hopefully, I'm understanding the following default kamailio.cfg[1]<br>
file. Over the weekend, I was attached by SipVicious. Following<br>
along with the example Daniel[2] create with kamailio and asterisk, I<br>
have almost the same setup. Rather then storing my SIP profiles in<br>
Asterisk database, I have then in Kamailio.<br></blockquote><div><br></div><div>I also have a test installation originally based on Daniel's example and have come across the same issue. I also placed a stanza such as the one below into my [AUTH] route so that INVITES must be authenticated. Given that in this setup Asterisk is trusting any INVITES from Kamailio it seems like it should be there for sure.</div>
<div><br></div><div>However, I also found another issue on the Asterisk side related to this. I raised it on the Asterisk-users list but did not get any replies. Might be worth a read, and if anyone else here has any idea I would be grateful. Post is at <a href="http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html">http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html</a></div>
<div><br></div><div>Regards,</div><div><br></div><div>-Barry</div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
To my point, the attacker was actually able to by pass any sort of<br>
authentication, but simply sending an INIVTE message:<br>
<br>
./svmap.py -e 18885551234 <a href="http://kamailio.example.org" target="_blank">kamailio.example.org</a> -m INVITE<br>
<br>
Which kamailio, forwarded to Asterisk and because there is no<br>
additional auth within asterisk, was able to hit the asterisk context<br>
for getting processed (they did not get out to the real world).<br>
However, my question is.... why do we not authenticate INVITE<br>
messages? If my understanding is correct, if would require something<br>
like the following:<br>
<br>
if (is_method("INVITE")) {<br>
if (!proxy_authorize("$fd", "subscriber")) {<br>
proxy_challenge("$fd", "0");<br>
exit;<br>
}<br>
}<br>
<br>
If so, why not also do it in the default configuration file?<br>
<br>
[1] <a href="http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc/kamailio.cfg;hb=HEAD" target="_blank">http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc/kamailio.cfg;hb=HEAD</a><br>
[2] <a href="http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb" target="_blank">http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb</a><br>
<span class="HOEnZb"><font color="#888888">--<br>
Paul Belanger | PolyBeacon, Inc.<br>
Jabber: <a href="mailto:paul.belanger@polybeacon.com">paul.belanger@polybeacon.com</a> | IRC: pabelanger (Freenode)<br>
Github: <a href="https://github.com/pabelanger" target="_blank">https://github.com/pabelanger</a> | Twitter: <a href="https://twitter.com/pabelanger" target="_blank">https://twitter.com/pabelanger</a><br>
<br>
_______________________________________________<br>
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list<br>
<a href="mailto:sr-users@lists.sip-router.org">sr-users@lists.sip-router.org</a><br>
<a href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users" target="_blank">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a><br>
</font></span></blockquote></div><br>