On 7 March 2013 22:20, Paul Belanger <paul.belan...@polybeacon.com> wrote:
> Greeting,
>
> Hopefully, I'm understanding the following default kamailio.cfg[1]
> file. Over the weekend, I was attacked by SipVicious. Following
> along with the example Daniel[2] created with kamailio and asterisk, I
> have almost the same setup. Rather than storing my SIP profiles in
> the Asterisk database, I have them in Kamailio.

I also have a test installation originally based on Daniel's example and have come across the same issue. I also placed a stanza such as the one below into my [AUTH] route so that INVITEs must be authenticated. Given that in this setup Asterisk is trusting any INVITEs from Kamailio, it seems like it should be there for sure.

However, I also found another issue on the Asterisk side related to this. I raised it on the Asterisk-users list but did not get any replies. Might be worth a read, and if anyone else here has any idea I would be grateful. Post is at http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html

Regards,
-Barry

> To my point, the attacker was actually able to bypass any sort of
> authentication by simply sending an INVITE message:
>
> ./svmap.py -e 18885551234 kamailio.example.org -m INVITE
>
> Which kamailio forwarded to Asterisk and, because there is no
> additional auth within asterisk, was able to hit the asterisk context
> for getting processed (they did not get out to the real world).
> However, my question is.... why do we not authenticate INVITE
> messages? If my understanding is correct, it would require something
> like the following:
>
> if (is_method("INVITE")) {
>     if (!proxy_authorize("$fd", "subscriber")) {
>         proxy_challenge("$fd", "0");
>         exit;
>     }
> }
>
> If so, why not also do it in the default configuration file?
>
> [1] http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc/kamailio.cfg;hb=HEAD
> [2] http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
>
> --
> Paul Belanger | PolyBeacon, Inc.
> Jabber: paul.belan...@polybeacon.com | IRC: pabelanger (Freenode)
> Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger
_______________________________________________ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
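For reference, an added example (not code from this thread, from Daniel's article or from the default kamailio.cfg) of an AUTH route that challenges INVITEs the way Paul's stanza does while still letting calls that Asterisk itself originates through Kamailio pass; it uses the same auth/auth_db functions as the stanza above, and ASTERISK_IP is an assumed define for the address of the Asterisk box.

```cfg
#!define ASTERISK_IP "192.0.2.10"   # assumed address of the trusted Asterisk box

route[AUTH] {
    # Calls that Asterisk sends back through Kamailio (e.g. towards a
    # registered phone) carry no subscriber credentials; trust them by
    # source address only. Nothing else is exempt from authentication.
    if (src_ip == ASTERISK_IP) {
        return;
    }

    # REGISTER keeps the usual handling: challenge, then only accept a
    # binding for the account that actually authenticated.
    if (is_method("REGISTER")) {
        if (!auth_check("$fd", "subscriber", "1")) {
            auth_challenge("$fd", "0");
            exit;
        }
        if ($au != $tU) {
            sl_send_reply("403", "Forbidden auth ID");
            exit;
        }
        return;
    }

    # Every INVITE from anywhere else is challenged before it can be
    # relayed to Asterisk, which trusts whatever Kamailio forwards.
    if (is_method("INVITE")) {
        if (!proxy_authorize("$fd", "subscriber")) {
            proxy_challenge("$fd", "0");
            exit;
        }
        # The authenticated username must match the From user, so one
        # account cannot place calls under another account's identity.
        if ($au != $fU) {
            sl_send_reply("403", "Forbidden auth ID");
            exit;
        }
        # The credentials were meant for this proxy; strip them before
        # the request goes on to Asterisk.
        consume_credentials();
    }
    return;
}
```

The route is meant to be called from the request route before the INVITE is dispatched to Asterisk, as in the default config's `route(AUTH)` call.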