Hi!

I was just testing the digest replay possibilities against Kamailio.
(findings: http://www.kamailio.org/wiki/tutorials/security/kamailio-security#digest_authentication)

It looks like by default (the typical default configs), a SIP replay attack can be done during 300 seconds (?).

Now I tried the code snippet from the auth module:
http://kamailio.org/docs/modules/4.1.x/modules/auth.html#auth.p.nonce_count

But my setup can't seem to find the digest_challenge. I did read somewhere digest_challenge has been taken out of the codebase. Is the documentation out of sync, or am I really having a facepalm moment?

Btw, I'm on 4.2.

Grtz,
Davy

On 29 Jan 2014, at 12:37, davy van de moere <davy.van.de.mo...@gmail.com> wrote:

> I started the pages, to be found:
>
> http://www.kamailio.org/wiki/tutorials/security/security-threats
> http://www.kamailio.org/wiki/tutorials/security/kamailio-security
>
> They are a long way from being complete, but it's a start, feel free to
> modify/correct/add content!
>
>
> 2013-12-18 davy <davy.van.de.mo...@gmail.com>
> ACK
>
> :)
>
> On 18 Dec 2013, at 15:30, Daniel-Constantin Mierla <mico...@gmail.com>
> wrote:
>
> > Hello,
> >
> > On 18/12/13 10:53, davy wrote:
> >> Cool, I'll spend some time this weekend to have a first stake in the
> >> ground on the wiki!
> >
> > great! Just use namespaces when creating new pages, to have a good
> > structure of the wiki. It can be something under tutorials, such as:
> >
> > tutorials:security:TITLE
> >
> > where TITLE can be what you consider more appropriate, such as 'how-to',
> > 'remarks' or whatsoever...
> >
> > Cheers,
> > Daniel
> >>
> >> It's better to have our security measures being checked by peers than by
> >> hackers ;)
> >>
> >>
> >>
> >> On 18 Dec 2013, at 09:33, Daniel-Constantin Mierla
> >> <mico...@gmail.com> wrote:
> >>
> >>> Hello,
> >>>
> >>> On 17/12/13 17:27, davy wrote:
> >>>> Hi all,
> >>>>
> >>>> we all enjoy our FAIL2BAN and snippets of our Kamailio config when we
> >>>> see it successfully fight off the "friendly-scanner", and multiple
> >>>> futile attempts to fool our systems. But it got me thinking…
> >>>>
> >>>> What is a sufficient level of security on our Kamailio machinery…? Are
> >>>> we all just doing whatever, or is it the nature of the beast that every
> >>>> setup is different?
> >>> Indeed, Kamailio being more like a framework, a lot of deployments are
> >>> different, even when targeting the same features. In some cases, dictionary
> >>> attacks don't apply (e.g., carriers interconnect when traffic is allowed
> >>> by IP address).
> >>>> Eventually, while having a beer, we will end up in the discussion that
> >>>> Kamailio is as good as (and even much better than) most of the commercially
> >>>> available SBCs. But, imho, that all depends on the configuration.
> >>>>
> >>>> There are a few good reads available, and on the security front I
> >>>> personally love Pike, Topoh, Dnssec, Htable and recently I think I'm
> >>>> doing rather clever stuff with CNXCC… And I do feel comfortable on my
> >>>> setups, they won't be hacked…
> >>>>
> >>>> But do we have a sort of stake-in-the-ground example configuration
> >>>> which we can consider as being more than sufficiently secure? Some
> >>>> config where we can tick off all the known security risks for SIP (as
> >>>> chapter 26 of rfc3261 gives a state of the art back in 2002)? Or would
> >>>> that be a nice idea for a micro project?
> >>> It would be good to create a page (or group of pages) in
> >>> kamailio.org/wiki to approach security considerations. Besides the well
> >>> known situations and solutions for attacks, it happens quite often to see
> >>> new types of attacks, so adding notes there along with hints on how to
> >>> solve them with Kamailio would be very useful for everybody.
> >>>
> >>> Long time ago I made a wiki tutorial on my company site:
> >>> - http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack
> >>>
> >>> I don't mind it being cloned and improved (well, I guess some parts could be
> >>> trimmed as they might not be relevant in general and some need to be updated
> >>> for the latest version).
> >>>
> >>> There are many types of attacks not mentioned there, that can be
> >>> highlighted for everyone to pay attention to, e.g.:
> >>> - nonce replay (use one time nonce with auth module)
> >>> - proper handling of route headers to avoid preset route headers in
> >>> initial invite (is done in the default config file, but pointing at it
> >>> makes people be more careful and not miss it when building new configs)
> >>>
> >>> Overall, yes, security is a very useful topic, hopefully there will be
> >>> enough people willing to spend some time and share information.
> >>>
> >>> Cheers,
> >>> Daniel
> >>> -
> >>>
> >>> --
> >>> Daniel-Constantin Mierla - http://www.asipto.com
> >>> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
> >>>
> >
> > --
> > Daniel-Constantin Mierla - http://www.asipto.com
> > http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
> >
> >
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
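The replay window and the nonce-count / one-time-nonce mitigation discussed in the thread, as an added Python illustration that is not Kamailio code and not the auth module's implementation (the real parameters are the ones in the auth module documentation linked above). The server issues a stateless nonce that carries its creation time and a keyed tag, accepts it for 300 seconds (the window Davy measured), tracks the highest nonce-count (nc) accepted per nonce, and answers "replay" when a (nonce, nc) pair is presented again, "stale" when the nonce has expired or was not issued by this server, and "bad-credentials" when the Digest response does not match. The nonce format, the TTL, the secret, the user "alice", realm "sip.example.test" and the password are constructed assumptions for the demo.

```python
import hashlib
import hmac

# Added illustration of server-side Digest nonce handling; not Kamailio code.
# Constructed assumptions: nonce format, TTL and the secret below.
NONCE_TTL = 300                      # seconds a challenge stays valid (the 300 s window from the thread)
SERVER_SECRET = b"demo-only-secret"  # constructed; a real server uses a random per-instance secret


def md5hex(s: str) -> str:
    """MD5 hex digest as used by RFC 2617 Digest (SIP uses MD5 by default)."""
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(now: float) -> str:
    """Stateless nonce: creation time plus a keyed tag, so the server can later
    verify that it issued the nonce, and how old it is, without storing it."""
    ts = str(int(now))
    tag = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{ts}:{tag}"


def nonce_is_valid(nonce: str, now: float) -> bool:
    """True if the nonce carries a genuine tag and is no older than NONCE_TTL."""
    ts, sep, tag = nonce.partition(":")
    if not sep or not ts.isdigit():
        return False
    expected = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(tag, expected):
        return False
    age = now - int(ts)
    return 0 <= age <= NONCE_TTL


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth; both the client and the server compute this."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side: validates a request and remembers the highest nc accepted per nonce."""

    def __init__(self):
        self.highest_nc = {}  # nonce -> highest nonce-count accepted so far

    def verify(self, creds: dict, password: str, method: str, now: float) -> str:
        nonce = creds["nonce"]
        if not nonce_is_valid(nonce, now):
            return "stale"        # expired or forged nonce: send a fresh challenge
        nc = int(creds["nc"], 16)
        if nc <= self.highest_nc.get(nonce, 0):
            return "replay"       # this (nonce, nc) was already consumed
        expected = digest_response(creds["username"], creds["realm"], password, method,
                                   creds["uri"], nonce, creds["nc"], creds["cnonce"], creds["qop"])
        if not hmac.compare_digest(expected, creds["response"]):
            return "bad-credentials"  # nc is recorded only for genuine requests
        self.highest_nc[nonce] = nc
        return "ok"


def build_request(nonce: str, nc: str, password: str = "s3cret") -> dict:
    """Client side for the demo: constructed REGISTER credentials for user 'alice'."""
    creds = {"username": "alice", "realm": "sip.example.test", "uri": "sip:sip.example.test",
             "nonce": nonce, "nc": nc, "cnonce": "0a4f113b", "qop": "auth"}
    creds["response"] = digest_response(creds["username"], creds["realm"], password, "REGISTER",
                                        creds["uri"], nonce, nc, creds["cnonce"], creds["qop"])
    return creds


def demo(start: float = 1_700_000_000.0) -> list:
    """Four requests against one challenge: fresh, replayed, next nc, and after the TTL."""
    v = DigestVerifier()
    nonce = make_nonce(start)
    return [
        v.verify(build_request(nonce, "00000001"), "s3cret", "REGISTER", start + 1),
        v.verify(build_request(nonce, "00000001"), "s3cret", "REGISTER", start + 2),   # replayed
        v.verify(build_request(nonce, "00000002"), "s3cret", "REGISTER", start + 3),
        v.verify(build_request(nonce, "00000003"), "s3cret", "REGISTER", start + NONCE_TTL + 100),
    ]


if __name__ == "__main__":
    print(demo())  # ['ok', 'replay', 'ok', 'stale']
```

The per-nonce table here is a single-process dict; in a multi-process SIP proxy it has to be shared between workers and bounded in size, which is the bookkeeping the auth module's nonce_count option exists to handle, per the documentation linked in the question. Note that the nc is only recorded after the response has been verified, so an unauthenticated sender cannot burn nonce-counts for a legitimate client.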