On Wednesday 18 March 2015 08:32:10 canuck15 wrote:
> I can run a cron job every hour to DNS lookup and update the ip_addr
> table as needed so I think this is a satisfactory solution for IP
> authentication.

Is there a mechanism to identify all originating servers for a hostname/domain? If the answer is no (and AFAIK it is) then this solution doesn't work.

I used this in the past: a subscriber has a userpref with an ip/port combo. But this isn't an answer for subaccounts on trunks (unless you can get the sender to actually use different ports). 3 is the whitelist for IP addresses on record. I abandoned this due to too many problems with trunks; they just have to authenticate or go elsewhere. BTW only for tcp since udp sources can be spoofed. I guess the best way is to use tls with certificate verification (good luck getting the trunks to implement this :)

    route[AUTHENTICATE] {
        # IP authentication: non-REGISTER requests over TCP whose source
        # address is in permissions group 3
        if(!is_method("REGISTER") && allow_address("3", "$si", "$sp") && $proto=="tcp") {
            # look up the subscriber whose ip_authentication pref matches the source
            if(!avp_db_query("select username from usr_preferences where attribute='ip_authentication' and domain='$td' and (value='$si:$sp' or value like '$si:%') order by length(value) limit 1")) {
                xlog("L_ALERT","ACL: $rm from $fu (IP:$si:$sp)\n");
                sl_send_reply("403", "Not Allowed by AUTHENTICATE ACL");
                exit;
            }
            # avp_db_query() stores the first result column in $avp(i:1)
            $avp(au)=$avp(i:1);
        } else {
            # everything else has to pass digest authentication
            if (!www_authenticate("$td", "subscriber")) {
                xlog("L_ALERT","AUTHENTICATE: $rm from $fu to $tu (IP: $si:$sp)\n");
                www_challenge("$td", "1");
                exit;
            }
            $avp(au)=$au;
            consume_credentials();
        }
    }
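The subaccounts-on-a-trunk case mentioned above, as an added example that is not part of the original message: it runs the same predicate as the avp_db_query() call against an in-memory SQLite table and lists which usernames it accepts for a given source. The table rows, the example.test domain, the helper names and the username tie-breaker in the ORDER BY are assumptions made for the demonstration; SQLite stands in for the database Kamailio would use.

```python
import sqlite3

# Constructed sample data: two subaccounts behind one trunk IP (192.0.2.10)
# and one unrelated subscriber. Column names follow the query in the message.
ROWS = [
    ("alice", "example.test", "ip_authentication", "192.0.2.10:5060"),
    ("bob",   "example.test", "ip_authentication", "192.0.2.10:5062"),
    ("carol", "example.test", "ip_authentication", "198.51.100.7:5060"),
]

# Same predicate and length ordering as the posted query, with bound
# parameters in place of $td/$si/$sp. The username tie-breaker is an
# addition (assumption) so that this demo is deterministic.
QUERY = """
    SELECT username FROM usr_preferences
    WHERE attribute = 'ip_authentication' AND domain = :td
      AND (value = (:si || ':' || :sp) OR value LIKE (:si || ':%'))
    ORDER BY length(value), username
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usr_preferences "
                 "(username TEXT, domain TEXT, attribute TEXT, value TEXT)")
    conn.executemany("INSERT INTO usr_preferences VALUES (?, ?, ?, ?)", ROWS)
    return conn

def candidates(conn, td, si, sp):
    """All usernames the predicate accepts for this source, in query order."""
    cur = conn.execute(QUERY, {"td": td, "si": si, "sp": str(sp)})
    return [row[0] for row in cur]

def authenticated_as(conn, td, si, sp):
    """Emulates 'limit 1': the identity the request would get, or None."""
    found = candidates(conn, td, si, sp)
    return found[0] if found else None

if __name__ == "__main__":
    db = make_db()
    # 40812 is a constructed ephemeral TCP source port
    for port in (5060, 5062, 40812):
        print(port, candidates(db, "example.test", "192.0.2.10", port),
              "->", authenticated_as(db, "example.test", "192.0.2.10", port))
```

Because `value like '$si:%'` accepts every row stored for the source IP, both subaccounts are candidates whatever the source port is, and `limit 1` picks among values of equal length in whatever order the database returns them.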