On Wednesday 18 March 2015 08:32:10 canuck15 wrote:
I can run a cron job every hour to DNS lookup and update the ip_addr table as needed so I think this is a satisfactory solution for IP authentication.
Is there a mechanism to identify all originating servers for a hostname/domain? If the answer is no (and AFAIK it is) then this solution doesn't work.
I used this in the past, a subscriber has a userpref with ip/port combo. But this isn't an answer for subaccounts on trunks (unless you can get the sender to actually use different ports). 3 is the whitelist for ip addresses on record. I abandoned this due to too many problems with trunks, they just have to authenticate or go elsewhere.
BTW only for tcp since udp sources can be spoofed. I guess the best way is to use tls with certificate verification (good luck getting the trunks to implement this :)
route[AUTHENTICATE]
{
    # IP-based authentication only for sources already listed in address
    # group 3 (allow_address) and only over TCP, since UDP sources can be spoofed.
    if (!is_method("REGISTER") && allow_address("3", "$si", "$sp") && $proto == "tcp")
    {
        # Find the subscriber whose ip_authentication preference matches this
        # source ip:port exactly, or this source ip with any port.
        # $td is taken from the To header (caller supplied), so it is escaped
        # before being interpolated into the SQL.
        if (!avp_db_query("select username from usr_preferences where attribute='ip_authentication' and domain='$(td{s.escape.common})' and (value='$si:$sp' or value like '$si:%') order by length(value) limit 1"))
        {
            xlog("L_ALERT", "ACL: $rm from $fu (IP:$si:$sp)\n");
            sl_send_reply("403", "Not Allowed by AUTHENTICATE ACL");
            exit;
        }
        $avp(au) = $avp(i:1);
    }
    else
    {
        # Everyone else must pass digest authentication against the subscriber table.
        if (!www_authenticate("$td", "subscriber")) {
            xlog("L_ALERT", "AUTHENTICATE: $rm from $fu to $tu (IP:$si:$sp)\n");
            www_challenge("$td", "1");
            exit;
        }
        $avp(au) = $au;
        consume_credentials();
    }
}
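The decision the posted route makes (TCP only, then the usr_preferences lookup by source ip:port), rewritten as an added Python example so it can be exercised offline; this is not the poster's code. The usr_preferences rows and addresses are constructed, sqlite stands in for the real database, and the query is the posted one with bound parameters instead of interpolated pseudo-variables.

```python
import sqlite3

# Constructed sample of the usr_preferences rows the posted route queries.
# A value ending in ":" is the "any port from this IP" form the LIKE clause matches.
SAMPLE_PREFS = [
    ("alice",  "example.org",   "ip_authentication", "198.51.100.10:5060"),
    ("trunk1", "example.org",   "ip_authentication", "203.0.113.7:"),
    ("bob",    "other.example", "ip_authentication", "198.51.100.10:5060"),
]


def build_db():
    """In-memory stand-in for the proxy's usr_preferences table."""
    db = sqlite3.connect(":memory:")
    db.execute("create table usr_preferences "
               "(username text, domain text, attribute text, value text)")
    db.executemany("insert into usr_preferences values (?, ?, ?, ?)", SAMPLE_PREFS)
    return db


def ip_auth_lookup(db, to_domain, src_ip, src_port, proto):
    """Return the username the route would put in $avp(au), or None for a 403.

    Mirrors the posted route: UDP is refused outright (source can be spoofed),
    then the same SELECT runs with the To-domain bound as a parameter so a
    caller-supplied domain is only ever compared as a literal string.
    """
    if proto != "tcp":
        return None
    if any(c in src_ip for c in "%_"):      # LIKE metacharacters never belong in an IP
        return None
    row = db.execute(
        "select username from usr_preferences "
        "where attribute = 'ip_authentication' and domain = ? "
        "and (value = ? or value like ?) order by length(value) limit 1",
        (to_domain, f"{src_ip}:{src_port}", f"{src_ip}:%"),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print(ip_auth_lookup(db, "example.org", "198.51.100.10", 5060, "tcp"))  # alice
    print(ip_auth_lookup(db, "example.org", "198.51.100.10", 5060, "udp"))  # None
```

Note that `value like '<ip>:%'` also matches an exact `ip:port` row from any source port, so as written the port in a stored ip/port combo does not actually restrict the match.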