Yeah, so that's a sample script and definitely needs add-on functions to enable what you're expecting it to do. I believe in the past (or maybe in OpenSIPS, I'm not certain) it used to have the function db_check_from() / check_from() to validate the user in the DB and, if so, then engage in AUTH. Check the URI_DB module. You can also use this function, is_subscriber("$fU","subscriber",3), to ensure authentication is engaged for everyone.

On Fri, Mar 23, 2018 at 3:54 PM, Aqs Younas <aqsyounas@gmail.com> wrote:

Thanks Samy for replying. I wanted that if the caller IP was not allowed it should be asked for digest authentication. But the above default AUTH route only does that if from_uri is local. If someone sets a different URI in the From header he will be able to bypass the security check. Correct me if I am wrong somewhere. I know I can modify the route to get the expected request.
But I just wanted to ask if setting #!define WITH_AUTH and #!define WITH_IPAUTH was not enough in the default configuration to make sure the caller is legitimate.

Br. Aqs.

On 23 March 2018 at 23:54, SamyGo <govoiper@gmail.com> wrote:

Hi Aqs,
What seems to be the problem! Do you want this caller to be IP authenticated, digest authenticated or denied!?

On Fri, Mar 23, 2018 at 6:16 AM, Aqs Younas <aqsyounas@gmail.com> wrote:

Greetings list.
I can see that I was able to bypass the default route[AUTH] if I send an INVITE containing a from_uri which is not local but a request line containing a local user.

listen=udp:172.16.40.10:5060
route[AUTH] {
#!ifdef WITH_AUTH

#!ifdef WITH_IPAUTH
	if((!is_method("REGISTER")) && allow_source_address()) {
		# source IP allowed
		return;
	}
#!endif

	if (is_method("REGISTER") || from_uri==myself) {
		# authenticate requests
		if (!auth_check("$fd", "subscriber", "1")) {
			auth_challenge("$fd", "0");
			exit;
		}
		# user authenticated - remove auth header
		if(!is_method("REGISTER|PUBLISH"))
			consume_credentials();
	}

	# if caller is not local subscriber, then check if it calls
	# a local destination, otherwise deny, not an open relay here
	if (from_uri!=myself && uri!=myself) {
		sl_send_reply("403","Not relaying");
		exit;
	}

#!else

	# authentication not enabled - do not relay at all to foreign networks
	if(uri!=myself) {
		sl_send_reply("403","Not relaying");
		exit;
	}

#!endif
	return;
}
The INVITE below gets passed by the above auth route.

INVITE sip:60129879190@172.16.40.10 SIP/2.0
Via: SIP/2.0/UDP 139.5.177.91:5060;branch=z9hG4bK31edc7f4;rport
Max-Forwards: 70
From: <sip:0128888877@139.5.177.99>;tag=as2274e806
Contact: <sip:0128888877@139.5.177.91:5060>
CSeq: 102 INVITE
User-Agent: FPBX-13.0.194.2(13.17.0)
Date: Fri, 23 Mar 2018 09:33:01 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 321

v=0
o=root 237494576 237494576 IN IP4 139.5.177.99
s=Asterisk PBX 13.17.0
c=IN IP4 139.5.177.99
t=0 0
m=audio 15332 RTP/AVP 0 18 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

From the INVITE and route[AUTH] I can see why it is being passed.
But shouldn't it by default authenticate every request if the IP address is not allowed in the permissions module?

Br, Aqs.
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
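A hardened variant of the route[AUTH] quoted in this thread, written so that the From domain no longer decides whether digest authentication is required: once a request has not been admitted by allow_source_address(), it is challenged whatever the From header says, so the foreign-From/local-RURI INVITE above would get a 407 instead of being relayed. This is an added example, not code from the thread or from the Kamailio default configuration; it uses only the module functions already present in the quoted route, and the AUTH_REALM value is a placeholder you would replace with your own SIP domain.

```cfg
# Placeholder realm for the digest challenge; set it to your local SIP domain.
# Using a fixed realm instead of "$fd" means a caller cannot pick the realm
# by putting an arbitrary domain in the From header.
#!define AUTH_REALM "sip.example.com"

route[AUTH] {
#!ifdef WITH_AUTH

#!ifdef WITH_IPAUTH
	# Trusted source address (permissions module address table): no digest needed.
	if((!is_method("REGISTER")) && allow_source_address()) {
		return;
	}
#!endif

	# Not from a trusted address: require digest credentials on every request.
	# The stock route only challenges when from_uri==myself, and the From
	# header is under the caller's control; here the condition is removed so
	# a foreign From with a local Request-URI is challenged as well.
	if (!auth_check(AUTH_REALM, "subscriber", "1")) {
		auth_challenge(AUTH_REALM, "0");
		exit;
	}

	# user authenticated - remove auth header
	if(!is_method("REGISTER|PUBLISH"))
		consume_credentials();

	# Still not an open relay: an authenticated caller must either be a
	# local identity or be calling a local destination.
	if (from_uri!=myself && uri!=myself) {
		sl_send_reply("403","Not relaying");
		exit;
	}

#!else

	# authentication not enabled - do not relay at all to foreign networks
	if(uri!=myself) {
		sl_send_reply("403","Not relaying");
		exit;
	}

#!endif
	return;
}
```

The trade-off is that this also refuses unauthenticated inbound calls from other SIP domains, which the stock configuration deliberately lets through (from_uri!=myself with uri==myself is relayed without a challenge). If you need to accept calls from peer systems or carriers, add their addresses to the permissions address table so allow_source_address() admits them, rather than trusting the From domain.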