11 Apr
2018
11 Apr
'18
11:27 a.m.
Hello,
route[AUTH] allows calls from non-local users (from other sip servers)
to local users. The R-URI has the public IP address, so it is considered
to be for a local user.
If you do not want to allow non-local users to call your users, just do
auth_check() for all non-trusted traffic.
Cheers,
Daniel
On 11.04.18 17:15, Володимир Іванець wrote:
Hello all!
I'm using Kamailio 5.1.0 on my testing machine. Configuration includes
slightly modified AUTH route
from http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb
route[AUTH] {
xlog("L_DBG", "== TRACE. AUTH\n");
# if caller is not local subscriber, then check if it calls
# a local destination, otherwise deny, not an open relay here
if (from_uri!=myself && uri!=myself) {
xlog("L_DBG", "== TRACE. AUTH. Not relaying. Exiting.\n");
sl_send_reply("403","Not relaying");
exit;
}
if(isflagset(TRUSTEDIP)) {
xlog("== TRACE. AUTH. TRUSTEDIP. Returning.\n");
return;
}
if (is_method("REGISTER") || from_uri==myself) {
xlog("L_DBG", "== TRACE. AUTH. Method REGISTER\n");
# authenticate requests
if (!auth_check("$fd", "sipusers", "1")) {
auth_challenge("$fd", "0");
xlog("L_DBG", "== TRACE. AUTH. Exiting.\n");
exit;
}
# user authenticated - remove auth header
if(!is_method("REGISTER|PUBLISH")) {
xlog("L_DBG", "== TRACE. AUTH. Method is not
REGISTER|PUBLISH\n");
consume_credentials();
}
}
xlog("L_DBG", "== TRACE. AUTH. Returning.\n");
return;
}
I opened port UDP/5060 to everyone today and started receiving some
SIP requests. Most INVITEs were stopped by *auth_challenge* but then I
received this one:
2018/04/11 16:32:44.385689 38.91.106.211:5069
<http://38.91.106.211:5069> -> 172.16.30.205:5060
INVITE sip:100@MY_PUB_IP_ADDRESS SIP/2.0
v: SIP/2.0/UDP 38.91.106.211:5060;branch=z9hG4bK-929181129;rport
Content-Length: 0
f: "pbx"<sip:100@1.1.1.1
<mailto:sip%3A100@1.1.1.1>>;tag=3535306165633930313363340131373533363938373235
i: 757925348661465531074812
m: sip:100@38.91.106.211:5069 <http://sip:100@38.91.106.211:5069>
Accept: application/sdp
CSeq: 1 INVITE
t: "pbx"<sip:100@1.1.1.1 <mailto:sip%3A100@1.1.1.1>>
Max-Forwards: 70
... and it came through AUTH route. Below are two fragments of
Kamailio log:
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<script>: == TRACE. INVITE From: sip:100@1.1.1.1
<mailto:sip%3A100@1.1.1.1> (IP:38.91.106.211:5069
<http://38.91.106.211:5069>)
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<script>: == TRACE. To: sip:100@1.1.1.1
<mailto:sip%3A100@1.1.1.1>
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: pv
[pv_core.c:1286]: pv_get_dsturi(): no destination URI
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<script>: == TRACE. Destination URI : <null>
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<script>: == TRACE. SIP Request header : sip:100@MY_PUB_IP_ADDRESS
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/parser/msg_parser.c:89]: get_hdr_field(): found end
of header
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: pv
[pv_core.c:966]: pv_get_useragent(): no User-Agent header
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<script>: == TRACE. User Agent header : <null>
****************************************************************************************************
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<script>: == TRACE. request_route ==> AUTH
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<script>: == TRACE. AUTH
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/socket_info.c:564]: grep_sock_info(): checking if
host==us: 7==9 && [1.1.1.1] == [127.0.0.1]
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/socket_info.c:567]: grep_sock_info(): checking if
port 5060 (advertise 0) matches port 5060
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/socket_info.c:564]: grep_sock_info(): checking if
host==us: 7==13 && [1.1.1.1] == [172.16.30.205]
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/socket_info.c:567]: grep_sock_info(): checking if
port 5060 (advertise 0) matches port 5060
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/socket_info.c:564]: grep_sock_info(): checking if
host==us: 7==9 && [1.1.1.1] == [127.0.0.1]
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/socket_info.c:567]: grep_sock_info(): checking if
port 8088 (advertise 0) matches port 5060
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/forward.c:412]: check_self(): host != me
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/socket_info.c:564]: grep_sock_info(): checking if
host==us: 7==9 && [1.1.1.1] == [127.0.0.1]
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/socket_info.c:567]: grep_sock_info(): checking if
port 5060 (advertise 0) matches port 5060
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/socket_info.c:564]: grep_sock_info(): checking if
host==us: 7==13 && [1.1.1.1] == [172.16.30.205]
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/socket_info.c:567]: grep_sock_info(): checking if
port 5060 (advertise 0) matches port 5060
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/socket_info.c:564]: grep_sock_info(): checking if
host==us: 7==9 && [1.1.1.1] == [127.0.0.1]
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/socket_info.c:567]: grep_sock_info(): checking if
port 8088 (advertise 0) matches port 5060
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/forward.c:412]: check_self(): host != me
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/socket_info.c:564]: grep_sock_info(): checking if
host==us: 13==9 && [ MY_PUB_IP_ADDRESS ] == [127.0.0.1]
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/socket_info.c:567]: grep_sock_info(): checking if
port 5060 (advertise 0) matches port 5060
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/socket_info.c:564]: grep_sock_info(): checking if
host==us: 13==13 && [ MY_PUB_IP_ADDRESS ] == [172.16.30.205]
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/socket_info.c:567]: grep_sock_info(): checking if
port 5060 (advertise 0) matches port 5060
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/socket_info.c:564]: grep_sock_info(): checking if
host==us: 13==9 && [ MY_PUB_IP_ADDRESS ] == [127.0.0.1]
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<core> [core/socket_info.c:567]: grep_sock_info(): checking if
port 8088 (advertise 0) matches port 5060
Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
<script>: == TRACE. AUTH. Returning.
As you can see all tests failed to catch this INVITE request and
Kamailio continued processing it. And I'm now wondering what would be
the best way to identify such packet.
Thanks.
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - April 16-18, 2018, Berlin - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com