Hello,

route[AUTH] allows calls from non-local users (from other sip servers) to local users. The R-URI has the public IP address, so it is considered to be for a local user.

If you do not want to allow non-local users to call your users, just do auth_check() for all non-trusted traffic.

Cheers,
Daniel

Hello all!

I'm using Kamailio 5.1.0 on my testing machine. Configuration includes slightly modified AUTH route from http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb

route[AUTH] {

  xlog("L_DBG", "== TRACE. AUTH\n");

  # if caller is not local subscriber, then check if it calls

  # a local destination, otherwise deny, not an open relay here

  if (from_uri!=myself && uri!=myself) {

    xlog("L_DBG", "== TRACE. AUTH. Not relaying. Exiting.\n");

    sl_send_reply("403","Not relaying");

    exit;

  }

  if(isflagset(TRUSTEDIP)) {

    xlog("== TRACE. AUTH. TRUSTEDIP. Returning.\n");

    return;

  }

  if (is_method("REGISTER") || from_uri==myself) {

    xlog("L_DBG", "== TRACE. AUTH. Method REGISTER\n");

    # authenticate requests

    if (!auth_check("$fd", "sipusers", "1")) {

      auth_challenge("$fd", "0");

      xlog("L_DBG", "== TRACE. AUTH. Exiting.\n");

      exit;

    }

    # user authenticated - remove auth header

    if(!is_method("REGISTER|PUBLISH")) {

      xlog("L_DBG", "== TRACE. AUTH. Method is not REGISTER|PUBLISH\n");

      consume_credentials();

    }

  }

  xlog("L_DBG", "== TRACE. AUTH. Returning.\n");

  return;

}

I opened port UDP/5060 to everyone today and started receiving some SIP requests. Most INVITEs were stopped by auth_challenge but then I received this one:

2018/04/11 16:32:44.385689 38.91.106.211:5069 -> 172.16.30.205:5060

INVITE sip:100@MY_PUB_IP_ADDRESS SIP/2.0

v: SIP/2.0/UDP 38.91.106.211:5060;branch=z9hG4bK-929181129;rport

Content-Length: 0

f: "pbx"<sip:100@1.1.1.1>;tag=3535306165633930313363340131373533363938373235

i: 757925348661465531074812

m: sip:100@38.91.106.211:5069

Accept: application/sdp

CSeq: 1 INVITE

t: "pbx"<sip:100@1.1.1.1>

Max-Forwards: 70

... and it came through AUTH route. Below are two fragments of Kamailio log:

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. INVITE From: sip:100@1.1.1.1 (IP:38.91.106.211:5069)

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE.       To: sip:100@1.1.1.1

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: pv [pv_core.c:1286]: pv_get_dsturi(): no destination URI

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE.    Destination URI : <null>

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. SIP Request header : sip:100@MY_PUB_IP_ADDRESS

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/parser/msg_parser.c:89]: get_hdr_field(): found end of header

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: pv [pv_core.c:966]: pv_get_useragent(): no User-Agent header

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE.  User Agent header : <null>

****************************************************************************************************

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. request_route ==> AUTH

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. AUTH

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==9 && [1.1.1.1] == [127.0.0.1]

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==13 && [1.1.1.1] == [172.16.30.205]

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==9 && [1.1.1.1] == [127.0.0.1]

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 8088 (advertise 0) matches port 5060

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/forward.c:412]: check_self(): host != me

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==9 && [1.1.1.1] == [127.0.0.1]

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==13 && [1.1.1.1] == [172.16.30.205]

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 7==9 && [1.1.1.1] == [127.0.0.1]

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 8088 (advertise 0) matches port 5060

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/forward.c:412]: check_self(): host != me

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 13==9 && [ MY_PUB_IP_ADDRESS ] == [127.0.0.1]

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 13==13 && [ MY_PUB_IP_ADDRESS ] == [172.16.30.205]

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 5060 (advertise 0) matches port 5060

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:564]: grep_sock_info(): checking if host==us: 13==9 && [ MY_PUB_IP_ADDRESS ] == [127.0.0.1]

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <core> [core/socket_info.c:567]: grep_sock_info(): checking if port 8088 (advertise 0) matches port 5060

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: <script>: == TRACE. AUTH. Returning.

As you can see all tests failed to catch this INVITE request and Kamailio continued processing it. And I'm now wondering what would be the best way to identify such packet.

Thanks.

_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - April 16-18, 2018, Berlin - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com