On Wed, 28 Jul 2004, Bogdan-Andrei IANCU wrote:
zolia@z1sys.com wrote:
hello,
is it possible to do source ip authentication besides normal www_authorize() for every user account?. This, as i understand, should prevent from intercepting credentials and later faking sip message to bypass www_authorization ?
this doesn't work. for each authentication challenge, ser generates an noun that is kept into memory for a short period of time. So, this kind of exploit is very limited - only if somebody trys in real time to do it and in very narrow time window.
yes probably, is would work only in real time, ie. to write some small proxy, which rewrites authorization header putting in in parallel sniffed encrypted password. Its a bit harder..
IP checking doesn't help you - they can be also spoof. Plus, against what address you check when the user register for the first time? or if
What do you mean by "first time"? If there are only one IP from which UA requests MUST originate, then it should be possible to check it.
the user use multiple client in the same time?
This would not be possible in our scenario.
Antanas
bogdan
Or maybe there are some other counter measures against such fraud?
Does src_ip comes directly from ip layer? If so, i could probably use this to check with some external database (ie. ser subscriber)?
Antanas NTT
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers