10 Apr
2006
10 Apr
'06
4:38 p.m.
Is there a way anyone can readily think of to check to see if someone using
our open proxy is calling through with a From header that attempts to fool the
recipient into thinking the call is validly from one of our users?
Scenario is this...
While looking at the logs this morning, I noticed someone was calling a
SIPPhone user through our proxy with a From: address that LOOKED like it was a
user of ours, but using a username that doesn't actually exist.
I'm wondering if there's anyway to check if someone is calling through us with
a From: address that looks like one of our users, but isn't.
N.
10 Apr
10 Apr
4:40 p.m.
check_from() ?
2006/4/10, sip <sip(a)arcdiv.com>om>:
Is there a way anyone can readily think of to check to
see if someone using
our open proxy is calling through with a From header that attempts to fool the
recipient into thinking the call is validly from one of our users?
Scenario is this...
While looking at the logs this morning, I noticed someone was calling a
SIPPhone user through our proxy with a From: address that LOOKED like it was a
user of ours, but using a username that doesn't actually exist.
I'm wondering if there's anyway to check if someone is calling through us with
a From: address that looks like one of our users, but isn't.
N.
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
5:25 p.m.
I was under the impression check_from gathered its data from credentials
(requiring a proxy authorize)...
Still, though, documentation on it being what it is (i.e. a line saying simply
"Check From username against URI table or digest credentials." ), how would I
use it to check if a user isn't in the URI table but is pretending to be?
Couch it in a Search?
Like:
if(search("^From:.*@my.domain.com"))
{
if(!check_from())
{
error and exit
};
};
?
N.
On Mon, 10 Apr 2006 16:40:58 +0200, samuel wrote
check_from() ?
2006/4/10, sip <sip(a)arcdiv.com>om>:
> Is there a way anyone can readily think of to check to see if someone using
> our open proxy is calling through with a From header that attempts to fool the
> recipient into thinking the call is validly from one of our users?
>
> Scenario is this...
>
> While looking at the logs this morning, I noticed someone was calling a
> SIPPhone user through our proxy with a From: address that LOOKED like it was a
> user of ours, but using a username that doesn't actually exist.
>
> I'm wondering if there's anyway to check if someone is calling through us
with
> a From: address that looks like one of our users, but isn't.
>
> N.
>
> _______________________________________________
> Serusers mailing list
> serusers(a)lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
>
7:53 p.m.
Okay... that clearly didn't work. As I expected, it requires me to do a proxy
authorize before doing the check_from in order to get the credentials. The
problem is, this is an open proxy, so I don't WANT people to have to authorize
before calling through. I just want some way of making sure they ARE a valid
user if they claim to be.
Am I going to have to do a search("^From:.*@my.domain.com")) and then
proxy_authorise and check from... essentially only authenticating users who
claim to be from my system?
I'll give it a shot. Seems kind of backward, though.
N.
On Mon, 10 Apr 2006 11:25:27 -0400, sip wrote
I was under the impression check_from gathered its
data from credentials
(requiring a proxy authorize)...
Still, though, documentation on it being what it is (i.e. a line
saying simply "Check From username against URI table or digest
credentials." ), how would I use it to check if a user isn't in the
URI table but is pretending to be? Couch it in a Search?
Like:
if(search("^From:.*@my.domain.com"))
{
if(!check_from())
{
error and exit
};
};
?
N.
On Mon, 10 Apr 2006 16:40:58 +0200, samuel wrote
> check_from() ?
> 2006/4/10, sip <sip(a)arcdiv.com>om>:
> > Is there a way anyone can readily think of to check to see if someone using
> > our open proxy is calling through with a From header that attempts to
fool the
> > recipient into thinking the call is validly
from one of our users?
> >
> > Scenario is this...
> >
> > While looking at the logs this morning, I noticed someone was calling a
> > SIPPhone user through our proxy with a From: address that LOOKED like it
was a
> > user of ours, but using a username that
doesn't actually exist.
> >
> > I'm wondering if there's anyway to check if someone is calling through
us with
> a From:
address that looks like one of our users, but isn't.
>
> N.
>
> _______________________________________________
> Serusers mailing list
> serusers(a)lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
>
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers 
7:59 p.m.
sip writes:
Am I going to have to do a
search("^From:.*@my.domain.com")) and then
proxy_authorise and check from... essentially only authenticating users who
claim to be from my system?
there is even a function to check if from host is local to your proxy.
I'll give it a shot. Seems kind of backward,
though.
another option is to use pki certificates that both UAs can verify, but
i haven't seen those implemented in UAs.
-- juha
8:21 p.m.
Well... my hack seems to work. I'll see if I managed to break anything,
though. It shouldn't affect reinvites or require using trusted tables as other
machines aren't going to claim they're local users.
The Snom phones will use PKI certs if you want. But I can't guarantee all our
users will want to buy one. ;)
I'm less interested in checking if the host is local to the proxy, though as,
again, we're an open proxy. I just want to avoid bob(a)ourdomain.com (a
non-existent user) using the ourdomain.com proxy to send calls through, having
it trace back to us and causing problems.
N.
On Mon, 10 Apr 2006 20:59:14 +0300, Juha Heinanen wrote
sip writes:
Am I going to have to do a
search("^From:.*@my.domain.com")) and then
proxy_authorise and check from... essentially only authenticating
users who >
claim to be from my system?
there is even a function to check if from host is local to your proxy.
I'll give it a shot. Seems kind of backward,
though.
another option is to use pki certificates that both UAs can verify, but
i haven't seen those implemented in UAs.
-- juha 
11:46 p.m.
I do not understand why you do not authenticate the users.
Using existinguser(a)ourdomain.com is at least as bad as
nonexistinguser(a)ourdomain.com.
You also have to check that some persons do not misuse existing accounts.
I would never allow any local user to use my SIP proxy without
authentication. (Of course incoming calls are allowed without
authentication).
Allowing outgoing calls without authentication (authentication implies
that only local users are allowed to use the proxy) is a bad thing (the
same like open mail relays.)
regards
klaus
On Mon, April 10, 2006 20:21, sip said:
Well... my hack seems to work. I'll see if I
managed to break anything,
though. It shouldn't affect reinvites or require using trusted tables as
other
machines aren't going to claim they're local users.
The Snom phones will use PKI certs if you want. But I can't guarantee all
our
users will want to buy one. ;)
I'm less interested in checking if the host is local to the proxy, though
as,
again, we're an open proxy. I just want to avoid bob(a)ourdomain.com (a
non-existent user) using the ourdomain.com proxy to send calls through,
having
it trace back to us and causing problems.
N.
On Mon, 10 Apr 2006 20:59:14 +0300, Juha Heinanen wrote
sip writes:
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
Am I going to have to do a
search("^From:.*@my.domain.com")) and then
proxy_authorise and check from... essentially only authenticating
users who >
claim to be from my system?
there is even a function to check if from host is local to your proxy.
I'll give it a shot. Seems kind of backward,
though.
another option is to use pki certificates that both UAs can verify, but
i haven't seen those implemented in UAs.
-- juha
11 Apr
11 Apr
12:57 a.m.
It was originally for use with some of our internal UAs which don't handle
authentication properly.... and I was simply too lazy to set up the
authentication with trust tables.
I know. Slackness coming back to bite me in the ass. But it's fixed now.
N.
On Mon, 10 Apr 2006 23:46:30 +0200 (CEST), Klaus Darilion wrote
I do not understand why you do not authenticate the
users.
Using existinguser(a)ourdomain.com is at least as bad as
nonexistinguser(a)ourdomain.com.
You also have to check that some persons do not misuse existing accounts.
I would never allow any local user to use my SIP proxy without
authentication. (Of course incoming calls are allowed without
authentication).
Allowing outgoing calls without authentication (authentication
implies that only local users are allowed to use the proxy) is a bad
thing (the same like open mail relays.)
regards
klaus
On Mon, April 10, 2006 20:21, sip said:
> Well... my hack seems to work. I'll see if I managed to break anything,
> though. It shouldn't affect reinvites or require using trusted tables as
> other
> machines aren't going to claim they're local users.
>
> The Snom phones will use PKI certs if you want. But I can't guarantee all
> our
> users will want to buy one. ;)
>
> I'm less interested in checking if the host is local to the proxy, though
> as,
> again, we're an open proxy. I just want to avoid bob(a)ourdomain.com (a
> non-existent user) using the ourdomain.com proxy to send calls through,
> having
> it trace back to us and causing problems.
>
> N.
>
> On Mon, 10 Apr 2006 20:59:14 +0300, Juha Heinanen wrote
>> sip writes:
>>
>> > Am I going to have to do a search("^From:.*@my.domain.com")) and
then
>> > proxy_authorise and check from... essentially only authenticating
>> users who > claim to be from my system?
>>
>> there is even a function to check if from host is local to your proxy.
>>
>> > I'll give it a shot. Seems kind of backward, though.
>>
>> another option is to use pki certificates that both UAs can verify, but
>> i haven't seen those implemented in UAs.
>>
>> -- juha
>
> _______________________________________________
> Serusers mailing list
> serusers(a)lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
>
6811
days inactive
6811
days old
7 comments
4 participants
participants (4)
-
jh@tutpro.com -
Klaus Darilion -
samuel -
sip