Is there a way anyone can readily think of to check to see if someone using our open proxy is calling through with a From header that attempts to fool the recipient into thinking the call is validly from one of our users?
Scenario is this...
While looking at the logs this morning, I noticed someone was calling a SIPPhone user through our proxy with a From: address that LOOKED like it was a user of ours, but using a username that doesn't actually exist.
I'm wondering if there's any way to check if someone is calling through us with a From: address that looks like one of our users, but isn't.
N.
check_from() ?
2006/4/10, sip sip@arcdiv.com:
> Is there a way anyone can readily think of to check to see if someone using our open proxy is calling through with a From header that attempts to fool the recipient into thinking the call is validly from one of our users?
> Scenario is this...
> While looking at the logs this morning, I noticed someone was calling a SIPPhone user through our proxy with a From: address that LOOKED like it was a user of ours, but using a username that doesn't actually exist.
> I'm wondering if there's any way to check if someone is calling through us with a From: address that looks like one of our users, but isn't.
> N.
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
I was under the impression check_from gathered its data from credentials (requiring a proxy authorize)...
Still, though, documentation on it being what it is (i.e. a line saying simply "Check From username against URI table or digest credentials."), how would I use it to check if a user isn't in the URI table but is pretending to be? Couch it in a Search?
Like:
if (search("^From:.*@my.domain.com")) {
    if (!check_from()) {
        error and exit
    };
};
?
N.
On Mon, 10 Apr 2006 16:40:58 +0200, samuel wrote
> check_from() ?
Okay... that clearly didn't work. As I expected, it requires me to do a proxy authorize before doing the check_from in order to get the credentials. The problem is, this is an open proxy, so I don't WANT people to have to authorize before calling through. I just want some way of making sure they ARE a valid user if they claim to be.
Am I going to have to do a search("^From:.*@my.domain.com") and then proxy_authorise and check from... essentially only authenticating users who claim to be from my system?
I'll give it a shot. Seems kind of backward, though.
N.
On Mon, 10 Apr 2006 11:25:27 -0400, sip wrote
> I was under the impression check_from gathered its data from credentials (requiring a proxy authorize)...
> Still, though, documentation on it being what it is (i.e. a line saying simply "Check From username against URI table or digest credentials."), how would I use it to check if a user isn't in the URI table but is pretending to be? Couch it in a Search?
> Like:
> if (search("^From:.*@my.domain.com")) {
>     if (!check_from()) {
>         error and exit
>     };
> };
> ?
> N.
sip writes:
> Am I going to have to do a search("^From:.*@my.domain.com") and then proxy_authorise and check from... essentially only authenticating users who claim to be from my system?
there is even a function to check if from host is local to your proxy.
> I'll give it a shot. Seems kind of backward, though.
another option is to use pki certificates that both UAs can verify, but i haven't seen those implemented in UAs.
-- juha
Well... my hack seems to work. I'll see if I managed to break anything, though. It shouldn't affect reinvites or require using trusted tables as other machines aren't going to claim they're local users.
The Snom phones will use PKI certs if you want. But I can't guarantee all our users will want to buy one. ;)
I'm less interested in checking if the host is local to the proxy, though as, again, we're an open proxy. I just want to avoid bob@ourdomain.com (a non-existent user) using the ourdomain.com proxy to send calls through, having it trace back to us and causing problems.
N.
On Mon, 10 Apr 2006 20:59:14 +0300, Juha Heinanen wrote
> sip writes:
> > Am I going to have to do a search("^From:.*@my.domain.com") and then proxy_authorise and check from... essentially only authenticating users who claim to be from my system?
> there is even a function to check if from host is local to your proxy.
> > I'll give it a shot. Seems kind of backward, though.
> another option is to use pki certificates that both UAs can verify, but i haven't seen those implemented in UAs.
> -- juha
I do not understand why you do not authenticate the users.
Using existinguser@ourdomain.com is at least as bad as nonexistinguser@ourdomain.com.
You also have to check that some persons do not misuse existing accounts.
I would never allow any local user to use my SIP proxy without authentication. (Of course incoming calls are allowed without authentication).
Allowing outgoing calls without authentication (authentication implies that only local users are allowed to use the proxy) is a bad thing (the same as open mail relays).
regards
klaus
On Mon, April 10, 2006 20:21, sip said:
> Well... my hack seems to work. I'll see if I managed to break anything, though. It shouldn't affect reinvites or require using trusted tables as other machines aren't going to claim they're local users.
> The Snom phones will use PKI certs if you want. But I can't guarantee all our users will want to buy one. ;)
> I'm less interested in checking if the host is local to the proxy, though as, again, we're an open proxy. I just want to avoid bob@ourdomain.com (a non-existent user) using the ourdomain.com proxy to send calls through, having it trace back to us and causing problems.
> N.
It was originally for use with some of our internal UAs which don't handle authentication properly.... and I was simply too lazy to set up the authentication with trust tables.
I know. Slackness coming back to bite me in the ass. But it's fixed now.
N.
On Mon, 10 Apr 2006 23:46:30 +0200 (CEST), Klaus Darilion wrote
> I do not understand why you do not authenticate the users.
> Using existinguser@ourdomain.com is at least as bad as nonexistinguser@ourdomain.com.
> You also have to check that some persons do not misuse existing accounts.
> I would never allow any local user to use my SIP proxy without authentication. (Of course incoming calls are allowed without authentication).
> Allowing outgoing calls without authentication (authentication implies that only local users are allowed to use the proxy) is a bad thing (the same as open mail relays).
> regards
> klaus
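The policy the thread arrives at (a request whose From claims a local user must authenticate, and the From user must match the credentials), sketched as an offline audit over captured requests, including header forms that the search() pattern quoted above does not parse. This is an added example, not code from any poster or from SER: the subscriber names, sample messages and helper names (from_uri, verdict, req) are constructed, and my.domain.com is the placeholder domain used in the thread.

```python
import re

LOCAL_DOMAINS = {"my.domain.com"}   # placeholder domain used in the thread
SUBSCRIBERS = {"alice", "carol"}    # constructed subscriber list (assumption)

NAIVE = re.compile(r"^From:.*@my.domain.com", re.M)   # the thread's search() pattern
FROM_RE = re.compile(r"^(?:From|f)[ \t]*:(.*)$", re.I | re.M)  # long or compact form
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')              # quoted display name
URI_RE = re.compile(r"sips?:(?:([^@;>\s]+)@)?([^:;>?\s]+)", re.I)
AUTH_RE = re.compile(r'^Proxy-Authorization[ \t]*:.*?\busername="([^"]*)"', re.I | re.M)

def from_uri(msg):
    """Return (user, host) of the From URI, host lower-cased; (None, None) if absent."""
    hdr = FROM_RE.search(msg)
    if not hdr:
        return None, None
    value = QUOTED.sub("", hdr.group(1))     # a display name may contain any text
    angle = re.search(r"<([^>]*)>", value)
    uri = URI_RE.search(angle.group(1) if angle else value)
    return (uri.group(1), uri.group(2).lower()) if uri else (None, None)

def verdict(msg):
    """Classify one request the way the thread's policy would treat it."""
    user, host = from_uri(msg)
    if host not in LOCAL_DOMAINS:
        return "foreign"         # does not claim to be ours: relayed as before
    if user not in SUBSCRIBERS:
        return "unknown-user"    # the case noticed in the logs
    auth = AUTH_RE.search(msg)
    if not auth:
        return "challenge"       # claims a real user: proxy must ask for digest auth
    # Header presence only; the proxy itself verifies the digest response.
    return "ok" if auth.group(1) == user else "mismatch"

def req(*headers):
    """Build a constructed INVITE with the given header lines."""
    return "\r\n".join(("INVITE sip:callee@sipphone.example SIP/2.0",) + headers) + "\r\n\r\n"

SAMPLES = {  # constructed messages, not taken from the thread's logs
    "spoof": req('From: "Bob" <sip:bob@my.domain.com>;tag=1'),
    "compact": req("f: <sip:bob@MY.DOMAIN.COM>;tag=2"),
    "lookalike": req("From: <sip:bob@my.domain.com.example.net>;tag=3"),
    "no-auth": req("From: <sip:alice@my.domain.com>;tag=4"),
    "mismatch": req("From: <sip:alice@my.domain.com>;tag=5",
                    'Proxy-Authorization: Digest username="carol", realm="my.domain.com"'),
}

if __name__ == "__main__":
    for name, m in SAMPLES.items():
        print(f"{name:10} naive={bool(NAIVE.search(m))!s:5} verdict={verdict(m)}")
```

The "challenge" verdict corresponds to the point where the proxy would ask for credentials before relaying; "mismatch" is the condition check_from() is described as testing once credentials are present.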