Hi,
I realized someone is able to make calls and register to my SIP proxy while he/she is not in the subscriber table.
I couldn't find his/her username in the subscriber table, but I was able to see him/her in the location table. I am able to see he/she made 10 calls from my SIP proxy.
Does anyone have an idea what I have done wrong? I have included the authentication part of the code here.
if (uri==myself) {
    if (method=="REGISTER") {
        # Uncomment this if you want to use digest authentication
        if (!www_authorize("x.x.x.x", "subscriber")) {
            www_challenge("x.x.x.x", "0");
            exit;
        };
        consume_credentials();
        save("location");
        exit;
    };

    if (method=="INVITE") {
        if (!proxy_authorize("","subscriber")) {
            proxy_challenge("x.x.x.x","0");
            exit;
        }
        consume_credentials();
    };

    lookup("aliases");
    if (!uri==myself) {
        append_hf("P-hint: outbound alias\r\n");
        route(1);
    };
Your config looks ok to me but it will allow someone with a valid digest username/password combination to register *any* AOR SIP URI. One method to avoid that is to use check_to() from the uri_db module.
Similarly you can use check_from() to make sure that endpoints use a SIP From header that exists in the subscriber table.
SIP digest credentials are independent from the SIP URIs used, allowing e.g. third-party registration. That means I could add a registration for your AOR SIP URI. But obviously this also introduces a risk for misuse.
I've added check_to() and check_from() to your config.
- Christian
# -- uri_db params --
modparam("uri_db", "db_url", "mysql://M4_DB_RWUSER:M4_DB_RWPWD@localhost/M4_DB_NAME")
modparam("uri_db", "subscriber_table", "subscriber")
modparam("uri_db", "use_uri_table", 0)   # use subscriber table
modparam("uri_db", "use_domain", 0)      # only check username (no multi-domain support)

if (uri==myself) {
    if (method=="REGISTER") {
        # Uncomment this if you want to use digest authentication
        if (!www_authorize("x.x.x.x", "subscriber")) {
            www_challenge("x.x.x.x", "0");
            exit;
        };
        if (!check_to()) {
            sl_send_reply("401", "Unauthorized");
            exit;
        }
        consume_credentials();
        save("location");
        exit;
    };

    if (method=="INVITE") {
        if (!proxy_authorize("","subscriber")) {
            proxy_challenge("x.x.x.x","0");
            exit;
        }
        if (!check_from()) {
            sl_send_reply("403", "Use From=ID");
            exit;
        }
        consume_credentials();
    };

    lookup("aliases");
    if (!uri==myself) {
        append_hf("P-hint: outbound alias\r\n");
        route(1);
    };
Hi Christian,
Thank you for pointing that out. I found that the person is one of my users, but he put a username in X-Lite different from the auth username. That is why I see a different number, and your solution fixed the issue!
Thanks a lot.
Regards, Howard
On 1/18/07, Christian Schlatter cs@unc.edu wrote:
Hi Howard,
Also take note that registration and making calls are two different things. First of all, registration is not required for placing calls - an unregistered user may dial. Also, even if you authenticate the registrations, you should also authenticate the calls originated by your users.
regards, bogdan
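The binding step that check_to() and check_from() add to Christian's config, and that Bogdan's point about authenticating INVITEs on their own relies on, as an added Python example (not OpenSER code and not from this thread): it assumes www_authorize()/proxy_authorize() already verified the digest response, and the subscriber set, hostnames and SIP messages are constructed for the example.

```python
import re
# Constructed stand-in for the proxy's "subscriber" table. The example assumes
# www_authorize()/proxy_authorize() already verified the digest response and
# shows only the identity-binding step those calls leave to check_to/check_from.
SUBSCRIBERS = {"1001", "1002"}
_URI_USER = re.compile(r"sips?:([^@:;>]+)@")
_AUTH_USER = re.compile(r'username="([^"]*)"')

def header(msg, name):
    """Value of the first header called `name` (case-insensitive), or None."""
    for line in msg.split("\r\n")[1:]:          # [0] is the request line
        k, _, v = line.partition(":")
        if k.strip().lower() == name.lower():
            return v.strip()
    return None

def uri_user(value):
    """User part of the SIP URI inside a header value, or None."""
    m = _URI_USER.search(value or "")
    return m.group(1) if m else None

def auth_user(msg):
    """Digest username from Authorization (REGISTER) or Proxy-Authorization."""
    v = header(msg, "Authorization") or header(msg, "Proxy-Authorization")
    m = _AUTH_USER.search(v or "")
    return m.group(1) if m else None

def check_identity(msg):
    """REGISTER: To user must equal the digest username (what check_to() does);
    INVITE: From user must equal the digest username (check_from()).
    Returns (accepted, reply), mirroring what the route script would send."""
    method = msg.split(" ", 1)[0]
    user = auth_user(msg)
    if user is None or user not in SUBSCRIBERS:
        return False, "401 Unauthorized"        # no (valid) credentials at all
    hdr = "To" if method == "REGISTER" else "From"
    claimed = uri_user(header(msg, hdr))
    if claimed != user:
        return False, f"403 {hdr} user {claimed!r} != auth user {user!r}"
    return True, "200 OK"

# Constructed messages, not from the thread. The INVITE reproduces the reported
# case: From username "2222" set in the softphone differs from digest user "1001".
REGISTER_OK = ("REGISTER sip:proxy.example.test SIP/2.0\r\n"
               "To: <sip:1001@proxy.example.test>\r\n"
               'Authorization: Digest username="1001", realm="proxy.example.test"\r\n')
REGISTER_3RD_PARTY = REGISTER_OK.replace("<sip:1001@", "<sip:1002@")  # To != auth user
INVITE_BAD_FROM = ("INVITE sip:1002@proxy.example.test SIP/2.0\r\n"
                   "From: <sip:2222@proxy.example.test>;tag=x\r\n"
                   'Proxy-Authorization: Digest username="1001", realm="proxy.example.test"\r\n')
```

Without the binding step, REGISTER_3RD_PARTY and INVITE_BAD_FROM both carry valid credentials for 1001 and would be accepted; with it, the first is refused as a third-party registration and the second as a call placed under a From identity that is not the authenticated user.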
Hi list!
I think it would be useful to use pseudo-variables in if statements, like: if ($fu=~"^sip:[0-9]{3}@") { do_something(); };
Is it possible? Maybe this should be a request for developers rather than for users...
regards, Stefano
Hello Stefano,
this is ongoing development and it will be in the next release.
For now, you can use avp_check(), which gives you the same functionality with the 're' operator: http://www.openser.org/docs/modules/1.1.x/avpops.html#AEN384
Cheers, Daniel
On 01/18/07 12:45, Stefano Capitanio wrote:
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users