Re: [SR-Users] Default AUTH route potential issue?

2018-04-11 Thread Daniel-Constantin Mierla
Hello,

route[AUTH] allows calls from non-local users (from other SIP servers)
to local users. The R-URI has the public IP address, so it is considered
to be for a local user.

If you do not want to allow non-local users to call your users, just do
auth_check() for all non-trusted traffic.

Cheers,
Daniel


On 11.04.18 17:15, Володимир Іванець wrote:
> Hello all!
>
> I'm using Kamailio 5.1.0 on my testing machine. Configuration includes
> slightly modified AUTH route
> from 
> http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb
>
> route[AUTH] {
>   xlog("L_DBG", "== TRACE. AUTH\n");
>
>   # if caller is not local subscriber, then check if it calls
>   # a local destination, otherwise deny, not an open relay here
>   if (from_uri!=myself && uri!=myself) {
>     xlog("L_DBG", "== TRACE. AUTH. Not relaying. Exiting.\n");
>     sl_send_reply("403","Not relaying");
>     exit;
>   }
>
>   if(isflagset(TRUSTEDIP)) {
>     xlog("== TRACE. AUTH. TRUSTEDIP. Returning.\n");
>     return;
>   }
>
>   if (is_method("REGISTER") || from_uri==myself) {
>     xlog("L_DBG", "== TRACE. AUTH. Method REGISTER\n");
>     # authenticate requests
>     if (!auth_check("$fd", "sipusers", "1")) {
>       auth_challenge("$fd", "0");
>       xlog("L_DBG", "== TRACE. AUTH. Exiting.\n");
>       exit;
>     }
>     # user authenticated - remove auth header
>     if(!is_method("REGISTER|PUBLISH")) {
>       xlog("L_DBG", "== TRACE. AUTH. Method is not REGISTER|PUBLISH\n");
>       consume_credentials();
>     }
>   }
>
>   xlog("L_DBG", "== TRACE. AUTH. Returning.\n");
>   return;
> }
>
> I opened port UDP/5060 to everyone today and started receiving some
> SIP requests. Most INVITEs were stopped by *auth_challenge* but then I
> received this one:
>
> 2018/04/11 16:32:44.385689 38.91.106.211:5069 -> 172.16.30.205:5060
>
> INVITE sip:100@MY_PUB_IP_ADDRESS SIP/2.0
> v: SIP/2.0/UDP 38.91.106.211:5060;branch=z9hG4bK-929181129;rport
> Content-Length: 0
> f: "pbx";tag=3535306165633930313363340131373533363938373235
> i: 757925348661465531074812
> m: sip:100@38.91.106.211:5069 
> Accept: application/sdp
> CSeq: 1 INVITE
> t: "pbx"
> Max-Forwards: 70
>
> ... and it came through AUTH route. Below are two fragments of
> Kamailio log:
>
> Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG:
> 
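
The suggestion above ("auth_check() for all non-trusted traffic") applied to the posted route, as an added example that is not part of the thread or of any Kamailio sample configuration. It assumes the same setup as the posted route (the TRUSTEDIP flag set earlier in request_route, subscriber table "sipusers") and that route[AUTH] is reached only for initial requests.

```kamailio
# Added example (not from the thread): route[AUTH] without the
# "from_uri==myself" condition, so every request that is not flagged
# TRUSTEDIP has to pass auth_check(), whatever its From domain.
route[AUTH] {
    xlog("L_DBG", "== TRACE. AUTH\n");

    # neither caller nor destination is local: not an open relay here
    if (from_uri!=myself && uri!=myself) {
        xlog("L_DBG", "== TRACE. AUTH. Not relaying. Exiting.\n");
        sl_send_reply("403","Not relaying");
        exit;
    }

    # peers flagged as trusted skip digest authentication
    if (isflagset(TRUSTEDIP)) {
        xlog("L_DBG", "== TRACE. AUTH. TRUSTEDIP. Returning.\n");
        return;
    }

    # The posted route authenticated only when
    #   is_method("REGISTER") || from_uri==myself
    # so an INVITE with a non-local From domain and a local R-URI
    # skipped this block and reached the final return unauthenticated.
    # Here the check is unconditional for non-trusted traffic.
    if (!auth_check("$fd", "sipusers", "1")) {
        auth_challenge("$fd", "0");
        xlog("L_DBG", "== TRACE. AUTH. Challenged. Exiting.\n");
        exit;
    }

    # user authenticated - remove auth header before relaying
    if (!is_method("REGISTER|PUBLISH")) {
        consume_credentials();
    }

    xlog("L_DBG", "== TRACE. AUTH. Returning.\n");
    return;
}
```

With this variant, calls from other SIP servers to local users are accepted only when the source has been flagged TRUSTEDIP.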

[SR-Users] Default AUTH route potential issue?

2018-04-11 Thread Володимир Іванець
Hello all!

I'm using Kamailio 5.1.0 on my testing machine. Configuration includes
slightly modified AUTH route from
http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb

route[AUTH] {
  xlog("L_DBG", "== TRACE. AUTH\n");

  # if caller is not local subscriber, then check if it calls
  # a local destination, otherwise deny, not an open relay here
  if (from_uri!=myself && uri!=myself) {
    xlog("L_DBG", "== TRACE. AUTH. Not relaying. Exiting.\n");
    sl_send_reply("403","Not relaying");
    exit;
  }

  if(isflagset(TRUSTEDIP)) {
    xlog("== TRACE. AUTH. TRUSTEDIP. Returning.\n");
    return;
  }

  if (is_method("REGISTER") || from_uri==myself) {
    xlog("L_DBG", "== TRACE. AUTH. Method REGISTER\n");
    # authenticate requests
    if (!auth_check("$fd", "sipusers", "1")) {
      auth_challenge("$fd", "0");
      xlog("L_DBG", "== TRACE. AUTH. Exiting.\n");
      exit;
    }
    # user authenticated - remove auth header
    if(!is_method("REGISTER|PUBLISH")) {
      xlog("L_DBG", "== TRACE. AUTH. Method is not REGISTER|PUBLISH\n");
      consume_credentials();
    }
  }

  xlog("L_DBG", "== TRACE. AUTH. Returning.\n");
  return;
}

I opened port UDP/5060 to everyone today and started receiving some SIP
requests. Most INVITEs were stopped by *auth_challenge* but then I received
this one:

2018/04/11 16:32:44.385689 38.91.106.211:5069 -> 172.16.30.205:5060

INVITE sip:100@MY_PUB_IP_ADDRESS SIP/2.0
v: SIP/2.0/UDP 38.91.106.211:5060;branch=z9hG4bK-929181129;rport
Content-Length: 0
f: "pbx";tag=3535306165633930313363340131373533363938373235
i: 757925348661465531074812
m: sip:100@38.91.106.211:5069
Accept: application/sdp
CSeq: 1 INVITE
t: "pbx"
Max-Forwards: 70

... and it came through AUTH route. Below are two fragments of Kamailio log:

Apr 11 16:32:44 kamailio-dev /usr/sbin/kamailio[31373]: DEBUG: