[OpenSER-Users] Security hole in REGISTER's Contact using domain
Neill Wilkinson
neill.wilkinson at btinternet.com
Fri Dec 14 11:21:09 CET 2007

Curve ball suggestion:
Surely just authenticate all register requests with www-challenge. Hide your
gateway and SER behind a firewall so your Gateway cannot be seen from the
outside world (from a SIP Signalling perspective), and for PSTN calls from
authenticated users do a rewritehost and forward to send the INVITEs on to
the PSTN gateway?
Neill....;o)
-----Original Message-----
From: users-bounces at lists.openser.org
[mailto:users-bounces at lists.openser.org] On Behalf Of Juha Heinanen
Sent: 14 December 2007 10:05
To: Iñaki Baz Castillo
Cc: users at lists.openser.org
Subject: Re: [OpenSER-Users] Security hole in REGISTER's Contact using domain
Iñaki Baz Castillo writes:
 > > 1) buy pstn gws that accept no hostnames (just its own ip address) in
 > >   the hostpart of r-uri.  example, cisco ios with later software
 > >   releases.
 > 
 > So really, isn't the solution just on the OpenSER registrar side??
this is a registrar solution.  you use the permissions module and don't accept
registrations where the ip address in the hostpart of contact belongs to your
gws.
 > > 2) forget the hostpart check all together and instead check the
 > >    userpart, where you have put something special that the gw then
 > >    removes.
 > 
 > So you mean for example:
 > 
 > register.deny:
 > --------------------
 >   ALL : "^sip:.*secret_word_.*@"
 > ----------------------
 > 
 > And later, in any call to PSTN OpenSer should add:
 > 
 >   $ru = "secret_word_" + $ru;
you can use lcr module to add the prefix.
 > so the uri arriving to the gw becomes:
 > 
 >   sip:secret_word_01666555444 at gw_ip_or_hostname
 > 
 > And the gw should just allow calls from OpenSer with uri username beginning
 > with  "secret_word_" and it should strip it.
that is correct, but the prefix does not need to be secret, just
something that doesn't normally appear in userparts.
 > Is this what you mean? anyway, a little complex, isn't it?  XDD
why do you think it is complex?  one row in register.deny and one strip
at the gateway.
-- juha
_______________________________________________
Users mailing list
Users at lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
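The two registrar-side checks Juha describes (reject a REGISTER whose Contact hostpart is one of your PSTN gateways, and reject a Contact whose userpart carries the prefix that only the proxy should add), together with the proxy-side prefixing and the gateway-side strip, as an added Python illustration. This is not OpenSER configuration or code from the thread; the gateway addresses, the `pstn_` prefix and the sample Contact headers are constructed placeholders, and the SIP URI parsing is deliberately simplified (first URI of the header, no parameter handling beyond what the checks need).

```python
import re
import ipaddress

# Constructed placeholders: the addresses (IP or hostname) of our PSTN gateways.
# In OpenSER this set would live in the permissions module's address table.
GATEWAY_HOSTS = {"192.0.2.10", "pstn-gw.example.net"}

# Reserved userpart prefix. As the thread notes, it need not be secret, only
# something that never appears in a legitimately registered userpart.
RESERVED_PREFIX = "pstn_"

# Equivalent of the register.deny rule:  ALL : "^sip:.*<prefix>.*@"
DENY_RE = re.compile(r"^sip:.*" + re.escape(RESERVED_PREFIX) + r".*@")

# Minimal SIP URI matcher: scheme, optional userpart, host (bracketed IPv6 allowed), optional port.
URI_RE = re.compile(
    r"^(?P<scheme>sips?):(?:(?P<user>[^@;>]+)@)?"
    r"(?P<host>\[[^\]]+\]|[^:;>?]+)(?::(?P<port>\d+))?"
)


def parse_contact(contact_header: str) -> dict:
    """Extract the first URI from a Contact header value (name-addr or addr-spec form)."""
    m = re.search(r"<([^>]+)>", contact_header)
    uri = m.group(1) if m else contact_header.split(";")[0].strip()
    um = URI_RE.match(uri)
    if not um:
        raise ValueError(f"unparseable Contact URI: {uri!r}")
    return {"uri": uri, "user": um.group("user") or "", "host": um.group("host")}


def host_is_gateway(host: str) -> bool:
    """True if the hostpart names one of our gateways, whether written as IP or hostname."""
    host = host.strip("[]").lower()
    try:
        return str(ipaddress.ip_address(host)) in GATEWAY_HOSTS  # normalises e.g. IPv6 spelling
    except ValueError:
        return host in GATEWAY_HOSTS


def check_register_contact(contact_header: str) -> tuple:
    """Registrar-side decision for one Contact: (accept?, reason)."""
    if contact_header.strip() == "*":
        return True, "wildcard unbind"          # Contact: * only removes bindings
    c = parse_contact(contact_header)
    if host_is_gateway(c["host"]):
        return False, f"contact host {c['host']} is a PSTN gateway"
    if DENY_RE.match(c["uri"]):
        return False, "contact userpart carries the reserved PSTN prefix"
    return True, "ok"


def add_pstn_prefix(request_uri: str) -> str:
    """Proxy side: prepend the prefix to the userpart of an authenticated PSTN call's R-URI."""
    um = URI_RE.match(request_uri)
    if not um or not um.group("user"):
        raise ValueError("request URI has no userpart to prefix")
    return (request_uri[:um.start("user")] + RESERVED_PREFIX
            + request_uri[um.start("user"):])


def gateway_strip_prefix(request_uri: str):
    """Gateway side: accept only R-URIs carrying the prefix and strip it; None means reject."""
    um = URI_RE.match(request_uri)
    user = um.group("user") if um else None
    if not user or not user.startswith(RESERVED_PREFIX):
        return None
    return (request_uri[:um.start("user")] + user[len(RESERVED_PREFIX):]
            + request_uri[um.end("user"):])


if __name__ == "__main__":
    # Constructed sample Contact headers, the first two being what the thread warns about.
    for hdr in ['<sip:alice@192.0.2.10>;expires=3600',
                'sip:alice@pstn-gw.example.net',
                '<sip:pstn_01666555444@203.0.113.5>',
                '"Alice" <sip:alice@203.0.113.5:5060>;expires=3600']:
        print(hdr, "->", check_register_contact(hdr))
    ru = add_pstn_prefix("sip:01666555444@pstn-gw.example.net")
    print(ru, "->", gateway_strip_prefix(ru))
```

The gateway check in `gateway_strip_prefix` is the second line of defence: even if a binding slipped past the registrar, a call reaching the gateway without the prefix is refused, which is what the thread's step 2 relies on.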