freeswitch authentication

3
votes

I am new to freeswitch world, I have been hacked somebody used my gateway and initialize a call from an unregistered user without any authentication , as i gues (after i test it by my self) , if i send an UDP invite packet to the freeswitch server using nc command in linux as the following: 

$ nc -u x.x.x.x 5060 < invite

invite file contain the following : 
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP x.x.x.x:5060
Max-Forwards: 70
To: Bob <sip:[email protected]>
From: Alice <sip:[email protected]>;tag=1928301774
Call-ID: [email protected]
CSeq: 314159 INVITE
Contact: <sip:[email protected]>
Content-Type: application/sdp
Content-Length: 142

v=0
o=ibc 1090098764 894503441 IN IP4 192.168.1.33
s=-
c=IN IP4 192.0.2.200
t=0 0
m=audio 33445 RTP/AVP 98 97 8 0 3 101
a=rtpmap:98 speex/16000
a=rtpmap:97 speex/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:3 GSM/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=zrtp

i found the following :
the user 101 is unregistred user and have no authintication header in the packet , even that the freeswitch allow the call through my gateway .

so is there any way to authinticate the caller username and password before originate the call through the gateway?

4
networkingsipvoipfreeswitch

4 Answers

3
votes

My first guess would be checking sofia.conf.xml look for 

<param name="accept-blind-auth" value="true"/>

Here you have more details on sip authentication in FS: http://wiki.freeswitch.org/wiki/Sofia_Configuration_Files#Auth

2
votes

In a vanilla (default example) config freeswitch have two SIP profiles. First, named internal, listening on port 5060 and there authentication of packets is required. Second SIP profile, named external, listening on port 5060 and there authentication is not required to do call throw it. Security of external profile must be provided by your dialplan. If it`s not, then hacker can talk to freeswitch with INVITE, which command to make freeswitch call throw your gateway and bridge it with initial call.

2
votes

i agree with @borik-bobrujskov , just expanding the same answer.

In sip_profiles/external.xml add the following options

<param name="auth-calls" value="true"/>
<param name="accept-blind-auth" value="false"/>
<param name="log-auth-failures" value="true"/>
<param name="auth-all-packets" value="true"/>

this will ensure that a proxy auth challenge like below is send back for every incoming sip request 

SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP x.x.x.x:5060;branch=z9hG4bK4d5f.11c7cfacce4d26c8fd1b01339c08b1dc.0
From: "1001"<sip:[email protected];transport=TCP>;tag=18aa565e
To: <sip:[email protected]:5080;pstn_inbound=;ignore_userinfo=>;tag=eX6m9Ktp48aaF
Call-ID: ZwRgsMB3luEHyKaM2vL9eQ..
CSeq: 1 INVITE
User-Agent: FreeSWITCH-mod_sofia/1.9.0-742-8f1b7e0~64bit
Accept: application/sdp
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY
Supported: timer, path, replaces
Allow-Events: talk, hold, conference, refer
Proxy-Authenticate: Digest realm="x.x.x.x", nonce="e797bde2-c7b5-47a7-ae95-931af57c9774", algorithm=MD5, qop="auth"
Content-Length: 0

It is not upto the UA to, reconstruct another INVITE ( with CSeq-2) with proxy Authorisation header containing digest , username , realm , nonce etc to resent to freeswitch server to authenticate and proceed with call

Proxy-Authorization: Digest username="aaa", realm="x.x.x.x", nonce="e797bde2-c7b5-47a7-ae95-931af57c9774", uri="sip:[email protected]:5080;pstn_inbound=;ignore_userinfo=", qop=auth, nc=00000001, cnonce="4060286812", response="cae451f24bbbcefeb7d01c13b070026a", algorithm=MD5
0
votes

if you use "param name="accept-blind-auth" value="true"" will gives you blind authentication.

without password authentication.