Ondo Sip has security problem
soylo
Posted: Sat Oct 02, 2010 7:58 am

1. Brekeke Product Name and version:
2.4.6.7

2. Java version:
1.5.0_12
3. OS type and the version:
Windows 2003
4. UA (phone), gateway or other hardware/software involved:

5. Select your network pattern from http://www.brekeke-sip.com/bbs/network/networkpatterns.html :

number 9

6. Your problem:
Our Ondo SIP server has REGISTER and INVITE authentication enabled and uses RadiusCat to manage user accounts.

REGISTER=ON
INVITE=ON
Auth-user=user in "To:" (Register) YES
Auth-user=user in "From:" YES

The calls go to VoIP Gateway.

Problems
1. A hacker could REGISTER an invalid user without it being registered in the database of RadiusCat v1.5.5, all this after an intensive flood attack.

2. A hacker could send calls using that invalid user.

This is the dial plan:
----------------------
Matching
$request=^INVITE
To=sip:([0-9]+)@

Deploy:
$session=com.sample.radius.proxy.RadiusAcct
$continue=true
-----------------------
Matching:
$request=^INVITE
To=sip:(519.{8})@

Deploy:
To=sip:%1@200.37.81.71
&net.sip.timeout.inviting=20000

Note: The public IP is changed intentionally.

Questions
1. How to set up the Ondo SIP to get more trust or be more secure?

2. Which is the dial plan to set up so that only registered users can make calls?

hope
Posted: Mon Oct 04, 2010 1:10 pm

Have you set the authentication parameters in the sv.properties file as in http://www.brekeke.com/support/radiuscat/support_radiuscat.php ?

If you remove the RADIUS setting and use the default authentication in Brekeke, does it work?

1. How to set up the Ondo SIP to get more trust or be more secure?
At SIP Server/Configuration/System, there is "Address Filtering".
You can define allowed or blocked IP addresses.

2. Which is the dial plan to set up so that only registered users can make calls?
Add the following to the dial plan matching pattern.
It will check if the sender is registered.

$registeredsender = true
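
The matching condition from the reply above, applied to the dial plan posted in the question, as an added example that is not part of either forum post. It assumes the condition is written as given in the reply; lines starting with # are annotations for the reader, not dial plan syntax.

```text
# Before (routing rule as posted): any INVITE whose To matches
# is forwarded to the gateway, whoever sent it.
Matching:
$request=^INVITE
To=sip:(519.{8})@

Deploy:
To=sip:%1@200.37.81.71
&net.sip.timeout.inviting=20000

# After: both rules also require a registered sender, so neither
# accounting nor gateway routing applies to an unregistered caller.
Matching:
$request=^INVITE
$registeredsender=true
To=sip:([0-9]+)@

Deploy:
$session=com.sample.radius.proxy.RadiusAcct
$continue=true

Matching:
$request=^INVITE
$registeredsender=true
To=sip:(519.{8})@

Deploy:
To=sip:%1@200.37.81.71
&net.sip.timeout.inviting=20000
```

The condition matters most on the second rule, since that is the one that sends the call to the gateway. Because the question reports an invalid user getting registered, this check only restricts calls once REGISTER authentication against RadiusCat is working as intended.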