[Freeswitch-users] Combine non-auth and auth calls on same profile security consideration.

Mimiko vbvbrj at gmail.com
Thu Jan 5 15:57:55 MSK 2017


On 04.01.2017 19:07, Anthony Minessale wrote:
>     My questions are:
>
>     1) Does this type of combination affect security?
>     2) How to impose all registered phones to make authenticated calls
>     always? So they will not go first thru public context and then to
>     default?
>
>
> It's a lot to go through for the vanity of not having to type 5080 once
> in a config box, but that's just my opinion ;)
>
> You can use the set_user app to make unauthenticated calls get the same
> data as authenticated calls would have on a specified exten.

Anthony, thank you for the suggestion.

Taking this public dialplan:

<context name="public">
  <extension name="unloop">
    <condition field="${unroll_loops}" expression="^true$"/>
    <condition field="${sip_looped_call}" expression="^true$">
      <action application="deflect" data="${destination_number}"/>
    </condition>
  </extension>
  <extension name="sip_nat_detected" continue="true">
    <condition field="${sip_nat_detected}" expression="^true$">
      <action application="set" inline="true" data="sip-force-contact=NDLB-connectile-dysfunction"/>
    </condition>
  </extension>
  <extension name="public_did">
    <condition field="destination_number" expression="^([5-8]\d\d)$">
      <action application="transfer" data="$1 XML default"/>
    </condition>
  </extension>
  <extension name="check_auth" continue="true">
    <condition field="${sip_authorized}" expression="^true$" break="never">
      <anti-action application="set" data="process_cdr=false"/>
      <anti-action application="respond" data="407"/>
    </condition>
  </extension>
</context>

Where should I put the set_user app? If I put it before the "check_auth"
extension, like:

<action application="set_user" data="${caller_id_number}@${domain}"/>

Then anyone calling from the internet could set their caller_id_number to
an internal one and act on behalf of some registered user to commit fraud.

Or maybe put, as the first extension in the public dialplan, something which
will check, based on caller_id_number, whether there is a registered user and
force it to make an authenticated call, like:

<extension name="check_user_registered">
  <condition field="${sofia_contact(${caller_id_number})}" expression="^error/" break="on-false">
    <anti-action application="set" data="process_cdr=false"/>
    <anti-action application="respond" data="407"/>
  </condition>
</extension>

PS: Yes, it's not too much to add :5080, but take callers that want to call
from a mobile via the internet using a SIP URI. Even I forget to add the
port number at the end. :)

-- 
Mimiko desu.
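
The identity question raised in this message, as an added Python model that is not part of the original post and is not FreeSWITCH code: it contrasts binding a user from caller_id_number ahead of the auth check with binding only what digest authentication proved. The names Invite, auth_username, REGISTERED and both functions are hypothetical, and the sample numbers are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Invite:
    caller_id_number: str                # taken from the From header, caller-controlled
    sip_authorized: bool                 # True only after a successful digest challenge
    auth_username: Optional[str] = None  # hypothetical: the user that passed digest auth


# Constructed sample data: users that currently hold a registration.
REGISTERED: Set[str] = {"501", "502"}

Decision = Tuple[str, Optional[str]]     # (context or SIP response, bound user)


def bind_before_auth(call: Invite) -> Decision:
    """Placement questioned in the post: set_user on caller_id_number before check_auth."""
    # The identity comes from an unverified header, so whoever sends "501" becomes 501.
    return ("default", call.caller_id_number)


def bind_after_auth(call: Invite, registered: Set[str] = REGISTERED) -> Decision:
    """Bind an identity only to what authentication proved; challenge claimed users."""
    if call.sip_authorized and call.auth_username:
        # Use the authenticated username, never the From header, as the acting user.
        return ("default", call.auth_username)
    if call.caller_id_number in registered:
        # Caller claims a registered user without proof: answer with a 407 challenge.
        return ("407", None)
    # Unknown or unregistered number: stays an anonymous public call, no user bound.
    return ("public", None)


if __name__ == "__main__":
    # Constructed calls: spoofed, authenticated, mismatched From, offline user, outside.
    samples = [
        Invite("501", False),
        Invite("501", True, "501"),
        Invite("501", True, "502"),
        Invite("503", False),
        Invite("0123456789", False),
    ]
    for call in samples:
        print(call, bind_before_auth(call), bind_after_auth(call))
```

In this model a number that is not currently registered (503 above) is not challenged, but it is also never given a user identity, so the registration lookup only decides who gets a 407, not who is trusted.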


