Someone else has an idea ? I think about how to implement this kind of filtering with functions included in SER 0.9.6, but I still in trouble.
Thanks.
Le jeudi 13 novembre 2008 à 16:44 +0100, inge a écrit :
Hi Alexandre,
Great workaround !!
Maybe I can use it with Redhat if the module is compiled with x86 architecture ?
What about the "flag" field in table description ?
Regards,
A. LEMOINE
Le mercredi 12 novembre 2008 à 20:59 +0300, Alexandre Snarskii a écrit :
On Wed, Nov 12, 2008 at 12:59:35PM +0100, inge wrote:
Hi all,
I look for a workaround to use a white list in addition of authentification proces, based on User-Agent (ie. for example : deny "Asterisk IPBX" permit "Cisco IPhone...")
There is (unofficial) check_ua module added as a patch in FreeBSD port, which works exactly as 'additional UA check'.
Setup is not too complicated: you must create and populate some table in your database. In my example, DB is postgresql, exact create/populate commands is the next:
CREATE TABLE check_ua ( rexx VARCHAR(256) NOT NULL UNIQUE, flag INTEGER NOT NULL DEFAULT(0) ); -- main goal is to disallow user-agents with invalid symbols: INSERT INTO check_ua VALUES('^[0-9A-Za-z/.() _-]{1,64}$',1); -- in your case it should be something like INSERT INTO check_ua VALUES('^Cisco IP Phone.*',1);
Then, add to global configuration:
loadmodule "/usr/local/lib/ser/modules/check_ua.so" modparam("check_ua", "db_url", "postgres://<username>:<password>@<host>/<db>") modparam("check_ua", "db_table", "check_ua")
and somewhere in route section:
if(!check_ua()) { xlog("L_ERR","Invalid UA DENIED: %fu, %is, %ua\n"); sl_send_reply("403", "Forbidden (Invalid UA)"); break; };Voila. Until your Asterisk users will not find correct User-Agent they must use in their sip.conf - it will work... :) In my case - protection against bad symbols - it works even with asterisk... :)
PS: not sure is that module can be found somewhere outside FreeBSD port, at least my google skills is not enough to ... However, both authors (Valentin Nechayev and Maxim Sobolev) read this list.
Serusers mailing list Serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers