Re: [Users] Unauthorized Calls - PLEASE HELP!

Thanks for the tips... I'll look at the sipwise config and probably do some tweeking to add more checks.

I am unfortunately stuck with UDP IP based authentication for the gateways right now. Are there any other checks I can do make this more secure?

- Daryl

On 3/28/07, klaus.mailinglists@pernau.at klaus.mailinglists@pernau.at wrote:

at first sight:

1. always use fix_nated_contact before save.
2. IP based authentication can be spoofed when using UDP, thus only use

with TCP 3. you have no checks in loose_route block. Take a look at the sipwise wizard and its security checks inside the loose_route block.

regards klaus

...

Hi Everyone,

I aparently have something in my openser.cfg that is allowing unauthorized calls to go through to our PSTN gateways. I have included my config below for review. I would appreciate any help understanding how this might be happening.

I am currently reviewing the CDRs from my PSTN gateways for clues as well. This is a pretty basic configuration with no NAT involved.

Regards, Daryl

route {

# -----------------------------------------------------------------
# Sanity Check Section
# -----------------------------------------------------------------
if (!mf_process_maxfwd_header("10")) {
    sl_send_reply("483", "Too Many Hops");
    exit;
};

if (msg:len > max_len) {
    sl_send_reply("513", "Message Overflow");
    exit;
};

if (method=="INVITE" || method=="ACK" || method=="BYE") {
    setflag(1);
};

if (method=="INVITE") {
    if (is_user_in("From","inactive")) {
        if (uri =~ "^sip:911@") {
            xlog("L_NOTICE", "[$Tf] R1: $ci -- Allowing 911

Emergency Call on Inactive User\n" ); } else { sl_send_reply("403", "Forbidden"); xlog("L_NOTICE", "[$Tf] R1: $ci -- User Inactive\n" ); return; }; }; };

# -----------------------------------------------------------------
# Record Route Section
# -----------------------------------------------------------------
if (method!="REGISTER") {
    record_route();
};

# -----------------------------------------------------------------
# Loose Route Section
# -----------------------------------------------------------------
if (loose_route()) {
        xlog( "L_NOTICE", "[$Tf] RR: $ci -- Loose Route $rm ($rd).\n"

); if (!t_relay()) { sl_reply_error(); }; return; };

# -----------------------------------------------------------------
# Call Type Processing Section
# -----------------------------------------------------------------
if (uri!=myself) {
    route(1);
    return;
};

if (method=="ACK") {
    route(1);
    return;
} else  if (method=="REGISTER") {
    route(2);
    return;
} else if (method=="INVITE") {
    route(3);
    return;
} else  if (method=="BYE" || method=="CANCEL") {
    t_relay();
    exit;
}

lookup("aliases");
if (uri!=myself) {
    route(1);
    return;
};

if (!lookup("location")) {
    sl_send_reply("404", "User Not Found");
    return;
};

route(1);

}

route[1] {

# -----------------------------------------------------------------
# Default Message Handler
# -----------------------------------------------------------------
t_on_reply("1");
t_on_failure("2");

if (!t_relay()) {
    sl_reply_error();
};

}

route[2] {

# -----------------------------------------------------------------
# REGISTER Message Handler
# -----------------------------------------------------------------
sl_send_reply("100", "Trying");

if (!www_authorize("","subscriber")) {
    www_challenge("","0");
    exit;
};
consume_credentials();

if (!save("location")) {
    sl_reply_error();
};

}

route[3] {

# -----------------------------------------------------------------
# INVITE Message Handler
# -----------------------------------------------------------------
# Trusted Provider IPs
if (!src_ip==x.x.x.x)&&(!src_ip==x.x.x.x)&&(!src_ip==x.x.x.x) {
    if (!proxy_authorize("","subscriber")) {
        proxy_challenge("","0");
        exit;
    };
    consume_credentials();
};
lookup("aliases");
if (uri!=myself) {
    route(1);
    return;
};

if (uri=~"[@:](192\.168\.|10\.|172\.16)" && !search("^Route:")){
    sl_send_reply("479", "We do not forward to private IP addresses");
};

if ((uri =~ "^sip:0@")||            /* Operator Assistance */
    (uri =~ "^sip:911@")||          /* 911 Emergency */
    (uri =~ "^sip:411@")||          /* Directory Assistance */
    (uri =~ "^sip:1[0-9]{10}@")) {  /* Domestic PSTN */
    route(4);
    return;
};

if (uri=~"^sip:0111[0-9]*@") { # Kill calls to 011+1... (invalid

dialing) sl_send_reply("406", "Not Acceptable"); return; }

if (uri=~"^sip:011[0-9]*@") { # International PSTN
    if(!is_user_in("From","gateway1")) {
        strip(3); # Remove 011 for Gateway2
    }
    route(4);
    return;
};

if (!lookup("location")) {
    sl_send_reply("404", "User Not Found");
    return;
};

route(1);

}

route[4] {

# -----------------------------------------------------------------
# PSTN Handler
# -----------------------------------------------------------------
prefix("+"); # add "+" to Request URI
append_hf("P-Asserted-Identity:

"User"sip:+1$avp(s:rpid)@x.x.x.x\r\n"); uac_replace_from("$fn","sip:+$fU@$fd:5060");

if(is_user_in("From","gateway1")) {
    force_send_socket(x.x.x.x:5060);
    xlog("L_NOTICE", "[$Tf] Message sent via IP-1\n" );
} else {
    force_send_socket(x.x.x.x:5060);
    xlog("L_NOTICE", "[$Tf] Message sent via IP-2\n" );
};

ds_select_domain("1","0");
route(1);

}

onreply_route[1] {

   # we are checking here for a progressing return... ie a 180 Ringing

or # 183 session progress -- if this occurs we don't care from here on # about failures as a gateway is handling the call...

   if( status =~ "18[0-9]" ) {
           xlog( "L_INFO", "[$Tf] ORR: $ci -- SIP-$rs Reset

t_on_failure()\n"); t_on_failure("0"); } else { xlog( "L_INFO", "[$Tf] ORR: $ci -- $rs $rr\n" ); } }

failure_route[2] {

   # 408 -- timeout -- typically the end party has not answered
   # Since we cancel t_on_failure() on a provisional response we

should not be # getting a 408 timeout from a gateway at this stage.. it will just "fall through" # If fr_timer expires t_check_status("408") is true, although $rs is <null> if( t_check_status("408") ){ xlog( "L_NOTICE", "[$Tf] FR: $ci -- TIMEOUT for Gateway $rd\n" ); } else { xlog( "L_NOTICE", "[$Tf] FR: $ci -- $rs reason $rr\n" ); }

   # 403 -- Not a valid number, or possibly no permission to use the

gateway if( t_check_status("403") ){ xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Forbidden\n" ); return; }

   # 486 -- User Busy
   if( t_check_status("486") ){
           xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Destination

Busy\n" ); return; }

   # 487 -- Request Cancelled (usually in response to a CANCEL

transaction) if( t_check_status("487") ){ xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Request Cancelled\n" ); return; }

   # At this stage we try the next gateway, if no next gateway we

bail. if( ds_next_domain() ){ t_on_reply("1"); t_on_failure("2"); xlog( "L_NOTICE", "[$Tf] FR: $ci Next gateway $fU -> $tU via $rd\n" ); if( !t_relay() ){ xlog( "L_WARN", "[$Tf] FR: $ci -- ERROR - Can not t_relay()\n" ); return; } return; } else { xlog( "L_WARN", "[$Tf] FR: $ci No more gateways -> 503.\n" ); t_reply("503", "Service unavailable -- no more gateways" ); return; } }

---

Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users