Thanks for the tips... I'll look at the sipwise config and probably do some tweeking to add more checks.
I am unfortunately stuck with UDP IP based authentication for the gateways right now. Are there any other checks I can do make this more secure?
- Daryl
On 3/28/07, klaus.mailinglists@pernau.at klaus.mailinglists@pernau.at wrote:
at first sight:
- always use fix_nated_contact before save.
- IP based authentication can be spoofed when using UDP, thus only use
with TCP 3. you have no checks in loose_route block. Take a look at the sipwise wizard and its security checks inside the loose_route block.
regards klaus
Hi Everyone,
I aparently have something in my openser.cfg that is allowing unauthorized calls to go through to our PSTN gateways. I have included my config below for review. I would appreciate any help understanding how this might be happening.
I am currently reviewing the CDRs from my PSTN gateways for clues as well. This is a pretty basic configuration with no NAT involved.
Regards, Daryl
route {
# ----------------------------------------------------------------- # Sanity Check Section # ----------------------------------------------------------------- if (!mf_process_maxfwd_header("10")) { sl_send_reply("483", "Too Many Hops"); exit; }; if (msg:len > max_len) { sl_send_reply("513", "Message Overflow"); exit; }; if (method=="INVITE" || method=="ACK" || method=="BYE") { setflag(1); }; if (method=="INVITE") { if (is_user_in("From","inactive")) { if (uri =~ "^sip:911@") { xlog("L_NOTICE", "[$Tf] R1: $ci -- Allowing 911
Emergency Call on Inactive User\n" ); } else { sl_send_reply("403", "Forbidden"); xlog("L_NOTICE", "[$Tf] R1: $ci -- User Inactive\n" ); return; }; }; };
# ----------------------------------------------------------------- # Record Route Section # ----------------------------------------------------------------- if (method!="REGISTER") { record_route(); }; # ----------------------------------------------------------------- # Loose Route Section # ----------------------------------------------------------------- if (loose_route()) { xlog( "L_NOTICE", "[$Tf] RR: $ci -- Loose Route $rm ($rd).\n"
); if (!t_relay()) { sl_reply_error(); }; return; };
# ----------------------------------------------------------------- # Call Type Processing Section # ----------------------------------------------------------------- if (uri!=myself) { route(1); return; }; if (method=="ACK") { route(1); return; } else if (method=="REGISTER") { route(2); return; } else if (method=="INVITE") { route(3); return; } else if (method=="BYE" || method=="CANCEL") { t_relay(); exit; } lookup("aliases"); if (uri!=myself) { route(1); return; }; if (!lookup("location")) { sl_send_reply("404", "User Not Found"); return; }; route(1);
}
route[1] {
# ----------------------------------------------------------------- # Default Message Handler # ----------------------------------------------------------------- t_on_reply("1"); t_on_failure("2"); if (!t_relay()) { sl_reply_error(); };
}
route[2] {
# ----------------------------------------------------------------- # REGISTER Message Handler # ----------------------------------------------------------------- sl_send_reply("100", "Trying"); if (!www_authorize("","subscriber")) { www_challenge("","0"); exit; }; consume_credentials(); if (!save("location")) { sl_reply_error(); };
}
route[3] {
# ----------------------------------------------------------------- # INVITE Message Handler # ----------------------------------------------------------------- # Trusted Provider IPs if (!src_ip==x.x.x.x)&&(!src_ip==x.x.x.x)&&(!src_ip==x.x.x.x) { if (!proxy_authorize("","subscriber")) { proxy_challenge("","0"); exit; }; consume_credentials(); }; lookup("aliases"); if (uri!=myself) { route(1); return; }; if (uri=~"[@:](192\.168\.|10\.|172\.16)" && !search("^Route:")){ sl_send_reply("479", "We do not forward to private IP addresses"); }; if ((uri =~ "^sip:0@")|| /* Operator Assistance */ (uri =~ "^sip:911@")|| /* 911 Emergency */ (uri =~ "^sip:411@")|| /* Directory Assistance */ (uri =~ "^sip:1[0-9]{10}@")) { /* Domestic PSTN */ route(4); return; }; if (uri=~"^sip:0111[0-9]*@") { # Kill calls to 011+1... (invalid
dialing) sl_send_reply("406", "Not Acceptable"); return; }
if (uri=~"^sip:011[0-9]*@") { # International PSTN if(!is_user_in("From","gateway1")) { strip(3); # Remove 011 for Gateway2 } route(4); return; }; if (!lookup("location")) { sl_send_reply("404", "User Not Found"); return; }; route(1);
}
route[4] {
# ----------------------------------------------------------------- # PSTN Handler # ----------------------------------------------------------------- prefix("+"); # add "+" to Request URI append_hf("P-Asserted-Identity:
"User"sip:+1$avp(s:rpid)@x.x.x.x\r\n"); uac_replace_from("$fn","sip:+$fU@$fd:5060");
if(is_user_in("From","gateway1")) { force_send_socket(x.x.x.x:5060); xlog("L_NOTICE", "[$Tf] Message sent via IP-1\n" ); } else { force_send_socket(x.x.x.x:5060); xlog("L_NOTICE", "[$Tf] Message sent via IP-2\n" ); }; ds_select_domain("1","0"); route(1);
}
onreply_route[1] {
# we are checking here for a progressing return... ie a 180 Ringing
or # 183 session progress -- if this occurs we don't care from here on # about failures as a gateway is handling the call...
if( status =~ "18[0-9]" ) { xlog( "L_INFO", "[$Tf] ORR: $ci -- SIP-$rs Reset
t_on_failure()\n"); t_on_failure("0"); } else { xlog( "L_INFO", "[$Tf] ORR: $ci -- $rs $rr\n" ); } }
failure_route[2] {
# 408 -- timeout -- typically the end party has not answered # Since we cancel t_on_failure() on a provisional response we
should not be # getting a 408 timeout from a gateway at this stage.. it will just "fall through" # If fr_timer expires t_check_status("408") is true, although $rs is <null> if( t_check_status("408") ){ xlog( "L_NOTICE", "[$Tf] FR: $ci -- TIMEOUT for Gateway $rd\n" ); } else { xlog( "L_NOTICE", "[$Tf] FR: $ci -- $rs reason $rr\n" ); }
# 403 -- Not a valid number, or possibly no permission to use the
gateway if( t_check_status("403") ){ xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Forbidden\n" ); return; }
# 486 -- User Busy if( t_check_status("486") ){ xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Destination
Busy\n" ); return; }
# 487 -- Request Cancelled (usually in response to a CANCEL
transaction) if( t_check_status("487") ){ xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Request Cancelled\n" ); return; }
# At this stage we try the next gateway, if no next gateway we
bail. if( ds_next_domain() ){ t_on_reply("1"); t_on_failure("2"); xlog( "L_NOTICE", "[$Tf] FR: $ci Next gateway $fU -> $tU via $rd\n" ); if( !t_relay() ){ xlog( "L_WARN", "[$Tf] FR: $ci -- ERROR - Can not t_relay()\n" ); return; } return; } else { xlog( "L_WARN", "[$Tf] FR: $ci No more gateways -> 503.\n" ); t_reply("503", "Service unavailable -- no more gateways" ); return; } }
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users