17 Jan
2007
17 Jan
'07
5:49 p.m.
Hi,
I realized some one is able to make call and registered to my sip
proxy while he/she is not in the subscriber table.
I couldn't find his/her username in the subscriber table, but i was
able to see him/her in the location table. I am able to see he/she
made 10 calls from my sip proxy.
Anyone have an idea on what i have done wrong? I have included the
authentication part of code here.
if (uri==myself) {
if (method=="REGISTER") {
# Uncomment this if you want to use digest
authentication
if (!www_authorize("x.x.x.x", "subscriber"))
{
www_challenge("x.x.x.x", "0");
exit;
};
consume_credentials();
save("location");
exit;
};
if (method=="INVITE") {
if (!proxy_authorize("","subscriber")) {
proxy_challenge("x.x.x.x","0");
exit;
}
consume_credentials();
};
lookup("aliases");
if (!uri==myself) {
append_hf("P-hint: outbound alias\r\n");
route(1);
};
--
Howard Tang
17 Jan
17 Jan
8:33 p.m.
Howard Tang wrote:
Hi,
I realized some one is able to make call and registered to my sip
proxy while he/she is not in the subscriber table.
I couldn't find his/her username in the subscriber table, but i was
able to see him/her in the location table. I am able to see he/she
made 10 calls from my sip proxy.
Anyone have an idea on what i have done wrong? I have included the
authentication part of code here.
Your config looks ok to me but it will allow someone with a valid digest
username/password combination to register *any* AOR SIP URI. One method
to avoid that is to use check_to() from the uri_db module.
Similarly you can use check_from() to make sure that endpoints use a SIP
From header that exists in the subscriber table.
SIP digest credentials are independent from the used SIP URIs allowing
e.g. third party registration. That means I could add a registration for
your AOR SIP URI. But obviously this also introduces a risk for misuse.
I've added check_to() and check_from() to your config.
- Christian
# -- uri_db params --
modparam("uri_db", "db_url",
"mysql://M4_DB_RWUSER:M4_DB_RWPWD@localhost/M4_DB_NAME")
modparam("uri_db", "subscriber_table", "subscriber")
modparam("uri_db", "use_uri_table", 0) # use subscriber table
modparam("uri_db", "use_domain", 0) # only check username (no multi
# domain support)
if (uri==myself) {
if (method=="REGISTER") {
# Uncomment this if you want to use digest
authentication
if (!www_authorize("x.x.x.x", "subscriber"))
{
www_challenge("x.x.x.x", "0");
exit;
};
if (!check_to()) {
sl_send_reply("401",
"Unauthorized");
exit;
}
consume_credentials();
save("location");
exit;
};
if (method=="INVITE") {
if (!proxy_authorize("","subscriber")) {
proxy_challenge("x.x.x.x","0");
exit;
}
if (!check_from()) {
sl_send_reply("403", "Use
From=ID");
exit;
}
consume_credentials();
};
lookup("aliases");
if (!uri==myself) {
append_hf("P-hint: outbound alias\r\n");
route(1);
};
8:41 p.m.
Hi Christian,
Thank you for point that out. I found that the person is one of my
users, but he put username in x-lite different from the auth username.
That is why i see a different number. and your solution fixed the
issue!
Thanks a lot.
Regards,
Howard
On 1/18/07, Christian Schlatter <cs(a)unc.edu> wrote:
Howard Tang wrote:
--
Howard Tang
ICQ : 259083
MSN : howard615(a)hotmail.com
Hi,
I realized some one is able to make call and registered to my sip
proxy while he/she is not in the subscriber table.
I couldn't find his/her username in the subscriber table, but i was
able to see him/her in the location table. I am able to see he/she
made 10 calls from my sip proxy.
Anyone have an idea on what i have done wrong? I have included the
authentication part of code here.
Your config looks ok to me but it will allow someone with a valid digest
username/password combination to register *any* AOR SIP URI. One method
to avoid that is to use check_to() from the uri_db module.
Similarly you can use check_from() to make sure that endpoints use a SIP
From header that exists in the subscriber table.
SIP digest credentials are independent from the used SIP URIs allowing
e.g. third party registration. That means I could add a registration for
your AOR SIP URI. But obviously this also introduces a risk for misuse.
I've added check_to() and check_from() to your config.
- Christian
# -- uri_db params --
modparam("uri_db", "db_url",
"mysql://M4_DB_RWUSER:M4_DB_RWPWD@localhost/M4_DB_NAME")
modparam("uri_db", "subscriber_table", "subscriber")
modparam("uri_db", "use_uri_table", 0) # use subscriber table
modparam("uri_db", "use_domain", 0) # only check username (no multi
# domain support)
if (uri==myself) {
if (method=="REGISTER") {
# Uncomment this if you want to use digest
authentication
if (!www_authorize("x.x.x.x", "subscriber"))
{
www_challenge("x.x.x.x", "0");
exit;
};
if (!check_to()) {
sl_send_reply("401",
"Unauthorized");
exit;
}
consume_credentials();
save("location");
exit;
};
if (method=="INVITE") {
if (!proxy_authorize("","subscriber")) {
proxy_challenge("x.x.x.x","0");
exit;
}
if (!check_from()) {
sl_send_reply("403", "Use
From=ID");
exit;
}
consume_credentials();
};
lookup("aliases");
if (!uri==myself) {
append_hf("P-hint: outbound alias\r\n");
route(1);
};
18 Jan
18 Jan
5:26 a.m.
Hi Howard,
also take note that registration and making calls are tw different
things. First of all, registration is not required for placing calls -
unregistered user may dial. Also even if you authenticate the
registrations, you should also authenticate the calls originated by your
users.
regards,
bogdan
Howard Tang wrote:
Hi Christian,
Thank you for point that out. I found that the person is one of my
users, but he put username in x-lite different from the auth username.
That is why i see a different number. and your solution fixed the
issue!
Thanks a lot.
Regards,
Howard
On 1/18/07, Christian Schlatter <cs(a)unc.edu> wrote:
Howard Tang wrote:
Hi,
I realized some one is able to make call and registered to my sip
proxy while he/she is not in the subscriber table.
I couldn't find his/her username in the subscriber table, but i was
able to see him/her in the location table. I am able to see he/she
made 10 calls from my sip proxy.
Anyone have an idea on what i have done wrong? I have included the
authentication part of code here.
Your config looks ok to me but it will allow someone with a valid digest
username/password combination to register *any* AOR SIP URI. One method
to avoid that is to use check_to() from the uri_db module.
Similarly you can use check_from() to make sure that endpoints use a SIP
From header that exists in the subscriber table.
SIP digest credentials are independent from the used SIP URIs allowing
e.g. third party registration. That means I could add a registration for
your AOR SIP URI. But obviously this also introduces a risk for misuse.
I've added check_to() and check_from() to your config.
- Christian
# -- uri_db params --
modparam("uri_db", "db_url",
"mysql://M4_DB_RWUSER:M4_DB_RWPWD@localhost/M4_DB_NAME")
modparam("uri_db", "subscriber_table", "subscriber")
modparam("uri_db", "use_uri_table", 0) # use subscriber table
modparam("uri_db", "use_domain", 0) # only check username (no multi
# domain support)
if (uri==myself) {
if (method=="REGISTER") {
# Uncomment this if you want to use digest
authentication
if (!www_authorize("x.x.x.x", "subscriber"))
{
www_challenge("x.x.x.x", "0");
exit;
};
if (!check_to()) {
sl_send_reply("401",
"Unauthorized");
exit;
}
consume_credentials();
save("location");
exit;
};
if (method=="INVITE") {
if (!proxy_authorize("","subscriber")) {
proxy_challenge("x.x.x.x","0");
exit;
}
if (!check_from()) {
sl_send_reply("403", "Use
From=ID");
exit;
}
consume_credentials();
};
lookup("aliases");
if (!uri==myself) {
append_hf("P-hint: outbound alias\r\n");
route(1);
};
5:45 a.m.
New subject: [Users] pseudo-variables in expressions
Hi list!
i think it should be useful to use pseudo-variables in if statement, like:
if ($fu=~"^sip:[0-9]{3}@") {
do_something();
};
is it possible?
maybe this should be a request for developers rather than for users...
regards,
Stefano
5:49 a.m.
New subject: [Users] pseudo-variables in expressions
Hello Stefano,
this is ongoing development and it will be in the next release.
By now, you ca use avp_check() where you can get same functionality with
the 're' operator:
http://www.openser.org/docs/modules/1.1.x/avpops.html#AEN384
Cheers,
Daniel
On 01/18/07 12:45, Stefano Capitanio wrote:
Hi list!
i think it should be useful to use pseudo-variables in if statement,
like:
if ($fu=~"^sip:[0-9]{3}@") {
do_something();
};
is it possible?
maybe this should be a request for developers rather than for users...
regards,
Stefano
_______________________________________________
Users mailing list
Users(a)openser.org
http://openser.org/cgi-bin/mailman/listinfo/users
6359
days inactive
6360
days old
5 comments
5 participants
participants (5)
-
Bogdan-Andrei Iancu -
Christian Schlatter -
Daniel-Constantin Mierla -
Howard Tang -
Stefano Capitanio