Hi folks!
I have set up my ser.cfg to request www_authentication on INVITE messages. Well, I'm not sure if this is the best solution to allow ONLY registered users to make calls on my proxy.
Does anybody know the right way to do this configuration?
Regards
do something like this (in ser.cfg):
    if (method=="INVITE") {
        if (!lookup("location")) {
            sl_send_reply("404","Not authorized");
            break;
        }
    }
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
Hi,
> if (method=="INVITE") {
>     if (!lookup("location")) {
>         sl_send_reply("404","Not authorized");
>         break;
>     }
> }
This one checks if the *called* party is registered at SER, not the *calling* party.
However, I don't see a sense in restricting outgoing calls only to registered users. You can authenticate the caller using proxy_authorize() anyway. If the user doesn't register, he just cannot be called.
Andy
Well, I have to check if the *calling* party is registered on my proxy before allowing him to make any calls!
In my tests, if I set sipregon=0 on the ata186, I can still make calls. I have to block this...
sendman wrote:
> Well, I have to check if the *calling* party is registered on my proxy before allowing him to make any calls!
> In my tests, if I set sipregon=0 on the ata186, I can still make calls. I have to block this...
But why do you want to force users to register?
The snippet
    if(method=="INVITE" && !proxy_authorize("your.domain", "subscriber")) {
        proxy_challenge("your.domain", "0");
        break;
    }
prevents unauthorized users from placing calls. The registration has nothing to do with authorization or something like that, it's just that SER knows whom to contact when someone calls the user via the proxy.
Andy
Hi there
Andreas Granig wrote:
>> Well, I have to check if the *calling* party is registered on my proxy before allowing him to make any calls!
>> In my tests, if I set sipregon=0 on the ata186, I can still make calls. I have to block this...
> But why do you want to force users to register?
Perhaps because all calls must be paid, or to prevent non-registered (i.e. blocked) users from placing calls to the outside...
> The snippet
>     if(method=="INVITE" && !proxy_authorize("your.domain", "subscriber")) {
>         proxy_challenge("your.domain", "0");
>         break;
>     }
> prevents unauthorized users from placing calls.
But it would also prevent outside calls to registered (local) users from being placed, am I right?
> The registration has nothing to do with authorization or something like that, it's just that SER knows whom to contact when someone calls the user via the proxy.
good clarification, thanks!
Cheers !3runo
Bruno Lopes F. Cabral wrote:
>> But why do you want to force users to register?
> Perhaps because all calls must be paid, or to prevent non-registered (i.e. blocked) users from placing calls to the outside...
If users have to proxy_authenticate() when calling, there's no problem with accounting.
Explicitly blocked users can be handled with groups, so you can differentiate between incoming-blocked and outgoing-blocked, e.g.:
    # proxy_authenticate() here, then:
    if(method == "INVITE") {
        if(!check_from()) {
            # spoofed From-URI, send 403 here
            break;
        }
        if(is_user_in("credentials", "outblocked")) {
            # outgoing call attempt of blocked user, deflect to announcement
            # or send 403 here
            break;
        }
        if(does_uri_exist() && is_user_in("Request-URI", "inblocked")) {
            # incoming call to local blocked user, see above
            break;
        }
    }
and use serctl for blocking users: "serctl acl grant <user> outblocked"
So still no need to register.
> But it would also prevent outside calls to registered (local) users from being placed, am I right?
Only if the caller can't proxy_authenticate(). If there are, for example, PSTN gateways which don't authenticate, you have to create some kind of "trusted network", e.g.:
    if(method == "INVITE") {
        if(!(src_ip==gw1.your.domain || src_ip==gw2.your.domain)) {
            if(!proxy_authenticate(...)) {
                # untrusted caller failed to authenticate
                proxy_challenge(...);
                break;
            }
        } else {
            # trusted sources don't have to authenticate
        }
    }
Hope this helps, Andy
Hi there
of course this helps, thanks :-)
Are there RADIUS-enabled counterparts for check_from, is_user_in and does_uri_exist?
I couldn't find any. Testing SER 0.8.14.
Cheers !3runo
How can I check if the calling user has valid credentials on my SIP server?
Do I have to use www_authorize on the INVITE message or in the route to the PSTN segment?
All calls on my server must be paid, so I have to check if the caller is valid in my realm. If I set up my ata186 to not do SIPregon and use a nonexistent user, I can make a call.
sendman wrote:
> Hi folks!
> I have set up my ser.cfg to request www_authentication on INVITE messages. Well, I'm not sure if this is the best solution to allow ONLY registered users to make calls on my proxy.
> Does anybody know the right way to do this configuration?
This is the right way to make sure that only authenticated users make calls on your proxy. I'm guessing that you want to allow unauthenticated inbound calls unless you have a way to assign username/passwords to anyone who might want to call one of your registered users.
I do not think that there are adequate mechanisms implemented for interdomain authentication of callers. If you do want to authenticate callers who are not registered on your proxy (to prevent SIP spam) these two internet drafts might be of interest:
http://www.ietf.org/internet-drafts/draft-ietf-sip-identity-03.txt
http://www.ietf.org/internet-drafts/draft-peterson-message-identity-00.txt
Hope this helps, Jamey
Well, what I really want is something like:
    if (method=="INVITE") {
        # check if from_user 'caller' are successfully registered in my proxy
        if (!lookup('%from_user% in location table')) {
            sl_send_reply("404","Not authorized - You must be registered to use this proxy");
            break;
        }
        # accept call
        route(3);
    }
Well, 'ALL CALLS' in my proxy must be authenticated...
I don't know if this test must be done on 'invite' or maybe in the route(3) subroutine.
Regards.
You are only checking here if the user has SIP REGISTERED a UserAgent to your server, not if the user had a valid username/password. You should check with proxy_challenge (which generates a SIP/2.0 407 Proxy Authorization required message) and only if it is an outbound request (domain not served by your proxy, otherwise your users can't be called).
So your code would become something like:
    # check if it's an outbound request for a domain not on this proxy
    if (method=="INVITE" && uri!=myself) {
        # check to see if there are user credentials (and if they are OK)
        if (!proxy_authorize("yourdomain", "subscriber")) {
            # no or wrong credentials, challenge the user
            proxy_challenge("yourdomain","0");
            break;
        }
        # accept call and goto route 3
        route(3);
    }
Kind regards,
E. Versaevel
Hi all,
The solution can be simplified and strengthened further like this:
    if (method=="INVITE" && from_uri==myself) {
        # check to see if there are user credentials (and if they are OK)
        if(!proxy_authorize("yourdomain", "subscriber")) {
            # no or wrong credentials, challenge the user
            proxy_challenge("yourdomain","0");
            break;
        }
    }
    # caller authenticated
    ......
Of course, you will authenticate only users pretending to belong to your domain.
NOTE: from_uri works only in cvs head, otherwise you can use something like search("(F|From):.*@my_domain")
Best regards, Marian
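An added example (Python, not code from any poster in this thread and not SER's implementation) modelling the distinction drawn in the replies above: the location table only says where a callee can be reached, while the caller is admitted by a digest check on the Proxy-Authorization credentials, a From match, or a trusted gateway address. The user names, passwords, addresses, the nonce and the dict layout are constructed, and the digest is the RFC 2617 form without qop, which is an assumption about the setup.

```python
import hashlib
import hmac

REALM = "yourdomain"          # realm string used in the thread's snippets
TRUSTED_GW = {"192.0.2.10"}   # constructed address of a PSTN gateway


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


# Constructed data. SUBSCRIBER models the credential table (username -> HA1),
# LOCATION models the registrar's bindings. alice has credentials but has NOT
# registered (the "sipregon=0" case); bob has both.
SUBSCRIBER = {u: md5_hex(f"{u}:{REALM}:{pw}")
              for u, pw in {"alice": "alice-pw", "bob": "bob-pw"}.items()}
LOCATION = {"bob"}


def digest_response(username, password, nonce, method, uri):
    """What the phone computes for Proxy-Authorization (RFC 2617, no qop)."""
    ha1 = md5_hex(f"{username}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def credentials_ok(req, nonce):
    """Proxy side: recompute the digest from the stored HA1 and compare."""
    cred = req.get("proxy_auth")
    if not cred or cred["nonce"] != nonce:
        return False                      # no credentials, or stale nonce
    ha1 = SUBSCRIBER.get(cred["username"])
    if ha1 is None:
        return False                      # unknown user
    ha2 = md5_hex(f"{req['method']}:{cred['uri']}")
    expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, cred["response"])


def route_invite(req, nonce):
    """Return (status, reason); status 0 means 'relay the INVITE'."""
    if req["src_ip"] not in TRUSTED_GW:
        if not credentials_ok(req, nonce):
            return 407, "Proxy Authentication Required"
        if req["from_user"] != req["proxy_auth"]["username"]:
            return 403, "Forbidden"       # From does not match credentials
    # Registration is consulted only to locate a local callee.
    if req["to_domain"] == REALM and req["to_user"] not in LOCATION:
        return 404, "Not Found"
    return 0, "relay"


def invite(from_user, to_user, to_domain, src_ip="198.51.100.7",
           auth_user=None, password=None, nonce="n0nce"):
    """Build a constructed INVITE as a dict (this is not a SIP parser)."""
    uri = f"sip:{to_user}@{to_domain}"
    req = {"method": "INVITE", "src_ip": src_ip, "from_user": from_user,
           "to_user": to_user, "to_domain": to_domain}
    if auth_user:
        req["proxy_auth"] = {
            "username": auth_user, "nonce": nonce, "uri": uri,
            "response": digest_response(auth_user, password, nonce,
                                        "INVITE", uri)}
    return req


if __name__ == "__main__":
    N = "n0nce"
    # Unregistered but authenticated caller: admitted.
    print(route_invite(invite("alice", "0049123", "pstn.example",
                              auth_user="alice", password="alice-pw"), N))
    # Registered caller who sends no credentials: challenged.
    print(route_invite(invite("bob", "0049123", "pstn.example"), N))
```

A caller that never registers but presents valid credentials is relayed, and a registered user who sends no credentials is still challenged, which is why a location lookup cannot stand in for the credential check.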
Well, now I'm getting a segfault when I use proxy_authorize in scripts!
If I comment out the proxy_authorize line everything works fine, but when I uncomment it I get a segfault!
    2(5662) ERROR: fifo_server fgets failed: Illegal seek
    2(5662) INFO: signal 15 received
    1(5661) INFO: signal 15 received
This is the part of my script that I comment out:
    if(!proxy_authorize("mydomain", "subscriber")) {
        # no or wrong credentials, challenge the user
        proxy_challenge("mydomain","0");
        break;
    }
Did you change mydomain to your own realm? And have you correctly set up the auth_db module?
Sure! I was... And everything is fine with the auth_db module!