Fwd: Re: [Serusers] Blocking calls from unregistered users

Pavol Segec pavol.segec at kis.fri.utc.sk
Thu Sep 1 08:48:41 CEST 2005


Hi,

The code means that if a user is establishing a call (the UA generates an INVITE
message) and the user is not already registered on the your.domain register server,
the user will be challenged to authenticate itself before the call
proceeds, and only authentication of users from your.domain will be
authorized (accepted).

Personally I think that good practice is to put some code into ser.cfg where
the REGISTER message is handled, which allows only users who have an account on
the your.domain register (or proxy with register features) server to register
(and make a call), for example:

    sl_send_reply("100","Trying");

    if (!www_authorize("your.domain", "subscriber")) {
        www_challenge("your.domain", "0");
        break;
    };

    # only registered users are allowed
    # do not register someone else

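    if(!check_to()){
        log(1,"LOG: unregistered user registration attempt\n");
        # the credentials were already accepted above, so send one final
        # reply only: 403 (a second sl_send_reply for the same request
        # would put two final responses on the wire)
        sl_send_reply("403","Only registered users are allowed");
        break;
    };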

    # save the registration process results
    if (!save("location")){
        sl_reply_error();
    };


BR

pavol

Quoting Ryan Pagquil <rpagquil at philonline.com>:

> Hi,
> I'm currently subscribed to iptel.org. Well, iptel.org's proxy doesn't
> allow unregistered users to call anybody, I already tried it. Does
> having my domain specified in the proxy_authorize section mean that
> only users from my domain will be asked to register first before they
> can place a call? I think I already tried this.. but I'll still test. =)
>
> Thanks,
> Ryan
>
> Pavol Segec wrote:
>
> >Hi,
> >
> >If I understand well, you just need to put an authorization challenge into your
> >ser.cfg file where INVITE messages are handled, as follows:
> >
> >if (!proxy_authorize("your.domain","subscriber")) {
> >    # proxy_challenge already sends the 407 reply itself, so no second
> >    # reply is sent for the same request
> >    proxy_challenge("your.domain","0");
> >    break;
> >};
> >
> >pavol
> >
> >Quoting Dave <ddx66 at yahoo.com>:
> >
> >>You can't as far as I know. You must use a User Agent
> >>that does not allow a user to make calls unless the
> >>UA is registered.
> >>
> >>--- rpagquil at philonline.com wrote:
> >>
> >>
> >>---------------------------------
> >>Hi,
> >>
> >>I'm setting up ser so that unregistered users
> >>can't make any calls to anybody. I have configured to
> >>allow all other domains to make a call to my local
> >>users. But when my local user that is unregistered it
> >>can still make calls to other local users. How would I
> >>do to block him totally?
> >>
> >>here is my ser.cfg:
> >>
> >>debug=3
> >>fork=yes
> >>log_stderror=yes
> >>
> >>listen=202.84.24.107
> >>port=5060
> >>children=4
> >>
> >>dns=no
> >>rev_dns=no
> >>fifo="/tmp/ser_fifo"
> >>fifo_db_url="mysql://ser:heslo@localhost/ser"
> >>alias=sip.philonline.com
> >>
> >>#load module part
> >>loadmodule "/usr/local/lib/ser/modules/mysql.so"
> >>loadmodule "/usr/local/lib/ser/modules/domain.so"
> >>loadmodule "/usr/local/lib/ser/modules/sl.so"
> >>loadmodule "/usr/local/lib/ser/modules/tm.so"
> >>loadmodule "/usr/local/lib/ser/modules/rr.so"
> >>loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
> >>loadmodule "/usr/local/lib/ser/modules/usrloc.so"
> >>loadmodule "/usr/local/lib/ser/modules/registrar.so"
> >>loadmodule "/usr/local/lib/ser/modules/auth.so"
> >>loadmodule "/usr/local/lib/ser/modules/auth_db.so"
> >>loadmodule "/usr/local/lib/ser/modules/uri.so"
> >>loadmodule "/usr/local/lib/ser/modules/uri_db.so"
> >>loadmodule "/usr/local/lib/ser/modules/mediaproxy.so"
> >>loadmodule "/usr/local/lib/ser/modules/nathelper.so"
> >>loadmodule "/usr/local/lib/ser/modules/textops.so"
> >>loadmodule "/usr/local/lib/ser/modules/acc.so"
> >>loadmodule "/usr/local/lib/ser/modules/permissions.so"
> >>
> >>#module parameter setup
> >>modparam("rr", "enable_full_lr", 1)
> >>modparam("auth_db|uri_db|usrloc|domain|permissions", "db_url", "mysql://ser:heslo@localhost/ser")
> >>modparam("auth_db", "calculate_ha1", 1)
> >>modparam("auth_db", "password_column", "password")
> >>modparam("usrloc", "db_mode", 2)
> >>modparam("nathelper", "rtpproxy_disable", 1)
> >>modparam("nathelper", "natping_interval", 0)
> >>modparam("mediaproxy", "natping_interval", 30)
> >>modparam("mediaproxy", "mediaproxy_socket", "/var/run/mediaproxy.sock")
> >>modparam("mediaproxy", "sip_asymmetrics", "/usr/local/etc/ser/sip-clients")
> >>modparam("mediaproxy", "rtp_asymmetrics", "/usr/local/etc/ser/rtp-clients")
> >>modparam("registrar", "nat_flag", 6)
> >>
> >>modparam("acc", "log_level", 2)
> >>modparam("acc", "log_fmt", "cdfimorstup")
> >>modparam("acc", "report_ack", 1)
> >>#modparam("acc", "failed_transactions", 1)
> >>modparam("acc", "log_flag", 1)
> >>#modparam("acc", "report_cancels", 1)
> >>modparam("acc", "db_flag", 1)
> >>modparam("acc", "db_missed_flag", 3)
> >>modparam("acc", "db_url", "mysql://ser:heslo@localhost/ser")
> >>modparam("uri_db", "uri_table", "uri")
> >>modparam("uri_db", "uri_user_column", "username")
> >>modparam("uri_db", "uri_domain_column", "domain")
> >>modparam("domain", "db_mode", 1)
> >>modparam("domain", "domain_table", "domain")
> >>modparam("domain", "domain_col", "domain")
> >>
> >>modparam("permissions", "default_allow_file", "/usr/local/etc/ser/allow.permissions")
> >>modparam("permissions", "default_deny_file", "/usr/local/etc/ser/deny.permissions")
> >>
> >>#our routing logic
> >>route {
> >>    if (!mf_process_maxfwd_header("10")) {
> >>        sl_send_reply("483", "Too many hops");
> >>        break;
> >>    };
> >>
> >>    if (msg:len > max_len) {
> >>        sl_send_reply("513", "Message overflow");
> >>        break;
> >>    };
> >>
> >>    ###record route####
> >>    if (method=="INVITE" && client_nat_test("3")) {
> >>        record_route_preset("202.84.24.107:5060;nat=yes");
> >>    } else if (method!="REGISTER") {
> >>        record_route();
> >>    };
> >>
> >>    ###call tear down section###
> >>    if (method=="BYE" || method=="CANCEL") {
> >>        end_media_session();
> >>    };
> >>
> >>    ###accounting###
> >>    if ((!has_totag() && (method=="INVITE" || method=="ACK")) || (method=="BYE")) {
> >>        setflag(1);
> >>    };
> >>
> >>    ###loose route###
> >>    if (loose_route()) {
> >>        if (has_totag() && (method=="INVITE" || method=="ACK")) {
> >>            if (client_nat_test("3") || search("^Route:.*;nat=yes")) {
> >>                setflag(6);
> >>                use_media_proxy();
> >>            };
> >>        };
> >>        route(1);
> >>        break;
> >>    };
> >>
> >>    ###call type processing###
> >>    if (uri!=myself) {
> >>        route(1);
> >>        break;
> >>    };
> >>
> >>    if (uri==myself) {
> >>        if (method=="CANCEL") {
> >>            route(3);
> >>            break;
> >>        } else if (method=="INVITE") {
> >>            route(3);
> >>            break;
> >>        } else  if (method=="REGISTER") {
> >>            route(2);
> >>            break;
> >>        };
> >>
> >>        lookup("aliases");
> >>        if (uri!=myself) {
> >>            route(1);
> >>            break;
> >>        };
> >>
> >>        if (!lookup("location")) {
> >>            sl_send_reply("404", "User not found");
> >>            break;
> >>        };
> >>    };
> >>
> >>    route(1);
> >>}
> >>
> >>##Default message handler##
> >>route[1] {
> >>    t_on_reply("1");
> >>
> >>    if (!t_relay()) {
> >>        if (method=="INVITE" || method=="ACK") {
> >>            end_media_session();
> >>        };
> >>        sl_reply_error();
> >>    };
> >>}
> >>
> >>##Register message handler##
> >>route[2] {
> >>    sl_send_reply("100", "Trying");
> >>
> >>    if (!search("^Contact:\ +\*") && client_nat_test("7")) {
> >>        setflag(6);
> >>        fix_nated_register();
> >>        force_rport();
> >>    };
> >>
> >>    if (!www_authorize("sip.philonline.com","subscriber")) {
> >>        www_challenge("sip.philonline.com","0");
> >>        break;
> >>    };
> >>
> >>    if (!check_to()) {
> >>        sl_send_reply("401", "You are Unauthorized");
> >>        break;
> >>    };
> >>
> >>    consume_credentials();
> >>
> >>    if (!save("location")) {
> >>        sl_reply_error();
> >>    };
> >>}
> >>
> >>##INVITE message Handler##
> >>route[3] {
> >>    if (client_nat_test("3")) {
> >>        setflag(7);
> >>        force_rport();
> >>        fix_nated_contact();
> >>    };
> >>
> >>    if (!search("To: .*@sip.philonline.com")) {
> >>        if (!proxy_authorize("","subscriber")) {
> >>            proxy_challenge("", "0");
> >>            break;
> >>        };
> >>
> >>        if (!check_from() && method=="INVITE") {
> >>            sl_send_reply("403", "User From=ID");
> >>            break;
> >>        };
> >>    };
> >>
> >>    lookup("aliases");
> >>    if (uri!=myself) {
> >>        route(1);
> >>        break;
> >>    };
> >>
> >>    if (!lookup("location")) {
> >>        sl_send_reply("404", "User not found");
> >>        break;
> >>    };
> >>
> >>    if (method=="CANCEL") {
> >>        route(1);
> >>        break;
> >>    };
> >>
> >>    consume_credentials();
> >>
> >>    if (isflagset(6) || isflagset(7)) {
> >>        use_media_proxy();
> >>    };
> >>
> >>    route(1);
> >>}
> >>
> >>onreply_route[1] {
> >>    if (isflagset(6) || isflagset(7) && (status=~"(180)|(183)|2[0-9][0-9]")) {
> >>        if (!search("^Content-Length:\ +0")) {
> >>            use_media_proxy();
> >>        };
> >>    };
> >>
> >>    if (client_nat_test("1")) {
> >>        fix_nated_contact();
> >>    };
> >>}
> >>
> >>Thanks,
> >>--ryan
> >>Ryan Pagquil
> >>Infodyne Inc. (www.philonline.com)
> >>Tel. (632)-6870715
> >>_______________________________________________
> >>
> >>
> >>>Serusers mailing list
> >>>serusers at lists.iptel.org
> >>>http://lists.iptel.org/mailman/listinfo/serusers
>
>
> --
> Ryan Pagquil
> Infodyne Inc. - PhilOnline.com
> 3603 Antel Global Corporate Center
> Doña Julia Vargas Ave.
> Ortigas Center Pasig City
> Tel: 687-0715
> Web: www.philonline.com
>
>



----- End of forwarded message -----
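
The INVITE handler from the quoted ser.cfg with the authorization check moved out of the To-header test, as an added example that is not part of the original thread. It assumes SER 0.9-style syntax and the domain module's is_from_local() with sip.philonline.com listed in the domain table; route numbers and flags are reused from the posted config.

```cfg
# Added example (SER 0.9-style syntax), not from the original thread.
# As posted, authentication was nested inside
#     if (!search("To: .*@sip.philonline.com")) { ... }
# so it only ran for calls whose To header was not local, and
# local-to-local calls were never challenged. Corrected handler:

##INVITE message Handler##
route[3] {
    if (client_nat_test("3")) {
        setflag(7);
        force_rport();
        fix_nated_contact();
    };

    # Decide by who is calling, not by who is called. CANCEL is left out
    # because it cannot be resubmitted with credentials.
    # Assumption: sip.philonline.com is listed in the domain table.
    if (method=="INVITE" && is_from_local()) {
        if (!proxy_authorize("sip.philonline.com", "subscriber")) {
            # proxy_challenge sends the 407 itself; no second reply here
            proxy_challenge("sip.philonline.com", "0");
            break;
        };
        # the authenticated user must own the From URI
        if (!check_from()) {
            sl_send_reply("403", "Use From=ID");
            break;
        };
        consume_credentials();
    };

    # Callers from other domains get here unauthenticated, which the
    # posted config allows so that they can call local users.
    lookup("aliases");
    if (uri!=myself) {
        route(1);
        break;
    };
    if (!lookup("location")) {
        sl_send_reply("404", "User not found");
        break;
    };
    if (isflagset(6) || isflagset(7)) {
        use_media_proxy();
    };
    route(1);
}
```

This makes every local caller authenticate before an INVITE is relayed; it does not check that the caller currently has a binding in the location table.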




