[Serusers] prevent INVITE without REGISTERing
Miklos Tirpak
miklos at iptel.org
Wed Jul 12 10:57:51 CEST 2006
Hi Ilker,
just my first idea, not tested:
1. lookup the From HF
    if (!lookup_user("From")) {
        # reject the INVITE
        ...
    }
2. save original To UID and Request URI
    $orig_to_uid = $tu.uid;
    $orig_req_uri = @ruri;
3. set To UID -- registrar module will use this in the lookup
    $tu.uid = $fu.uid;
4. lookup From HF and compare the source address of the INVITE with the
source address of the REGISTER message
    if (lookup("location")) {
        if ((src_ip != @ruri.host) || (src_port != @ruri.port)) {
            # reject the INVITE
            ...
        }
        # restore original To UID and Request URI
        $tu.uid = $orig_to_uid;
        attr2uri("$orig_req_uri");
    } else {
        # reject the INVITE
        ...
    }
Note that the above solution is a bit ugly, you can get into trouble
when the user registers multiple contact addresses. It is better to
disable branches (see append_branches parameter in registrar module),
but you lose some functionality.
Regards,
Miklos
İlker Aktuna (Koç.net) wrote:
>
> Hi everyone,
>
> I am still trying to find a solution to this problem. (but couldn't find
> yet)
> Victor was trying to help me but I think he's not able to reply these days.
>
> Is there any idea to achieve what I need?
>
> Thanks,
> ilker
>
> ------------------------------------------------------------------------
> *From:* serusers-bounces at lists.iptel.org
> [mailto:serusers-bounces at lists.iptel.org] *On Behalf Of *İlker Aktuna
> (Koç.net)
> *Sent:* Tuesday, July 11, 2006 1:41 PM
> *To:* Victor Stanescu
> *Cc:* serusers at iptel.org
> *Subject:* RE: [Serusers] prevent INVITE without REGISTERing
>
> Hi,
>
> What if my proxy does not handle authenticating INVITE messages ?
>
> In that case I think the best way is to lookup location table for the
> source URI.
> If the source URI location matches the location in that table then we
> must permit INVITE message.
> How can I configure this ?
>
> Thanks,
> ilker
>
> -----Original Message-----
> From: serusers-bounces at lists.iptel.org
> [mailto:serusers-bounces at lists.iptel.org] On Behalf Of Victor Stanescu
> Sent: Monday, July 10, 2006 1:49 PM
> Cc: serusers at iptel.org
> Subject: Re: [Serusers] prevent INVITE without REGISTERing
>
> Please read "domain" instead of "gtstelecom.ro": www_authorize("domain",
> "subscriber") and proxy_authorize("domain", "subscriber"), otherwise the
> code fragment will not be correct. I forgot to replace with a generic name.
>
> Victor Stanescu wrote:
> > I think it is easier to force him to authenticate the INVITE. If he is
> > able to authenticate the INVITE, why do you care if he is registered
> > or not?
> >
> > if (method=="REGISTER") {
> >     if(!src_ip=="other") {
> >         if (!www_authorize("gtstelecom.ro", "subscriber")) {
> >             www_challenge("domain", "0");
> >             break;
> >         };
> >         save("location");
> >         log("Replicating REGISTER\n");
> >         t_replicate("other", "5060");
> >     } else {
> >         save("location");
> >     };
> >     break;
> > } else {
> >     # this is an INVITE
> >     if (!proxy_authorize("gtstelecom.ro", "subscriber")) {
> >         proxy_challenge("domain", "1");
> >         break;
> >     };
> >     # route the call
> >     ...
> > };
> >
> > İlker Aktuna (Koç.net) wrote:
> >>
> >> Hi all,
> >>
> >> Is it possible to prevent any user calling without registering ? What
> >> is the best way to do this ?
> >> I guess I'll have to check if the source URI exists in location table.
> >> What is the easiest way to do this ?
> >>
> >> If there is a more robust way to do it, please suggest...
> >>
> >> Thanks,
> >> ilker
> >>
> >>
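Added example, not part of the original thread and not SER code: a Python model of the source-address check from the reply at the top of this message, showing why comparing only the contact that ends up in the Request-URI rejects a user calling from a second registered contact, next to a variant that compares against every binding. The location table, addresses and function names are constructed, and picking the highest-q contact as the Request-URI is an assumption about how lookup() orders contacts.

```python
DEFAULT_SIP_PORT = 5060

# Constructed location table: AOR -> list of (contact URI, q value).
LOCATION = {
    "alice@example.com": [("sip:alice@192.0.2.10:5060", 1.0),
                          ("sip:alice@192.0.2.20:5070", 0.5)],
    "bob@example.com": [("sip:bob@198.51.100.7", 1.0)],
}


def contact_addr(uri):
    """Return (host, port) of a sip:user@host[:port][;params] contact URI.

    IPv4 addresses and host names only; the port defaults to 5060.
    """
    hostport = uri.split("@", 1)[-1].split(";", 1)[0]
    host, _, port = hostport.partition(":")
    return host, int(port) if port else DEFAULT_SIP_PORT


def check_first_contact(from_aor, src_ip, src_port, location=LOCATION):
    """Model of the script in the mail: only the single contact written
    into the Request-URI (assumed here: the highest-q one) is compared."""
    contacts = location.get(from_aor)
    if not contacts:
        return False  # caller is not registered: reject the INVITE
    best_uri, _ = max(contacts, key=lambda c: c[1])
    return contact_addr(best_uri) == (src_ip, src_port)


def check_any_contact(from_aor, src_ip, src_port, location=LOCATION):
    """Accept the INVITE if its source matches any registered contact."""
    contacts = location.get(from_aor, [])
    return any(contact_addr(uri) == (src_ip, src_port) for uri, _ in contacts)


if __name__ == "__main__":
    # alice calls from her second registered device (constructed values)
    print(check_first_contact("alice@example.com", "192.0.2.20", 5070))
    print(check_any_contact("alice@example.com", "192.0.2.20", 5070))
```
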