[Serusers] prevent INVITE without REGISTERing

Miklos Tirpak miklos at iptel.org
Wed Jul 12 10:57:51 CEST 2006 

Hi Ilker,

just my first idea, not tested:


1. lookup the From HF

if (!lookup_user("From")) {
	# reject the INVITE
	...
}

2. save original To UID and Request URI

$orig_to_uid = $tu.uid;
$orig_req_uri = @ruri;

3. set To UID -- registrar module will use this in the lookup

$tu.uid = $fu.uid;

4. lookup From HF and compare the source address of the INVITE with the 
source address of the REGISTER message

if (lookup("location")) {
	if ((src_ip != @ruri.host) || (src_port != @ruri.port)) {
		# reject the INVITE
		...
	}
	# restore original To UID and Request URI
	$tu.uid = $orig_to_uid;
	attr2uri("$orig_req_uri");
} else {
	# reject the INVITE
	...
}

Note, that the above solution is a bit ugly, you can get into troubles 
when the user registers multiple contact addresses. It is better to 
disable branches (see append_branches parameter in registrar module), 
but you loose some functionality.

Regards,
Miklos

İlker Aktuna (Koç.net) wrote:
> 
> Hi everyone,
>  
> I am still trying to find a solution to this problem. (but couldn't find 
> yet)
> Victor was trying to help me but I think he's not able to reply these days.
>  
> Is there any idea to achieve what I need.
>  
> Thanks,
> ilker
> 
> ------------------------------------------------------------------------
> *From:* serusers-bounces at lists.iptel.org 
> [mailto:serusers-bounces at lists.iptel.org] *On Behalf Of *İlker Aktuna 
> (Koç.net)
> *Sent:* Tuesday, July 11, 2006 1:41 PM
> *To:* Victor Stanescu
> *Cc:* serusers at iptel.org
> *Subject:* RE: [Serusers] prevent INVITE without REGISTERing
> 
> Hi,
> 
> What if my proxy does not handle authenticating INVITE messages ?
> 
> In that case I think the best way is to lookup location table for the 
> source URI.
> If the source URI location matches the location in that table then we 
> must permit INVITE message.
> How can I configure this ?
> 
> Thanks,
> ilker
> 
> -----Original Message-----
> From: serusers-bounces at lists.iptel.org 
> [mailto:serusers-bounces at lists.iptel.org] On Behalf Of Victor Stanescu
> Sent: Monday, July 10, 2006 1:49 PM
> Cc: serusers at iptel.org
> Subject: Re: [Serusers] prevent INVITE without REGISTERing
> 
> Please read "domain" instead of "gtstelecom.ro": www_authorize("domain",
> "subscriber") and proxy_authorize("domain", "subscriber"), otherwise the 
> code fragment will not be correct. I forgot to replace with a generic name.
> 
> Victor Stanescu wrote:
>  > I think it is easier to force him to authenticate the INVITE. If he is
>  > able to authenticate the INVITE, why do you care if he is registered
>  > or not?
>  >
>  > if (method=="REGISTER") {
>  >     if(!src_ip=="other") {
>  >         if (!www_authorize("gtstelecom.ro", "subscriber")) {
>  >             www_challenge("domain", "0");
>  >             break;
>  >         };
>  >         save("location");
>  >         log("Replicating REGISTER\n");
>  >         t_replicate("other", "5060");
>  >     } else {
>  >         save("location");
>  >     };
>  >     break;
>  > } else {
>  >     # this is an INVITE
>  >     if (!proxy_authorize("gtstelecom.ro", "subscriber")) {
>  >         proxy_challenge("domain", "1");
>  >         break;
>  >     };
>  >     # route the call
>  >     ...
>  > };
>  >
>  > İlker Aktuna (Koç.net) wrote:
>  >>
>  >> Hi all,
>  >> 
>  >> Is it possible to prevent any user calling without registering ? What
>  >> is the best way to do this ?
>  >> I guess I'll have to check if the source URI exists in location table.
>  >> What is the easiest way to do this ?
>  >> 
>  >> If there is a more robust way to do it, please suggest...
>  >> 
>  >> Thanks,
>  >> ilker
>  >> 
>  >>
> 
> 
> 
> <http://387555.sigclick.mailinfo.com/sigclick/07090204/04064D07/0701054D/0364151131.jpg>
> _____________________________________________________________________________________________________________________________________________
> Bu e-posta mesaji kisiye ozel olup, gizli bilgiler iceriyor olabilir. 
> Eger bu e-posta mesaji size yanlislikla ulasmissa,  icerigini hic bir 
> sekilde kullanmayiniz ve ekli dosyalari acmayiniz. Bu durumda lutfen 
> e-posta mesajini kullaniciya hemen geri gonderiniz  ve  tum kopyalarini 
> mesaj kutunuzdan siliniz. Bu e-posta mesaji, hic bir sekilde, herhangi 
> bir amac icin cogaltilamaz, yayinlanamaz ve para karsiligi satilamaz.  
> Bu e-posta mesaji viruslere karsi anti-virus sistemleri tarafindan 
> taranmistir. Ancak yollayici, bu e-posta mesajinin - virus koruma 
> sistemleri ile kontrol ediliyor olsa bile - virus icermedigini garanti 
> etmez ve meydana gelebilecek zararlardan dogacak hicbir sorumlulugu 
> kabul etmez.
> This message is intended solely for the use of the individual or entity 
> to whom it is addressed , and may contain confidential  information. If 
> you are not the intended recipient of this message or you receive this 
> mail in error, you should refrain from making any use of the contents 
> and from opening any attachment. In that case, please notify the sender 
> immediately and return the message to the sender, then, delete and 
> destroy all copies. This e-mail message, can not be copied, published or 
> sold for any reason. This e-mail message has been swept by anti-virus 
> systems for the presence of computer viruses. In doing so, however,  
> sender  cannot warrant that virus or other forms of data corruption may 
> not be present and do not take any responsibility in any occurrence.
> _____________________________________________________________________________________________________________________________________________
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Serusers mailing list
> Serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers

More information about the sr-users mailing list