[Serusers] prevent INVITE without REGISTERing
Miklos Tirpak
miklos at iptel.org
Wed Jul 12 17:45:06 CEST 2006
İlker Aktuna (Koç.net) wrote:
>
>
>
> Thanks,
>
> That configuration is accepted but now my "registered" client is denied
> at both following lines:
>
> if (!lookup_user("From")) {

Check if the From HF is the same in the INVITE as the To HF in the
REGISTER, and check the uri table in your database.

> if ((!avp_equals_xl("$registered_host", "%si") ||
> !avp_equals_xl("$registered_port", "%sp"))) {
>
> How can I print $registered_host to log ?

xlog("L_ERR", "registered_host = %$registered_host \n");

> I can print %si with xlog().

I guess
xlog("L_ERR", "src ip = %si \n");

Miklos
>
> Thanks,
> ilker
>
>
> -----Original Message-----
> From: Miklos Tirpak [mailto:miklos at iptel.org]
> Sent: Wednesday, July 12, 2006 4:01 PM
> To: İlker Aktuna (Koç.net)
> Cc: serusers at iptel.org
> Subject: Re: [Serusers] prevent INVITE without REGISTERing
>
> İlker Aktuna (Koç.net) wrote:
> >
> >
> > Thanks Miklos,
> >
> > I think this is just what I'm looking for.
> > But I get some errors for this line:
> > if ((src_ip != @ruri.host) || (src_port != @ruri.port)) {
>
> You can access src_ip and src_port via xl_lib:
>
> $registered_host = @ruri.host;
> $registered_port = @ruri.port;
>
> if ((!avp_equals_xl("$registered_host", "%si"))
> || (!avp_equals_xl("$registered_port", "%sp"))) {
> ...
>
> Miklos
>
> >
> > 0(30074) parse error (175,16-17): syntax error
> > 0(30074) parse error (175,16-17): ip address or hostname expected
> > 0(30074) parse error (175,16-17): bad command
> > 0(30074) parse error (175,21-22): bad command
> > 0(30074) parse error (175,21-22): bad command
> > 0(30074) parse error (175,26-27): bad command
> > 0(30074) parse error (175,26-27): bad command
> > 0(30074) parse error (175,28-30): bad command
> > 0(30074) parse error (175,31-32): bad command
> > 0(30074) parse error (175,32-40): bad command
> > 0(30074) parse error (175,41-43): bad command
> > 0(30074) parse error (175,44-45): bad command
> > 0(30074) parse error (175,49-50): bad command
> > 0(30074) parse error (175,49-50): bad command
> > 0(30074) parse error (175,54-55): bad command
> > 0(30074) parse error (175,54-55): bad command
> > 0(30074) parse error (175,55-56): bad command
> > 0(30074) parse error (175,57-58): bad command
> >
> > Any idea why ?
> >
> > Thanks,
> > ilker
> >
> > -----Original Message-----
> > From: Miklos Tirpak [mailto:miklos at iptel.org]
> > Sent: Wednesday, July 12, 2006 11:58 AM
> > To: İlker Aktuna (Koç.net)
> > Cc: serusers at iptel.org
> > Subject: Re: [Serusers] prevent INVITE without REGISTERing
> >
> > Hi Ilker,
> >
> > just my first idea, not tested:
> >
> >
> > 1. lookup the From HF
> >
> > if (!lookup_user("From")) {
> >     # reject the INVITE
> >     ...
> > }
> >
> > 2. save original To UID and Request URI
> >
> > $orig_to_uid = $tu.uid;
> > $orig_req_uri = @ruri;
> >
> > 3. set To UID -- registrar module will use this in the lookup
> >
> > $tu.uid = $fu.uid;
> >
> > 4. lookup From HF and compare the source address of the INVITE with
> > the source address of the REGISTER message
> >
> > if (lookup("location")) {
> >     if ((src_ip != @ruri.host) || (src_port != @ruri.port)) {
> >         # reject the INVITE
> >         ...
> >     }
> >     # restore original To UID and Request URI
> >     $tu.uid = $orig_to_uid;
> >     attr2uri("$orig_req_uri");
> > } else {
> >     # reject the INVITE
> >     ...
> > }
> >
> > Note that the above solution is a bit ugly, you can get into trouble
> > when the user registers multiple contact addresses. It is better to
> > disable branches (see append_branches parameter in registrar module),
> > but you lose some functionality.
> >
> > Regards,
> > Miklos
> >
> > İlker Aktuna (Koç.net) wrote:
> > >
> > > Hi everyone,
> > >
> > > I am still trying to find a solution to this problem. (but couldn't
> > > find yet)
> > > Victor was trying to help me but I think he's not able to reply
> > > these days.
> > >
> > > Is there any idea to achieve what I need.
> > >
> > > Thanks,
> > > ilker
> > >
> > >
> > > ------------------------------------------------------------------------
> > > *From:* serusers-bounces at lists.iptel.org
> > > [mailto:serusers-bounces at lists.iptel.org] *On Behalf Of* İlker Aktuna (Koç.net)
> > > *Sent:* Tuesday, July 11, 2006 1:41 PM
> > > *To:* Victor Stanescu
> > > *Cc:* serusers at iptel.org
> > > *Subject:* RE: [Serusers] prevent INVITE without REGISTERing
> > >
> > > Hi,
> > >
> > > What if my proxy does not handle authenticating INVITE messages ?
> > >
> > > In that case I think the best way is to lookup location table for
> > > the source URI.
> > > If the source URI location matches the location in that table then
> > > we must permit INVITE message.
> > > How can I configure this ?
> > >
> > > Thanks,
> > > ilker
> > >
> > > -----Original Message-----
> > > From: serusers-bounces at lists.iptel.org
> > > [mailto:serusers-bounces at lists.iptel.org] On Behalf Of Victor Stanescu
> > > Sent: Monday, July 10, 2006 1:49 PM
> > > Cc: serusers at iptel.org
> > > Subject: Re: [Serusers] prevent INVITE without REGISTERing
> > >
> > > Please read "domain" instead of "gtstelecom.ro":
> > > www_authorize("domain", "subscriber") and
> > > proxy_authorize("domain", "subscriber"), otherwise the code
> > > fragment will not be correct. I forgot to replace with a generic name.
> > >
> > > Victor Stanescu wrote:
> > > > I think it is easier to force him to authenticate the INVITE. If
> > > > he is able to authenticate the INVITE, why do you care if he is
> > > > registered or not?
> > > >
> > > > if (method=="REGISTER") {
> > > >     if(!src_ip=="other") {
> > > >         if (!www_authorize("gtstelecom.ro", "subscriber")) {
> > > >             www_challenge("domain", "0");
> > > >             break;
> > > >         };
> > > >         save("location");
> > > >         log("Replicating REGISTER\n");
> > > >         t_replicate("other", "5060");
> > > >     } else {
> > > >         save("location");
> > > >     };
> > > >     break;
> > > > } else {
> > > >     # this is an INVITE
> > > >     if (!proxy_authorize("gtstelecom.ro", "subscriber")) {
> > > >         proxy_challenge("domain", "1");
> > > >         break;
> > > >     };
> > > >     # route the call
> > > >     ...
> > > > };
> > > >
> > > > İlker Aktuna (Koç.net) wrote:
> > > >>
> > > >> Hi all,
> > > >>
> > > > >> Is it possible to prevent any user calling without registering ?
> > > > >> What is the best way to do this ?
> > > > >> I guess I'll have to check if the source URI exists in location
> > > > >> table.
> > > >> What is the easiest way to do this ?
> > > >>
> > > >> If there is a more robust way to do it, please suggest...
> > > >>
> > > >> Thanks,
> > > >> ilker
> > > >>
> > > >>
> > >
> > >
> > >
>
>
>
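
Added example (not part of the thread and not SER configuration): a Python model of the check discussed above, comparing the INVITE's source IP and port with every live Contact binding of the From user, so the multiple-contact case the thread warns about is covered. The `Binding` type, the `LOCATION` table and the function names are assumptions made for illustration; the sample bindings are constructed.

```python
import re
from dataclasses import dataclass

DEFAULT_SIP_PORT = 5060  # used when the Contact URI carries no explicit port


@dataclass(frozen=True)
class Binding:
    contact: str     # Contact URI stored when the REGISTER was saved
    expires_at: int  # absolute expiry time in seconds


_URI_RE = re.compile(
    r"^sips?:(?:[^@]*@)?(?P<host>\[[0-9A-Fa-f:]+\]|[^:;?>]+)"
    r"(?::(?P<port>\d+))?(?:[;?].*)?$"
)


def contact_hostport(uri):
    """Return (host, port) of a SIP URI, or None if it does not parse."""
    m = _URI_RE.match(uri.strip().strip("<>"))
    if not m:
        return None
    return m.group("host").lower(), int(m.group("port") or DEFAULT_SIP_PORT)


def invite_allowed(location, from_aor, src_ip, src_port, now):
    """Allow an INVITE only if its source matches a live binding of the From user.

    Every binding is checked, not just the first one, so a user with
    several registered contacts is not rejected by accident.
    """
    for binding in location.get(from_aor.lower(), []):
        if binding.expires_at <= now:
            continue  # expired binding counts as "not registered"
        if contact_hostport(binding.contact) == (src_ip.lower(), src_port):
            return True
    return False


# Constructed sample location table (RFC 5737 documentation addresses).
LOCATION = {
    "sip:alice@example.com": [
        Binding("sip:alice@192.0.2.10:5062", expires_at=2000),
        Binding("sip:alice@192.0.2.20", expires_at=2000),      # no port -> 5060
        Binding("sip:alice@192.0.2.30:5060", expires_at=900),  # expired at now=1000
    ],
}
```

The comparison is textual, so a binding whose Contact carries a hostname instead of an IP address never matches a source IP.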