[Serusers] prevent INVITE without REGISTERing

Miklos Tirpak miklos at iptel.org
Wed Jul 12 17:45:06 CEST 2006


İlker Aktuna (Koç.net) wrote:
> 
> 
> 
> Thanks,
> 
> That configuration is accepted but now my "registered" client is denied 
> at both following lines:
> 
> if (!lookup_user("From")) {

Check if the From HF is the same in the INVITE as the To HF in the
REGISTER, and check the uri table in your database.

> if ((!avp_equals_xl("$registered_host", "%si") || 
> !avp_equals_xl("$registered_port", "%sp"))) {
> 
> How can I print $registered_host to log ?

xlog("L_ERR", "registered_host = %$registered_host \n");

> I can print %si with xlog().

I guess
xlog("L_ERR", "src ip = %si \n");

Miklos

> 
> Thanks,
> ilker
> 
> 
> -----Original Message-----
> From: Miklos Tirpak [mailto:miklos at iptel.org]
> Sent: Wednesday, July 12, 2006 4:01 PM
> To: İlker Aktuna (Koç.net)
> Cc: serusers at iptel.org
> Subject: Re: [Serusers] prevent INVITE without REGISTERing
> 
> İlker Aktuna (Koç.net) wrote:
>  >
>  >
>  > Thanks Miklos,
>  >
>  > I think this is just what I'm looking for.
>  > But I get some errors for this line:
>  > if ((src_ip != @ruri.host) || (src_port != @ruri.port)) {
> 
> You can access src_ip and src_port via xl_lib:
> 
> $registered_host = @ruri.host;
> $registered_port = @ruri.port;
> 
> if ((!avp_equals_xl("$registered_host", "%si"))
> || (!avp_equals_xl("$registered_port", "%sp"))) {
> ...
> 
> Miklos
> 
>  >
>  >  0(30074) parse error (175,16-17): syntax error
>  >  0(30074) parse error (175,16-17): ip address or hostname expected
>  >  0(30074) parse error (175,16-17): bad command
>  >  0(30074) parse error (175,21-22): bad command
>  >  0(30074) parse error (175,21-22): bad command
>  >  0(30074) parse error (175,26-27): bad command
>  >  0(30074) parse error (175,26-27): bad command
>  >  0(30074) parse error (175,28-30): bad command
>  >  0(30074) parse error (175,31-32): bad command
>  >  0(30074) parse error (175,32-40): bad command
>  >  0(30074) parse error (175,41-43): bad command
>  >  0(30074) parse error (175,44-45): bad command
>  >  0(30074) parse error (175,49-50): bad command
>  >  0(30074) parse error (175,49-50): bad command
>  >  0(30074) parse error (175,54-55): bad command
>  >  0(30074) parse error (175,54-55): bad command
>  >  0(30074) parse error (175,55-56): bad command
>  >  0(30074) parse error (175,57-58): bad command
>  >
>  > Any idea why ?
>  >
>  > Thanks,
>  > ilker
>  >
>  > -----Original Message-----
>  > From: Miklos Tirpak [mailto:miklos at iptel.org]
>  > Sent: Wednesday, July 12, 2006 11:58 AM
>  > To: İlker Aktuna (Koç.net)
>  > Cc: serusers at iptel.org
>  > Subject: Re: [Serusers] prevent INVITE without REGISTERing
>  >
>  > Hi Ilker,
>  >
>  > just my first idea, not tested:
>  >
>  >
>  > 1. lookup the From HF
>  >
>  > if (!lookup_user("From")) {
>  >         # reject the INVITE
>  >         ...
>  > }
>  >
>  > 2. save original To UID and Request URI
>  >
>  > $orig_to_uid = $tu.uid;
>  > $orig_req_uri = @ruri;
>  >
>  > 3. set To UID -- registrar module will use this in the lookup
>  >
>  > $tu.uid = $fu.uid;
>  >
>  > 4. lookup From HF and compare the source address of the INVITE with
>  > the source address of the REGISTER message
>  >
>  > if (lookup("location")) {
>  >         if ((src_ip != @ruri.host) || (src_port != @ruri.port)) {
>  >                 # reject the INVITE
>  >                 ...
>  >         }
>  >         # restore original To UID and Request URI
>  >         $tu.uid = $orig_to_uid;
>  >         attr2uri("$orig_req_uri");
>  > } else {
>  >         # reject the INVITE
>  >         ...
>  > }
>  >
>  > Note that the above solution is a bit ugly; you can get into trouble
>  > when the user registers multiple contact addresses. It is better to
>  > disable branches (see append_branches parameter in registrar module),
>  > but you lose some functionality.
>  >
>  > Regards,
>  > Miklos
>  >
>  > İlker Aktuna (Koç.net) wrote:
>  >  >
>  >  > Hi everyone,
>  >  >
>  >  > I am still trying to find a solution to this problem. (but couldn't
>  >  > find yet)
>  >  > Victor was trying to help me but I think he's not able to reply
>  >  > these days.
>  >  >
>  >  > Is there any idea to achieve what I need?
>  >  >
>  >  > Thanks,
>  >  > ilker
>  >  >
>  >  >
>  >  > ------------------------------------------------------------------------
>  >  > *From:* serusers-bounces at lists.iptel.org
>  >  > [mailto:serusers-bounces at lists.iptel.org] *On Behalf Of* İlker Aktuna (Koç.net)
>  >  > *Sent:* Tuesday, July 11, 2006 1:41 PM
>  >  > *To:* Victor Stanescu
>  >  > *Cc:* serusers at iptel.org
>  >  > *Subject:* RE: [Serusers] prevent INVITE without REGISTERing
>  >  >
>  >  > Hi,
>  >  >
>  >  > What if my proxy does not handle authenticating INVITE messages ?
>  >  >
>  >  > In that case I think the best way is to lookup location table for the
>  >  > source URI.
>  >  > If the source URI location matches the location in that table then we
>  >  > must permit INVITE message.
>  >  > How can I configure this ?
>  >  >
>  >  > Thanks,
>  >  > ilker
>  >  >
>  >  > -----Original Message-----
>  >  > From: serusers-bounces at lists.iptel.org
>  >  > [mailto:serusers-bounces at lists.iptel.org] On Behalf Of Victor Stanescu
>  >  > Sent: Monday, July 10, 2006 1:49 PM
>  >  > Cc: serusers at iptel.org
>  >  > Subject: Re: [Serusers] prevent INVITE without REGISTERing
>  >  >
>  >  > Please read "domain" instead of "gtstelecom.ro":
>  >  > www_authorize("domain",
>  >  > "subscriber") and proxy_authorize("domain", "subscriber"), otherwise
>  >  > the code fragment will not be correct. I forgot to replace with a
>  >  > generic name.
>  >  >
>  >  > Victor Stanescu wrote:
>  >  >  > I think it is easier to force him to authenticate the INVITE. If he
>  >  >  > is able to authenticate the INVITE, why do you care if he is
>  >  >  > registered or not?
>  >  >  >
>  >  >  > if (method=="REGISTER") {
>  >  >  >     if(!src_ip=="other") {
>  >  >  >         if (!www_authorize("gtstelecom.ro", "subscriber")) {
>  >  >  >             www_challenge("domain", "0");
>  >  >  >             break;
>  >  >  >         };
>  >  >  >         save("location");
>  >  >  >         log("Replicating REGISTER\n");
>  >  >  >         t_replicate("other", "5060");
>  >  >  >     } else {
>  >  >  >         save("location");
>  >  >  >     };
>  >  >  >     break;
>  >  >  > } else {
>  >  >  >     # this is an INVITE
>  >  >  >     if (!proxy_authorize("gtstelecom.ro", "subscriber")) {
>  >  >  >         proxy_challenge("domain", "1");
>  >  >  >         break;
>  >  >  >     };
>  >  >  >     # route the call
>  >  >  >     ...
>  >  >  > };
>  >  >  >
>  >  >  > İlker Aktuna (Koç.net) wrote:
>  >  >  >>
>  >  >  >> Hi all,
>  >  >  >>
>  >  >  >> Is it possible to prevent any user calling without registering ?
>  >  >  >> What is the best way to do this ?
>  >  >  >> I guess I'll have to check if the source URI exists in location table.
>  >  >  >> What is the easiest way to do this ?
>  >  >  >>
>  >  >  >> If there is a more robust way to do it, please suggest...
>  >  >  >>
>  >  >  >> Thanks,
>  >  >  >> ilker
>  >  >  >>
>  >  >  >>
>  >  >
>  >  >
>  >  >
> 
> 
> 
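
Added example, not part of the thread and not SER code: a small Python model of the check discussed above (accept an INVITE only when its source address matches a contact registered for the From user), showing why comparing against a single contact fails once a user registers several. The location table, addresses and function names are constructed for illustration; the single-contact function assumes that one lookup result ends up in the Request-URI while the others become branches.

```python
# Added illustration, not SER code: models the "INVITE source must match a
# registered contact" check. Every name and address below is constructed.
import re
from typing import NamedTuple

class Endpoint(NamedTuple):
    ip: str
    port: int

# Constructed stand-in for the registrar's location table: AoR -> contact URIs.
LOCATION = {
    "sip:alice@example.test": ["sip:alice@192.0.2.10:5062", "sip:alice@192.0.2.20"],
    "sip:bob@example.test": ["sip:bob@198.51.100.7:5060"],
}

_CONTACT = re.compile(r"^sip:(?:[^@]+@)?(?P<host>[^:;>]+)(?::(?P<port>\d+))?")

def contact_endpoint(uri: str) -> Endpoint:
    """Host and port of a sip: contact URI; a missing port means 5060."""
    m = _CONTACT.match(uri)
    if m is None:
        raise ValueError(f"unparseable contact: {uri!r}")
    return Endpoint(m.group("host"), int(m.group("port") or 5060))

def matches_first_contact(from_aor: str, src: Endpoint) -> bool:
    """Compare against a single contact only (assumption: one lookup result
    lands in the Request-URI and the other contacts become branches)."""
    contacts = LOCATION.get(from_aor, [])
    return bool(contacts) and contact_endpoint(contacts[0]) == src

def matches_any_contact(from_aor: str, src: Endpoint) -> bool:
    """Accept the INVITE if its source equals any registered contact."""
    return any(contact_endpoint(c) == src for c in LOCATION.get(from_aor, []))

if __name__ == "__main__":
    second_device = Endpoint("192.0.2.20", 5060)
    print(matches_first_contact("sip:alice@example.test", second_device))
    print(matches_any_contact("sip:alice@example.test", second_device))
```

The model compares against the contact URI only, as the thread does; it does not handle IPv6 literals or sips: URIs.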


