[OpenSER-Users] Unauthorized Calls - [Openser - X-lite]

Jeferson Prevedello jprevedello at terra.com.br
Mon Aug 27 02:15:01 CEST 2007


Hello DanB,

Thanks!

As per DanB's suggestion, I tried to implement a mechanism that only allows
authenticated members to make calls, but my configuration didn't function.

This is my first project with openser, therefore I do not have much
experience. If someone knows how to help me implement this verification, I
will be very thankful.

Below is my openser.cfg file:

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x


# ----------- global configuration parameters ------------------------

debug=3
fork=yes
log_stderror=no
log_facility=LOG_LOCAL7

# hostname matching an alias will satisfy the condition "uri==myself".
alias=xxx.xxx.xxx.xxx
listen=udp:xxx.xxx.xxx.xxx:5060

# check_via - Turn on or off Via host checking when forwarding replies.
# Default is no. arcane. looks for discrepancy between name and
# ip address when forwarding replies.
check_via=yes

# syn_branch - Shall the server use stateful synonym branches? It is
# faster but not reboot-safe. Default is yes.
syn_branch=yes

# dns - Uses dns to check if it is necessary to add a "received=" field
# to a via. Default is no.
# rev_dns - Same as dns but use reverse DNS.
dns=no
rev_dns=no
port=5060
children=4

# memlog - Debugging level for final memory statistics report. Default
# is L_DBG -- memory statistics are dumped only if debug is set high.
memlog=3

# sip_warning - Should replies include extensive warnings? By default
# yes, it is good for trouble-shooting.
sip_warning=yes

# fifo - FIFO special file pathname
fifo="/tmp/openser_fifo"

# reply_to_via - A hint to reply modules whether they should send reply
# to IP advertised in Via. Turned off by default, which means that
# replies are sent to IP address from which requests came.
reply_to_via=no

# mhomed -- enable calculation of outbound interface; useful on
# multihomed servers.
mhomed=0

# ------------------ module loading ----------------------------------

# Uncomment this if you want to use SQL database
loadmodule "/usr/lib/openser/modules/mysql.so"
loadmodule "/usr/lib/openser/modules/sl.so"
loadmodule "/usr/lib/openser/modules/tm.so"
loadmodule "/usr/lib/openser/modules/rr.so"
loadmodule "/usr/lib/openser/modules/maxfwd.so"
loadmodule "/usr/lib/openser/modules/usrloc.so"
loadmodule "/usr/lib/openser/modules/registrar.so"
loadmodule "/usr/lib/openser/modules/textops.so"
loadmodule "/usr/lib/openser/modules/nathelper.so"
loadmodule "/usr/lib/openser/modules/acc.so"
loadmodule "/usr/lib/openser/modules/xlog.so"

# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "/usr/lib/openser/modules/auth.so"
loadmodule "/usr/lib/openser/modules/auth_db.so"

# ----------------- setting module-specific parameters ---------------

# ------------- usrloc parameters

# 2 enables write-back to persistent mysql storage for speed
# disable=0, write-through=1
modparam("usrloc", "db_mode", 0)

# minimize write back window - default is 60 seconds
modparam("usrloc", "timer_interval", 30)

# ------------- auth parameters

# Uncomment if you are using auth module
modparam("auth_db", "calculate_ha1", yes)

# If you set the "calculate_ha1" parameter to yes (which is true in this
# config), also set the following parameter
modparam("auth_db", "password_column", "password")

# ------------- rr parameters

# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# ------------- !! Nathelper

modparam("registrar", "nat_flag", 6)
modparam("nathelper", "natping_interval", 30) # Ping interval 30 s
modparam("nathelper", "ping_nated_only", 1)   # Ping only clients behind NAT
modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock")   # Nathelper with RTPproxy

# ------------- tm parameters

modparam("tm", "fr_timer", 12)
modparam("tm", "fr_inv_timer", 24)

# -------------  acc parameters

modparam("acc", "db_url", "mysql://openser:openserrw@localhost/openser")
modparam("acc", "db_flag", 2)
modparam("acc", "db_missed_flag", 2)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)
modparam("acc", "log_level", 2)   # Set log_level to 2

# Allow no more than 3 contacts per AOR
modparam("registrar", "max_contacts", 3)

# -------------------------  request routing logic -------------------

# main routing logic

route{

    if (!mf_process_maxfwd_header("10"))
    {
        sl_send_reply("483","Too Many Hops");
        exit;
    };

    if (msg:len >= 2048)
    {
        sl_send_reply("513", "Message too big");
        exit;
    };

    # < Accounting >
    if (method=="INVITE")
    {
        log(1, "Generate call - START\n");
        setflag(1); /* set for accounting (the same value as in log_flag!) */
        setflag(2); /* set for database accounting (the same value as in db_flag) */
    };

    if (method=="BYE")
    {
        log(1, "Hung-up \n");
        setflag(1);
    };

    if (method=="CANCEL")
    {
        log(1, "Lost call \n");
        setflag(1);
    };

    if (!method=="REGISTER")
        record_route();

    if (nat_uac_test("3"))
    {
        # Allow RR-ed requests, as these may indicate that
        # a NAT-enabled proxy takes care of it; unless it is
        # a REGISTER
        if (method == "REGISTER" || ! search("^Record-Route:"))
        {
            log(1,"LOG: Someone trying to register from private IP, rewriting\n");

            # This will work only for user agents that support symmetric
            # communication. We tested quite many of them and the majority
            # is smart enough to be symmetric. In some phones it takes a
            # configuration option. With Cisco 7960, it is called
            # NAT_Enable=Yes, with kphone it is called "symmetric media"
            # and "symmetric signalling".

            fix_nated_contact(); # Rewrite contact with source IP of signalling
            force_rport();       # Add rport parameter to topmost Via
            setflag(6);          # Mark as NATed
        };
    };

    # subsequent messages within a dialog should take the
    # path determined by record-routing
    if (loose_route())
    {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        route(1);
    };

    if (!uri==myself)
    {
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        route(1);
    };

    # requests for our own domain are resolved through UsrLoc
    # (if it does not work, use the following commands
    # with proper names and addresses in them)
    if (uri==myself)
    {
        if (method=="REGISTER")
        {
            # digest authentication is applied to REGISTER only
            if (!www_authorize("xxx.xxx.xxx.xxx", "subscriber"))
            {
                www_challenge("xxx.xxx.xxx.xxx", "0");
                return;
            };
            save("location");
            return;
        };

        lookup("aliases");
        if (!uri==myself)
        {
            append_hf("P-hint: outbound alias\r\n");
            route(1);
            return;
        };

        # route to the Cisco gateway if the destination is not a SIP branch
        log(1,"LOG: testando se destino-sip e' 418x ...\n");

        if ( ! ( uri =~ "^sip:418[1-9].*" ) &&
             ! ( uri =~ "^sip:4397"))
        {
            log(1,"LOG: destino-sip not is 418x .\n");
            route(2);

            log(1,"LOG: rewriting hostport yyy.yyy.yyy.yyy:5060...\n");
            rewritehostport("yyy.yyy.yyy.yyy:5060");
            log(1,"LOG: t_relay...\n");
            t_relay();

            log(1,"LOG: break...\n");
            return;
        };
        log(1,"LOG: destino-sip  418x, continue .\n");

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location"))
        {
            sl_send_reply("404", "Not Found");
            return;
        };
    };

    append_hf("P-hint: usrloc applied\r\n");
    route(1);
}

#######################################

route[1]
{
    # !! Nathelper
    if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" && !search("^Route:"))
    {
        sl_send_reply("479", "We don't forward to private IP addresses");
        exit;
    };

    # if client or server are known to be behind a NAT, enable relay
    if (isflagset(6))
    {
        force_rtp_proxy();
        t_on_reply("1");
        append_hf("P-Behind-NAT: Yes\r\n");
    };

    # stateful forward; exit here so the main route does not fall
    # through after route(1) returns and relay the request a second time
    if (!t_relay())
    {
        sl_reply_error();
    };
    exit;
}

# !! Nathelper
onreply_route[1]
{
    # NATed transaction ?
    if (isflagset(6) && status =~ "(183)|2[0-9][0-9]")
    {
        fix_nated_contact();
        force_rtp_proxy();
    }
    else if (nat_uac_test("1"))
    {
        fix_nated_contact();
    };
}

#######################################

route[2] {

    ### Dial Plan for VoIP gateway ###

    # Sao Paulo 11
    if ( uri =~ "^sip:9911.*" )
    {
        log(1,"LOG: destination is 9911x, change prefix...");
        strip(4);
        prefix("011");
        return;
    };

    # Error (number does not exist): reply and stop here, otherwise the
    # caller in route{} would still rewrite the host and relay the request
    sl_reply_error();
    exit;
}

-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x

Regards
Jeferson
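In the configuration above only REGISTER is challenged (www_authorize); an INVITE from X-lite is never asked for credentials, so the wrong password has no effect on call setup. The fragment below, an added example and not part of the poster's config, adds the check DanB describes to route{}, placed after the loose_route() block (in-dialog requests already carry a Route set) and before "if (!uri==myself)", so it runs before route(1) or route(2) can relay the call to the gateway. It assumes the uri_db module provides check_from() in this OpenSER version and reuses the placeholder realm xxx.xxx.xxx.xxx from the config.

```cfg
# Added example (not from the original post): require digest authentication
# on INVITEs from local subscribers before any routing decision is made.
# Assumption: check_from() comes from the uri_db module in this OpenSER
# version; load it next to auth.so and auth_db.so in the module section.
loadmodule "/usr/lib/openser/modules/uri_db.so"

# Place this block in route{} after the loose_route() block and before
# "if (!uri==myself)".
if (method=="INVITE" && from_uri==myself)
{
    # no Proxy-Authorization, or one that does not verify against the
    # subscriber table: send a 407 challenge and stop processing
    if (!proxy_authorize("xxx.xxx.xxx.xxx", "subscriber"))
    {
        proxy_challenge("xxx.xxx.xxx.xxx", "0");
        exit;
    };

    # the authenticated username must match the From URI, otherwise one
    # valid account could place calls with another subscriber's caller ID
    if (!check_from())
    {
        sl_send_reply("403", "Forbidden: From does not match credentials");
        exit;
    };

    # remove the Proxy-Authorization header so the credentials are not
    # forwarded to the gateway or to the callee
    consume_credentials();
};
```

With this in place an X-lite configured with a wrong password receives 407 on its INVITE instead of having the call relayed, and accounting (setflag(1)) still records only calls that passed the check.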





----- Original Message ----- 
From: "Dan-Cristian Bogos" <dan.bogos at gmail.com>
To: "Jeferson Prevedello" <jprevedello at terra.com.br>
Cc: <users at openser.org>
Sent: Saturday, August 25, 2007 3:06 PM
Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]


> Hello Jeferson,
>
> it all depends on your openser.cfg.
> If you put in there that all the INVITE-s should be authenticated, your
> users will not be able anymore to call without having a valid user and
> password for your server. Note that by default openser will not do any
> check for you, in order to keep the flexibility of being used in
> different environment setups.
>
> Cheers,
> DanB
>
> On 8/25/07, Jeferson Prevedello <jprevedello at terra.com.br> wrote:
>>
>>
>> Hello,
>>
>> I implemented an environment using openser + mysql. The environment
>> functions perfectly, however I perceived that users (branches) not
>> registered in mysql are generating calls.
>>
>> I installed the X-lite softphone on my computer trying to reproduce the
>> situation.
>>
>> In the X-lite configuration properties, in the "Password" field I typed
>> "trash" as the password (a wrong password).
>>
>> The display of X-lite showed the following message: "Registration error:
>> 401 - Unauthorized".
>>
>> In the contacts drawer I added a contact (double click on the new contact),
>> and the call was generated without restriction (very bad).
>>
>> Any idea how I can solve this problem?
>>
>> Thanks
>>
>> Regards
>> Jeferson
>>
>> _______________________________________________
>> Users mailing list
>> Users at openser.org
>> http://openser.org/cgi-bin/mailman/listinfo/users
>>
>>
> 




