[OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
Jeferson Prevedello
jprevedello at terra.com.br
Mon Aug 27 02:15:01 CEST 2007
Hello DanB,
Thanks!
As DanB´s suggestion, I tried to implement a mechanism that only allowed
authenticated members make calls, but my configuration didn´t function.
This is my first project with openser, therefore I do not have much
experience. If someone know how to help me to implement this verification, I
will be very thankful.
Below, my openser.cfg file:
-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
# ----------- global configuration parameters ------------------------
debug=3
fork=yes
log_stderror=no
log_facility=LOG_LOCAL7
# hostname matching an alias will satisfy the condition uri==myself".
alias=xxx.xxx.xxx.xxx
listen=udp:xxx.xxx.xxx.xxx:5060
# check_via - Turn on or off Via host checking when forwarding replies.
# Default is no. arcane. looks for discrepancy between name and
# ip address when forwarding replies.
check_via=yes
# syn_branch - Shall the server use stateful synonym branches? It is
# faster but not reboot-safe. Default is yes.
syn_branch=yes
# dns - Uses dns to check if it is necessary to add a "received=" field
# to a via. Default is no.
# rev_dns - Same as dns but use reverse DNS.
dns=no
rev_dns=no
port=5060
children=4
# memlog - Debugging level for final memory statistics report. Default
# is L_DBG -- memory statistics are dumped only if debug is set high.
memlog=3
# sip_warning - Should replies include extensive warnings? By default
# yes, it is good for trouble-shooting.
sip_warning=yes
# fifo - FIFO special file pathname
fifo="/tmp/openser_fifo"
# reply_to_via - A hint to reply modules whether they should send reply
# to IP advertised in Via. Turned off by default, which means that
# replies are sent to IP address from which requests came.
reply_to_via=no
# mhomed -- enable calculation of outbound interface; useful on
# multihomed servers.
mhomed=0
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
loadmodule "/usr/lib/openser/modules/mysql.so"
loadmodule "/usr/lib/openser/modules/sl.so"
loadmodule "/usr/lib/openser/modules/tm.so"
loadmodule "/usr/lib/openser/modules/rr.so"
loadmodule "/usr/lib/openser/modules/maxfwd.so"
loadmodule "/usr/lib/openser/modules/usrloc.so"
loadmodule "/usr/lib/openser/modules/registrar.so"
loadmodule "/usr/lib/openser/modules/textops.so"
loadmodule "/usr/lib/openser/modules/nathelper.so"
loadmodule "/usr/lib/openser/modules/acc.so"
loadmodule "/usr/lib/openser/modules/xlog.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "/usr/lib/openser/modules/auth.so"
loadmodule "/usr/lib/openser/modules/auth_db.so"
# ----------------- setting module-specific parameters ---------------
# ------------- usrloc parameters
# 2 enables write-back to persistent mysql storage for speed
# disable=0, write-through=1
modparam("usrloc", "db_mode", 0)
# minimize write back window - default is 60 seconds
modparam("usrloc", "timer_interval", 30)
# ------------- auth parameters
# Uncomment if you are using auth module
modparam("auth_db", "calculate_ha1", yes)
# If you set "calculate_ha1" parameter to yes (which true in this config),
# uncomment also the following parameter)
modparam("auth_db", "password_column", "password")
# ------------- rr parameters
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# ------------- !! Nathelper
modparam("registrar", "nat_flag", 6)
modparam("nathelper", "natping_interval", 30) # Ping interval 30 s
modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT
modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock") #
Nathelper with RTPproxy
# ------------- tm parameters
modparam("tm", "fr_timer", 12)
modparam("tm", "fr_inv_timer", 24)
# ------------- acc parameters
modparam("acc", "db_url", "mysql://openser:openserrw@localhost/openser")
modparam("acc", "db_flag", 2)
modparam("acc", "db_missed_flag", 2)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)
modparam("acc", "log_level", 2) # Set log_level to 2
# Allow no more than 1 contacts per AOR
modparam("registrar", "max_contacts", 3)
# ------------------------- request routing logic -------------------
# main routing logic
route{
if (!mf_process_maxfwd_header("10"))
{
sl_send_reply("483","Too Many Hops");
exit;
};
if (msg:len >= 2048 )
{
sl_send_reply("513", "Message too big");
exit;
};
# < Acconting >
if (method=="INVITE")
{
log(1, "Generate call - START\n");
setflag(1); /* set for accounting (the same value as in
log_flag!) */
setflag(2);
};
if (method=="BYE")
{
log (1, "Hung-up \n");
setflag(1);
};
if (method=="CANCEL")
{
log (1, "Lost call \n");
setflag(1);
}
if (!method=="REGISTER")
record_route();
if (nat_uac_test("3"))
{
# Allow RR-ed requests, as these may indicate that
# a NAT-enabled proxy takes care of it; unless it is
# a REGISTER
if (method == "REGISTER" || ! search("^Record-Route:"))
{
log(1,"LOG: Someone trying to register from private IP,
rewriting\n");
# This will work only for user agents that support
symmetric
# communication. We tested quite many of them and
majority is
# smart enough to be symmetric. In some phones it takes
a configuration
# option. With Cisco 7960, it is called NAT_Enable=Yes,
with kphone it is
# called "symmetric media" and "symmetric signalling".
fix_nated_contact(); # Rewrite contact with source IP of
signalling
force_rport(); # Add rport parameter to topmost
Via
setflag(6); # Mark as NATed
};
};
# subsequent messages withing a dialog should take the
# path determined by record-routing
if (loose_route())
{
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
route(1);
};
if (!uri==myself)
{
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
route(1);
};
# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri==myself)
{
if (method=="REGISTER")
{
# Uncomment this if you want to use digest authentication
if (!www_authorize("xxx.xxx.xxx.xxx", "subscriber"))
{
www_challenge("xxx.xxx.xxx.xxx", "0");
return;
};
save("location");
return;
};
lookup("aliases");
if (!uri==myself)
{
append_hf("P-hint: outbound alias\r\n");
route(1);
return;
};
# Router Cisco if not sip branche
log(1,"LOG: testando se destino-sip e' 418x ...\n");
if ( ! ( uri =~ "^sip:418[1-9].*" ) &&
! ( uri =~ "^sip:4397"))
{
log(1,"LOG: destino-sip not is 418x .\n");
route(2);
log(1,"LOG: rewriting hostport yyy.yyy.yyy.yyy:5060...\n");
rewritehostport("yyy.yyy.yyy.yyy:5060");
log(1,"LOG: t_relay...\n");
t_relay();
log(1,"LOG: break...\n");
return;
}
log(1,"LOG: destino-sip 418x, continue .\n");
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location"))
{
sl_send_reply("404", "Not Found");
return;
};
};
append_hf("P-hint: usrloc applied\r\n");
route(1);
}
#######################################
route[1]
{
# !! Nathelper
if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" &&
!search("^Route:"))
{
sl_send_reply("479", "We don't forward to private IP
addresses");
return;
};
# if client or server know to be behind a NAT, enable relay
if (isflagset(6))
{
force_rtp_proxy();
t_on_reply("1");
append_hf("P-Behind-NAT: Yes\r\n");
};
if (!t_relay())
{
sl_reply_error();
return;
};
}
# !! Nathelper
onreply_route[1]
{
# NATed transaction ?
if (isflagset(6) && status =~ "(183)|2[0-9][0-9]")
{
fix_nated_contact();
force_rtp_proxy();
}
else if (nat_uac_test("1"))
{
fix_nated_contact();
};
}
#######################################
route[2] {
### Dial Plan for gateway VoIP ###
# Sao Paulo 11
if ( uri =~ "^sip:9911.*" )
{
log(1,"LOG: destination is 9911x, change prefix...");
strip(4);
prefix("011");
return;
}
# Error (Number inexistent)
sl_reply_error();
}
-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
Regards
Jeferson
----- Original Message -----
From: "Dan-Cristian Bogos" <dan.bogos at gmail.com>
To: "Jeferson Prevedello" <jprevedello at terra.com.br>
Cc: <users at openser.org>
Sent: Saturday, August 25, 2007 3:06 PM
Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
> Hello Jeferson,
>
> it all depends on your openser.cfg.
> If you put in there that all the INVITE-s should be authenticated, your
> users will not be able anymore to call without having a valid user and
> password for your server. Note that by default openser will not do any
> check for you, in order to keep the flexibility of be used in
> different environment setups.
>
> Cheers,
> DanB
>
> On 8/25/07, Jeferson Prevedello <jprevedello at terra.com.br> wrote:
>>
>>
>> Hello,
>>
>> I implemented an environment using to openser + mysql. The enviroment
>> functions perfectly, however I perceived that users (branches) not
>> registered in mysql are generating called.
>>
>> I installed the X-lite softphone in my computer trying to reproduce the
>> situation.
>> In the properties of configuration of the X-lite, "field Password" I type
>> "trash" as password (wrong password).
>>
>> The display of X-lite showed the following message: "Registration error:
>> 401
>> - Unauthorized".
>>
>> In the contacts drawer I add a contact (double click on the new contact),
>> and the call was generate without restriction (very bad).
>>
>> Some idea of as I solve this problem?
>>
>> Thanks
>>
>> Regards
>> Jeferson
>>
>> _______________________________________________
>> Users mailing list
>> Users at openser.org
>> http://openser.org/cgi-bin/mailman/listinfo/users
>>
>>
>
More information about the sr-users
mailing list