[OpenSER-Users] Unauthorized Calls - [Openser - X-lite]

Jeferson Prevedello jprevedello at terra.com.br
Mon Aug 27 17:26:42 CEST 2007


Hello DanB,


More a problem ! :-(

I apply the following configuration in my openser.cfg:

        if (method=="INVITE")
        {
                if (!proxy_authorize("", "subscriber"))
                {
                  proxy_challenge("","0");
                  exit;
                }
        };

I perceived that with the configuration above 'only' registered users can 
generate called, however I not receive more called originated through of 
PSTN
or of any branch of PBX. I believe these calls are deny because the source 
(PSTN - Branches) not are registering in the openser server.

Is possible to apply the configuration above only for calls 'originated' 
from openser ?

Thanks !

Regards
Jeferson


----- Original Message ----- 
From: "Dan-Cristian Bogos" <dan.bogos at gmail.com>
To: "Jeferson Prevedello" <jprevedello at terra.com.br>
Cc: <users at openser.org>
Sent: Monday, August 27, 2007 8:35 AM
Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]


Hello Jeferson,

Your configuration looks a bit messy, if I were OpenSER I would also
refuse it. :).

I would suggest taking a more standard configuration (u can find many
examples on this location:
http://openser.svn.sourceforge.net/viewvc/openser/branches/1.2/examples/)
and use 1.2 branch of software for start, and experiment with it into
some lab environment.
It is a bit difficult as a beginner to start directly experimenting on
a production configuration, perhaps written by somebody else without
understanding it. You will end up having big issues when
troubleshooting in production environment.

The tip I gave you would be really easy to implement it with a block
of few lines, eg:

if (is_method("INVITE")){
            if (!proxy_authorize("", "subscriber)) {
                          proxy_challenge("","0");
                                      exit;

            } else if (!check_from()) {
                          sl_send_reply("403", "Use From=ID");
                          exit;
            };
};

Documentation for you to understand those lines here:
http://www.openser.org/docs/modules/1.2.x/auth_db.html#AEN192

Usually, there is a loot of documentation and howtos in openser wiki,
so I would suggest you having a glance on some titles which look close
to your needs as a beginner.

http://www.openser.org/dokuwiki/doku.php

Cheers,
DanB

On 8/27/07, Jeferson Prevedello <jprevedello at terra.com.br> wrote:
> Hello DanB,
>
> Thanks!
>
> As DanB´s suggestion, I tried to implement a mechanism that only allowed
> authenticated members make calls, but my configuration didn´t function.
>
> This is my first project with openser, therefore I do not have much
> experience. If someone know how to help me to implement this verification, 
> I
> will be very thankful.
>
> Below, my openser.cfg file:
>
> -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
>
>
> # ----------- global configuration parameters ------------------------
>
> debug=3
> fork=yes
> log_stderror=no
> log_facility=LOG_LOCAL7
>
> # hostname matching an alias will satisfy the condition uri==myself".
> alias=xxx.xxx.xxx.xxx
> listen=udp:xxx.xxx.xxx.xxx:5060
>
> # check_via - Turn on or off Via host checking when forwarding replies.
> # Default is no. arcane. looks for discrepancy between name and
> # ip address when forwarding replies.
> check_via=yes
>
> # syn_branch - Shall the server use stateful synonym branches? It is
> # faster but not reboot-safe. Default is yes.
> syn_branch=yes
>
> # dns - Uses dns to check if it is necessary to add a "received=" field
> # to a via. Default is no.
> # rev_dns - Same as dns but use reverse DNS.
> dns=no
> rev_dns=no
> port=5060
> children=4
>
> # memlog - Debugging level for final memory statistics report. Default
> # is L_DBG -- memory statistics are dumped only if debug is set high.
>  memlog=3
>
> # sip_warning - Should replies include extensive warnings? By default
> # yes, it is good for trouble-shooting.
> sip_warning=yes
>
> # fifo - FIFO special file pathname
> fifo="/tmp/openser_fifo"
>
> # reply_to_via - A hint to reply modules whether they should send reply
> # to IP advertised in Via. Turned off by default, which means that
> # replies are sent to IP address from which requests came.
>  reply_to_via=no
>
> # mhomed -- enable calculation of outbound interface; useful on
> # multihomed servers.
> mhomed=0
>
> # ------------------ module loading ----------------------------------
>
> # Uncomment this if you want to use SQL database
> loadmodule "/usr/lib/openser/modules/mysql.so"
> loadmodule "/usr/lib/openser/modules/sl.so"
> loadmodule "/usr/lib/openser/modules/tm.so"
> loadmodule "/usr/lib/openser/modules/rr.so"
> loadmodule "/usr/lib/openser/modules/maxfwd.so"
> loadmodule "/usr/lib/openser/modules/usrloc.so"
> loadmodule "/usr/lib/openser/modules/registrar.so"
> loadmodule "/usr/lib/openser/modules/textops.so"
> loadmodule "/usr/lib/openser/modules/nathelper.so"
> loadmodule "/usr/lib/openser/modules/acc.so"
> loadmodule "/usr/lib/openser/modules/xlog.so"
>
> # Uncomment this if you want digest authentication
> # mysql.so must be loaded !
> loadmodule "/usr/lib/openser/modules/auth.so"
> loadmodule "/usr/lib/openser/modules/auth_db.so"
>
> # ----------------- setting module-specific parameters ---------------
>
> # ------------- usrloc parameters
>
> # 2 enables write-back to persistent mysql storage for speed
> # disable=0, write-through=1
> modparam("usrloc", "db_mode", 0)
>
> # minimize write back window - default is 60 seconds
> modparam("usrloc", "timer_interval", 30)
>
> # ------------- auth parameters
>
> # Uncomment if you are using auth module
> modparam("auth_db", "calculate_ha1", yes)
>
> # If you set "calculate_ha1" parameter to yes (which true in this config),
> # uncomment also the following parameter)
> modparam("auth_db", "password_column", "password")
>
> # ------------- rr parameters
>
> # add value to ;lr param to make some broken UAs happy
> modparam("rr", "enable_full_lr", 1)
>
> # ------------- !! Nathelper
>
> modparam("registrar", "nat_flag", 6)
> modparam("nathelper", "natping_interval", 30) # Ping interval 30 s
> modparam("nathelper", "ping_nated_only", 1)   # Ping only clients behind 
> NAT
> modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock")   #
> Nathelper with RTPproxy
>
> # ------------- tm parameters
>
> modparam("tm", "fr_timer", 12)
> modparam("tm", "fr_inv_timer", 24)
>
> # -------------  acc parameters
>
> modparam("acc", "db_url", "mysql://openser:openserrw@localhost/openser")
> modparam("acc", "db_flag", 2)
> modparam("acc", "db_missed_flag", 2)
> modparam("acc", "log_flag", 1)
> modparam("acc", "log_missed_flag", 2)
> modparam("acc", "log_level", 2)   # Set log_level to 2
>
> # Allow no more than 1 contacts per AOR
> modparam("registrar", "max_contacts", 3)
>
> # -------------------------  request routing logic -------------------
>
> # main routing logic
>
> route{
>
>  if (!mf_process_maxfwd_header("10"))
>         {
>   sl_send_reply("483","Too Many Hops");
>   exit;
>  };
>
>  if (msg:len >=  2048 )
>  {
>   sl_send_reply("513", "Message too big");
>   exit;
>  };
>
>  # < Acconting >
>         if (method=="INVITE")
>  {
>                 log(1, "Generate call - START\n");
>                 setflag(1); /* set for accounting (the same value as in
> log_flag!) */
>     setflag(2);
>         };
>
>         if (method=="BYE")
>  {
>                 log (1, "Hung-up \n");
>                 setflag(1);
>         };
>
>         if (method=="CANCEL")
>  {
>                 log (1, "Lost call \n");
>                 setflag(1);
>  }
>
>  if (!method=="REGISTER")
>   record_route();
>
>  if (nat_uac_test("3"))
>  {
>                 # Allow RR-ed requests, as these may indicate that
>                 # a NAT-enabled proxy takes care of it; unless it is
>                 # a REGISTER
>
>                 if (method == "REGISTER" || ! search("^Record-Route:"))
>   {
>                     log(1,"LOG: Someone trying to register from private 
> IP,
> rewriting\n");
>
>                     # This will work only for user agents that support
> symmetric
>                     # communication. We tested quite many of them and
> majority is
>                     # smart enough to be symmetric. In some phones it 
> takes
> a configuration
>                     # option. With Cisco 7960, it is called 
> NAT_Enable=Yes,
> with kphone it is
>                     # called "symmetric media" and "symmetric signalling".
>
>                     fix_nated_contact(); # Rewrite contact with source IP 
> of
> signalling
>                     force_rport();       # Add rport parameter to topmost
> Via
>                     setflag(6);          # Mark as NATed
>                 };
>         };
>  # subsequent messages withing a dialog should take the
>  # path determined by record-routing
>
>  if (loose_route())
>  {
>     # mark routing logic in request
>     append_hf("P-hint: rr-enforced\r\n");
>     route(1);
>  };
>
>  if (!uri==myself)
>  {
>     # mark routing logic in request
>     append_hf("P-hint: outbound\r\n");
>     route(1);
>  };
>
>  # if the request is for other domain use UsrLoc
>  # (in case, it does not work, use the following command
>  # with proper names and addresses in it)
>  if (uri==myself)
>  {
>
>   if (method=="REGISTER")
>   {
>      # Uncomment this if you want to use digest authentication
>      if (!www_authorize("xxx.xxx.xxx.xxx", "subscriber"))
>       {
>         www_challenge("xxx.xxx.xxx.xxx", "0");
>         return;
>                    };
>                       save("location");
>         return;
>                 };
>
>                 lookup("aliases");
>                 if (!uri==myself)
>   {
>                    append_hf("P-hint: outbound alias\r\n");
>                    route(1);
>      return;
>                 };
>
>   # Router Cisco if not sip branche
>          log(1,"LOG: testando se destino-sip e' 418x ...\n");
>
>   if ( ! ( uri =~ "^sip:418[1-9].*" ) &&
>        ! ( uri =~ "^sip:4397"))
>   {
>                log(1,"LOG: destino-sip not is 418x .\n");
>                route(2);
>
>                log(1,"LOG: rewriting hostport yyy.yyy.yyy.yyy:5060...\n");
>      rewritehostport("yyy.yyy.yyy.yyy:5060");
>                log(1,"LOG: t_relay...\n");
>                t_relay();
>
>                log(1,"LOG: break...\n");
>         return;
>          }
>             log(1,"LOG: destino-sip  418x, continue .\n");
>
>   # native SIP destinations are handled using our USRLOC DB
>   if (!lookup("location"))
>   {
>                sl_send_reply("404", "Not Found");
>         return;
>          };
>  };
>         append_hf("P-hint: usrloc applied\r\n");
>         route(1);
> }
>
> #######################################
>
> route[1]
> {
>         # !! Nathelper
>         if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" &&
> !search("^Route:"))
>  {
>             sl_send_reply("479", "We don't forward to private IP
> addresses");
>      return;
>         };
>
>         # if client or server know to be behind a NAT, enable relay
>         if (isflagset(6))
>  {
>             force_rtp_proxy();
>      t_on_reply("1");
>             append_hf("P-Behind-NAT: Yes\r\n");
>         };
>
>      if (!t_relay())
>  {
>             sl_reply_error();
>      return;
>      };
> }
>  # !! Nathelper
>     onreply_route[1]
> {
>      # NATed transaction ?
>      if (isflagset(6) && status =~ "(183)|2[0-9][0-9]")
>   {
>             fix_nated_contact();
>             force_rtp_proxy();
>       }
>   else if (nat_uac_test("1"))
>   {
>             fix_nated_contact();
>          };
> }
>
> #######################################
>
> route[2] {
>
>   ### Dial Plan for gateway VoIP ###
>
>   # Sao Paulo 11
>   if ( uri =~ "^sip:9911.*" )
>    {
>    log(1,"LOG: destination is 9911x, change prefix...");
>    strip(4);
>    prefix("011");
>    return;
>    }
>
>   # Error (Number inexistent)
>   sl_reply_error();
>
> }
>
> -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
>
> Regards
> Jeferson
>
>
>
>
>
> ----- Original Message -----
> From: "Dan-Cristian Bogos" <dan.bogos at gmail.com>
> To: "Jeferson Prevedello" <jprevedello at terra.com.br>
> Cc: <users at openser.org>
> Sent: Saturday, August 25, 2007 3:06 PM
> Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
>
>
> > Hello Jeferson,
> >
> > it all depends on your openser.cfg.
> > If you put in there that all the INVITE-s should be authenticated, your
> > users will not be able anymore to call without having a valid user and
> > password for your server. Note that by default openser will not do any
> > check for you, in order to keep the flexibility of be used in
> > different environment setups.
> >
> > Cheers,
> > DanB
> >
> > On 8/25/07, Jeferson Prevedello <jprevedello at terra.com.br> wrote:
> >>
> >>
> >> Hello,
> >>
> >> I implemented an environment using to openser + mysql. The enviroment
> >> functions perfectly, however I perceived that users (branches) not
> >> registered in mysql are generating called.
> >>
> >> I installed the X-lite softphone in my computer trying to reproduce the
> >> situation.
>
> >> In the properties of configuration of the X-lite, "field Password" I 
> >> type
> >> "trash" as password (wrong password).
> >>
> >> The display of X-lite showed the following message: "Registration 
> >> error:
> >> 401
> >> - Unauthorized".
> >>
> >> In the contacts drawer I add a contact (double click on the new 
> >> contact),
> >> and the call was generate without restriction (very bad).
> >>
> >> Some idea of as I solve this problem?
> >>
> >> Thanks
> >>
> >> Regards
> >> Jeferson
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users at openser.org
> >> http://openser.org/cgi-bin/mailman/listinfo/users
> >>
> >>
> >
>
>


_______________________________________________
Users mailing list
Users at openser.org
http://openser.org/cgi-bin/mailman/listinfo/users





More information about the sr-users mailing list