[Users] Unauthorized Calls - PLEASE HELP!
Jonas Appel
jonas.appel at 1und1.de
Fri Mar 30 16:18:23 CEST 2007
Hi Daryl,
maybe you should add some checks to route 1 (for INVITEs that don't
match "uri==myself"). I don't know your exact setup, but it could be possible
that sending an INVITE to your proxy with "INVITE <number>@<your pstn
gateway>" is directly t_relayed to your pstn gw.
Regards,
Jonas
Am Mittwoch 28 März 2007 schrieb Daryl Sanders:
> Hi Everyone,
>
> I apparently have something in my openser.cfg that is allowing
> unauthorized calls to go through to our PSTN gateways. I have included
> my config below for review. I would appreciate any help understanding
> how this might be happening.
>
> I am currently reviewing the CDRs from my PSTN gateways for clues as well.
> This is a pretty basic configuration with no NAT involved.
>
> Regards,
> Daryl
>
>
>
> route {
>
> # Main request route. Order is significant: sanity checks, inactive-user
> # gate, record-route, loose-route, then dispatch by Request-URI host and
> # method. Nothing before the dispatch authenticates the sender; the only
> # authorize calls in this config are in route(2) and route(3).
>
> # -----------------------------------------------------------------
> # Sanity Check Section
> # -----------------------------------------------------------------
> if (!mf_process_maxfwd_header("10")) {
> sl_send_reply("483", "Too Many Hops");
> exit;
> };
>
> if (msg:len > max_len) {
> sl_send_reply("513", "Message Overflow");
> exit;
> };
>
> # Flag 1 marks INVITE/ACK/BYE; whatever consumes it (accounting,
> # presumably) is not visible in this excerpt -- confirm.
> if (method=="INVITE" || method=="ACK" || method=="BYE") {
> setflag(1);
> };
>
> # Inactive subscribers may only place 911 calls. The group test uses the
> # From header as received; no credentials have been checked at this point.
> if (method=="INVITE") {
> if (is_user_in("From","inactive")) {
> if (uri =~ "^sip:911@") {
> xlog("L_NOTICE", "[$Tf] R1: $ci -- Allowing 911
> Emergency Call on Inactive User\n" );
> } else {
> sl_send_reply("403", "Forbidden");
> xlog("L_NOTICE", "[$Tf] R1: $ci -- User Inactive\n" );
> return;
> };
> };
> };
>
> # -----------------------------------------------------------------
> # Record Route Section
> # -----------------------------------------------------------------
> if (method!="REGISTER") {
> record_route();
> };
>
> # -----------------------------------------------------------------
> # Loose Route Section
> # -----------------------------------------------------------------
> # In-dialog requests carrying a Route header are relayed here as-is.
> if (loose_route()) {
> xlog( "L_NOTICE", "[$Tf] RR: $ci -- Loose Route $rm ($rd).\n"
> ); if (!t_relay()) {
> sl_reply_error();
> };
> return;
> };
>
> # -----------------------------------------------------------------
> # Call Type Processing Section
> # -----------------------------------------------------------------
> # NOTE(review): any request whose Request-URI host is not one of our own
> # domains goes straight to route(1), i.e. t_relay(), with no
> # authentication. An INVITE addressed to <number>@<gateway address>
> # therefore never reaches the proxy_authorize() in route(3). Either
> # challenge INVITEs here before relaying, or reject non-local INVITEs.
> if (uri!=myself) {
> route(1);
> return;
> };
>
> # ACK is relayed via route(1) with no further checks. BYE/CANCEL that
> # reach this point carried no Route header (loose_route() above was
> # false) and are relayed without authentication.
> if (method=="ACK") {
> route(1);
> return;
> } else if (method=="REGISTER") {
> route(2);
> return;
> } else if (method=="INVITE") {
> route(3);
> return;
> } else if (method=="BYE" || method=="CANCEL") {
> t_relay();
> exit;
> }
>
> # Alias resolution may rewrite the R-URI to a remote host; such requests
> # are relayed via route(1) just like the unauthenticated case above.
> lookup("aliases");
> if (uri!=myself) {
> route(1);
> return;
> };
>
> if (!lookup("location")) {
> sl_send_reply("404", "User Not Found");
> return;
> };
>
> route(1);
> }
>
> route[1] {
>
> # -----------------------------------------------------------------
> # Default Message Handler
> # -----------------------------------------------------------------
> # Single relay point used by every other route: arms onreply_route[1]
> # and failure_route[2], then relays statefully. It performs no
> # authentication or destination checks itself -- callers must do that.
> t_on_reply("1");
> t_on_failure("2");
>
> if (!t_relay()) {
> sl_reply_error();
> };
> }
>
> route[2] {
>
> # -----------------------------------------------------------------
> # REGISTER Message Handler
> # -----------------------------------------------------------------
> # Digest-authenticates the REGISTER against the "subscriber" table;
> # requests without valid credentials are challenged and dropped.
> # consume_credentials() removes the verified Authorization header before
> # the binding is saved.
> sl_send_reply("100", "Trying");
>
> if (!www_authorize("","subscriber")) {
> www_challenge("","0");
> exit;
> };
> consume_credentials();
>
> if (!save("location")) {
> sl_reply_error();
> };
> }
>
> route[3] {
>
> # -----------------------------------------------------------------
> # INVITE Message Handler
> # -----------------------------------------------------------------
> # Only INVITEs whose Request-URI host is one of our own domains arrive
> # here; the main route relays every other INVITE without authentication.
> # Trusted Provider IPs
> # NOTE(review): as pasted, the parentheses close after the first src_ip
> # comparison, leaving the "&&" clauses outside the if-condition. The
> # intended form is presumably
> #   if (!(src_ip==A) && !(src_ip==B) && !(src_ip==C)) { ... }
> # -- verify against the real file, since this gate decides who is
> # challenged.
> if (!src_ip==x.x.x.x)&&(!src_ip==x.x.x.x)&&(!src_ip==x.x.x.x) {
> if (!proxy_authorize("","subscriber")) {
> proxy_challenge("","0");
> exit;
> };
> consume_credentials();
> };
> # Alias resolution can rewrite the R-URI to a remote host; such requests
> # are relayed via route(1) (the caller was challenged above unless it
> # came from a trusted IP).
> lookup("aliases");
> if (uri!=myself) {
> route(1);
> return;
> };
>
> # NOTE(review): the 479 is sent but there is no exit/return after it, so
> # processing continues and the request can still match the PSTN patterns
> # below and be relayed. Add "exit;" after sl_send_reply().
> if (uri=~"[@:](192\.168\.|10\.|172\.16)" && !search("^Route:")){
> sl_send_reply("479", "We do not forward to private IP addresses");
> };
>
> # Dialled-number classes handed to the PSTN handler, route[4].
> if ((uri =~ "^sip:0@")|| /* Operator Assistance */
> (uri =~ "^sip:911@")|| /* 911 Emergency */
> (uri =~ "^sip:411@")|| /* Directory Assistance */
> (uri =~ "^sip:1[0-9]{10}@")) { /* Domestic PSTN */
> route(4);
> return;
> };
>
> # NOTE(review): if this line wrap reflects the real file, the
> # sl_send_reply("406") sits on the comment line and never runs, and the
> # block returns without sending any reply. Most likely a mail-client
> # wrap -- confirm.
> if (uri=~"^sip:0111[0-9]*@") { # Kill calls to 011+1... (invalid
> dialing) sl_send_reply("406", "Not Acceptable");
> return;
> }
>
> # International PSTN: callers not in group "gateway1" get the 011 prefix
> # stripped before route(4).
> if (uri=~"^sip:011[0-9]*@") { # International PSTN
> if(!is_user_in("From","gateway1")) {
> strip(3); # Remove 011 for Gateway2
> }
> route(4);
> return;
> };
>
> if (!lookup("location")) {
> sl_send_reply("404", "User Not Found");
> return;
> };
>
> route(1);
> }
>
> route[4] {
>
> # -----------------------------------------------------------------
> # PSTN Handler
> # -----------------------------------------------------------------
> # Reached from route[3] for operator/911/411/domestic and international
> # numbers. Rewrites the request for the gateways, chooses the outbound
> # socket by the caller's group, then selects a gateway from dispatcher
> # set "1" and relays via route(1).
> prefix("+"); # add "+" to Request URI
> # $avp(s:rpid) is not set anywhere in this excerpt -- confirm it is
> # populated elsewhere, otherwise the asserted identity is empty. Both
> # force_send_socket() addresses below are redacted in the paste.
> append_hf("P-Asserted-Identity:
> \"User\"<sip:+1$avp(s:rpid)@x.x.x.x>\r\n");
> uac_replace_from("$fn","sip:+$fU@$fd:5060");
>
> if(is_user_in("From","gateway1")) {
> force_send_socket(x.x.x.x:5060);
> xlog("L_NOTICE", "[$Tf] Message sent via IP-1\n" );
> } else {
> force_send_socket(x.x.x.x:5060);
> xlog("L_NOTICE", "[$Tf] Message sent via IP-2\n" );
> };
>
> ds_select_domain("1","0");
> route(1);
> }
>
> onreply_route[1] {
>
> # we are checking here for a progressing return... ie a 180 Ringing
> or # 183 session progress -- if this occurs we don't care from here on #
> about failures as a gateway is handling the call...
>
> # A 18x provisional reply disarms failure_route[2] via t_on_failure("0"),
> # so a later failure on this transaction is not retried on the next
> # gateway; every other reply is only logged.
> if( status =~ "18[0-9]" ) {
> xlog( "L_INFO", "[$Tf] ORR: $ci -- SIP-$rs Reset
> t_on_failure()\n");
> t_on_failure("0");
> } else {
> xlog( "L_INFO", "[$Tf] ORR: $ci -- $rs $rr\n" );
> }
> }
>
> failure_route[2] {
>
> # 408 -- timeout -- typically the end party has not answered
> # Since we cancel t_on_failure() on a provisional response we
> should not be
> # getting a 408 timeout from a gateway at this stage.. it will
> just "fall through"
> # If fr_timer expires t_check_status("408") is true, although
> $rs is <null>
> # The 408 branch only logs and falls through to the ds_next_domain()
> # retry below, unlike 403/486/487 which return.
> if( t_check_status("408") ){
> xlog( "L_NOTICE", "[$Tf] FR: $ci -- TIMEOUT for Gateway
> $rd\n" ); } else {
> xlog( "L_NOTICE", "[$Tf] FR: $ci -- $rs reason $rr\n" );
> }
>
> # The "if(" fragments that appear on comment lines here and in the 487
> # case below are mail-client line wrapping; taken literally the braces
> # would not balance, so the real file has them on their own lines.
> # 403 -- Not a valid number, or possibly no permission to use the
> gateway if( t_check_status("403") ){
> xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Forbidden\n" );
> return;
> }
>
> # 486 -- User Busy
> if( t_check_status("486") ){
> xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Destination
> Busy\n" ); return;
> }
>
> # 487 -- Request Cancelled (usually in response to a CANCEL
> transaction) if( t_check_status("487") ){
> xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Request
> Cancelled\n" );
> return;
> }
>
> # At this stage we try the next gateway, if no next gateway we bail.
> # Both handlers are re-armed before the new relay; with no gateway left
> # the transaction is answered with 503.
> if( ds_next_domain() ){
> t_on_reply("1");
> t_on_failure("2");
> xlog( "L_NOTICE", "[$Tf] FR: $ci Next gateway $fU ->
> $tU via $rd\n" );
> if( !t_relay() ){
> xlog( "L_WARN", "[$Tf] FR: $ci -- ERROR - Can
> not t_relay()\n" );
> return;
> }
> return;
> } else {
> xlog( "L_WARN", "[$Tf] FR: $ci No more gateways -> 503.\n"
> ); t_reply("503", "Service unavailable -- no more gateways" ); return;
> }
> }
>