[OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
Dan-Cristian Bogos
dan.bogos at gmail.com
Mon Aug 27 13:35:51 CEST 2007
Hello Jeferson,
Your configuration looks a bit messy, if I were OpenSER I would also
refuse it. :).
I would suggest taking a more standard configuration (you can find many
examples at this location:
http://openser.svn.sourceforge.net/viewvc/openser/branches/1.2/examples/)
and using the 1.2 branch of the software to start, and experimenting with it in
some lab environment.
It is a bit difficult as a beginner to start directly experimenting on
a production configuration, perhaps written by somebody else, without
understanding it. You will end up having big issues when
troubleshooting in a production environment.
The tip I gave you would be really easy to implement with a block
of a few lines, e.g.:

if (is_method("INVITE")) {
    # challenge the caller unless the INVITE carries valid credentials
    # for a user in the "subscriber" table (realm taken from the request)
    if (!proxy_authorize("", "subscriber")) {
        proxy_challenge("", "0");
        exit;
    # reject if the From username differs from the authenticated one
    } else if (!check_from()) {
        sl_send_reply("403", "Use From=ID");
        exit;
    };
};
Documentation for you to understand those lines here:
http://www.openser.org/docs/modules/1.2.x/auth_db.html#AEN192
Usually, there is a lot of documentation and howtos in the openser wiki,
so I would suggest you have a glance at some titles which look close
to your needs as a beginner.
http://www.openser.org/dokuwiki/doku.php
Cheers,
DanB
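To make the three branches of that block concrete, here is an added Python model (not Dan's code and not OpenSER's) of what proxy_authorize, proxy_challenge and check_from decide for an INVITE: it verifies an RFC 2617 digest against a constructed subscriber table using the HA1 that auth_db computes with calculate_ha1=yes, then requires the From user to match the authenticated user. The realm, the users and the absence of qop are assumptions.

```python
import hashlib
import hmac
import re

# Constructed for this example: the realm the proxy challenges with and a
# subscriber table of plaintext passwords (auth_db with calculate_ha1=yes).
REALM = "sip.example.test"
SUBSCRIBERS = {"alice": "s3cret", "bob": "hunter2"}

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, nonce, uri, method):
    # RFC 2617 digest without qop: MD5(HA1:nonce:HA2), with
    # HA1 = MD5(user:realm:password) as auth_db derives it.
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def parse_digest(header):
    # Proxy-Authorization: Digest key="value", key=value, ...
    if not header.lower().startswith("digest "):
        return None
    return dict(re.findall(r'(\w+)="?([^",]+)"?', header[7:]))

def digest_valid(params, method):
    # What proxy_authorize("", "subscriber") verifies: a known user in our
    # realm whose response matches the one computed from the stored secret.
    user = params.get("username")
    if user not in SUBSCRIBERS or params.get("realm") != REALM:
        return False
    expected = digest_response(user, SUBSCRIBERS[user], params.get("nonce", ""),
                               params.get("uri", ""), method)
    return hmac.compare_digest(expected, params.get("response", ""))

def from_user(from_header):
    m = re.search(r"sip:([^@>;]+)@", from_header)
    return m.group(1) if m else None

def authorize_invite(headers):
    # Mirror of the three-branch INVITE block: "challenge" = proxy_challenge
    # (407), "403" = check_from failed (From user != authenticated user),
    # "ok" = the caller may be routed.
    params = parse_digest(headers.get("Proxy-Authorization", ""))
    if not params or not digest_valid(params, "INVITE"):
        return "challenge"
    if params["username"] != from_user(headers.get("From", "")):
        return "403"
    return "ok"
```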
On 8/27/07, Jeferson Prevedello <jprevedello at terra.com.br> wrote:
> Hello DanB,
>
> Thanks!
>
> Following DanB's suggestion, I tried to implement a mechanism that only allowed
> authenticated members to make calls, but my configuration didn't function.
>
> This is my first project with openser, therefore I do not have much
> experience. If someone knows how to help me to implement this verification, I
> will be very thankful.
>
> Below, my openser.cfg file:
>
> -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
>
>
> # ----------- global configuration parameters ------------------------
>
> debug=3
> fork=yes
> log_stderror=no
> log_facility=LOG_LOCAL7
>
> # hostname matching an alias will satisfy the condition "uri==myself".
> alias=xxx.xxx.xxx.xxx
> listen=udp:xxx.xxx.xxx.xxx:5060
>
> # check_via - Turn on or off Via host checking when forwarding replies.
> # Default is no. arcane. looks for discrepancy between name and
> # ip address when forwarding replies.
> check_via=yes
>
> # syn_branch - Shall the server use stateful synonym branches? It is
> # faster but not reboot-safe. Default is yes.
> syn_branch=yes
>
> # dns - Uses dns to check if it is necessary to add a "received=" field
> # to a via. Default is no.
> # rev_dns - Same as dns but use reverse DNS.
> dns=no
> rev_dns=no
> port=5060
> children=4
>
> # memlog - Debugging level for final memory statistics report. Default
> # is L_DBG -- memory statistics are dumped only if debug is set high.
> memlog=3
>
> # sip_warning - Should replies include extensive warnings? By default
> # yes, it is good for trouble-shooting.
> sip_warning=yes
>
> # fifo - FIFO special file pathname
> fifo="/tmp/openser_fifo"
>
> # reply_to_via - A hint to reply modules whether they should send reply
> # to IP advertised in Via. Turned off by default, which means that
> # replies are sent to IP address from which requests came.
> reply_to_via=no
>
> # mhomed -- enable calculation of outbound interface; useful on
> # multihomed servers.
> mhomed=0
>
> # ------------------ module loading ----------------------------------
>
> # Uncomment this if you want to use SQL database
> loadmodule "/usr/lib/openser/modules/mysql.so"
> loadmodule "/usr/lib/openser/modules/sl.so"
> loadmodule "/usr/lib/openser/modules/tm.so"
> loadmodule "/usr/lib/openser/modules/rr.so"
> loadmodule "/usr/lib/openser/modules/maxfwd.so"
> loadmodule "/usr/lib/openser/modules/usrloc.so"
> loadmodule "/usr/lib/openser/modules/registrar.so"
> loadmodule "/usr/lib/openser/modules/textops.so"
> loadmodule "/usr/lib/openser/modules/nathelper.so"
> loadmodule "/usr/lib/openser/modules/acc.so"
> loadmodule "/usr/lib/openser/modules/xlog.so"
>
> # Uncomment this if you want digest authentication
> # mysql.so must be loaded !
> loadmodule "/usr/lib/openser/modules/auth.so"
> loadmodule "/usr/lib/openser/modules/auth_db.so"
>
> # ----------------- setting module-specific parameters ---------------
>
> # ------------- usrloc parameters
>
> # 2 enables write-back to persistent mysql storage for speed
> # disable=0, write-through=1
> modparam("usrloc", "db_mode", 0)
>
> # minimize write back window - default is 60 seconds
> modparam("usrloc", "timer_interval", 30)
>
> # ------------- auth parameters
>
> # Uncomment if you are using auth module
> modparam("auth_db", "calculate_ha1", yes)
>
> # If you set "calculate_ha1" parameter to yes (which true in this config),
> # uncomment also the following parameter)
> modparam("auth_db", "password_column", "password")
>
> # ------------- rr parameters
>
> # add value to ;lr param to make some broken UAs happy
> modparam("rr", "enable_full_lr", 1)
>
> # ------------- !! Nathelper
>
> modparam("registrar", "nat_flag", 6)
> modparam("nathelper", "natping_interval", 30) # Ping interval 30 s
> modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT
> modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock") # Nathelper with RTPproxy
>
> # ------------- tm parameters
>
> modparam("tm", "fr_timer", 12)
> modparam("tm", "fr_inv_timer", 24)
>
> # ------------- acc parameters
>
> modparam("acc", "db_url", "mysql://openser:openserrw@localhost/openser")
> modparam("acc", "db_flag", 2)
> modparam("acc", "db_missed_flag", 2)
> modparam("acc", "log_flag", 1)
> modparam("acc", "log_missed_flag", 2)
> modparam("acc", "log_level", 2) # Set log_level to 2
>
> # Allow no more than 3 contacts per AOR
> modparam("registrar", "max_contacts", 3)
>
> # ------------------------- request routing logic -------------------
>
> # main routing logic
>
> route{
>
> if (!mf_process_maxfwd_header("10"))
> {
> sl_send_reply("483","Too Many Hops");
> exit;
> };
>
> if (msg:len >= 2048 )
> {
> sl_send_reply("513", "Message too big");
> exit;
> };
>
> # < Accounting >
> if (method=="INVITE")
> {
> log(1, "Generate call - START\n");
> setflag(1); /* set for accounting (the same value as in log_flag!) */
> setflag(2);
> };
>
> if (method=="BYE")
> {
> log (1, "Hung-up \n");
> setflag(1);
> };
>
> if (method=="CANCEL")
> {
> log (1, "Lost call \n");
> setflag(1);
> }
>
> if (!method=="REGISTER")
> record_route();
>
> if (nat_uac_test("3"))
> {
> # Allow RR-ed requests, as these may indicate that
> # a NAT-enabled proxy takes care of it; unless it is
> # a REGISTER
>
> if (method == "REGISTER" || ! search("^Record-Route:"))
> {
> log(1,"LOG: Someone trying to register from private IP, rewriting\n");
>
> # This will work only for user agents that support symmetric
> # communication. We tested quite many of them and majority is
> # smart enough to be symmetric. In some phones it takes a configuration
> # option. With Cisco 7960, it is called NAT_Enable=Yes, with kphone it is
> # called "symmetric media" and "symmetric signalling".
>
> fix_nated_contact(); # Rewrite contact with source IP of signalling
> force_rport(); # Add rport parameter to topmost Via
> setflag(6); # Mark as NATed
> };
> };
> # subsequent messages withing a dialog should take the
> # path determined by record-routing
>
> if (loose_route())
> {
> # mark routing logic in request
> append_hf("P-hint: rr-enforced\r\n");
> route(1);
> };
>
> if (!uri==myself)
> {
> # mark routing logic in request
> append_hf("P-hint: outbound\r\n");
> route(1);
> };
>
> # if the request is for other domain use UsrLoc
> # (in case, it does not work, use the following command
> # with proper names and addresses in it)
> if (uri==myself)
> {
>
> if (method=="REGISTER")
> {
> # Uncomment this if you want to use digest authentication
> if (!www_authorize("xxx.xxx.xxx.xxx", "subscriber"))
> {
> www_challenge("xxx.xxx.xxx.xxx", "0");
> return;
> };
> save("location");
> return;
> };
>
> lookup("aliases");
> if (!uri==myself)
> {
> append_hf("P-hint: outbound alias\r\n");
> route(1);
> return;
> };
>
> # Route to the Cisco gateway if the destination is not a SIP branch
> log(1,"LOG: testando se destino-sip e' 418x ...\n");
>
> if ( ! ( uri =~ "^sip:418[1-9].*" ) &&
> ! ( uri =~ "^sip:4397"))
> {
> log(1,"LOG: destino-sip not is 418x .\n");
> route(2);
>
> log(1,"LOG: rewriting hostport yyy.yyy.yyy.yyy:5060...\n");
> rewritehostport("yyy.yyy.yyy.yyy:5060");
> log(1,"LOG: t_relay...\n");
> t_relay();
>
> log(1,"LOG: break...\n");
> return;
> }
> log(1,"LOG: destino-sip 418x, continue .\n");
>
> # native SIP destinations are handled using our USRLOC DB
> if (!lookup("location"))
> {
> sl_send_reply("404", "Not Found");
> return;
> };
> };
> append_hf("P-hint: usrloc applied\r\n");
> route(1);
> }
>
> #######################################
>
> route[1]
> {
> # !! Nathelper
> if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" &&
> !search("^Route:"))
> {
> sl_send_reply("479", "We don't forward to private IP addresses");
> return;
> };
>
> # if client or server know to be behind a NAT, enable relay
> if (isflagset(6))
> {
> force_rtp_proxy();
> t_on_reply("1");
> append_hf("P-Behind-NAT: Yes\r\n");
> };
>
> if (!t_relay())
> {
> sl_reply_error();
> return;
> };
> }
> # !! Nathelper
> onreply_route[1]
> {
> # NATed transaction ?
> if (isflagset(6) && status =~ "(183)|2[0-9][0-9]")
> {
> fix_nated_contact();
> force_rtp_proxy();
> }
> else if (nat_uac_test("1"))
> {
> fix_nated_contact();
> };
> }
>
> #######################################
>
> route[2] {
>
> ### Dial Plan for gateway VoIP ###
>
> # Sao Paulo 11
> if ( uri =~ "^sip:9911.*" )
> {
> log(1,"LOG: destination is 9911x, change prefix...");
> strip(4);
> prefix("011");
> return;
> }
>
> # Error (Number inexistent)
> sl_reply_error();
>
> }
>
> -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
>
> Regards
> Jeferson
>
> ----- Original Message -----
> From: "Dan-Cristian Bogos" <dan.bogos at gmail.com>
> To: "Jeferson Prevedello" <jprevedello at terra.com.br>
> Cc: <users at openser.org>
> Sent: Saturday, August 25, 2007 3:06 PM
> Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
>
>
> > Hello Jeferson,
> >
> > it all depends on your openser.cfg.
> > If you put in there that all the INVITE-s should be authenticated, your
> > users will not be able anymore to call without having a valid user and
> > password for your server. Note that by default openser will not do any
> > check for you, in order to keep the flexibility of being used in
> > different environment setups.
> >
> > Cheers,
> > DanB
> >
> > On 8/25/07, Jeferson Prevedello <jprevedello at terra.com.br> wrote:
> >>
> >>
> >> Hello,
> >>
> >> I implemented an environment using openser + mysql. The environment
> >> functions perfectly, however I perceived that users (branches) not
> >> registered in mysql are generating calls.
> >>
> >> I installed the X-lite softphone in my computer trying to reproduce the
> >> situation.
>
> >> In the properties of configuration of the X-lite, "field Password" I type
> >> "trash" as password (wrong password).
> >>
> >> The display of X-lite showed the following message: "Registration error:
> >> 401 - Unauthorized".
> >>
> >> In the contacts drawer I add a contact (double click on the new contact),
> >> and the call was generated without restriction (very bad).
> >>
> >> Any idea how I can solve this problem?
> >>
> >> Thanks
> >>
> >> Regards
> >> Jeferson
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users at openser.org
> >> http://openser.org/cgi-bin/mailman/listinfo/users
> >>
> >>
> >
>
>