[OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
Jeferson Prevedello
jprevedello at terra.com.br
Mon Aug 27 16:00:38 CEST 2007
Hi Norm,
Thanks !! :o)
The sipwise.com and openser.org web sites are excellent references.
Regards,
Jeferson
----- Original Message -----
From: "Norman Brandinger" <norm at goes.com>
To: "Jeferson Prevedello" <jprevedello at terra.com.br>
Cc: <users at openser.org>
Sent: Monday, August 27, 2007 9:00 AM
Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
> Hi Jeferson,
>
> I agree with Dan's suggestion about finding a standard configuration to
> learn from.
> In addition, there is a web site, sipwise.com, that simplifies the process of
> building a configuration file.
>
> Below is a little code that you might consider executing when an INVITE
> request comes in.
> The documentation on the openser.org web site can be used to learn
> exactly what the functions used below do.
>
> if (!proxy_authorize("", "subscriber")) {
> xlog ("L_INFO", "Proxy Authorization requested\n");
> proxy_challenge("", "0");
> exit;
> }
>
> #--------------------------------------------------------------------
> # Check From username against digest credentials.
> #--------------------------------------------------------------------
> if (!check_from()) {
> xlog("L_ERR", "Unauthorized: check_from() failed\n");
> sl_send_reply("401", "Unauthorized");
> exit;
> }
>
> Regards,
> Norm
>
>
> Dan-Cristian Bogos wrote:
>> Hello Jeferson,
>>
>> Your configuration looks a bit messy, if I were OpenSER I would also
>> refuse it. :).
>>
>> I would suggest taking a more standard configuration (you can find many
>> examples at this location:
>> http://openser.svn.sourceforge.net/viewvc/openser/branches/1.2/examples/)
>> and using the 1.2 branch of the software for a start, and experimenting with it in
>> some lab environment.
>> It is a bit difficult as a beginner to start directly experimenting on
>> a production configuration, perhaps written by somebody else, without
>> understanding it. You will end up having big issues when
>> troubleshooting in a production environment.
>>
>> The tip I gave you would be really easy to implement with a block
>> of a few lines, e.g.:
>>
>> if (is_method("INVITE")){
>> if (!proxy_authorize("", "subscriber")) {
>> proxy_challenge("","0");
>> exit;
>>
>> } else if (!check_from()) {
>> sl_send_reply("403", "Use From=ID");
>> exit;
>> };
>> };
>>
>> Documentation for you to understand those lines here:
>> http://www.openser.org/docs/modules/1.2.x/auth_db.html#AEN192
>>
>> Usually, there is a lot of documentation and howtos in the openser wiki,
>> so I would suggest having a glance at some titles which look close
>> to your needs as a beginner.
>>
>> http://www.openser.org/dokuwiki/doku.php
>>
>> Cheers,
>> DanB
>>
>> On 8/27/07, Jeferson Prevedello <jprevedello at terra.com.br> wrote:
>>
>>> Hello DanB,
>>>
>>> Thanks!
>>>
>>> Following DanB's suggestion, I tried to implement a mechanism that only allows
>>> authenticated members to make calls, but my configuration didn't work.
>>>
>>> This is my first project with openser, therefore I do not have much
>>> experience. If someone knows how to help me implement this
>>> verification, I will be very thankful.
>>>
>>> Below, my openser.cfg file:
>>>
>>> -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
>>>
>>>
>>> # ----------- global configuration parameters ------------------------
>>>
>>> debug=3
>>> fork=yes
>>> log_stderror=no
>>> log_facility=LOG_LOCAL7
>>>
>>> # hostname matching an alias will satisfy the condition "uri==myself".
>>> alias=xxx.xxx.xxx.xxx
>>> listen=udp:xxx.xxx.xxx.xxx:5060
>>>
>>> # check_via - Turn on or off Via host checking when forwarding replies.
>>> # Default is no. arcane. looks for discrepancy between name and
>>> # ip address when forwarding replies.
>>> check_via=yes
>>>
>>> # syn_branch - Shall the server use stateful synonym branches? It is
>>> # faster but not reboot-safe. Default is yes.
>>> syn_branch=yes
>>>
>>> # dns - Uses dns to check if it is necessary to add a "received=" field
>>> # to a via. Default is no.
>>> # rev_dns - Same as dns but use reverse DNS.
>>> dns=no
>>> rev_dns=no
>>> port=5060
>>> children=4
>>>
>>> # memlog - Debugging level for final memory statistics report. Default
>>> # is L_DBG -- memory statistics are dumped only if debug is set high.
>>> memlog=3
>>>
>>> # sip_warning - Should replies include extensive warnings? By default
>>> # yes, it is good for trouble-shooting.
>>> sip_warning=yes
>>>
>>> # fifo - FIFO special file pathname
>>> fifo="/tmp/openser_fifo"
>>>
>>> # reply_to_via - A hint to reply modules whether they should send reply
>>> # to IP advertised in Via. Turned off by default, which means that
>>> # replies are sent to IP address from which requests came.
>>> reply_to_via=no
>>>
>>> # mhomed -- enable calculation of outbound interface; useful on
>>> # multihomed servers.
>>> mhomed=0
>>>
>>> # ------------------ module loading ----------------------------------
>>>
>>> # Uncomment this if you want to use SQL database
>>> loadmodule "/usr/lib/openser/modules/mysql.so"
>>> loadmodule "/usr/lib/openser/modules/sl.so"
>>> loadmodule "/usr/lib/openser/modules/tm.so"
>>> loadmodule "/usr/lib/openser/modules/rr.so"
>>> loadmodule "/usr/lib/openser/modules/maxfwd.so"
>>> loadmodule "/usr/lib/openser/modules/usrloc.so"
>>> loadmodule "/usr/lib/openser/modules/registrar.so"
>>> loadmodule "/usr/lib/openser/modules/textops.so"
>>> loadmodule "/usr/lib/openser/modules/nathelper.so"
>>> loadmodule "/usr/lib/openser/modules/acc.so"
>>> loadmodule "/usr/lib/openser/modules/xlog.so"
>>>
>>> # Uncomment this if you want digest authentication
>>> # mysql.so must be loaded !
>>> loadmodule "/usr/lib/openser/modules/auth.so"
>>> loadmodule "/usr/lib/openser/modules/auth_db.so"
>>>
>>> # ----------------- setting module-specific parameters ---------------
>>>
>>> # ------------- usrloc parameters
>>>
>>> # 2 enables write-back to persistent mysql storage for speed
>>> # disable=0, write-through=1
>>> modparam("usrloc", "db_mode", 0)
>>>
>>> # minimize write back window - default is 60 seconds
>>> modparam("usrloc", "timer_interval", 30)
>>>
>>> # ------------- auth parameters
>>>
>>> # Uncomment if you are using auth module
>>> modparam("auth_db", "calculate_ha1", yes)
>>>
>>> # If you set the "calculate_ha1" parameter to yes (which is true in this
>>> # config), uncomment also the following parameter
>>> modparam("auth_db", "password_column", "password")
>>>
>>> # ------------- rr parameters
>>>
>>> # add value to ;lr param to make some broken UAs happy
>>> modparam("rr", "enable_full_lr", 1)
>>>
>>> # ------------- !! Nathelper
>>>
>>> modparam("registrar", "nat_flag", 6)
>>> modparam("nathelper", "natping_interval", 30) # Ping interval 30 s
>>> modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT
>>> modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock") # Nathelper with RTPproxy
>>>
>>> # ------------- tm parameters
>>>
>>> modparam("tm", "fr_timer", 12)
>>> modparam("tm", "fr_inv_timer", 24)
>>>
>>> # ------------- acc parameters
>>>
>>> modparam("acc", "db_url", "mysql://openser:openserrw@localhost/openser")
>>> modparam("acc", "db_flag", 2)
>>> modparam("acc", "db_missed_flag", 2)
>>> modparam("acc", "log_flag", 1)
>>> modparam("acc", "log_missed_flag", 2)
>>> modparam("acc", "log_level", 2) # Set log_level to 2
>>>
>>> # Allow no more than 3 contacts per AOR
>>> modparam("registrar", "max_contacts", 3)
>>>
>>> # ------------------------- request routing logic -------------------
>>>
>>> # main routing logic
>>>
>>> route{
>>>
>>> if (!mf_process_maxfwd_header("10"))
>>> {
>>> sl_send_reply("483","Too Many Hops");
>>> exit;
>>> };
>>>
>>> if (msg:len >= 2048 )
>>> {
>>> sl_send_reply("513", "Message too big");
>>> exit;
>>> };
>>>
>>> # < Acconting >
>>> if (method=="INVITE")
>>> {
>>> log(1, "Generate call - START\n");
>>> setflag(1); /* set for accounting (the same value as in log_flag!) */
>>> setflag(2);
>>> };
>>>
>>> if (method=="BYE")
>>> {
>>> log (1, "Hung-up \n");
>>> setflag(1);
>>> };
>>>
>>> if (method=="CANCEL")
>>> {
>>> log (1, "Lost call \n");
>>> setflag(1);
>>> }
>>>
>>> if (!method=="REGISTER")
>>> record_route();
>>>
>>> if (nat_uac_test("3"))
>>> {
>>> # Allow RR-ed requests, as these may indicate that
>>> # a NAT-enabled proxy takes care of it; unless it is
>>> # a REGISTER
>>>
>>> if (method == "REGISTER" || ! search("^Record-Route:"))
>>> {
>>> log(1,"LOG: Someone trying to register from private IP, rewriting\n");
>>>
>>> # This will work only for user agents that support symmetric
>>> # communication. We tested quite many of them and majority is
>>> # smart enough to be symmetric. In some phones it takes a configuration
>>> # option. With Cisco 7960, it is called NAT_Enable=Yes, with kphone it is
>>> # called "symmetric media" and "symmetric signalling".
>>>
>>> fix_nated_contact(); # Rewrite contact with source IP of signalling
>>> force_rport(); # Add rport parameter to topmost Via
>>> setflag(6); # Mark as NATed
>>> };
>>> };
>>> # subsequent messages withing a dialog should take the
>>> # path determined by record-routing
>>>
>>> if (loose_route())
>>> {
>>> # mark routing logic in request
>>> append_hf("P-hint: rr-enforced\r\n");
>>> route(1);
>>> };
>>>
>>> if (!uri==myself)
>>> {
>>> # mark routing logic in request
>>> append_hf("P-hint: outbound\r\n");
>>> route(1);
>>> };
>>>
>>> # if the request is for other domain use UsrLoc
>>> # (in case, it does not work, use the following command
>>> # with proper names and addresses in it)
>>> if (uri==myself)
>>> {
>>>
>>> if (method=="REGISTER")
>>> {
>>> # Uncomment this if you want to use digest authentication
>>> if (!www_authorize("xxx.xxx.xxx.xxx", "subscriber"))
>>> {
>>> www_challenge("xxx.xxx.xxx.xxx", "0");
>>> return;
>>> };
>>> save("location");
>>> return;
>>> };
>>>
>>> lookup("aliases");
>>> if (!uri==myself)
>>> {
>>> append_hf("P-hint: outbound alias\r\n");
>>> route(1);
>>> return;
>>> };
>>>
>>> # Router Cisco if not sip branche
>>> log(1,"LOG: testando se destino-sip e' 418x ...\n");
>>>
>>> if ( ! ( uri =~ "^sip:418[1-9].*" ) &&
>>> ! ( uri =~ "^sip:4397"))
>>> {
>>> log(1,"LOG: destino-sip not is 418x .\n");
>>> route(2);
>>>
>>> log(1,"LOG: rewriting hostport yyy.yyy.yyy.yyy:5060...\n");
>>> rewritehostport("yyy.yyy.yyy.yyy:5060");
>>> log(1,"LOG: t_relay...\n");
>>> t_relay();
>>>
>>> log(1,"LOG: break...\n");
>>> return;
>>> }
>>> log(1,"LOG: destino-sip 418x, continue .\n");
>>>
>>> # native SIP destinations are handled using our USRLOC DB
>>> if (!lookup("location"))
>>> {
>>> sl_send_reply("404", "Not Found");
>>> return;
>>> };
>>> };
>>> append_hf("P-hint: usrloc applied\r\n");
>>> route(1);
>>> }
>>>
>>> #######################################
>>>
>>> route[1]
>>> {
>>> # !! Nathelper
>>> if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" && !search("^Route:"))
>>> {
>>> sl_send_reply("479", "We don't forward to private IP addresses");
>>> return;
>>> };
>>>
>>> # if client or server know to be behind a NAT, enable relay
>>> if (isflagset(6))
>>> {
>>> force_rtp_proxy();
>>> t_on_reply("1");
>>> append_hf("P-Behind-NAT: Yes\r\n");
>>> };
>>>
>>> if (!t_relay())
>>> {
>>> sl_reply_error();
>>> return;
>>> };
>>> # stop processing here: without this, control returns to the main route
>>> # after route(1), which can call route(1) and t_relay() a second time
>>> # for the same request
>>> exit;
>>> }
>>> # !! Nathelper
>>> onreply_route[1]
>>> {
>>> # NATed transaction ?
>>> if (isflagset(6) && status =~ "(183)|2[0-9][0-9]")
>>> {
>>> fix_nated_contact();
>>> force_rtp_proxy();
>>> }
>>> else if (nat_uac_test("1"))
>>> {
>>> fix_nated_contact();
>>> };
>>> }
>>>
>>> #######################################
>>>
>>> route[2] {
>>>
>>> ### Dial Plan for gateway VoIP ###
>>>
>>> # Sao Paulo 11
>>> if ( uri =~ "^sip:9911.*" )
>>> {
>>> log(1,"LOG: destination is 9911x, change prefix...");
>>> strip(4);
>>> prefix("011");
>>> return;
>>> }
>>>
>>> # Error (Number inexistent)
>>> sl_reply_error();
>>>
>>> }
>>>
>>> -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
>>>
>>> Regards
>>> Jeferson
>>>
>>> ----- Original Message -----
>>> From: "Dan-Cristian Bogos" <dan.bogos at gmail.com>
>>> To: "Jeferson Prevedello" <jprevedello at terra.com.br>
>>> Cc: <users at openser.org>
>>> Sent: Saturday, August 25, 2007 3:06 PM
>>> Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
>>>
>>>> Hello Jeferson,
>>>>
>>>> it all depends on your openser.cfg.
>>>> If you put in there that all the INVITEs should be authenticated, your
>>>> users will no longer be able to call without having a valid user and
>>>> password for your server. Note that by default openser will not do any
>>>> check for you, in order to keep the flexibility of being used in
>>>> different environment setups.
>>>>
>>>> Cheers,
>>>> DanB
>>>>
>>>> On 8/25/07, Jeferson Prevedello <jprevedello at terra.com.br> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I implemented an environment using openser + mysql. The environment
>>>>> functions perfectly, however I perceived that users (branches) not
>>>>> registered in mysql are generating calls.
>>>>>
>>>>> I installed the X-lite softphone on my computer trying to reproduce the
>>>>> situation.
>>>>>
>>>>> In the X-lite configuration properties, in the "Password" field I typed
>>>>> "trash" as the password (a wrong password).
>>>>>
>>>>> The display of X-lite showed the following message: "Registration error:
>>>>> 401 - Unauthorized".
>>>>>
>>>>> In the contacts drawer I added a contact (double-click on the new contact),
>>>>> and the call was generated without restriction (very bad).
>>>>>
>>>>> Any idea of how I can solve this problem?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Regards
>>>>> Jeferson
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at openser.org
>>>>> http://openser.org/cgi-bin/mailman/listinfo/users
>>>>>
>>>
>>
>
>
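The check Norm and Dan describe, as an added example that is not part of this thread and not OpenSER's own code: a Python model of what proxy_authorize("", "subscriber"), proxy_challenge("", "0") and check_from() do to an INVITE, run against constructed messages so the gap in the posted openser.cfg (REGISTER is challenged, INVITE is relayed untouched) is visible. The realm, the subscriber rows, the phone numbers, the message texts and the nonce bookkeeping are all assumptions; with an empty realm argument OpenSER derives the realm from the From host, whereas this model pins it to one value.

```python
"""Added example, not from the thread and not OpenSER code: a model of
proxy_authorize("", "subscriber") / proxy_challenge("", "0") / check_from()
applied to an INVITE.  Digest follows RFC 2617 as used by SIP (RFC 3261):
MD5, no qop, which is what proxy_challenge("", "0") asks for.
Realm, subscriber rows, numbers, nonces and messages are constructed.
"""
import hashlib
import re
import secrets

REALM = "sip.example.com"  # assumed realm (the posted cfg used an IP)

# Constructed stand-in for the `subscriber` table with calculate_ha1=yes:
# the password column holds plaintext and HA1 is computed per request.
SUBSCRIBER = {"4181": "s3cret", "4182": "another"}


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def parse_sip(raw):
    """Request line and headers only; header names lower-cased, body ignored."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def parse_digest(value):
    """'Digest k="v", k2=v2' -> dict with quotes stripped; {} if not Digest."""
    if not value.startswith("Digest "):
        return {}
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', value[7:])}


def proxy_authorize(method, uri, headers, nonces):
    """Model of proxy_authorize("", "subscriber"): returns the authenticated
    digest username, or None when credentials are missing, stale or wrong."""
    p = parse_digest(headers.get("proxy-authorization", ""))
    user, nonce = p.get("username"), p.get("nonce", "")
    password = SUBSCRIBER.get(user)
    if password is None or nonce not in nonces:
        return None
    if p.get("realm") != REALM or p.get("uri") != uri:
        return None
    expected = digest_response(user, REALM, password, method, uri, nonce)
    return user if secrets.compare_digest(expected, p.get("response", "")) else None


def check_from(headers, auth_user):
    """Model of check_from(): the From username must equal the digest username,
    otherwise one valid account could place calls billed to any From."""
    m = re.search(r"sip:([^@;>]+)@", headers.get("from", ""))
    return m is not None and m.group(1) == auth_user


class Proxy:
    def __init__(self, require_invite_auth=True):
        self.require_invite_auth = require_invite_auth
        self.nonces = set()  # never expire here; the real auth module expires them

    def handle(self, raw):
        """Returns (status, nonce): '407' with a fresh nonce, '403', or 'RELAY'
        meaning the INVITE goes on to route(2) and the gateway."""
        method, uri, headers = parse_sip(raw)
        if method != "INVITE" or not self.require_invite_auth:
            return "RELAY", None  # the posted cfg: no check on INVITE at all
        user = proxy_authorize(method, uri, headers, self.nonces)
        if user is None:
            nonce = secrets.token_hex(16)  # proxy_challenge("", "0")
            self.nonces.add(nonce)
            return "407", nonce
        if not check_from(headers, user):
            return "403", None  # Dan's sl_send_reply("403", "Use From=ID")
        return "RELAY", None


def invite(from_user, target="011987654321", auth=None):
    """Constructed INVITE; auth=(user, password, nonce) adds the digest header."""
    uri = f"sip:{target}@{REALM}"
    hdrs = [f"INVITE {uri} SIP/2.0", f"From: <sip:{from_user}@{REALM}>;tag=1",
            f"To: <{uri}>", "Call-ID: c1@example", "CSeq: 1 INVITE"]
    if auth:
        user, password, nonce = auth
        resp = digest_response(user, REALM, password, "INVITE", uri, nonce)
        hdrs.append(f'Proxy-Authorization: Digest username="{user}", realm="{REALM}", '
                    f'nonce="{nonce}", uri="{uri}", response="{resp}", algorithm=MD5')
    return "\r\n".join(hdrs) + "\r\n\r\n"


def demo():
    """The reporter's scenario and its fixed counterpart; returns the answers."""
    out = {}
    posted = Proxy(require_invite_auth=False)
    out["posted_cfg_unknown_user"] = posted.handle(invite("9999"))[0]  # RELAY: the bug
    p = Proxy()
    out["no_credentials"], nonce = p.handle(invite("4181"))  # 407 + challenge
    out["wrong_password"] = p.handle(invite("4181", auth=("4181", "trash", nonce)))[0]
    out["unknown_user"] = p.handle(invite("9999", auth=("9999", "x", nonce)))[0]
    out["stale_nonce"] = p.handle(invite("4181", auth=("4181", "s3cret", "0" * 32)))[0]
    out["from_mismatch"] = p.handle(invite("4182", auth=("4181", "s3cret", nonce)))[0]
    out["valid"] = p.handle(invite("4181", auth=("4181", "s3cret", nonce)))[0]
    return out


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:26} -> {status}")
```

Run it as a script: the first case shows why X-Lite's "401 - Unauthorized" on REGISTER proves nothing about calls, since the posted config never touches an INVITE before rewritehostport() sends it to the gateway; every other case answers 407 until the Proxy-Authorization is right, and 403 when a valid account signs an INVITE whose From belongs to someone else. The nonce set in this model never expires, so a captured response could be replayed; the real auth module expires nonces, which is one reason to keep the suggested block in the proxy rather than reimplementing it.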
More information about the Users mailing list