[OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
Dan-Cristian Bogos
dan.bogos at gmail.com
Mon Aug 27 17:37:31 CEST 2007
Jeferson,
you can use permission module to check whether the originator's IP is trusted.
So your code will become:
if (!allow_trusted()){
    if (method=="INVITE")
    {
        if (!proxy_authorize("", "subscriber"))
        {
            proxy_challenge("","0");
            exit;
        }
    };
};
Documentation provided here:
http://www.openser.org/docs/modules/1.2.x/permissions.html#AEN492
Make sure you configure your permission db settings and reload your
trusted table each time from the database into memory.
Cheers,
DanB
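As an added illustration (not code from the thread or from OpenSER), here is a Python model of the INVITE admission decision that DanB's two snippets express in openser.cfg: allow_trusted() for gateway IPs, proxy_authorize()/proxy_challenge() for Digest credentials, and check_from() to bind the authenticated account to the From user. The realm, subscriber table, trusted IP and nonce are constructed values; the snippet itself passes "" as the realm, meaning the request host is used.

```python
import hashlib
import hmac

# Constructed sample data (not from the thread). SUBSCRIBERS mirrors an auth_db
# "subscriber" table holding plaintext passwords (calculate_ha1=yes); TRUSTED_IPS
# plays the role of the permissions module's trusted table (a PSTN gateway).
REALM = "sip.example.org"            # assumed realm (the snippet passes "" = request host)
SUBSCRIBERS = {"4181": "pw-4181", "4182": "pw-4182"}
TRUSTED_IPS = {"192.0.2.10"}

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, nonce, method, uri):
    """RFC 2617 MD5 Digest as the phone computes it for a Proxy-Authorization header.
    HA1 = MD5(user:realm:password) is what auth_db derives when calculate_ha1=yes."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def admit_invite(src_ip, from_user, creds, nonce, uri):
    """Decision for one INVITE. Returns the SIP status the proxy would answer,
    or "RELAY" when the call may be forwarded.
    creds is None (no Proxy-Authorization) or {"username": ..., "response": ...}."""
    # allow_trusted(): calls from the PSTN gateway/PBX trunk carry no credentials,
    # so they are admitted by source IP and skip the Digest check.
    if src_ip in TRUSTED_IPS:
        return "RELAY"
    # proxy_authorize() failing -> proxy_challenge() answers 407 with a nonce.
    if creds is None or creds.get("username") not in SUBSCRIBERS:
        return "407 Proxy Authentication Required"
    user = creds["username"]
    expected = digest_response(user, SUBSCRIBERS[user], nonce, "INVITE", uri)
    if not hmac.compare_digest(creds.get("response", ""), expected):
        return "407 Proxy Authentication Required"
    # check_from(): the authenticated account must own the From user; otherwise a
    # valid login could place calls that are accounted to another subscriber.
    if from_user != user:
        return "403 Use From=ID"
    return "RELAY"
```

Without the proxy_authorize branch every non-trusted INVITE would fall straight through to "RELAY", which is the behaviour Jeferson observed with X-lite when only REGISTER was authenticated.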
On 8/27/07, Jeferson Prevedello <jprevedello at terra.com.br> wrote:
> Hello DanB,
>
>
> More a problem ! :-(
>
> I apply the following configuration in my openser.cfg:
>
> if (method=="INVITE")
> {
>     if (!proxy_authorize("", "subscriber"))
>     {
>         proxy_challenge("","0");
>         exit;
>     }
> };
>
> I noticed that with the configuration above 'only' registered users can
> generate calls; however, I no longer receive calls originating from the PSTN
> or from any PBX branch. I believe these calls are denied because the sources
> (PSTN, branches) are not registered in the openser server.
>
> Is it possible to apply the configuration above only to calls 'originated'
> from openser?
>
> Thanks !
>
> Regards
> Jeferson
>
>
> ----- Original Message -----
> From: "Dan-Cristian Bogos" <dan.bogos at gmail.com>
> To: "Jeferson Prevedello" <jprevedello at terra.com.br>
> Cc: <users at openser.org>
> Sent: Monday, August 27, 2007 8:35 AM
> Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
>
>
> Hello Jeferson,
>
> Your configuration looks a bit messy, if I were OpenSER I would also
> refuse it. :).
>
> I would suggest taking a more standard configuration (you can find many
> examples at this location:
> http://openser.svn.sourceforge.net/viewvc/openser/branches/1.2/examples/)
> and using the 1.2 branch of the software to start, and experimenting with it in
> some lab environment.
> It is a bit difficult as a beginner to start directly experimenting on
> a production configuration, perhaps written by somebody else, without
> understanding it. You will end up having big issues when
> troubleshooting in a production environment.
>
> The tip I gave you would be really easy to implement with a block
> of a few lines, e.g.:
>
> if (is_method("INVITE")){
>     if (!proxy_authorize("", "subscriber")) {
>         proxy_challenge("","0");
>         exit;
>     } else if (!check_from()) {
>         sl_send_reply("403", "Use From=ID");
>         exit;
>     };
> };
>
> Documentation for you to understand those lines here:
> http://www.openser.org/docs/modules/1.2.x/auth_db.html#AEN192
>
> Usually, there is a lot of documentation and howtos in the openser wiki,
> so I would suggest you have a glance at some titles which look close
> to your needs as a beginner.
>
> http://www.openser.org/dokuwiki/doku.php
>
> Cheers,
> DanB
>
> On 8/27/07, Jeferson Prevedello <jprevedello at terra.com.br> wrote:
> > Hello DanB,
> >
> > Thanks!
> >
> > Following DanB's suggestion, I tried to implement a mechanism that only allows
> > authenticated members to make calls, but my configuration didn't work.
> >
> > This is my first project with openser, therefore I do not have much
> > experience. If someone knows how to help me implement this verification,
> > I will be very thankful.
> >
> > Below, my openser.cfg file:
> >
> > -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
> >
> >
> > # ----------- global configuration parameters ------------------------
> >
> > debug=3
> > fork=yes
> > log_stderror=no
> > log_facility=LOG_LOCAL7
> >
> > # hostname matching an alias will satisfy the condition uri==myself.
> > alias=xxx.xxx.xxx.xxx
> > listen=udp:xxx.xxx.xxx.xxx:5060
> >
> > # check_via - Turn on or off Via host checking when forwarding replies.
> > # Default is no. arcane. looks for discrepancy between name and
> > # ip address when forwarding replies.
> > check_via=yes
> >
> > # syn_branch - Shall the server use stateful synonym branches? It is
> > # faster but not reboot-safe. Default is yes.
> > syn_branch=yes
> >
> > # dns - Uses dns to check if it is necessary to add a "received=" field
> > # to a via. Default is no.
> > # rev_dns - Same as dns but use reverse DNS.
> > dns=no
> > rev_dns=no
> > port=5060
> > children=4
> >
> > # memlog - Debugging level for final memory statistics report. Default
> > # is L_DBG -- memory statistics are dumped only if debug is set high.
> > memlog=3
> >
> > # sip_warning - Should replies include extensive warnings? By default
> > # yes, it is good for trouble-shooting.
> > sip_warning=yes
> >
> > # fifo - FIFO special file pathname
> > fifo="/tmp/openser_fifo"
> >
> > # reply_to_via - A hint to reply modules whether they should send reply
> > # to IP advertised in Via. Turned off by default, which means that
> > # replies are sent to IP address from which requests came.
> > reply_to_via=no
> >
> > # mhomed -- enable calculation of outbound interface; useful on
> > # multihomed servers.
> > mhomed=0
> >
> > # ------------------ module loading ----------------------------------
> >
> > # Uncomment this if you want to use SQL database
> > loadmodule "/usr/lib/openser/modules/mysql.so"
> > loadmodule "/usr/lib/openser/modules/sl.so"
> > loadmodule "/usr/lib/openser/modules/tm.so"
> > loadmodule "/usr/lib/openser/modules/rr.so"
> > loadmodule "/usr/lib/openser/modules/maxfwd.so"
> > loadmodule "/usr/lib/openser/modules/usrloc.so"
> > loadmodule "/usr/lib/openser/modules/registrar.so"
> > loadmodule "/usr/lib/openser/modules/textops.so"
> > loadmodule "/usr/lib/openser/modules/nathelper.so"
> > loadmodule "/usr/lib/openser/modules/acc.so"
> > loadmodule "/usr/lib/openser/modules/xlog.so"
> >
> > # Uncomment this if you want digest authentication
> > # mysql.so must be loaded !
> > loadmodule "/usr/lib/openser/modules/auth.so"
> > loadmodule "/usr/lib/openser/modules/auth_db.so"
> >
> > # ----------------- setting module-specific parameters ---------------
> >
> > # ------------- usrloc parameters
> >
> > # 2 enables write-back to persistent mysql storage for speed
> > # disable=0, write-through=1
> > modparam("usrloc", "db_mode", 0)
> >
> > # minimize write back window - default is 60 seconds
> > modparam("usrloc", "timer_interval", 30)
> >
> > # ------------- auth parameters
> >
> > # Uncomment if you are using auth module
> > modparam("auth_db", "calculate_ha1", yes)
> >
> > # If you set the "calculate_ha1" parameter to yes (which is true in this config),
> > # uncomment also the following parameter
> > modparam("auth_db", "password_column", "password")
> >
> > # ------------- rr parameters
> >
> > # add value to ;lr param to make some broken UAs happy
> > modparam("rr", "enable_full_lr", 1)
> >
> > # ------------- !! Nathelper
> >
> > modparam("registrar", "nat_flag", 6)
> > modparam("nathelper", "natping_interval", 30)  # Ping interval 30 s
> > modparam("nathelper", "ping_nated_only", 1)    # Ping only clients behind NAT
> > modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock")  # Nathelper with RTPproxy
> >
> > # ------------- tm parameters
> >
> > modparam("tm", "fr_timer", 12)
> > modparam("tm", "fr_inv_timer", 24)
> >
> > # ------------- acc parameters
> >
> > modparam("acc", "db_url", "mysql://openser:openserrw@localhost/openser")
> > modparam("acc", "db_flag", 2)
> > modparam("acc", "db_missed_flag", 2)
> > modparam("acc", "log_flag", 1)
> > modparam("acc", "log_missed_flag", 2)
> > modparam("acc", "log_level", 2) # Set log_level to 2
> >
> > # Allow no more than 3 contacts per AOR
> > modparam("registrar", "max_contacts", 3)
> >
> > # ------------------------- request routing logic -------------------
> >
> > # main routing logic
> >
> > route{
> >
> >     if (!mf_process_maxfwd_header("10"))
> >     {
> >         sl_send_reply("483","Too Many Hops");
> >         exit;
> >     };
> >
> >     if (msg:len >= 2048 )
> >     {
> >         sl_send_reply("513", "Message too big");
> >         exit;
> >     };
> >
> >     # < Accounting >
> >     if (method=="INVITE")
> >     {
> >         log(1, "Generate call - START\n");
> >         setflag(1); /* set for accounting (the same value as in log_flag!) */
> >         setflag(2);
> >     };
> >
> >     if (method=="BYE")
> >     {
> >         log (1, "Hung-up \n");
> >         setflag(1);
> >     };
> >
> >     if (method=="CANCEL")
> >     {
> >         log (1, "Lost call \n");
> >         setflag(1);
> >     }
> >
> >     if (!method=="REGISTER")
> >         record_route();
> >
> >     if (nat_uac_test("3"))
> >     {
> >         # Allow RR-ed requests, as these may indicate that
> >         # a NAT-enabled proxy takes care of it; unless it is
> >         # a REGISTER
> >
> >         if (method == "REGISTER" || ! search("^Record-Route:"))
> >         {
> >             log(1,"LOG: Someone trying to register from private IP, rewriting\n");
> >
> >             # This will work only for user agents that support symmetric
> >             # communication. We tested quite many of them and the majority is
> >             # smart enough to be symmetric. In some phones it takes a configuration
> >             # option. With Cisco 7960, it is called NAT_Enable=Yes, with kphone it is
> >             # called "symmetric media" and "symmetric signalling".
> >
> >             fix_nated_contact(); # Rewrite contact with source IP of signalling
> >             force_rport();       # Add rport parameter to topmost Via
> >             setflag(6);          # Mark as NATed
> >         };
> >     };
> >
> >     # subsequent messages within a dialog should take the
> >     # path determined by record-routing
> >     if (loose_route())
> >     {
> >         # mark routing logic in request
> >         append_hf("P-hint: rr-enforced\r\n");
> >         route(1);
> >     };
> >
> >     if (!uri==myself)
> >     {
> >         # mark routing logic in request
> >         append_hf("P-hint: outbound\r\n");
> >         route(1);
> >     };
> >
> >     # if the request is for our domain use UsrLoc
> >     # (in case it does not work, use the following command
> >     # with proper names and addresses in it)
> >     if (uri==myself)
> >     {
> >
> >         if (method=="REGISTER")
> >         {
> >             # Uncomment this if you want to use digest authentication
> >             if (!www_authorize("xxx.xxx.xxx.xxx", "subscriber"))
> >             {
> >                 www_challenge("xxx.xxx.xxx.xxx", "0");
> >                 return;
> >             };
> >             save("location");
> >             return;
> >         };
> >
> >         lookup("aliases");
> >         if (!uri==myself)
> >         {
> >             append_hf("P-hint: outbound alias\r\n");
> >             route(1);
> >             return;
> >         };
> >
> >         # Route to the Cisco gateway if the destination is not a SIP branch
> >         log(1,"LOG: testando se destino-sip e' 418x ...\n");
> >
> >         if ( ! ( uri =~ "^sip:418[1-9].*" ) &&
> >              ! ( uri =~ "^sip:4397"))
> >         {
> >             log(1,"LOG: destino-sip not is 418x .\n");
> >             route(2);
> >
> >             log(1,"LOG: rewriting hostport yyy.yyy.yyy.yyy:5060...\n");
> >             rewritehostport("yyy.yyy.yyy.yyy:5060");
> >             log(1,"LOG: t_relay...\n");
> >             t_relay();
> >
> >             log(1,"LOG: break...\n");
> >             return;
> >         }
> >         log(1,"LOG: destino-sip 418x, continue .\n");
> >
> >         # native SIP destinations are handled using our USRLOC DB
> >         if (!lookup("location"))
> >         {
> >             sl_send_reply("404", "Not Found");
> >             return;
> >         };
> >     };
> >     append_hf("P-hint: usrloc applied\r\n");
> >     route(1);
> > }
> >
> > #######################################
> >
> > route[1]
> > {
> >     # !! Nathelper
> >     if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" &&
> >         !search("^Route:"))
> >     {
> >         sl_send_reply("479", "We don't forward to private IP addresses");
> >         return;
> >     };
> >
> >     # if client or server is known to be behind a NAT, enable relay
> >     if (isflagset(6))
> >     {
> >         force_rtp_proxy();
> >         t_on_reply("1");
> >         append_hf("P-Behind-NAT: Yes\r\n");
> >     };
> >
> >     if (!t_relay())
> >     {
> >         sl_reply_error();
> >         return;
> >     };
> > }
> >
> > # !! Nathelper
> > onreply_route[1]
> > {
> >     # NATed transaction ?
> >     if (isflagset(6) && status =~ "(183)|2[0-9][0-9]")
> >     {
> >         fix_nated_contact();
> >         force_rtp_proxy();
> >     }
> >     else if (nat_uac_test("1"))
> >     {
> >         fix_nated_contact();
> >     };
> > }
> >
> > #######################################
> >
> > route[2] {
> >
> >     ### Dial Plan for gateway VoIP ###
> >
> >     # Sao Paulo 11
> >     if ( uri =~ "^sip:9911.*" )
> >     {
> >         log(1,"LOG: destination is 9911x, change prefix...");
> >         strip(4);
> >         prefix("011");
> >         return;
> >     }
> >
> >     # Error (number does not exist)
> >     sl_reply_error();
> >
> > }
> >
> > -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
> >
> > Regards
> > Jeferson
> >
> >
> >
> >
> >
> > ----- Original Message -----
> > From: "Dan-Cristian Bogos" <dan.bogos at gmail.com>
> > To: "Jeferson Prevedello" <jprevedello at terra.com.br>
> > Cc: <users at openser.org>
> > Sent: Saturday, August 25, 2007 3:06 PM
> > Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
> >
> >
> > > Hello Jeferson,
> > >
> > > it all depends on your openser.cfg.
> > > If you put in there that all the INVITE-s should be authenticated, your
> > > users will no longer be able to call without having a valid user and
> > > password for your server. Note that by default openser will not do any
> > > check for you, in order to keep the flexibility of being used in
> > > different environment setups.
> > >
> > > Cheers,
> > > DanB
> > >
> > > On 8/25/07, Jeferson Prevedello <jprevedello at terra.com.br> wrote:
> > >>
> > >>
> > >> Hello,
> > >>
> > >> I implemented an environment using openser + mysql. The environment
> > >> works perfectly; however, I noticed that users (branches) not
> > >> registered in mysql are generating calls.
> > >>
> > >> I installed the X-lite softphone on my computer trying to reproduce the
> > >> situation.
> > >>
> > >> In the X-lite configuration properties, in the "Password" field I
> > >> typed "trash" as the password (a wrong password).
> > >>
> > >> The X-lite display showed the following message: "Registration error:
> > >> 401 - Unauthorized".
> > >>
> > >> In the contacts drawer I added a contact (double click on the new
> > >> contact), and the call was generated without restriction (very bad).
> > >>
> > >> Any idea how I can solve this problem?
> > >>
> > >> Thanks
> > >>
> > >> Regards
> > >> Jeferson
> > >>
> > >> _______________________________________________
> > >> Users mailing list
> > >> Users at openser.org
> > >> http://openser.org/cgi-bin/mailman/listinfo/users
> > >>
> > >>
> > >
> >
> >
>
>