[OpenSER-Users] Unauthorized Calls - [Openser - X-lite]

Dan-Cristian Bogos dan.bogos at gmail.com
Mon Aug 27 17:37:31 CEST 2007


Jeferson,

you can use permission module to check whether the originator's IP is trusted.

So your code will become:
if (!allow_trusted()){
       if (method=="INVITE")
       {
               if (!proxy_authorize("", "subscriber"))
               {
                 proxy_challenge("","0");
                 exit;
               }
       };
};

Documentation provided here:
http://www.openser.org/docs/modules/1.2.x/permissions.html#AEN492

Make sure you configure your permission db settings and reload your
trusted table each time from the database into memory.

Cheers,
DanB

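The decision DanB's block implements (trusted PSTN source first, then digest proxy-authorization, then the From/identity check from his earlier reply), modelled in Python as an added example; this is not OpenSER code or anything from the thread. The realm, the trusted gateway entry, the subscriber, the nonce and the addresses are constructed values, and `md5`, `make_auth_header`, `parse_auth`, `digest_ok`, `allow_trusted` and `route_invite` are hypothetical helpers standing in for the proxy's behaviour.

```python
import hashlib
import re

REALM = "sip.example.com"  # hypothetical realm used for digest auth
# Constructed stand-in for the permissions module's "trusted" table:
# (src_ip, proto, from_pattern). One PSTN gateway, allowed to skip auth.
TRUSTED = [("203.0.113.10", "udp", r"^sip:.*@pstn\.example\.com$")]

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

# Constructed subscriber table keyed by (username, realm); the value is
# HA1 = MD5(user:realm:password), what auth_db holds with calculate_ha1=yes.
SUBSCRIBERS = {("1001", REALM): md5(f"1001:{REALM}:s3cret")}

def make_auth_header(user, password, nonce, uri, method):
    """Client side: the Proxy-Authorization header a UA sends after a 407."""
    ha1 = md5(f"{user}:{REALM}:{password}")
    resp = md5(f"{ha1}:{nonce}:{md5(method + ':' + uri)}")
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')

def parse_auth(header):
    """Turn 'Digest k="v", k2="v2", ...' into a dict."""
    return dict(re.findall(r'(\w+)="?([^",]*)"?', header.split(" ", 1)[1]))

def digest_ok(auth, method):
    """Server side of proxy_authorize(): recompute the response from stored HA1."""
    key = (auth.get("username"), auth.get("realm"))
    if key not in SUBSCRIBERS or "nonce" not in auth or "uri" not in auth:
        return False
    ha2 = md5(f"{method}:{auth['uri']}")
    return md5(f"{SUBSCRIBERS[key]}:{auth['nonce']}:{ha2}") == auth.get("response")

def allow_trusted(src_ip, proto, from_uri):
    """permissions allow_trusted(): source IP, protocol and From must all match."""
    return any(ip == src_ip and p == proto and re.match(pat, from_uri)
               for ip, p, pat in TRUSTED)

def route_invite(src_ip, proto, from_uri, auth_header=None):
    """INVITE decision: 'relay', '407' (challenge) or '403' (From/identity mismatch)."""
    if allow_trusted(src_ip, proto, from_uri):
        return "relay"                   # PSTN gateway: skip digest auth
    auth = parse_auth(auth_header) if auth_header else {}
    if not digest_ok(auth, "INVITE"):
        return "407"                     # proxy_challenge("", "0")
    # check_from(): the From user must equal the authenticated username
    if re.match(r"sip:([^@]+)@", from_uri).group(1) != auth["username"]:
        return "403"                     # sl_send_reply("403", "Use From=ID")
    return "relay"
```

A From header that merely looks like the gateway's does not pass `allow_trusted` from an untrusted address, which is why the table matches on source IP and protocol as well.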

On 8/27/07, Jeferson Prevedello <jprevedello at terra.com.br> wrote:
> Hello DanB,
>
>
> One more problem! :-(
>
> I apply the following configuration in my openser.cfg:
>
>         if (method=="INVITE")
>         {
>                 if (!proxy_authorize("", "subscriber"))
>                 {
>                   proxy_challenge("","0");
>                   exit;
>                 }
>         };
>
> I noticed that with the configuration above 'only' registered users can
> make calls; however, I no longer receive calls originating from the PSTN
> or from any branch of the PBX. I believe these calls are denied because the
> sources (PSTN - branches) are not registered in the openser server.
>
> Is it possible to apply the configuration above only to calls 'originated'
> from openser?
>
> Thanks !
>
> Regards
> Jeferson
>
>
> ----- Original Message -----
> From: "Dan-Cristian Bogos" <dan.bogos at gmail.com>
> To: "Jeferson Prevedello" <jprevedello at terra.com.br>
> Cc: <users at openser.org>
> Sent: Monday, August 27, 2007 8:35 AM
> Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
>
>
> Hello Jeferson,
>
> Your configuration looks a bit messy, if I were OpenSER I would also
> refuse it. :).
>
> I would suggest taking a more standard configuration (you can find many
> examples at this location:
> http://openser.svn.sourceforge.net/viewvc/openser/branches/1.2/examples/)
> and using the 1.2 branch of the software for a start, and experimenting
> with it in some lab environment.
> It is a bit difficult as a beginner to start directly experimenting on
> a production configuration, perhaps written by somebody else, without
> understanding it. You will end up having big issues when
> troubleshooting in a production environment.
>
> The tip I gave you would be really easy to implement with a block
> of a few lines, e.g.:
>
> if (is_method("INVITE")) {
>         if (!proxy_authorize("", "subscriber")) {
>                 proxy_challenge("", "0");
>                 exit;
>         } else if (!check_from()) {
>                 sl_send_reply("403", "Use From=ID");
>                 exit;
>         };
> };
>
> Documentation for you to understand those lines here:
> http://www.openser.org/docs/modules/1.2.x/auth_db.html#AEN192
>
> Usually, there is a lot of documentation and howtos in the openser wiki,
> so I would suggest having a glance at some titles which look close
> to your needs as a beginner.
>
> http://www.openser.org/dokuwiki/doku.php
>
> Cheers,
> DanB
>
> On 8/27/07, Jeferson Prevedello <jprevedello at terra.com.br> wrote:
> > Hello DanB,
> >
> > Thanks!
> >
> > Following DanB's suggestion, I tried to implement a mechanism that only
> > allows authenticated members to make calls, but my configuration did not
> > function.
> >
> > This is my first project with openser, therefore I do not have much
> > experience. If someone knows how to help me implement this verification,
> > I will be very thankful.
> >
> > Below, my openser.cfg file:
> >
> > -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
> >
> >
> > # ----------- global configuration parameters ------------------------
> >
> > debug=3
> > fork=yes
> > log_stderror=no
> > log_facility=LOG_LOCAL7
> >
> > # hostname matching an alias will satisfy the condition uri==myself.
> > alias=xxx.xxx.xxx.xxx
> > listen=udp:xxx.xxx.xxx.xxx:5060
> >
> > # check_via - Turn on or off Via host checking when forwarding replies.
> > # Default is no. arcane. looks for discrepancy between name and
> > # ip address when forwarding replies.
> > check_via=yes
> >
> > # syn_branch - Shall the server use stateful synonym branches? It is
> > # faster but not reboot-safe. Default is yes.
> > syn_branch=yes
> >
> > # dns - Uses dns to check if it is necessary to add a "received=" field
> > # to a via. Default is no.
> > # rev_dns - Same as dns but use reverse DNS.
> > dns=no
> > rev_dns=no
> > port=5060
> > children=4
> >
> > # memlog - Debugging level for final memory statistics report. Default
> > # is L_DBG -- memory statistics are dumped only if debug is set high.
> >  memlog=3
> >
> > # sip_warning - Should replies include extensive warnings? By default
> > # yes, it is good for trouble-shooting.
> > sip_warning=yes
> >
> > # fifo - FIFO special file pathname
> > fifo="/tmp/openser_fifo"
> >
> > # reply_to_via - A hint to reply modules whether they should send reply
> > # to IP advertised in Via. Turned off by default, which means that
> > # replies are sent to IP address from which requests came.
> >  reply_to_via=no
> >
> > # mhomed -- enable calculation of outbound interface; useful on
> > # multihomed servers.
> > mhomed=0
> >
> > # ------------------ module loading ----------------------------------
> >
> > # Uncomment this if you want to use SQL database
> > loadmodule "/usr/lib/openser/modules/mysql.so"
> > loadmodule "/usr/lib/openser/modules/sl.so"
> > loadmodule "/usr/lib/openser/modules/tm.so"
> > loadmodule "/usr/lib/openser/modules/rr.so"
> > loadmodule "/usr/lib/openser/modules/maxfwd.so"
> > loadmodule "/usr/lib/openser/modules/usrloc.so"
> > loadmodule "/usr/lib/openser/modules/registrar.so"
> > loadmodule "/usr/lib/openser/modules/textops.so"
> > loadmodule "/usr/lib/openser/modules/nathelper.so"
> > loadmodule "/usr/lib/openser/modules/acc.so"
> > loadmodule "/usr/lib/openser/modules/xlog.so"
> >
> > # Uncomment this if you want digest authentication
> > # mysql.so must be loaded !
> > loadmodule "/usr/lib/openser/modules/auth.so"
> > loadmodule "/usr/lib/openser/modules/auth_db.so"
> >
> > # ----------------- setting module-specific parameters ---------------
> >
> > # ------------- usrloc parameters
> >
> > # 2 enables write-back to persistent mysql storage for speed
> > # disable=0, write-through=1
> > modparam("usrloc", "db_mode", 0)
> >
> > # minimize write back window - default is 60 seconds
> > modparam("usrloc", "timer_interval", 30)
> >
> > # ------------- auth parameters
> >
> > # Uncomment if you are using auth module
> > modparam("auth_db", "calculate_ha1", yes)
> >
> > # If you set the "calculate_ha1" parameter to yes (which is true in this
> > # config), uncomment also the following parameter
> > modparam("auth_db", "password_column", "password")
> >
> > # ------------- rr parameters
> >
> > # add value to ;lr param to make some broken UAs happy
> > modparam("rr", "enable_full_lr", 1)
> >
> > # ------------- !! Nathelper
> >
> > modparam("registrar", "nat_flag", 6)
> > modparam("nathelper", "natping_interval", 30) # Ping interval 30 s
> > modparam("nathelper", "ping_nated_only", 1)   # Ping only clients behind NAT
> > modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock")   # Nathelper with RTPproxy
> >
> > # ------------- tm parameters
> >
> > modparam("tm", "fr_timer", 12)
> > modparam("tm", "fr_inv_timer", 24)
> >
> > # -------------  acc parameters
> >
> > modparam("acc", "db_url", "mysql://openser:openserrw@localhost/openser")
> > modparam("acc", "db_flag", 2)
> > modparam("acc", "db_missed_flag", 2)
> > modparam("acc", "log_flag", 1)
> > modparam("acc", "log_missed_flag", 2)
> > modparam("acc", "log_level", 2)   # Set log_level to 2
> >
> > # Allow no more than 3 contacts per AOR
> > modparam("registrar", "max_contacts", 3)
> >
> > # -------------------------  request routing logic -------------------
> >
> > # main routing logic
> >
> > route{
> >
> >     if (!mf_process_maxfwd_header("10")) {
> >         sl_send_reply("483","Too Many Hops");
> >         exit;
> >     };
> >
> >     if (msg:len >= 2048) {
> >         sl_send_reply("513", "Message too big");
> >         exit;
> >     };
> >
> >     # < Accounting >
> >     if (method=="INVITE") {
> >         log(1, "Generate call - START\n");
> >         setflag(1); /* set for accounting (the same value as in log_flag!) */
> >         setflag(2);
> >     };
> >
> >     if (method=="BYE") {
> >         log(1, "Hung-up \n");
> >         setflag(1);
> >     };
> >
> >     if (method=="CANCEL") {
> >         log(1, "Lost call \n");
> >         setflag(1);
> >     };
> >
> >     if (!method=="REGISTER")
> >         record_route();
> >
> >     if (nat_uac_test("3")) {
> >         # Allow RR-ed requests, as these may indicate that
> >         # a NAT-enabled proxy takes care of it; unless it is
> >         # a REGISTER
> >         if (method == "REGISTER" || ! search("^Record-Route:")) {
> >             log(1,"LOG: Someone trying to register from private IP, rewriting\n");
> >
> >             # This will work only for user agents that support symmetric
> >             # communication. We tested quite many of them and the majority is
> >             # smart enough to be symmetric. In some phones it takes a
> >             # configuration option. With Cisco 7960, it is called NAT_Enable=Yes,
> >             # with kphone it is called "symmetric media" and "symmetric signalling".
> >
> >             fix_nated_contact(); # Rewrite contact with source IP of signalling
> >             force_rport();       # Add rport parameter to topmost Via
> >             setflag(6);          # Mark as NATed
> >         };
> >     };
> >     # subsequent messages within a dialog should take the
> >     # path determined by record-routing
> >     if (loose_route()) {
> >         # mark routing logic in request
> >         append_hf("P-hint: rr-enforced\r\n");
> >         route(1);
> >         exit;   # stop here; without it processing falls through and relays twice
> >     };
> >
> >     if (!uri==myself) {
> >         # mark routing logic in request
> >         append_hf("P-hint: outbound\r\n");
> >         route(1);
> >         exit;
> >     };
> >
> >     # if the request is for our domain use UsrLoc
> >     # (in case it does not work, use the following command
> >     # with proper names and addresses in it)
> >     if (uri==myself) {
> >
> >         if (method=="REGISTER") {
> >             # digest authentication for REGISTER
> >             if (!www_authorize("xxx.xxx.xxx.xxx", "subscriber")) {
> >                 www_challenge("xxx.xxx.xxx.xxx", "0");
> >                 return;
> >             };
> >             save("location");
> >             return;
> >         };
> >
> >         lookup("aliases");
> >         if (!uri==myself) {
> >             append_hf("P-hint: outbound alias\r\n");
> >             route(1);
> >             return;
> >         };
> >
> >         # Route to the Cisco gateway if the destination is not a SIP branch
> >         log(1,"LOG: testando se destino-sip e' 418x ...\n");
> >
> >         if ( !(uri =~ "^sip:418[1-9].*") && !(uri =~ "^sip:4397") ) {
> >             log(1,"LOG: destino-sip not is 418x .\n");
> >             route(2);
> >
> >             log(1,"LOG: rewriting hostport yyy.yyy.yyy.yyy:5060...\n");
> >             rewritehostport("yyy.yyy.yyy.yyy:5060");
> >             log(1,"LOG: t_relay...\n");
> >             t_relay();
> >
> >             log(1,"LOG: break...\n");
> >             return;
> >         };
> >         log(1,"LOG: destino-sip  418x, continue .\n");
> >
> >         # native SIP destinations are handled using our USRLOC DB
> >         if (!lookup("location")) {
> >             sl_send_reply("404", "Not Found");
> >             return;
> >         };
> >     };
> >     append_hf("P-hint: usrloc applied\r\n");
> >     route(1);
> > }
> >
> > #######################################
> >
> > route[1]
> > {
> >     # !! Nathelper
> >     if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" &&
> >         !search("^Route:")) {
> >         sl_send_reply("479", "We don't forward to private IP addresses");
> >         return;
> >     };
> >
> >     # if client or server known to be behind a NAT, enable relay
> >     if (isflagset(6)) {
> >         force_rtp_proxy();
> >         t_on_reply("1");
> >         append_hf("P-Behind-NAT: Yes\r\n");
> >     };
> >
> >     if (!t_relay()) {
> >         sl_reply_error();
> >         return;
> >     };
> > }
> >
> > # !! Nathelper
> > onreply_route[1]
> > {
> >     # NATed transaction ?
> >     if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") {
> >         fix_nated_contact();
> >         force_rtp_proxy();
> >     } else if (nat_uac_test("1")) {
> >         fix_nated_contact();
> >     };
> > }
> >
> > #######################################
> >
> > route[2] {
> >
> >     ### Dial Plan for gateway VoIP ###
> >
> >     # Sao Paulo 11
> >     if (uri =~ "^sip:9911.*") {
> >         log(1,"LOG: destination is 9911x, change prefix...\n");
> >         strip(4);
> >         prefix("011");
> >         return;
> >     };
> >
> >     # Error (Number inexistent): reply and stop, otherwise the caller in
> >     # the main route would still rewrite and relay the request
> >     sl_reply_error();
> >     exit;
> > }
> >
> > -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
> >
> > Regards
> > Jeferson
> >
> >
> >
> >
> >
> > ----- Original Message -----
> > From: "Dan-Cristian Bogos" <dan.bogos at gmail.com>
> > To: "Jeferson Prevedello" <jprevedello at terra.com.br>
> > Cc: <users at openser.org>
> > Sent: Saturday, August 25, 2007 3:06 PM
> > Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
> >
> >
> > > Hello Jeferson,
> > >
> > > it all depends on your openser.cfg.
> > > If you put in there that all the INVITE-s should be authenticated, your
> > > users will no longer be able to call without having a valid user and
> > > password for your server. Note that by default openser will not do any
> > > check for you, in order to keep the flexibility of being used in
> > > different environment setups.
> > >
> > > Cheers,
> > > DanB
> > >
> > > On 8/25/07, Jeferson Prevedello <jprevedello at terra.com.br> wrote:
> > >>
> > >>
> > >> Hello,
> > >>
> > >> I implemented an environment using openser + mysql. The environment
> > >> functions perfectly; however, I noticed that users (branches) not
> > >> registered in mysql are generating calls.
> > >>
> > >> I installed the X-lite softphone on my computer to try to reproduce the
> > >> situation.
> > >>
> > >> In the X-lite configuration properties, in the "Password" field, I typed
> > >> "trash" as the password (a wrong password).
> > >>
> > >> The display of X-lite showed the following message: "Registration error:
> > >> 401 - Unauthorized".
> > >>
> > >> In the contacts drawer I added a contact (double-clicked on the new
> > >> contact), and the call was generated without restriction (very bad).
> > >>
> > >> Any idea how I can solve this problem?
> > >>
> > >> Thanks
> > >>
> > >> Regards
> > >> Jeferson
> > >>
> > >> _______________________________________________
> > >> Users mailing list
> > >> Users at openser.org
> > >> http://openser.org/cgi-bin/mailman/listinfo/users
> > >>
> > >>
> > >
> >
> >
>
>