[Users] Unauthorized Calls - PLEASE HELP!
Daryl Sanders
daryl.sanders at gmail.com
Thu Mar 29 00:15:35 CEST 2007
Thanks for the tips... I'll look at the sipwise config and probably do
some tweaking to add more checks.
I am unfortunately stuck with UDP IP based authentication for the
gateways right now. Are there any other checks I can do to make this more
secure?
- Daryl
On 3/28/07, klaus.mailinglists at pernau.at <klaus.mailinglists at pernau.at> wrote:
> at first sight:
>
> 1. always use fix_nated_contact before save.
> 2. IP based authentication can be spoofed when using UDP, thus only use
> with TCP
> 3. you have no checks in loose_route block. Take a look at the sipwise
> wizard and its security checks inside the loose_route block.
>
> regards
> klaus
>
>
> > Hi Everyone,
> >
> > I apparently have something in my openser.cfg that is allowing
> > unauthorized calls to go through to our PSTN gateways. I have included
> > my config below for review. I would appreciate any help understanding
> > how this might be happening.
> >
> > I am currently reviewing the CDRs from my PSTN gateways for clues as well.
> > This is a pretty basic configuration with no NAT involved.
> >
> > Regards,
> > Daryl
> >
> >
> >
> > route {
> >
> > # -----------------------------------------------------------------
> > # Sanity Check Section
> > # -----------------------------------------------------------------
> > # Loop protection: decrement Max-Forwards (inserting 10 when absent)
> > # and drop the request once it reaches zero.
> > if (!mf_process_maxfwd_header("10")) {
> > sl_send_reply("483", "Too Many Hops");
> > exit;
> > };
> >
> > # Refuse oversized messages before doing any further work on them.
> > if (msg:len > max_len) {
> > sl_send_reply("513", "Message Overflow");
> > exit;
> > };
> >
> > # NOTE(review): flag 1 is set but never read in this snippet;
> > # presumably consumed by a module (accounting?) configured elsewhere.
> > if (method=="INVITE" || method=="ACK" || method=="BYE") {
> > setflag(1);
> > };
> >
> > # Subscribers in the "inactive" group may only call 911. This keys on
> > # the From header, which has not been authenticated at this point, so
> > # it is a courtesy check rather than an access control.
> > if (method=="INVITE") {
> > if (is_user_in("From","inactive")) {
> > if (uri =~ "^sip:911@") {
> > xlog("L_NOTICE", "[$Tf] R1: $ci -- Allowing 911
> > Emergency Call on Inactive User\n" );
> > } else {
> > sl_send_reply("403", "Forbidden");
> > xlog("L_NOTICE", "[$Tf] R1: $ci -- User Inactive\n" );
> > return;
> > };
> > };
> > };
> >
> > # -----------------------------------------------------------------
> > # Record Route Section
> > # -----------------------------------------------------------------
> > # Stay in the signalling path of every dialog so in-dialog requests
> > # come back through the loose_route branch below.
> > if (method!="REGISTER") {
> > record_route();
> > };
> >
> > # -----------------------------------------------------------------
> > # Loose Route Section
> > # -----------------------------------------------------------------
> > # Any request carrying a Route header for this proxy is relayed as-is:
> > # no authentication and no destination check happen here. NOTE(review):
> > # this is the gap the thread points at -- a request that arrives with a
> > # pre-built Route header reaches t_relay() without ever passing
> > # route[3]; the sipwise wizard's checks inside loose_route are the
> > # suggested reference.
> > if (loose_route()) {
> > xlog( "L_NOTICE", "[$Tf] RR: $ci -- Loose Route $rm ($rd).\n"
> > );
> > if (!t_relay()) {
> > sl_reply_error();
> > };
> > return;
> > };
> >
> > # -----------------------------------------------------------------
> > # Call Type Processing Section
> > # -----------------------------------------------------------------
> > # Requests for a foreign domain are relayed unchallenged (route[1]
> > # only arms the reply/failure routes and calls t_relay()).
> > # NOTE(review): confirm this open forwarding is intended.
> > if (uri!=myself) {
> > route(1);
> > return;
> > };
> >
> > # Dispatch by method; any other method falls through to the generic
> > # alias + location lookup below.
> > if (method=="ACK") {
> > route(1);
> > return;
> > } else if (method=="REGISTER") {
> > route(2);
> > return;
> > } else if (method=="INVITE") {
> > route(3);
> > return;
> > } else if (method=="BYE" || method=="CANCEL") {
> > t_relay();
> > exit;
> > }
> >
> > # Resolve aliases first; an alias that points at another domain is
> > # relayed there.
> > lookup("aliases");
> > if (uri!=myself) {
> > route(1);
> > return;
> > };
> >
> > # Deliver to the registered contact of the local user.
> > if (!lookup("location")) {
> > sl_send_reply("404", "User Not Found");
> > return;
> > };
> >
> > route(1);
> > }
> >
> > route[1] {
> >
> > # -----------------------------------------------------------------
> > # Default Message Handler
> > # -----------------------------------------------------------------
> > # Stateful relay to the current Request-URI. Performs no checks of its
> > # own; every caller is responsible for authorization before calling it.
> > # Arm the reply and failure handlers for this transaction.
> > t_on_reply("1");
> > t_on_failure("2");
> >
> > if (!t_relay()) {
> > sl_reply_error();
> > };
> > }
> >
> > route[2] {
> >
> > # -----------------------------------------------------------------
> > # REGISTER Message Handler
> > # -----------------------------------------------------------------
> > # NOTE(review): a 100 Trying for REGISTER is unusual; harmless, but
> > # presumably not needed.
> > sl_send_reply("100", "Trying");
> >
> > # Digest-authenticate against the subscriber table (empty realm:
> > # realm is taken from the request, per the auth_db docs -- confirm),
> > # then remove the Authorization header from the message.
> > if (!www_authorize("","subscriber")) {
> > www_challenge("","0");
> > exit;
> > };
> > consume_credentials();
> >
> > # NOTE(review): nothing here ties the authenticated username to the
> > # To URI being registered (the uri module's check_to() is the usual
> > # guard -- confirm it is not done elsewhere), and the thread recommends
> > # fix_nated_contact() before save().
> > if (!save("location")) {
> > sl_reply_error();
> > };
> > }
> >
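> > route[3] {
> >
> > # -----------------------------------------------------------------
> > # INVITE Message Handler
> > # -----------------------------------------------------------------
> > # Trusted Provider IPs
> > # Requests from the listed gateway addresses skip digest auth entirely.
> > # NOTE(review): over UDP the source address can be spoofed (see the
> > # thread), so this is the weakest check in the config. As quoted, the
> > # condition is also not one parenthesized expression -- presumably
> > # redaction; confirm against the real file.
> > if (!src_ip==x.x.x.x)&&(!src_ip==x.x.x.x)&&(!src_ip==x.x.x.x) {
> > if (!proxy_authorize("","subscriber")) {
> > proxy_challenge("","0");
> > exit;
> > };
> > consume_credentials();
> > # NOTE(review): proxy_authorize() alone does not bind the From URI to
> > # the authenticated user, yet the is_user_in("From", ...) checks below
> > # and in route[4] key on From; the uri module's check_from() is the
> > # usual guard -- confirm it is not done elsewhere.
> > };
> > # Resolve aliases; an alias pointing at another domain is relayed there.
> > lookup("aliases");
> > if (uri!=myself) {
> > route(1);
> > return;
> > };
> >
> > # Refuse private destination addresses. Previously the script kept
> > # running after the 479 was sent (a 404 or even a PSTN route could
> > # follow); the return ends processing here.
> > # NOTE(review): uri matched myself just above, so this only fires if
> > # the proxy's own address is private -- confirm intent.
> > if (uri=~"[@:](192\.168\.|10\.|172\.16)" && !search("^Route:")){
> > sl_send_reply("479", "We do not forward to private IP addresses");
> > return;
> > };
> >
> > # PSTN destinations go to the gateway handler; by now the sender is
> > # either digest-authenticated or came from a trusted IP.
> > if ((uri =~ "^sip:0@")|| /* Operator Assistance */
> > (uri =~ "^sip:911@")|| /* 911 Emergency */
> > (uri =~ "^sip:411@")|| /* Directory Assistance */
> > (uri =~ "^sip:1[0-9]{10}@")) { /* Domestic PSTN */
> > route(4);
> > return;
> > };
> >
> > if (uri=~"^sip:0111[0-9]*@") { # Kill calls to 011+1... (invalid
> > dialing)
> > sl_send_reply("406", "Not Acceptable");
> > return;
> > }
> >
> > # International: callers outside the gateway1 group get the 011
> > # prefix stripped before the number reaches route[4].
> > if (uri=~"^sip:011[0-9]*@") { # International PSTN
> > if(!is_user_in("From","gateway1")) {
> > strip(3); # Remove 011 for Gateway2
> > }
> > route(4);
> > return;
> > };
> >
> > # Anything else is a local subscriber: deliver to the registered
> > # contact.
> > if (!lookup("location")) {
> > sl_send_reply("404", "User Not Found");
> > return;
> > };
> >
> > route(1);
> > }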
> >
> > route[4] {
> >
> > # -----------------------------------------------------------------
> > # PSTN Handler
> > # -----------------------------------------------------------------
> > # Normalise the dialled number for the gateway and assert the caller
> > # identity. $avp(s:rpid) is populated elsewhere (presumably auth_db's
> > # load_credentials -- confirm); for requests that skipped auth in
> > # route[3] it may be unset.
> > prefix("+"); # add "+" to Request URI
> > append_hf("P-Asserted-Identity:
> > \"User\"<sip:+1$avp(s:rpid)@x.x.x.x>\r\n");
> > uac_replace_from("$fn","sip:+$fU@$fd:5060");
> >
> > # Pick the outbound socket from the caller's group. NOTE(review): this
> > # keys on the From header, which route[3] does not bind to the
> > # authenticated user.
> > if(is_user_in("From","gateway1")) {
> > force_send_socket(x.x.x.x:5060);
> > xlog("L_NOTICE", "[$Tf] Message sent via IP-1\n" );
> > } else {
> > force_send_socket(x.x.x.x:5060);
> > xlog("L_NOTICE", "[$Tf] Message sent via IP-2\n" );
> > };
> >
> > # Select a gateway from dispatcher set 1 (algorithm "0" -- see the
> > # dispatcher docs for this version) and relay via the default handler,
> > # which arms failure_route[2] for failover.
> > ds_select_domain("1","0");
> > route(1);
> > }
> >
> > onreply_route[1] {
> >
> > # we are checking here for a progressing return... ie a 180 Ringing
> > or
> > # 183 session progress -- if this occurs we don't care from here on
> > # about failures as a gateway is handling the call...
> >
> > # Once a gateway answers with 18x, disarm failure_route[2] so a later
> > # final failure on this call is not retried on the next gateway.
> > if( status =~ "18[0-9]" ) {
> > xlog( "L_INFO", "[$Tf] ORR: $ci -- SIP-$rs Reset
> > t_on_failure()\n");
> > t_on_failure("0");
> > } else {
> > xlog( "L_INFO", "[$Tf] ORR: $ci -- $rs $rr\n" );
> > }
> > }
> >
> > failure_route[2] {
> >
> > # Gateway failover. 403, 486 and 487 are treated as final and stop
> > # here; 408 and every other status fall through to ds_next_domain()
> > # and are retried on the next gateway in the set.
> >
> > # 408 -- timeout -- typically the end party has not answered
> > # Since we cancel t_on_failure() on a provisional response we
> > should not be
> > # getting a 408 timeout from a gateway at this stage.. it will
> > just "fall through"
> > # If fr_timer expires t_check_status("408") is true, although
> > $rs is <null>
> > if( t_check_status("408") ){
> > xlog( "L_NOTICE", "[$Tf] FR: $ci -- TIMEOUT for Gateway
> > $rd\n" );
> > } else {
> > xlog( "L_NOTICE", "[$Tf] FR: $ci -- $rs reason $rr\n" );
> > }
> >
> > # 403 -- Not a valid number, or possibly no permission to use the
> > gateway
> > if( t_check_status("403") ){
> > xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Forbidden\n" );
> > return;
> > }
> >
> > # 486 -- User Busy
> > if( t_check_status("486") ){
> > xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Destination
> > Busy\n" );
> > return;
> > }
> >
> > # 487 -- Request Cancelled (usually in response to a CANCEL
> > transaction)
> > if( t_check_status("487") ){
> > xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Request
> > Cancelled\n" );
> > return;
> > }
> >
> > # At this stage we try the next gateway, if no next gateway we
> > bail.
> > # The reply and failure handlers must be re-armed for the new branch;
> > # otherwise a failure of the retry would not come back here.
> > if( ds_next_domain() ){
> > t_on_reply("1");
> > t_on_failure("2");
> > xlog( "L_NOTICE", "[$Tf] FR: $ci Next gateway $fU ->
> > $tU via $rd\n" );
> > if( !t_relay() ){
> > xlog( "L_WARN", "[$Tf] FR: $ci -- ERROR - Can
> > not t_relay()\n" );
> > return;
> > }
> > return;
> > } else {
> > # Set exhausted: answer the caller with a final 503.
> > xlog( "L_WARN", "[$Tf] FR: $ci No more gateways -> 503.\n"
> > );
> > t_reply("503", "Service unavailable -- no more gateways" );
> > return;
> > }
> > }
> >
> >
>
>
>