[Users] Unauthorized Calls - PLEASE HELP!

Daryl Sanders daryl.sanders at gmail.com
Thu Mar 29 00:15:35 CEST 2007


Thanks for the tips... I'll look at the sipwise config and probably do
some tweaking to add more checks.

I am unfortunately stuck with UDP IP based authentication for the
gateways right now. Are there any other checks I can do to make this more
secure?

- Daryl

On 3/28/07, klaus.mailinglists at pernau.at <klaus.mailinglists at pernau.at> wrote:
> at first sight:
>
> 1. always use fix_nated_contact before save.
> 2. IP based authentication can be spoofed when using UDP, thus only use
> with TCP
> 3. you have no checks in loose_route block. Take a look at the sipwise
> wizard and its security checks inside the loose_route block.
>
> regards
> klaus
>
>
> > Hi Everyone,
> >
> > I apparently have something in my openser.cfg that is allowing
> > unauthorized calls to go through to our PSTN gateways. I have included
> > my config below for review. I would appreciate any help understanding
> > how this might be happening.
> >
> > I am currently reviewing the CDRs from my PSTN gateways for clues as well.
> > This is a pretty basic configuration with no NAT involved.
> >
> > Regards,
> > Daryl
> >
> >
> >
> > route {
> >
> >     # -----------------------------------------------------------------
> >     # Sanity Check Section
> >     # -----------------------------------------------------------------
> >     # Drop requests that have already crossed 10 hops (loop protection).
> >     if (!mf_process_maxfwd_header("10")) {
> >         sl_send_reply("483", "Too Many Hops");
> >         exit;
> >     };
> >
> >     if (msg:len > max_len) {
> >         sl_send_reply("513", "Message Overflow");
> >         exit;
> >     };
> >
> >     # Flag 1 is set on INVITE/ACK/BYE; what consumes it (accounting,
> >     # presumably) is not visible in this excerpt.
> >     if (method=="INVITE" || method=="ACK" || method=="BYE") {
> >         setflag(1);
> >     };
> >
> >     # NOTE(review): no *_authorize() has run yet, so the From header used
> >     # by this group check is unauthenticated. It can only be relied on
> >     # once credentials have been verified; re-check it after
> >     # proxy_authorize() in route[3]. Only 911 is let through for an
> >     # inactive user.
> >     if (method=="INVITE") {
> >         if (is_user_in("From","inactive")) {
> >             if (uri =~ "^sip:911@") {
> >                 xlog("L_NOTICE", "[$Tf] R1: $ci -- Allowing 911
> > Emergency Call on Inactive User\n" );
> >             } else {
> >                 sl_send_reply("403", "Forbidden");
> >                 xlog("L_NOTICE", "[$Tf] R1: $ci -- User Inactive\n" );
> >                 return;
> >             };
> >         };
> >     };
> >
> >     # -----------------------------------------------------------------
> >     # Record Route Section
> >     # -----------------------------------------------------------------
> >     # Stay in the signalling path for everything except REGISTER.
> >     if (method!="REGISTER") {
> >         record_route();
> >     };
> >
> >     # -----------------------------------------------------------------
> >     # Loose Route Section
> >     # -----------------------------------------------------------------
> >     # NOTE(review): any request carrying a Route header that names this
> >     # proxy is relayed here with no further check; nothing verifies that
> >     # it belongs to a dialog this proxy actually set up. This is the
> >     # loose_route gap klaus points at (sipwise wizard checks).
> >     if (loose_route()) {
> >             xlog( "L_NOTICE", "[$Tf] RR: $ci -- Loose Route $rm ($rd).\n"
> > );
> >             if (!t_relay()) {
> >                     sl_reply_error();
> >             };
> >             return;
> >     };
> >
> >     # -----------------------------------------------------------------
> >     # Call Type Processing Section
> >     # -----------------------------------------------------------------
> >     # NOTE(review): this branch is reached before any authentication. A
> >     # request (INVITE included) whose Request-URI host is not this proxy
> >     # is relayed as-is by route(1). If the PSTN gateways accept calls
> >     # from this proxy's address, that is an unauthenticated path to
> >     # them. Require proxy_authorize() for INVITEs before relaying
> >     # off-proxy (as route[3] does), or refuse non-local Request-URIs
> >     # from untrusted sources.
> >     if (uri!=myself) {
> >         route(1);
> >         return;
> >     };
> >
> >     # Method dispatch for requests addressed to this proxy.
> >     if (method=="ACK") {
> >         route(1);
> >         return;
> >     } else  if (method=="REGISTER") {
> >         route(2);
> >         return;
> >     } else if (method=="INVITE") {
> >         route(3);
> >         return;
> >     } else  if (method=="BYE" || method=="CANCEL") {
> >         t_relay();
> >         exit;
> >     }
> >
> >     # Any other method (OPTIONS, SUBSCRIBE, ...) falls through to the
> >     # alias and location lookups below, still unauthenticated.
> >     lookup("aliases");
> >     # Alias rewriting may point the URI off-proxy; same relay as above.
> >     if (uri!=myself) {
> >         route(1);
> >         return;
> >     };
> >
> >     if (!lookup("location")) {
> >         sl_send_reply("404", "User Not Found");
> >         return;
> >     };
> >
> >     route(1);
> > }
> >
> > route[1] {
> >
> >     # -----------------------------------------------------------------
> >     # Default Message Handler
> >     # -----------------------------------------------------------------
> >     # Arm onreply_route[1] and failure_route[2] for this transaction,
> >     # then relay statefully. No authentication happens here; callers
> >     # must have done it before dispatching to this route.
> >     t_on_reply("1");
> >     t_on_failure("2");
> >
> >     # sl_reply_error() sends a stateless error if t_relay() could not
> >     # create/forward the transaction.
> >     if (!t_relay()) {
> >         sl_reply_error();
> >     };
> > }
> >
> > route[2] {
> >
> >     # -----------------------------------------------------------------
> >     # REGISTER Message Handler
> >     # -----------------------------------------------------------------
> >     sl_send_reply("100", "Trying");
> >
> >     # Every REGISTER is digest-authenticated against the "subscriber"
> >     # table; the Authorization header is stripped before saving.
> >     if (!www_authorize("","subscriber")) {
> >         www_challenge("","0");
> >         exit;
> >     };
> >     consume_credentials();
> >
> >     # NOTE(review): nothing ties the authenticated username to the To
> >     # AoR being saved, so a valid subscriber could bind contacts under a
> >     # different AoR. check_to() from the uri module is the usual guard —
> >     # confirm it is available in this version.
> >     if (!save("location")) {
> >         sl_reply_error();
> >     };
> > }
> >
> > route[3] {
> >
> >     # -----------------------------------------------------------------
> >     # INVITE Message Handler
> >     # -----------------------------------------------------------------
> >     # Trusted Provider IPs
> >     # NOTE(review): requests from the three provider addresses skip
> >     # digest authentication entirely. Over UDP the source address is
> >     # not a reliable identity (klaus's point 2); prefer TCP/TLS for
> >     # these peers. Also confirm the cfg parser reads this condition as
> >     # intended — `!(src_ip==x.x.x.x)` is the unambiguous form.
> >     if (!src_ip==x.x.x.x)&&(!src_ip==x.x.x.x)&&(!src_ip==x.x.x.x) {
> >         if (!proxy_authorize("","subscriber")) {
> >             proxy_challenge("","0");
> >             exit;
> >         };
> >         consume_credentials();
> >         # NOTE(review): the From user is never compared with the digest
> >         # username. route[4] builds the asserted identity and picks the
> >         # gateway from From, so consider check_from() (uri module) here
> >         # — confirm availability in this version.
> >     };
> >     lookup("aliases");
> >     if (uri!=myself) {
> >         route(1);
> >         return;
> >     };
> >
> >     # NOTE(review): no exit/return after this 479 — a stateless final
> >     # reply is sent, but processing continues below and the request can
> >     # still be relayed. Add `exit;` inside the block.
> >     if (uri=~"[@:](192\.168\.|10\.|172\.16)" && !search("^Route:")){
> >         sl_send_reply("479", "We do not forward to private IP addresses");
> >     };
> >
> >     # PSTN-bound numbers go to the gateway handler. These are only
> >     # reached after the authentication / trusted-IP block above.
> >     if ((uri =~ "^sip:0@")||            /* Operator Assistance */
> >         (uri =~ "^sip:911@")||          /* 911 Emergency */
> >         (uri =~ "^sip:411@")||          /* Directory Assistance */
> >         (uri =~ "^sip:1[0-9]{10}@")) {  /* Domestic PSTN */
> >         route(4);
> >         return;
> >     };
> >
> >     if (uri=~"^sip:0111[0-9]*@") { # Kill calls to 011+1... (invalid
> > dialing)
> >         sl_send_reply("406", "Not Acceptable");
> >         return;
> >     }
> >
> >     # International: the 011 prefix is kept only for users in the
> >     # "gateway1" group (again keyed on the unauthenticated From user).
> >     if (uri=~"^sip:011[0-9]*@") { # International PSTN
> >         if(!is_user_in("From","gateway1")) {
> >             strip(3); # Remove 011 for Gateway2
> >         }
> >         route(4);
> >         return;
> >     };
> >
> >     # Everything else is a local subscriber: look up the registered
> >     # contact and relay.
> >     if (!lookup("location")) {
> >         sl_send_reply("404", "User Not Found");
> >         return;
> >     };
> >
> >     route(1);
> > }
> >
> > route[4] {
> >
> >     # -----------------------------------------------------------------
> >     # PSTN Handler
> >     # -----------------------------------------------------------------
> >     # Entered from route[3] for PSTN-bound Request-URIs.
> >     prefix("+"); # add "+" to Request URI
> >     # The asserted identity is built from $avp(s:rpid); where that AVP
> >     # is loaded (auth_db load_credentials, presumably) is not visible in
> >     # this excerpt — verify it is populated for every caller.
> >     append_hf("P-Asserted-Identity:
> > \"User\"<sip:+1$avp(s:rpid)@x.x.x.x>\r\n");
> >     # From is rewritten from the request's own From user ($fU), which
> >     # route[3] never compares against the digest username.
> >     uac_replace_from("$fn","sip:+$fU@$fd:5060");
> >
> >     # Outbound socket is chosen by the From user's group membership;
> >     # the same caveat about an unverified From applies here.
> >     if(is_user_in("From","gateway1")) {
> >         force_send_socket(x.x.x.x:5060);
> >         xlog("L_NOTICE", "[$Tf] Message sent via IP-1\n" );
> >     } else {
> >         force_send_socket(x.x.x.x:5060);
> >         xlog("L_NOTICE", "[$Tf] Message sent via IP-2\n" );
> >     };
> >
> >     # Dispatcher set 1; the second argument is the selection algorithm
> >     # ("0" — presumably hash over Call-ID, verify against module docs).
> >     ds_select_domain("1","0");
> >     route(1);
> > }
> >
> > onreply_route[1] {
> >
> >        # we are checking here for a progressing return... ie a 180 Ringing
> > or
> >        # 183 session progress -- if this occurs we don't care from here on
> >        # about failures as a gateway is handling the call...
> >
> >        # NOTE(review): once a 18x has been seen the failure route is
> >        # disarmed, so a later 4xx/5xx from that gateway is passed
> >        # upstream and ds_next_domain() failover is never attempted.
> >        if( status =~ "18[0-9]" ) {
> >                xlog( "L_INFO", "[$Tf] ORR: $ci -- SIP-$rs Reset
> > t_on_failure()\n");
> >                t_on_failure("0");
> >        } else {
> >                xlog( "L_INFO", "[$Tf] ORR: $ci -- $rs $rr\n" );
> >        }
> > }
> >
> > failure_route[2] {
> >
> >        # 408 -- timeout -- typically the end party has not answered
> >        # Since we cancel t_on_failure() on a provisional response we
> > should not be
> >        # getting a 408 timeout from a gateway at this stage.. it will
> > just "fall through"
> >        # If fr_timer expires t_check_status("408") is true, although
> > $rs is <null>
> >        # 408 is only logged; it falls through to the gateway failover
> >        # at the bottom of this route.
> >        if( t_check_status("408") ){
> >                xlog( "L_NOTICE", "[$Tf] FR: $ci -- TIMEOUT for Gateway
> > $rd\n" );
> >        } else {
> >                xlog( "L_NOTICE", "[$Tf] FR: $ci -- $rs reason $rr\n" );
> >        }
> >
> >        # 403 -- Not a valid number, or possibly no permission to use the
> > gateway
> >        # 403/486/487 end here: the gateway's final reply is passed
> >        # upstream and no failover is attempted.
> >        if( t_check_status("403") ){
> >                xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Forbidden\n" );
> >                return;
> >        }
> >
> >        # 486 -- User Busy
> >        if( t_check_status("486") ){
> >                xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Destination
> > Busy\n" );
> >                return;
> >        }
> >
> >        # 487 -- Request Cancelled (usually in response to a CANCEL
> > transaction)
> >        if( t_check_status("487") ){
> >                xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Request
> > Cancelled\n" );
> >                return;
> >        }
> >
> >        # At this stage we try the next gateway, if no next gateway we
> > bail.
> >        # Both routes are re-armed for the new branch. If t_relay() fails
> >        # the error is only logged; no explicit reply is sent on that
> >        # path.
> >        if( ds_next_domain() ){
> >                t_on_reply("1");
> >                t_on_failure("2");
> >                xlog( "L_NOTICE", "[$Tf] FR: $ci Next gateway $fU ->
> > $tU via $rd\n" );
> >                if( !t_relay() ){
> >                        xlog( "L_WARN", "[$Tf] FR: $ci -- ERROR - Can
> > not t_relay()\n" );
> >                        return;
> >                }
> >                return;
> >        } else {
> >                xlog( "L_WARN", "[$Tf] FR: $ci No more gateways -> 503.\n"
> > );
> >                t_reply("503", "Service unavailable -- no more gateways" );
> >                return;
> >        }
> > }
> >
> >
>
>
>



