[OpenSER-Users] Unauthorized Calls - [Openser - X-lite]

Norman Brandinger norm at goes.com
Mon Aug 27 14:00:21 CEST 2007


Hi Jeferson,

I agree with Dan's suggestion about finding a standard configuration to
learn from. 
In addition, there is a web site: sipwise.com simplifies the process of
building a configuration file.

Below is a little code that you might consider executing when an INVITE
request comes in.
The documentation on the openser.org web site can use used to learn
exactly what the functions used below do.

    if (!proxy_authorize("", "subscriber")) {
      xlog ("L_INFO", "Proxy Authorization requested\n");
      proxy_challenge("", "0");
      exit;
    }

    #--------------------------------------------------------------------
    # Check From username against digest credentials.
    #--------------------------------------------------------------------
    if (!check_from()) {
      xlog("L_ERR", "Unauthorized: check_from() failed\n");
      sl_send_reply("401", "Unauthorized");
      exit;
    }

Regards,
Norm


Dan-Cristian Bogos wrote:
> Hello Jeferson,
>
> Your configuration looks a bit messy, if I were OpenSER I would also
> refuse it. :).
>
> I would suggest taking a more standard configuration (u can find many
> examples on this location:
> http://openser.svn.sourceforge.net/viewvc/openser/branches/1.2/examples/)
> and use 1.2 branch of software for start, and experiment with it into
> some lab environment.
> It is a bit difficult as a beginner to start directly experimenting on
> a production configuration, perhaps written by somebody else without
> understanding it. You will end up having big issues when
> troubleshooting in production environment.
>
> The tip I gave you would be really easy to implement it with a block
> of few lines, eg:
>
> if (is_method("INVITE")){
>             if (!proxy_authorize("", "subscriber)) {
>                           proxy_challenge("","0");
>                                       exit;
>
>             } else if (!check_from()) {
>                           sl_send_reply("403", "Use From=ID");
>                           exit;
>             };
> };
>
> Documentation for you to understand those lines here:
> http://www.openser.org/docs/modules/1.2.x/auth_db.html#AEN192
>
> Usually, there is a loot of documentation and howtos in openser wiki,
> so I would suggest you having a glance on some titles which look close
> to your needs as a beginner.
>
> http://www.openser.org/dokuwiki/doku.php
>
> Cheers,
> DanB
>
> On 8/27/07, Jeferson Prevedello <jprevedello at terra.com.br> wrote:
>   
>> Hello DanB,
>>
>> Thanks!
>>
>> As DanB´s suggestion, I tried to implement a mechanism that only allowed
>> authenticated members make calls, but my configuration didn´t function.
>>
>> This is my first project with openser, therefore I do not have much
>> experience. If someone know how to help me to implement this verification, I
>> will be very thankful.
>>
>> Below, my openser.cfg file:
>>
>> -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
>>
>>
>> # ----------- global configuration parameters ------------------------
>>
>> debug=3
>> fork=yes
>> log_stderror=no
>> log_facility=LOG_LOCAL7
>>
>> # hostname matching an alias will satisfy the condition uri==myself".
>> alias=xxx.xxx.xxx.xxx
>> listen=udp:xxx.xxx.xxx.xxx:5060
>>
>> # check_via - Turn on or off Via host checking when forwarding replies.
>> # Default is no. arcane. looks for discrepancy between name and
>> # ip address when forwarding replies.
>> check_via=yes
>>
>> # syn_branch - Shall the server use stateful synonym branches? It is
>> # faster but not reboot-safe. Default is yes.
>> syn_branch=yes
>>
>> # dns - Uses dns to check if it is necessary to add a "received=" field
>> # to a via. Default is no.
>> # rev_dns - Same as dns but use reverse DNS.
>> dns=no
>> rev_dns=no
>> port=5060
>> children=4
>>
>> # memlog - Debugging level for final memory statistics report. Default
>> # is L_DBG -- memory statistics are dumped only if debug is set high.
>>  memlog=3
>>
>> # sip_warning - Should replies include extensive warnings? By default
>> # yes, it is good for trouble-shooting.
>> sip_warning=yes
>>
>> # fifo - FIFO special file pathname
>> fifo="/tmp/openser_fifo"
>>
>> # reply_to_via - A hint to reply modules whether they should send reply
>> # to IP advertised in Via. Turned off by default, which means that
>> # replies are sent to IP address from which requests came.
>>  reply_to_via=no
>>
>> # mhomed -- enable calculation of outbound interface; useful on
>> # multihomed servers.
>> mhomed=0
>>
>> # ------------------ module loading ----------------------------------
>>
>> # Uncomment this if you want to use SQL database
>> loadmodule "/usr/lib/openser/modules/mysql.so"
>> loadmodule "/usr/lib/openser/modules/sl.so"
>> loadmodule "/usr/lib/openser/modules/tm.so"
>> loadmodule "/usr/lib/openser/modules/rr.so"
>> loadmodule "/usr/lib/openser/modules/maxfwd.so"
>> loadmodule "/usr/lib/openser/modules/usrloc.so"
>> loadmodule "/usr/lib/openser/modules/registrar.so"
>> loadmodule "/usr/lib/openser/modules/textops.so"
>> loadmodule "/usr/lib/openser/modules/nathelper.so"
>> loadmodule "/usr/lib/openser/modules/acc.so"
>> loadmodule "/usr/lib/openser/modules/xlog.so"
>>
>> # Uncomment this if you want digest authentication
>> # mysql.so must be loaded !
>> loadmodule "/usr/lib/openser/modules/auth.so"
>> loadmodule "/usr/lib/openser/modules/auth_db.so"
>>
>> # ----------------- setting module-specific parameters ---------------
>>
>> # ------------- usrloc parameters
>>
>> # 2 enables write-back to persistent mysql storage for speed
>> # disable=0, write-through=1
>> modparam("usrloc", "db_mode", 0)
>>
>> # minimize write back window - default is 60 seconds
>> modparam("usrloc", "timer_interval", 30)
>>
>> # ------------- auth parameters
>>
>> # Uncomment if you are using auth module
>> modparam("auth_db", "calculate_ha1", yes)
>>
>> # If you set "calculate_ha1" parameter to yes (which true in this config),
>> # uncomment also the following parameter)
>> modparam("auth_db", "password_column", "password")
>>
>> # ------------- rr parameters
>>
>> # add value to ;lr param to make some broken UAs happy
>> modparam("rr", "enable_full_lr", 1)
>>
>> # ------------- !! Nathelper
>>
>> modparam("registrar", "nat_flag", 6)
>> modparam("nathelper", "natping_interval", 30) # Ping interval 30 s
>> modparam("nathelper", "ping_nated_only", 1)   # Ping only clients behind NAT
>> modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock")   #
>> Nathelper with RTPproxy
>>
>> # ------------- tm parameters
>>
>> modparam("tm", "fr_timer", 12)
>> modparam("tm", "fr_inv_timer", 24)
>>
>> # -------------  acc parameters
>>
>> modparam("acc", "db_url", "mysql://openser:openserrw@localhost/openser")
>> modparam("acc", "db_flag", 2)
>> modparam("acc", "db_missed_flag", 2)
>> modparam("acc", "log_flag", 1)
>> modparam("acc", "log_missed_flag", 2)
>> modparam("acc", "log_level", 2)   # Set log_level to 2
>>
>> # Allow no more than 1 contacts per AOR
>> modparam("registrar", "max_contacts", 3)
>>
>> # -------------------------  request routing logic -------------------
>>
>> # main routing logic
>>
>> route{
>>
>>  if (!mf_process_maxfwd_header("10"))
>>         {
>>   sl_send_reply("483","Too Many Hops");
>>   exit;
>>  };
>>
>>  if (msg:len >=  2048 )
>>  {
>>   sl_send_reply("513", "Message too big");
>>   exit;
>>  };
>>
>>  # < Acconting >
>>         if (method=="INVITE")
>>  {
>>                 log(1, "Generate call - START\n");
>>                 setflag(1); /* set for accounting (the same value as in
>> log_flag!) */
>>     setflag(2);
>>         };
>>
>>         if (method=="BYE")
>>  {
>>                 log (1, "Hung-up \n");
>>                 setflag(1);
>>         };
>>
>>         if (method=="CANCEL")
>>  {
>>                 log (1, "Lost call \n");
>>                 setflag(1);
>>  }
>>
>>  if (!method=="REGISTER")
>>   record_route();
>>
>>  if (nat_uac_test("3"))
>>  {
>>                 # Allow RR-ed requests, as these may indicate that
>>                 # a NAT-enabled proxy takes care of it; unless it is
>>                 # a REGISTER
>>
>>                 if (method == "REGISTER" || ! search("^Record-Route:"))
>>   {
>>                     log(1,"LOG: Someone trying to register from private IP,
>> rewriting\n");
>>
>>                     # This will work only for user agents that support
>> symmetric
>>                     # communication. We tested quite many of them and
>> majority is
>>                     # smart enough to be symmetric. In some phones it takes
>> a configuration
>>                     # option. With Cisco 7960, it is called NAT_Enable=Yes,
>> with kphone it is
>>                     # called "symmetric media" and "symmetric signalling".
>>
>>                     fix_nated_contact(); # Rewrite contact with source IP of
>> signalling
>>                     force_rport();       # Add rport parameter to topmost
>> Via
>>                     setflag(6);          # Mark as NATed
>>                 };
>>         };
>>  # subsequent messages withing a dialog should take the
>>  # path determined by record-routing
>>
>>  if (loose_route())
>>  {
>>     # mark routing logic in request
>>     append_hf("P-hint: rr-enforced\r\n");
>>     route(1);
>>  };
>>
>>  if (!uri==myself)
>>  {
>>     # mark routing logic in request
>>     append_hf("P-hint: outbound\r\n");
>>     route(1);
>>  };
>>
>>  # if the request is for other domain use UsrLoc
>>  # (in case, it does not work, use the following command
>>  # with proper names and addresses in it)
>>  if (uri==myself)
>>  {
>>
>>   if (method=="REGISTER")
>>   {
>>      # Uncomment this if you want to use digest authentication
>>      if (!www_authorize("xxx.xxx.xxx.xxx", "subscriber"))
>>       {
>>         www_challenge("xxx.xxx.xxx.xxx", "0");
>>         return;
>>                    };
>>                       save("location");
>>         return;
>>                 };
>>
>>                 lookup("aliases");
>>                 if (!uri==myself)
>>   {
>>                    append_hf("P-hint: outbound alias\r\n");
>>                    route(1);
>>      return;
>>                 };
>>
>>   # Router Cisco if not sip branche
>>          log(1,"LOG: testando se destino-sip e' 418x ...\n");
>>
>>   if ( ! ( uri =~ "^sip:418[1-9].*" ) &&
>>        ! ( uri =~ "^sip:4397"))
>>   {
>>                log(1,"LOG: destino-sip not is 418x .\n");
>>                route(2);
>>
>>                log(1,"LOG: rewriting hostport yyy.yyy.yyy.yyy:5060...\n");
>>      rewritehostport("yyy.yyy.yyy.yyy:5060");
>>                log(1,"LOG: t_relay...\n");
>>                t_relay();
>>
>>                log(1,"LOG: break...\n");
>>         return;
>>          }
>>             log(1,"LOG: destino-sip  418x, continue .\n");
>>
>>   # native SIP destinations are handled using our USRLOC DB
>>   if (!lookup("location"))
>>   {
>>                sl_send_reply("404", "Not Found");
>>         return;
>>          };
>>  };
>>         append_hf("P-hint: usrloc applied\r\n");
>>         route(1);
>> }
>>
>> #######################################
>>
>> route[1]
>> {
>>         # !! Nathelper
>>         if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" &&
>> !search("^Route:"))
>>  {
>>             sl_send_reply("479", "We don't forward to private IP
>> addresses");
>>      return;
>>         };
>>
>>         # if client or server know to be behind a NAT, enable relay
>>         if (isflagset(6))
>>  {
>>             force_rtp_proxy();
>>      t_on_reply("1");
>>             append_hf("P-Behind-NAT: Yes\r\n");
>>         };
>>
>>      if (!t_relay())
>>  {
>>             sl_reply_error();
>>      return;
>>      };
>> }
>>  # !! Nathelper
>>     onreply_route[1]
>> {
>>      # NATed transaction ?
>>      if (isflagset(6) && status =~ "(183)|2[0-9][0-9]")
>>   {
>>             fix_nated_contact();
>>             force_rtp_proxy();
>>       }
>>   else if (nat_uac_test("1"))
>>   {
>>             fix_nated_contact();
>>          };
>> }
>>
>> #######################################
>>
>> route[2] {
>>
>>   ### Dial Plan for gateway VoIP ###
>>
>>   # Sao Paulo 11
>>   if ( uri =~ "^sip:9911.*" )
>>    {
>>    log(1,"LOG: destination is 9911x, change prefix...");
>>    strip(4);
>>    prefix("011");
>>    return;
>>    }
>>
>>   # Error (Number inexistent)
>>   sl_reply_error();
>>
>> }
>>
>> -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
>>
>> Regards
>> Jeferson
>>
>>
>>
>>
>>
>> ----- Original Message -----
>> From: "Dan-Cristian Bogos" <dan.bogos at gmail.com>
>> To: "Jeferson Prevedello" <jprevedello at terra.com.br>
>> Cc: <users at openser.org>
>> Sent: Saturday, August 25, 2007 3:06 PM
>> Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
>>
>>
>>     
>>> Hello Jeferson,
>>>
>>> it all depends on your openser.cfg.
>>> If you put in there that all the INVITE-s should be authenticated, your
>>> users will not be able anymore to call without having a valid user and
>>> password for your server. Note that by default openser will not do any
>>> check for you, in order to keep the flexibility of be used in
>>> different environment setups.
>>>
>>> Cheers,
>>> DanB
>>>
>>> On 8/25/07, Jeferson Prevedello <jprevedello at terra.com.br> wrote:
>>>       
>>>> Hello,
>>>>
>>>> I implemented an environment using to openser + mysql. The enviroment
>>>> functions perfectly, however I perceived that users (branches) not
>>>> registered in mysql are generating called.
>>>>
>>>> I installed the X-lite softphone in my computer trying to reproduce the
>>>> situation.
>>>>         
>>>> In the properties of configuration of the X-lite, "field Password" I type
>>>> "trash" as password (wrong password).
>>>>
>>>> The display of X-lite showed the following message: "Registration error:
>>>> 401
>>>> - Unauthorized".
>>>>
>>>> In the contacts drawer I add a contact (double click on the new contact),
>>>> and the call was generate without restriction (very bad).
>>>>
>>>> Some idea of as I solve this problem?
>>>>
>>>> Thanks
>>>>
>>>> Regards
>>>> Jeferson
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at openser.org
>>>> http://openser.org/cgi-bin/mailman/listinfo/users
>>>>
>>>>
>>>>         
>>     
>
> _______________________________________________
> Users mailing list
> Users at openser.org
> http://openser.org/cgi-bin/mailman/listinfo/users
>
>
>   





More information about the Users mailing list