[OpenSER-Users] Unauthorized Calls - [Openser - X-lite]

Jeferson Prevedello jprevedello at terra.com.br
Mon Aug 27 16:00:38 CEST 2007


Hi Norm,

Thanks !! :o)
The sipwise.com and openser.org web sites are excellent references.

Regards,
Jeferson

----- Original Message ----- 
From: "Norman Brandinger" <norm at goes.com>
To: "Jeferson Prevedello" <jprevedello at terra.com.br>
Cc: <users at openser.org>
Sent: Monday, August 27, 2007 9:00 AM
Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]


> Hi Jeferson,
>
> I agree with Dan's suggestion about finding a standard configuration to
> learn from.
> In addition, there is a web site, sipwise.com, that simplifies the process
> of building a configuration file.
>
> Below is a little code that you might consider executing when an INVITE
> request comes in.
> The documentation on the openser.org web site can be used to learn
> exactly what the functions used below do.
>
>    if (!proxy_authorize("", "subscriber")) {
>      xlog ("L_INFO", "Proxy Authorization requested\n");
>      proxy_challenge("", "0");
>      exit;
>    }
>
>    #--------------------------------------------------------------------
>    # Check From username against digest credentials.
>    #--------------------------------------------------------------------
>    if (!check_from()) {
>      xlog("L_ERR", "Unauthorized: check_from() failed\n");
>      sl_send_reply("401", "Unauthorized");
>      exit;
>    }
>
> Regards,
> Norm
>
>
> Dan-Cristian Bogos wrote:
>> Hello Jeferson,
>>
>> Your configuration looks a bit messy; if I were OpenSER I would also
>> refuse it. :).
>>
>> I would suggest taking a more standard configuration (you can find many
>> examples at this location:
>> http://openser.svn.sourceforge.net/viewvc/openser/branches/1.2/examples/)
>> and using the 1.2 branch of the software to start, and experimenting with
>> it in some lab environment.
>> It is a bit difficult as a beginner to start directly experimenting on
>> a production configuration, perhaps written by somebody else, without
>> understanding it. You will end up having big issues when
>> troubleshooting in a production environment.
>>
>> The tip I gave you would be really easy to implement with a block
>> of a few lines, e.g.:
>>
>> if (is_method("INVITE")) {
>>     if (!proxy_authorize("", "subscriber")) {
>>         proxy_challenge("", "0");
>>         exit;
>>     } else if (!check_from()) {
>>         sl_send_reply("403", "Use From=ID");
>>         exit;
>>     };
>> };
>>
>> Documentation for you to understand those lines here:
>> http://www.openser.org/docs/modules/1.2.x/auth_db.html#AEN192
>>
>> Usually, there is a lot of documentation and howtos in the openser wiki,
>> so I would suggest you have a glance at some titles which look close
>> to your needs as a beginner.
>>
>> http://www.openser.org/dokuwiki/doku.php
>>
>> Cheers,
>> DanB
>>
>> On 8/27/07, Jeferson Prevedello <jprevedello at terra.com.br> wrote:
>>
>>> Hello DanB,
>>>
>>> Thanks!
>>>
>>> Following DanB's suggestion, I tried to implement a mechanism that only
>>> allows authenticated members to make calls, but my configuration did not
>>> work.
>>>
>>> This is my first project with openser, therefore I do not have much
>>> experience. If someone knows how to help me implement this
>>> verification, I will be very thankful.
>>>
>>> Below, my openser.cfg file:
>>>
>>> -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
>>>
>>>
>>> # ----------- global configuration parameters ------------------------
>>>
>>> debug=3
>>> fork=yes
>>> log_stderror=no
>>> log_facility=LOG_LOCAL7
>>>
>>> # hostname matching an alias will satisfy the condition uri==myself.
>>> alias=xxx.xxx.xxx.xxx
>>> listen=udp:xxx.xxx.xxx.xxx:5060
>>>
>>> # check_via - Turn on or off Via host checking when forwarding replies.
>>> # Default is no. arcane. looks for discrepancy between name and
>>> # ip address when forwarding replies.
>>> check_via=yes
>>>
>>> # syn_branch - Shall the server use stateful synonym branches? It is
>>> # faster but not reboot-safe. Default is yes.
>>> syn_branch=yes
>>>
>>> # dns - Uses dns to check if it is necessary to add a "received=" field
>>> # to a via. Default is no.
>>> # rev_dns - Same as dns but use reverse DNS.
>>> dns=no
>>> rev_dns=no
>>> port=5060
>>> children=4
>>>
>>> # memlog - Debugging level for final memory statistics report. Default
>>> # is L_DBG -- memory statistics are dumped only if debug is set high.
>>> memlog=3
>>>
>>> # sip_warning - Should replies include extensive warnings? By default
>>> # yes, it is good for trouble-shooting.
>>> sip_warning=yes
>>>
>>> # fifo - FIFO special file pathname
>>> fifo="/tmp/openser_fifo"
>>>
>>> # reply_to_via - A hint to reply modules whether they should send reply
>>> # to IP advertised in Via. Turned off by default, which means that
>>> # replies are sent to IP address from which requests came.
>>> reply_to_via=no
>>>
>>> # mhomed -- enable calculation of outbound interface; useful on
>>> # multihomed servers.
>>> mhomed=0
>>>
>>> # ------------------ module loading ----------------------------------
>>>
>>> # Uncomment this if you want to use SQL database
>>> loadmodule "/usr/lib/openser/modules/mysql.so"
>>> loadmodule "/usr/lib/openser/modules/sl.so"
>>> loadmodule "/usr/lib/openser/modules/tm.so"
>>> loadmodule "/usr/lib/openser/modules/rr.so"
>>> loadmodule "/usr/lib/openser/modules/maxfwd.so"
>>> loadmodule "/usr/lib/openser/modules/usrloc.so"
>>> loadmodule "/usr/lib/openser/modules/registrar.so"
>>> loadmodule "/usr/lib/openser/modules/textops.so"
>>> loadmodule "/usr/lib/openser/modules/nathelper.so"
>>> loadmodule "/usr/lib/openser/modules/acc.so"
>>> loadmodule "/usr/lib/openser/modules/xlog.so"
>>>
>>> # Uncomment this if you want digest authentication
>>> # mysql.so must be loaded !
>>> loadmodule "/usr/lib/openser/modules/auth.so"
>>> loadmodule "/usr/lib/openser/modules/auth_db.so"
>>>
>>> # ----------------- setting module-specific parameters ---------------
>>>
>>> # ------------- usrloc parameters
>>>
>>> # 2 enables write-back to persistent mysql storage for speed
>>> # disable=0, write-through=1
>>> modparam("usrloc", "db_mode", 0)
>>>
>>> # minimize write back window - default is 60 seconds
>>> modparam("usrloc", "timer_interval", 30)
>>>
>>> # ------------- auth parameters
>>>
>>> # Uncomment if you are using auth module
>>> modparam("auth_db", "calculate_ha1", yes)
>>>
>>> # If you set the "calculate_ha1" parameter to yes (which is true in this
>>> # config), uncomment also the following parameter
>>> modparam("auth_db", "password_column", "password")
>>>
>>> # ------------- rr parameters
>>>
>>> # add value to ;lr param to make some broken UAs happy
>>> modparam("rr", "enable_full_lr", 1)
>>>
>>> # ------------- !! Nathelper
>>>
>>> modparam("registrar", "nat_flag", 6)
>>> modparam("nathelper", "natping_interval", 30) # Ping interval 30 s
>>> modparam("nathelper", "ping_nated_only", 1)   # Ping only clients behind NAT
>>> modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock") # Nathelper with RTPproxy
>>>
>>> # ------------- tm parameters
>>>
>>> modparam("tm", "fr_timer", 12)
>>> modparam("tm", "fr_inv_timer", 24)
>>>
>>> # -------------  acc parameters
>>>
>>> modparam("acc", "db_url", "mysql://openser:openserrw@localhost/openser")
>>> modparam("acc", "db_flag", 2)
>>> modparam("acc", "db_missed_flag", 2)
>>> modparam("acc", "log_flag", 1)
>>> modparam("acc", "log_missed_flag", 2)
>>> modparam("acc", "log_level", 2)   # Set log_level to 2
>>>
>>> # Allow no more than 3 contacts per AOR
>>> modparam("registrar", "max_contacts", 3)
>>>
>>> # -------------------------  request routing logic -------------------
>>>
>>> # main routing logic
>>>
>>> route{
>>>
>>>     if (!mf_process_maxfwd_header("10")) {
>>>         sl_send_reply("483","Too Many Hops");
>>>         exit;
>>>     };
>>>
>>>     if (msg:len >= 2048) {
>>>         sl_send_reply("513", "Message too big");
>>>         exit;
>>>     };
>>>
>>>     # < Accounting >
>>>     if (method=="INVITE") {
>>>         log(1, "Generate call - START\n");
>>>         setflag(1); /* set for accounting (the same value as in log_flag!) */
>>>         setflag(2);
>>>     };
>>>
>>>     if (method=="BYE") {
>>>         log(1, "Hung-up \n");
>>>         setflag(1);
>>>     };
>>>
>>>     if (method=="CANCEL") {
>>>         log(1, "Lost call \n");
>>>         setflag(1);
>>>     }
>>>
>>>     if (!method=="REGISTER")
>>>         record_route();
>>>
>>>     if (nat_uac_test("3")) {
>>>         # Allow RR-ed requests, as these may indicate that
>>>         # a NAT-enabled proxy takes care of it; unless it is
>>>         # a REGISTER
>>>
>>>         if (method == "REGISTER" || ! search("^Record-Route:")) {
>>>             log(1,"LOG: Someone trying to register from private IP, rewriting\n");
>>>
>>>             # This will work only for user agents that support symmetric
>>>             # communication. We tested quite many of them and majority is
>>>             # smart enough to be symmetric. In some phones it takes
>>>             # a configuration option. With Cisco 7960, it is called
>>>             # NAT_Enable=Yes, with kphone it is called "symmetric media"
>>>             # and "symmetric signalling".
>>>
>>>             fix_nated_contact(); # Rewrite contact with source IP of signalling
>>>             force_rport();       # Add rport parameter to topmost Via
>>>             setflag(6);          # Mark as NATed
>>>         };
>>>     };
>>>
>>>     # subsequent messages within a dialog should take the
>>>     # path determined by record-routing
>>>     if (loose_route()) {
>>>         # mark routing logic in request
>>>         append_hf("P-hint: rr-enforced\r\n");
>>>         route(1);
>>>         exit;
>>>     };
>>>
>>>     if (!uri==myself) {
>>>         # mark routing logic in request
>>>         append_hf("P-hint: outbound\r\n");
>>>         route(1);
>>>         exit;
>>>     };
>>>
>>>     # if the request is for other domain use UsrLoc
>>>     # (in case, it does not work, use the following command
>>>     # with proper names and addresses in it)
>>>     if (uri==myself) {
>>>
>>>         if (method=="REGISTER") {
>>>             # Uncomment this if you want to use digest authentication
>>>             if (!www_authorize("xxx.xxx.xxx.xxx", "subscriber")) {
>>>                 www_challenge("xxx.xxx.xxx.xxx", "0");
>>>                 return;
>>>             };
>>>             save("location");
>>>             return;
>>>         };
>>>
>>>         lookup("aliases");
>>>         if (!uri==myself) {
>>>             append_hf("P-hint: outbound alias\r\n");
>>>             route(1);
>>>             return;
>>>         };
>>>
>>>         # Route to the Cisco if not a SIP branch
>>>         log(1,"LOG: testando se destino-sip e' 418x ...\n");
>>>
>>>         if ( ! ( uri =~ "^sip:418[1-9].*" ) &&
>>>              ! ( uri =~ "^sip:4397")) {
>>>             log(1,"LOG: destino-sip not is 418x .\n");
>>>             route(2);
>>>
>>>             log(1,"LOG: rewriting hostport yyy.yyy.yyy.yyy:5060...\n");
>>>             rewritehostport("yyy.yyy.yyy.yyy:5060");
>>>             log(1,"LOG: t_relay...\n");
>>>             t_relay();
>>>
>>>             log(1,"LOG: break...\n");
>>>             return;
>>>         }
>>>         log(1,"LOG: destino-sip  418x, continue .\n");
>>>
>>>         # native SIP destinations are handled using our USRLOC DB
>>>         if (!lookup("location")) {
>>>             sl_send_reply("404", "Not Found");
>>>             return;
>>>         };
>>>     };
>>>     append_hf("P-hint: usrloc applied\r\n");
>>>     route(1);
>>> }
>>>
>>> #######################################
>>>
>>> route[1]
>>> {
>>>     # !! Nathelper
>>>     if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" &&
>>>         !search("^Route:")) {
>>>         sl_send_reply("479", "We don't forward to private IP addresses");
>>>         return;
>>>     };
>>>
>>>     # if client or server known to be behind a NAT, enable relay
>>>     if (isflagset(6)) {
>>>         force_rtp_proxy();
>>>         t_on_reply("1");
>>>         append_hf("P-Behind-NAT: Yes\r\n");
>>>     };
>>>
>>>     if (!t_relay()) {
>>>         sl_reply_error();
>>>         return;
>>>     };
>>> }
>>>
>>> # !! Nathelper
>>> onreply_route[1]
>>> {
>>>     # NATed transaction ?
>>>     if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") {
>>>         fix_nated_contact();
>>>         force_rtp_proxy();
>>>     }
>>>     else if (nat_uac_test("1")) {
>>>         fix_nated_contact();
>>>     };
>>> }
>>>
>>> #######################################
>>>
>>> route[2] {
>>>
>>>     ### Dial Plan for gateway VoIP ###
>>>
>>>     # Sao Paulo 11
>>>     if ( uri =~ "^sip:9911.*" ) {
>>>         log(1,"LOG: destination is 9911x, change prefix...");
>>>         strip(4);
>>>         prefix("011");
>>>         return;
>>>     }
>>>
>>>     # Error (Number inexistent)
>>>     sl_reply_error();
>>>
>>> }
>>>
>>> -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
>>>
>>> Regards
>>> Jeferson
>>>
>>>
>>>
>>>
>>>
>>> ----- Original Message -----
>>> From: "Dan-Cristian Bogos" <dan.bogos at gmail.com>
>>> To: "Jeferson Prevedello" <jprevedello at terra.com.br>
>>> Cc: <users at openser.org>
>>> Sent: Saturday, August 25, 2007 3:06 PM
>>> Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
>>>
>>>
>>>
>>>> Hello Jeferson,
>>>>
>>>> It all depends on your openser.cfg.
>>>> If you put in there that all the INVITE-s should be authenticated, your
>>>> users will not be able to call anymore without having a valid user and
>>>> password for your server. Note that by default openser will not do any
>>>> check for you, in order to keep the flexibility of being used in
>>>> different environment setups.
>>>>
>>>> Cheers,
>>>> DanB
>>>>
>>>> On 8/25/07, Jeferson Prevedello <jprevedello at terra.com.br> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I implemented an environment using openser + mysql. The environment
>>>>> functions perfectly; however, I noticed that users (branches) not
>>>>> registered in mysql are generating calls.
>>>>>
>>>>> I installed the X-lite softphone on my computer trying to reproduce the
>>>>> situation.
>>>>>
>>>>> In the X-lite configuration properties, in the "Password" field I typed
>>>>> "trash" as the password (wrong password).
>>>>>
>>>>> The X-lite display showed the following message: "Registration error:
>>>>> 401 - Unauthorized".
>>>>>
>>>>> In the contacts drawer I added a contact (double click on the new
>>>>> contact), and the call was generated without restriction (very bad).
>>>>>
>>>>> Any idea how I can solve this problem?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Regards
>>>>> Jeferson
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at openser.org
>>>>> http://openser.org/cgi-bin/mailman/listinfo/users
>>>>>
>>>>>
>>>>>
>>>
>>
>
> 
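The approach Norm and Dan describe, applied to the posted openser.cfg, as an added example that is not part of the thread: every new INVITE is authenticated with proxy_authorize() before any forwarding decision, so neither the gateway branch (rewritehostport to yyy.yyy.yyy.yyy) nor an outbound domain can be reached without valid digest credentials. It assumes the modules loaded in Jeferson's configuration (auth, auth_db, textops, tm, rr, registrar, usrloc, sl) and keeps his realm placeholder xxx.xxx.xxx.xxx; Max-Forwards, NAT handling and accounting are left out.

```cfg
route{
    # In-dialog requests follow the Record-Route path; they were authenticated at dialog setup.
    if (loose_route()) {
        t_relay();
        exit;
    };

    if (method=="REGISTER") {
        if (!www_authorize("xxx.xxx.xxx.xxx", "subscriber")) {
            www_challenge("xxx.xxx.xxx.xxx", "0");
            exit;
        };
        save("location");
        exit;
    };
    # Every new INVITE is authenticated BEFORE any forwarding decision,
    # whether it goes to the gateway, to another domain or to usrloc.
    if (is_method("INVITE")) {
        if (!proxy_authorize("xxx.xxx.xxx.xxx", "subscriber")) {
            # Missing or wrong digest credentials: send 407 and stop.
            proxy_challenge("xxx.xxx.xxx.xxx", "0");
            exit;
        };
        # The From user must match the authenticated username, otherwise
        # a valid account could place calls in somebody else's name.
        if (!check_from()) {
            sl_send_reply("403", "Use From=ID");
            exit;
        };
        # Drop Proxy-Authorization so the next hop never sees credentials.
        consume_credentials();
        record_route();
    };
    if (!uri==myself) {
        t_relay();
        exit;
    };
    # Gateway branch from the posted config: only INVITEs that passed the checks above reach it.
    if (!(uri =~ "^sip:418[1-9].*") && !(uri =~ "^sip:4397")) {
        rewritehostport("yyy.yyy.yyy.yyy:5060");
        t_relay();
        exit;
    };
    if (!lookup("location")) {
        sl_send_reply("404", "Not Found");
        exit;
    };
    t_relay();
}
```

With this ordering, an X-lite client that failed registration gets a 407 challenge on its INVITE and the call never leaves the proxy, which is the behaviour the thread is asking for.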