Fw: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
Simone Torri
sitorri at yahoo.com.br
Mon Aug 27 19:34:04 CEST 2007
Hi Guys,
Here in my company I have the same problem.
The solution that I adopted was apply the
proxy_authorize function and restrict all incoming
calls. I use openser only for originate calls.
Some tip ?
Cheers,
Torri
----- Original Message -----
From: "Jeferson Prevedello" <jprevedello at terra.com.br>
To: "Dan-Cristian Bogos" <dan.bogos at gmail.com>
Cc: <users at openser.org>
Sent: Monday, August 27, 2007 12:26 PM
Subject: Re: [OpenSER-Users] Unauthorized Calls -
[Openser - X-lite]
Hello DanB,
More a problem ! :-(
I apply the following configuration in my openser.cfg:
if (method=="INVITE")
{
if (!proxy_authorize("",
"subscriber"))
{
proxy_challenge("","0");
exit;
}
};
I perceived that with the configuration above 'only'
registered users can
generate called, however I not receive more called
originated through of
PSTN
or of any branch of PBX. I believe these calls are
deny because the source
(PSTN - Branches) not are registering in the openser
server.
Is possible to apply the configuration above only for
calls 'originated'
from openser ?
Thanks !
Regards
Jeferson
----- Original Message -----
From: "Dan-Cristian Bogos" <dan.bogos at gmail.com>
To: "Jeferson Prevedello" <jprevedello at terra.com.br>
Cc: <users at openser.org>
Sent: Monday, August 27, 2007 8:35 AM
Subject: Re: [OpenSER-Users] Unauthorized Calls -
[Openser - X-lite]
Hello Jeferson,
Your configuration looks a bit messy, if I were
OpenSER I would also
refuse it. :).
I would suggest taking a more standard configuration
(u can find many
examples on this location:
http://openser.svn.sourceforge.net/viewvc/openser/branches/1.2/examples/)
and use 1.2 branch of software for start, and
experiment with it into
some lab environment.
It is a bit difficult as a beginner to start directly
experimenting on
a production configuration, perhaps written by
somebody else without
understanding it. You will end up having big issues
when
troubleshooting in production environment.
The tip I gave you would be really easy to implement
it with a block
of few lines, eg:
if (is_method("INVITE")){
if (!proxy_authorize("", "subscriber)) {
proxy_challenge("","0");
exit;
} else if (!check_from()) {
sl_send_reply("403", "Use
From=ID");
exit;
};
};
Documentation for you to understand those lines here:
http://www.openser.org/docs/modules/1.2.x/auth_db.html#AEN192
Usually, there is a loot of documentation and howtos
in openser wiki,
so I would suggest you having a glance on some titles
which look close
to your needs as a beginner.
http://www.openser.org/dokuwiki/doku.php
Cheers,
DanB
On 8/27/07, Jeferson Prevedello
<jprevedello at terra.com.br> wrote:
> Hello DanB,
>
> Thanks!
>
> As DanB´s suggestion, I tried to implement a
mechanism that only allowed
> authenticated members make calls, but my
configuration didn´t function.
>
> This is my first project with openser, therefore I
do not have much
> experience. If someone know how to help me to
implement this verification,
> I
> will be very thankful.
>
> Below, my openser.cfg file:
>
> -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
>
>
> # ----------- global configuration parameters
------------------------
>
> debug=3
> fork=yes
> log_stderror=no
> log_facility=LOG_LOCAL7
>
> # hostname matching an alias will satisfy the
condition uri==myself".
> alias=xxx.xxx.xxx.xxx
> listen=udp:xxx.xxx.xxx.xxx:5060
>
> # check_via - Turn on or off Via host checking when
forwarding replies.
> # Default is no. arcane. looks for discrepancy
between name and
> # ip address when forwarding replies.
> check_via=yes
>
> # syn_branch - Shall the server use stateful synonym
branches? It is
> # faster but not reboot-safe. Default is yes.
> syn_branch=yes
>
> # dns - Uses dns to check if it is necessary to add
a "received=" field
> # to a via. Default is no.
> # rev_dns - Same as dns but use reverse DNS.
> dns=no
> rev_dns=no
> port=5060
> children=4
>
> # memlog - Debugging level for final memory
statistics report. Default
> # is L_DBG -- memory statistics are dumped only if
debug is set high.
> memlog=3
>
> # sip_warning - Should replies include extensive
warnings? By default
> # yes, it is good for trouble-shooting.
> sip_warning=yes
>
> # fifo - FIFO special file pathname
> fifo="/tmp/openser_fifo"
>
> # reply_to_via - A hint to reply modules whether
they should send reply
> # to IP advertised in Via. Turned off by default,
which means that
> # replies are sent to IP address from which requests
came.
> reply_to_via=no
>
> # mhomed -- enable calculation of outbound
interface; useful on
> # multihomed servers.
> mhomed=0
>
> # ------------------ module loading
----------------------------------
>
> # Uncomment this if you want to use SQL database
> loadmodule "/usr/lib/openser/modules/mysql.so"
> loadmodule "/usr/lib/openser/modules/sl.so"
> loadmodule "/usr/lib/openser/modules/tm.so"
> loadmodule "/usr/lib/openser/modules/rr.so"
> loadmodule "/usr/lib/openser/modules/maxfwd.so"
> loadmodule "/usr/lib/openser/modules/usrloc.so"
> loadmodule "/usr/lib/openser/modules/registrar.so"
> loadmodule "/usr/lib/openser/modules/textops.so"
> loadmodule "/usr/lib/openser/modules/nathelper.so"
> loadmodule "/usr/lib/openser/modules/acc.so"
> loadmodule "/usr/lib/openser/modules/xlog.so"
>
> # Uncomment this if you want digest authentication
> # mysql.so must be loaded !
> loadmodule "/usr/lib/openser/modules/auth.so"
> loadmodule "/usr/lib/openser/modules/auth_db.so"
>
> # ----------------- setting module-specific
parameters ---------------
>
> # ------------- usrloc parameters
>
> # 2 enables write-back to persistent mysql storage
for speed
> # disable=0, write-through=1
> modparam("usrloc", "db_mode", 0)
>
> # minimize write back window - default is 60 seconds
> modparam("usrloc", "timer_interval", 30)
>
> # ------------- auth parameters
>
> # Uncomment if you are using auth module
> modparam("auth_db", "calculate_ha1", yes)
>
> # If you set "calculate_ha1" parameter to yes (which
true in this config),
> # uncomment also the following parameter)
> modparam("auth_db", "password_column", "password")
>
> # ------------- rr parameters
>
> # add value to ;lr param to make some broken UAs
happy
> modparam("rr", "enable_full_lr", 1)
>
> # ------------- !! Nathelper
>
> modparam("registrar", "nat_flag", 6)
> modparam("nathelper", "natping_interval", 30) # Ping
interval 30 s
> modparam("nathelper", "ping_nated_only", 1) # Ping
only clients behind
> NAT
> modparam("nathelper", "rtpproxy_sock",
"unix:/var/run/rtpproxy.sock") #
> Nathelper with RTPproxy
>
> # ------------- tm parameters
>
> modparam("tm", "fr_timer", 12)
> modparam("tm", "fr_inv_timer", 24)
>
> # ------------- acc parameters
>
> modparam("acc", "db_url",
"mysql://openser:openserrw@localhost/openser")
> modparam("acc", "db_flag", 2)
> modparam("acc", "db_missed_flag", 2)
> modparam("acc", "log_flag", 1)
> modparam("acc", "log_missed_flag", 2)
> modparam("acc", "log_level", 2) # Set log_level to
2
>
> # Allow no more than 1 contacts per AOR
> modparam("registrar", "max_contacts", 3)
>
> # ------------------------- request routing logic
-------------------
>
> # main routing logic
>
> route{
>
> if (!mf_process_maxfwd_header("10"))
> {
> sl_send_reply("483","Too Many Hops");
> exit;
> };
>
> if (msg:len >= 2048 )
> {
> sl_send_reply("513", "Message too big");
> exit;
> };
>
> # < Acconting >
> if (method=="INVITE")
> {
> log(1, "Generate call - START\n");
> setflag(1); /* set for accounting
(the same value as in
> log_flag!) */
> setflag(2);
> };
>
> if (method=="BYE")
> {
> log (1, "Hung-up \n");
> setflag(1);
> };
>
> if (method=="CANCEL")
> {
> log (1, "Lost call \n");
> setflag(1);
> }
>
> if (!method=="REGISTER")
> record_route();
>
> if (nat_uac_test("3"))
> {
> # Allow RR-ed requests, as these may
indicate that
> # a NAT-enabled proxy takes care of
it; unless it is
> # a REGISTER
>
> if (method == "REGISTER" || !
search("^Record-Route:"))
> {
> log(1,"LOG: Someone trying to
register from private
> IP,
> rewriting\n");
>
> # This will work only for user
agents that support
> symmetric
> # communication. We tested quite
many of them and
> majority is
> # smart enough to be symmetric.
In some phones it
> takes
> a configuration
> # option. With Cisco 7960, it is
called
> NAT_Enable=Yes,
> with kphone it is
> # called "symmetric media" and
"symmetric signalling".
>
> fix_nated_contact(); # Rewrite
contact with source IP
> of
> signalling
> force_rport(); # Add rport
parameter to topmost
> Via
> setflag(6); # Mark as
NATed
> };
> };
> # subsequent messages withing a dialog should take
the
> # path determined by record-routing
>
> if (loose_route())
> {
> # mark routing logic in request
> append_hf("P-hint: rr-enforced\r\n");
> route(1);
> };
>
> if (!uri==myself)
> {
> # mark routing logic in request
> append_hf("P-hint: outbound\r\n");
> route(1);
> };
>
> # if the request is for other domain use UsrLoc
> # (in case, it does not work, use the following
command
> # with proper names and addresses in it)
> if (uri==myself)
> {
>
> if (method=="REGISTER")
> {
> # Uncomment this if you want to use digest
authentication
> if (!www_authorize("xxx.xxx.xxx.xxx",
"subscriber"))
> {
> www_challenge("xxx.xxx.xxx.xxx", "0");
> return;
> };
> save("location");
> return;
> };
>
> lookup("aliases");
> if (!uri==myself)
> {
> append_hf("P-hint: outbound
alias\r\n");
> route(1);
> return;
> };
>
> # Router Cisco if not sip branche
> log(1,"LOG: testando se destino-sip e' 418x
...\n");
>
> if ( ! ( uri =~ "^sip:418[1-9].*" ) &&
> ! ( uri =~ "^sip:4397"))
> {
> log(1,"LOG: destino-sip not is 418x
.\n");
> route(2);
>
> log(1,"LOG: rewriting hostport
yyy.yyy.yyy.yyy:5060...\n");
> rewritehostport("yyy.yyy.yyy.yyy:5060");
> log(1,"LOG: t_relay...\n");
> t_relay();
>
> log(1,"LOG: break...\n");
> return;
> }
> log(1,"LOG: destino-sip 418x, continue
.\n");
>
> # native SIP destinations are handled using our
USRLOC DB
> if (!lookup("location"))
> {
> sl_send_reply("404", "Not Found");
> return;
> };
> };
> append_hf("P-hint: usrloc applied\r\n");
> route(1);
> }
>
> #######################################
>
> route[1]
> {
> # !! Nathelper
> if
(uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)"
&&
> !search("^Route:"))
> {
> sl_send_reply("479", "We don't forward
to private IP
> addresses");
> return;
> };
>
> # if client or server know to be behind a
NAT, enable relay
> if (isflagset(6))
> {
> force_rtp_proxy();
> t_on_reply("1");
> append_hf("P-Behind-NAT: Yes\r\n");
> };
>
> if (!t_relay())
> {
> sl_reply_error();
> return;
> };
> }
> # !! Nathelper
> onreply_route[1]
> {
> # NATed transaction ?
> if (isflagset(6) && status =~
"(183)|2[0-9][0-9]")
> {
> fix_nated_contact();
> force_rtp_proxy();
> }
> else if (nat_uac_test("1"))
> {
> fix_nated_contact();
> };
> }
>
> #######################################
>
> route[2] {
>
> ### Dial Plan for gateway VoIP ###
>
> # Sao Paulo 11
> if ( uri =~ "^sip:9911.*" )
> {
> log(1,"LOG: destination is 9911x, change
prefix...");
> strip(4);
> prefix("011");
> return;
> }
>
> # Error (Number inexistent)
> sl_reply_error();
>
> }
>
> -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
>
> Regards
> Jeferson
>
>
>
>
>
> ----- Original Message -----
> From: "Dan-Cristian Bogos" <dan.bogos at gmail.com>
> To: "Jeferson Prevedello" <jprevedello at terra.com.br>
> Cc: <users at openser.org>
> Sent: Saturday, August 25, 2007 3:06 PM
> Subject: Re: [OpenSER-Users] Unauthorized Calls -
[Openser - X-lite]
>
>
> > Hello Jeferson,
> >
> > it all depends on your openser.cfg.
> > If you put in there that all the INVITE-s should
be authenticated, your
> > users will not be able anymore to call without
having a valid user and
> > password for your server. Note that by default
openser will not do any
> > check for you, in order to keep the flexibility of
be used in
> > different environment setups.
> >
> > Cheers,
> > DanB
> >
> > On 8/25/07, Jeferson Prevedello
<jprevedello at terra.com.br> wrote:
> >>
> >>
> >> Hello,
> >>
> >> I implemented an environment using to openser +
mysql. The enviroment
> >> functions perfectly, however I perceived that
users (branches) not
> >> registered in mysql are generating called.
> >>
> >> I installed the X-lite softphone in my computer
trying to reproduce the
> >> situation.
>
> >> In the properties of configuration of the X-lite,
"field Password" I
> >> type
> >> "trash" as password (wrong password).
> >>
> >> The display of X-lite showed the following
message: "Registration
> >> error:
> >> 401
> >> - Unauthorized".
> >>
> >> In the contacts drawer I add a contact (double
click on the new
> >> contact),
> >> and the call was generate without restriction
(very bad).
> >>
> >> Some idea of as I solve this problem?
> >>
> >> Thanks
> >>
> >> Regards
> >> Jeferson
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users at openser.org
> >> http://openser.org/cgi-bin/mailman/listinfo/users
> >>
> >>
> >
>
>
_______________________________________________
Users mailing list
Users at openser.org
http://openser.org/cgi-bin/mailman/listinfo/users
_______________________________________________
Users mailing list
Users at openser.org
http://openser.org/cgi-bin/mailman/listinfo/users
Flickr agora em português. Você clica, todo mundo vê.
http://www.flickr.com.br/
More information about the Users
mailing list