[Users] Unauthorized Calls - PLEASE HELP!

Jonas Appel jonas.appel at 1und1.de
Fri Mar 30 16:18:23 CEST 2007


Hi Daryl,

Maybe you should add some checks to route 1 (for INVITEs that don't 
match "uri==myself"). I don't know your exact setup, but it is possible 
that an INVITE sent to your proxy as "INVITE <number>@<your pstn 
gateway>" is t_relayed directly to your PSTN gateway: the main route hands 
every request with uri!=myself to route(1) before route(3), where 
proxy_authorize is called, is ever reached.


Regards,

Jonas

Am Mittwoch 28 März 2007 schrieb Daryl Sanders:
> Hi Everyone,
>
> I apparently have something in my openser.cfg that is allowing
> unauthorized calls to go through to our PSTN gateways. I have included
> my config below for review. I would appreciate any help understanding
> how this might be happening.
>
> I am currently reviewing the CDRs from my PSTN gateways for clues as well.
> This is a pretty basic configuration with no NAT involved.
>
> Regards,
> Daryl
>
>
>
> route {
>
>     # Main request route: sanity checks, record-routing, relaying of
>     # requests that carry Route headers, then dispatch by Request-URI host
>     # and by method.
>     # NOTE(review): the only authentication calls in this listing are in
>     # route[2] (REGISTER) and route[3] (INVITE with uri==myself). Every
>     # other path below that ends in t_relay() runs without them.
>     # NOTE(review): the mail client re-wrapped some long lines in this
>     # block (inside an xlog() string and after an xlog() call); restore the
>     # original line breaks before reusing it.
>
>     # -----------------------------------------------------------------
>     # Sanity Check Section
>     # -----------------------------------------------------------------
>     # Reply 483 and stop when Max-Forwards processing fails.
>     if (!mf_process_maxfwd_header("10")) {
>         sl_send_reply("483", "Too Many Hops");
>         exit;
>     };
>
>     # Reply 513 and stop when the message is longer than max_len.
>     if (msg:len > max_len) {
>         sl_send_reply("513", "Message Overflow");
>         exit;
>     };
>
>     # Flag 1 is set for INVITE, ACK and BYE; what the flag triggers is
>     # defined by module parameters not shown here (presumably accounting --
>     # confirm).
>     if (method=="INVITE" || method=="ACK" || method=="BYE") {
>         setflag(1);
>     };
>
>     # INVITEs from members of the "inactive" group are rejected with 403,
>     # except calls to 911.
>     # NOTE(review): is_user_in("From", ...) runs before any authorize call,
>     # so the group decision rests on the From header as presented by the
>     # sender, not on an authenticated identity.
>     if (method=="INVITE") {
>         if (is_user_in("From","inactive")) {
>             if (uri =~ "^sip:911@") {
>                 xlog("L_NOTICE", "[$Tf] R1: $ci -- Allowing 911
> Emergency Call on Inactive User\n" );
>             } else {
>                 sl_send_reply("403", "Forbidden");
>                 xlog("L_NOTICE", "[$Tf] R1: $ci -- User Inactive\n" );
>                 return;
>             };
>         };
>     };
>
>     # -----------------------------------------------------------------
>     # Record Route Section
>     # -----------------------------------------------------------------
>     if (method!="REGISTER") {
>         record_route();
>     };
>
>     # -----------------------------------------------------------------
>     # Loose Route Section
>     # -----------------------------------------------------------------
>     # NOTE(review): when loose_route() succeeds the request is relayed
>     # right here, ahead of the authentication in route[3]. Confirm that an
>     # initial INVITE (one without a To tag) arriving with a Route header
>     # cannot take this branch and reach the gateways unauthenticated.
>     if (loose_route()) {
>             xlog( "L_NOTICE", "[$Tf] RR: $ci -- Loose Route $rm ($rd).\n"
> ); if (!t_relay()) {
>                     sl_reply_error();
>             };
>             return;
>     };
>
>     # -----------------------------------------------------------------
>     # Call Type Processing Section
>     # -----------------------------------------------------------------
>     # NOTE(review): every request whose Request-URI host is not this proxy,
>     # INVITE included, goes to route(1) and is t_relay()ed with no
>     # authentication and no check on the destination. route[3] and its
>     # proxy_authorize() are only reached when uri==myself, so an INVITE
>     # addressed to the PSTN gateway's own address is forwarded from here.
>     # Authenticate, or restrict by source and destination, before relaying
>     # requests for foreign hosts.
>     if (uri!=myself) {
>         route(1);
>         return;
>     };
>
>     # Requests addressed to this proxy, dispatched by method. BYE and
>     # CANCEL are relayed directly and the t_relay() result is not checked.
>     if (method=="ACK") {
>         route(1);
>         return;
>     } else  if (method=="REGISTER") {
>         route(2);
>         return;
>     } else if (method=="INVITE") {
>         route(3);
>         return;
>     } else  if (method=="BYE" || method=="CANCEL") {
>         t_relay();
>         exit;
>     }
>
>     # Remaining methods: apply aliases, relay if the URI now points at a
>     # foreign host, otherwise require a location entry (404 if none) and
>     # relay to it.
>     # NOTE(review): same unauthenticated relay as above once the alias
>     # lookup has rewritten the URI to a foreign host.
>     lookup("aliases");
>     if (uri!=myself) {
>         route(1);
>         return;
>     };
>
>     if (!lookup("location")) {
>         sl_send_reply("404", "User Not Found");
>         return;
>     };
>
>     route(1);
> }
>
> route[1] {
>
>     # -----------------------------------------------------------------
>     # Default Message Handler
>     # -----------------------------------------------------------------
>     # Arms onreply_route[1] and failure_route[2] for the transaction, then
>     # relays the request statefully; a failed t_relay() is answered with
>     # sl_reply_error().
>     # NOTE(review): this block does no authentication and no destination
>     # check of its own. Whatever reaches it is forwarded, so each caller
>     # has to have authorized the request beforehand.
>     t_on_reply("1");
>     t_on_failure("2");
>
>     if (!t_relay()) {
>         sl_reply_error();
>     };
> }
>
> route[2] {
>
>     # -----------------------------------------------------------------
>     # REGISTER Message Handler
>     # -----------------------------------------------------------------
>     # Sends a 100 reply, then requires digest credentials checked against
>     # the "subscriber" table; a request that fails the check is challenged
>     # and processing stops.
>     sl_send_reply("100", "Trying");
>
>     if (!www_authorize("","subscriber")) {
>         www_challenge("","0");
>         exit;
>     };
>     # NOTE(review): nothing visible here ties the authenticated username to
>     # the address-of-record being registered; confirm whether a To-URI
>     # check (e.g. check_to()) is needed before save().
>     consume_credentials();
>
>     # Store the contact binding; answer with the error reply if that fails.
>     if (!save("location")) {
>         sl_reply_error();
>     };
> }
>
> route[3] {
>
>     # -----------------------------------------------------------------
>     # INVITE Message Handler
>     # -----------------------------------------------------------------
>     # Called from the main route only for INVITEs with uri==myself.
>     # NOTE(review): the mail client re-wrapped one long line in this block,
>     # so an sl_send_reply() call now sits on the tail of a comment; restore
>     # the original line breaks before reusing it.
>
>     # Trusted Provider IPs
>     # Requests from the listed source addresses skip digest authentication;
>     # all others must pass proxy_authorize() against "subscriber".
>     # NOTE(review): the condition is not wrapped in one outer pair of
>     # parentheses and relies on how "!src_ip==x" is parsed. Verify that it
>     # loads and evaluates as intended; "src_ip!=x.x.x.x" terms inside a
>     # single parenthesised condition would be unambiguous.
>     # NOTE(review): no check visible here ties the authenticated user to
>     # the From header, while later decisions use is_user_in("From", ...).
>     # Confirm whether a From check (e.g. check_from()) is needed.
>     if (!src_ip==x.x.x.x)&&(!src_ip==x.x.x.x)&&(!src_ip==x.x.x.x) {
>         if (!proxy_authorize("","subscriber")) {
>             proxy_challenge("","0");
>             exit;
>         };
>         consume_credentials();
>     };
>     # Apply aliases; relay at once if the URI now points at a foreign host.
>     lookup("aliases");
>     if (uri!=myself) {
>         route(1);
>         return;
>     };
>
>     # NOTE(review): the 479 reply is sent but there is no return or exit
>     # after it, so the script carries on with the same request. The pattern
>     # also names only 192.168., 10. and 172.16, not the rest of the
>     # 172.16-172.31 private range.
>     if (uri=~"[@:](192\.168\.|10\.|172\.16)" && !search("^Route:")){
>         sl_send_reply("479", "We do not forward to private IP addresses");
>     };
>
>     # Dial patterns that are sent to the PSTN handler.
>     if ((uri =~ "^sip:0@")||            /* Operator Assistance */
>         (uri =~ "^sip:911@")||          /* 911 Emergency */
>         (uri =~ "^sip:411@")||          /* Directory Assistance */
>         (uri =~ "^sip:1[0-9]{10}@")) {  /* Domestic PSTN */
>         route(4);
>         return;
>     };
>
>     if (uri=~"^sip:0111[0-9]*@") { # Kill calls to 011+1... (invalid
> dialing) sl_send_reply("406", "Not Acceptable");
>         return;
>     }
>
>     # International numbers: the 011 prefix is stripped unless the From
>     # user is in group "gateway1", then the call goes to the PSTN handler.
>     if (uri=~"^sip:011[0-9]*@") { # International PSTN
>         if(!is_user_in("From","gateway1")) {
>             strip(3); # Remove 011 for Gateway2
>         }
>         route(4);
>         return;
>     };
>
>     # Anything else must resolve to a registered contact, else 404.
>     if (!lookup("location")) {
>         sl_send_reply("404", "User Not Found");
>         return;
>     };
>
>     route(1);
> }
>
> route[4] {
>
>     # -----------------------------------------------------------------
>     # PSTN Handler
>     # -----------------------------------------------------------------
>     # Rewrites the request for the PSTN gateways, picks the sending socket
>     # and a dispatcher destination, then relays through route(1).
>     # NOTE(review): no authorization happens in this block; it depends on
>     # the caller (route[3] is the only one visible) having done it.
>     # NOTE(review): the mail client re-wrapped the append_hf() string and
>     # pushed uac_replace_from() to column 0; restore the original line
>     # breaks before reusing this block.
>     prefix("+"); # add "+" to Request URI
>     # The P-Asserted-Identity value comes from $avp(s:rpid); where that AVP
>     # is filled is not shown in this listing.
>     append_hf("P-Asserted-Identity:
> \"User\"<sip:+1$avp(s:rpid)@x.x.x.x>\r\n");
> uac_replace_from("$fn","sip:+$fU@$fd:5060");
>
>     # The outbound socket is selected by group membership of the From user.
>     if(is_user_in("From","gateway1")) {
>         force_send_socket(x.x.x.x:5060);
>         xlog("L_NOTICE", "[$Tf] Message sent via IP-1\n" );
>     } else {
>         force_send_socket(x.x.x.x:5060);
>         xlog("L_NOTICE", "[$Tf] Message sent via IP-2\n" );
>     };
>
>     # Choose a gateway through the dispatcher module (arguments "1" and
>     # "0"; presumably set 1, algorithm 0 -- confirm), then relay.
>     ds_select_domain("1","0");
>     route(1);
> }
>
> onreply_route[1] {
>
>        # Reply handler armed by t_on_reply("1"). An 18x reply is logged and
>        # the failure route is reset with t_on_failure("0"), so
>        # failure_route[2] no longer runs for this branch. Any other reply
>        # is only logged.
>
>        # we are checking here for a progressing return... ie a 180 Ringing
> or # 183 session progress -- if this occurs we don't care from here on #
> about failures as a gateway is handling the call...
>
>        if( status =~ "18[0-9]" ) {
>                xlog( "L_INFO", "[$Tf] ORR: $ci -- SIP-$rs Reset
> t_on_failure()\n");
>                t_on_failure("0");
>        } else {
>                xlog( "L_INFO", "[$Tf] ORR: $ci -- $rs $rr\n" );
>        }
> }
>
> failure_route[2] {
>
>        # Failure handler armed by t_on_failure("2"). It logs the failure,
>        # stops on 403, 486 and 487, and otherwise tries the next dispatcher
>        # destination, replying 503 when none is left.
>        # NOTE(review): the mail client re-wrapped several long lines here,
>        # so some "if" statements and calls now sit on the tail of a comment
>        # or inside a string; restore the original line breaks before
>        # reusing this block.
>
>        # 408 -- timeout -- typically the end party has not answered
>        # Since we cancel t_on_failure() on a provisional response we
> should not be
>        # getting a 408 timeout from a gateway at this stage.. it will
> just "fall through"
>        # If fr_timer expires t_check_status("408") is true, although
> $rs is <null>
>        # This branch only logs; a 408 then falls through to the gateway
>        # failover at the end of the block.
>        if( t_check_status("408") ){
>                xlog( "L_NOTICE", "[$Tf] FR: $ci -- TIMEOUT for Gateway
> $rd\n" ); } else {
>                xlog( "L_NOTICE", "[$Tf] FR: $ci -- $rs reason $rr\n" );
>        }
>
>        # 403 -- Not a valid number, or possibly no permission to use the
> gateway if( t_check_status("403") ){
>                xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Forbidden\n" );
>                return;
>        }
>
>        # 486 -- User Busy
>        if( t_check_status("486") ){
>                xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Destination
> Busy\n" ); return;
>        }
>
>        # 487 -- Request Cancelled (usually in response to a CANCEL
> transaction) if( t_check_status("487") ){
>                xlog("L_NOTICE", "[$Tf] FR: $ci -- SIP-$rs Request
> Cancelled\n" );
>                return;
>        }
>
>        # At this stage we try the next gateway, if no next gateway we bail.
>        # The reply and failure routes are re-armed before the retry so the
>        # same handling applies to the next destination.
>        if( ds_next_domain() ){
>                t_on_reply("1");
>                t_on_failure("2");
>                xlog( "L_NOTICE", "[$Tf] FR: $ci Next gateway $fU ->
> $tU via $rd\n" );
>                if( !t_relay() ){
>                        xlog( "L_WARN", "[$Tf] FR: $ci -- ERROR - Can
> not t_relay()\n" );
>                        return;
>                }
>                return;
>        } else {
>                xlog( "L_WARN", "[$Tf] FR: $ci No more gateways -> 503.\n"
> ); t_reply("503", "Service unavailable -- no more gateways" ); return;
>        }
> }
>



