[OpenSIPS-Users] Problem with the configuration of permissions module

Alejandro Recarey alexrecarey at gmail.com
Mon Jan 17 03:10:26 CET 2011


Hi all,

I have been checking the SIP security of my configuration and am shocked
to find out that my configuration is currently not working correctly.

I am using OpenSIPS 1.6.2 and the check_source_address function to only
allow calls from my own domain but it seems that no matter what I write
to the address table, I can always call! That means that any IP address
has access to my OpenSIPS server for outbound calls.

Now, I am certain that it must be a problem with my configuration of the
opensips.cfg file, so any help would be appreciated to find out the
problem.

I am using the permissions module with the following configuration:

mysql> select * from address;
+----+-----+---------------+------+------+-------+----------+----------+
| id | grp | ip            | mask | port | proto | pattern  | context_i|
+----+-----+---------------+------+------+-------+----------+----------+
|  1 |   0 | 130.117.93.0  |   25 | 5060 | any   | ^sip:.*$ |          |
+----+-----+---------------+------+------+-------+----------+----------+

My route table is as follows:

route{

    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    }

    if (has_totag()) {
        # sequential request withing a dialog should
        # take the path determined by record-routing
        if (loose_route()) {
            if (is_method("BYE")) {
                setflag(1); # do accounting ...
                setflag(3); # ... even if the transaction fails
            } else if (is_method("INVITE")) {
                # even if in most of the cases is useless, do RR for
                # re-INVITEs alos, as some buggy clients do change route set
                # during the dialog.
                record_route();
            }
            # route it out to whatever destination was set by loose_route()
            # in $du (destination URI).
            route(1);
        } else {
            /* uncomment the following lines if you want to enable presence */
            ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
            ##    # in-dialog subscribe requests
            ##    route(2);
            ##    exit;
            ##}
            if ( is_method("ACK") ) {
                if ( t_check_trans() ) {
                    # non loose-route, but stateful ACK; must be an ACK after
                    # a 487 or e.g. 404 from upstream server
                    t_relay();
                    exit;
                } else {
                    # ACK without matching transaction ->
                    # ignore and discard
                    exit;
                }
            }
            sl_send_reply("404","Not here");
        }
        exit;
    }

    #initial requests

    # CANCEL processing
    if (is_method("CANCEL"))
    {
        if (t_check_trans())
            t_relay();
        exit;
    }

    t_check_trans();


    if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
    {
        # Here is where I check that the INVITE comes from my servers
        if(!check_source_address("0")){

            sl_send_reply("403", "Forbidden");

            if (!proxy_authorize("", "subscriber")) {
                proxy_challenge("", "0");
                exit;
            }
            if (!db_check_from()) {
                sl_send_reply("403","Forbidden auth ID");
                exit;
            }

            consume_credentials();
            # caller authenticated
        }
    }

    # preloaded route checking
    if (loose_route()) {
        xlog("L_ERR",
        "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
        if (!is_method("ACK"))
            sl_send_reply("403","Preload Route denied");
        exit;
    }

    # record routing
    if (!is_method("REGISTER|MESSAGE"))
        record_route();

    # account only INVITEs
    if (is_method("INVITE")) {
        setflag(1); # do accounting
    }

    if (!uri==myself)
    {
        append_hf("P-hint: outbound\r\n");

        # Do not act as an open relay
        #   only allow requests from handled domains
        if(from_uri==myself){
            route(1);
        }
        else {
            sl_send_reply("403", "Not here");
        }
    }

    # requests for my domain

    if (is_method("PUBLISH"))
    {
        sl_send_reply("503", "Service Unavailable");
        exit;
    }


    if (is_method("REGISTER"))
    {
        # authenticate the REGISTER requests (uncomment to enable auth)
        if (!www_authorize("", "subscriber"))
        {
            www_challenge("", "0");
            exit;
        }

        if (!db_check_to())
        {
            sl_send_reply("403","Forbidden auth ID");
            exit;
        }

        if (!save("location"))
            sl_reply_error();

        exit;
    }

    if ($rU==NULL) {
        # request with no Username in RURI
        sl_send_reply("484","Address Incomplete");
        exit;
    }

    # ROUTING happens here
 - - - - - - - - -
    #

route[1] {
    # for INVITEs enable some additional helper routes
    if (is_method("INVITE")) {
        t_on_branch("2");
        t_on_reply("2");
        t_on_failure("1");
    }

    if (!t_relay()) {
        sl_reply_error();
    };
    exit;
}





        # request with no Username in RURI
        sl_send_reply("484","Address Incomplete");
        exit;
    }





Thank you in advance, and any explanation of WHERE and WHAT I did wrong
would be a great help to secure my installation.

Regards,

Alex



More information about the Users mailing list