Hi, the Permissions module tries to prevent REGISTERs with privileged IPs in the Contact
(using the "register.deny" file), but I have some doubts about this security.
I'll play with the example explained in the "register.deny" file:
---------------------------------------------------------------------------------------
# Suppose that we have a PSTN gateway with IP address 1.2.3.4
# We should prevent REGISTER messages that contain that IP
# address in Contact header field because that can cause serious
# security hole (a malicious user might be able to register such
# a contact and bypass security checks performed by the SIP proxy).
#
# The following line prevents registering Contacts with IP 1.2.3.4
# (Don't forget to list also all hostnames that can be used to
# reach the PSTN gateway)
ALL : "^sip:.*1\.2\.3\.4"
---------------------------------------------------------------------------------------
Ok, now a malicious user could just use SipSak to send a malicious REGISTER
to call for free to the PSTN number 01666555444:
~# sipsak -U -C sip:01666555444@1.2.3.00004 -a passwd -s sip:200@domain.org
Note the "00004" !!!!
So this causes an entry in "location" with fields:
- username = 200
- domain = domain.org
- contact = sip:01666555444@1.2.3.00004
And sure, 1.2.3.00004 is a valid IPv4.
That is: if the user calls himself (sip:200@domain.org) he'll get a free PSTN call. Oppss...
Ok, a solution could be to improve the regular expression by taking any
number of leading 0's into account:
ALL : "^sip:.*0*1\.0*2\.0*3\.0*4"
Ok, but now the malicious user can register a domain "hacking_my_proxy.com"
to resolve to IP 1.2.3.4, and send this REGISTER:
~# sipsak -U -C sip:01666555444@hacking_my_proxy.com -a passwd -s sip:200@domain.org
So this will bypass the "register.deny" policy !!!!
Note that "register.deny" file says:
# (Don't forget to list also all hostnames that can be used to
# reach the PSTN gateway)
Of course, it's not possible to list all hostnames and domains resolving to an IP (anyone can
register a domain pointing to any IP).
So then... is this "register.deny" security really valid????
Solution for this?
-------------------------
- Forbid hostnames or domains in Contact: Ohh, too much anti-RFC 3261 (what would
"alice(a)pc33.atlanta.com" think about it? XDDD).
- Do a DNS query for the "Contact" during REGISTER: What about if DNS changes later?
- Match the resolved IP against IP's in "register.deny" for every INVITE leaving OpenSer. Humm.
- Avoid OpenSer using internet DNS system (so "hacking_my_proxy.com" wouldn't be resolved)
and allow just secure domains (internal DNS or /etc/hosts): and what about outbound calls?
isn't this solution an atrocity?
How to handle it? Is it not a real security hole?
Comments are welcome. Regards.
--
Iñaki Baz Castillo
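To make the two bypasses in the post above concrete, here is an added example (mine, not code from OpenSER, the permissions module or the post) that runs the thread's two register.deny patterns against the three REGISTER Contacts and contrasts them with a check that canonicalizes the Contact host instead of pattern-matching the URI text. Everything it uses is constructed: the protected address set, the FAKE_DNS table standing in for the attacker's zone and the resolver, and Python's `re` in place of the POSIX regexes the permissions module compiles.

```python
"""Contact screening for REGISTER: the thread's regexes versus host canonicalization.

Added example, not code from OpenSER or the post. Everything below is
constructed: the protected gateway address, the FAKE_DNS table, and Python's
`re` standing in for the POSIX regexes the permissions module compiles.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

# The two register.deny patterns discussed in the post.
DENY_ORIGINAL = re.compile(r"^sip:.*1\.2\.3\.4")
DENY_LEADING_ZEROS = re.compile(r"^sip:.*0*1\.0*2\.0*3\.0*4")

# Constructed: the PSTN gateway that must never be a registered contact.
PROTECTED: Set[ipaddress.IPv4Address] = {ipaddress.IPv4Address("1.2.3.4")}

# Constructed stand-in for DNS: the attacker's zone from the post plus one
# ordinary host. A deployment would call the real resolver instead.
FAKE_DNS: Dict[str, List[str]] = {
    "hacking_my_proxy.com": ["1.2.3.4"],
    "pc33.atlanta.com": ["198.51.100.33"],
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


def regex_denied(pattern, uri: str) -> bool:
    """What register.deny does: a regex over the Contact URI text."""
    return pattern.search(uri) is not None


# sip[s]:[user@]host[:port][;params]; IPv6 literals are bracketed.
_HOST_RE = re.compile(r"^sips?:(?:[^@;>]*@)?(?:\[([^\]]+)\]|([^:;>?]+))")
# A numeric last label (decimal, octal-looking or 0x hex) is never a valid
# TLD, so such a host is an address literal in one of the forms inet_aton() takes.
_NUMERIC_LABEL = re.compile(r"^(?:[0-9]+|0[xX][0-9a-fA-F]+)$")


def contact_host(uri: str) -> str:
    m = _HOST_RE.match(uri)
    if not m:
        raise ValueError("not a SIP URI: %r" % uri)
    return (m.group(1) or m.group(2)).lower()


def is_address_literal(host: str) -> bool:
    return _NUMERIC_LABEL.match(host.rsplit(".", 1)[-1]) is not None


def canonical_ipv4(host: str) -> Optional[ipaddress.IPv4Address]:
    """Accept only four decimal octets with no leading zeros.

    inet_aton() is much looser: a leading 0 makes the octet octal
    (1.2.3.00004 == 1.2.3.4 but 1.2.3.010 == 1.2.3.8), 0x means hex, and
    fewer than four parts are allowed. Rather than mirror that, any
    non-canonical literal is rejected outright.
    """
    parts = host.split(".")
    if len(parts) != 4:
        return None
    for p in parts:
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 255:
            return None
    return ipaddress.IPv4Address(host)


def screen_contact(uri: str, protected: Set[ipaddress.IPv4Address],
                   resolve: Callable[[str], List[str]]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a Contact.

    Run at REGISTER time and again on the stored contact before relaying a
    call, so a hostname whose DNS changed after registration is still caught.
    """
    host = contact_host(uri)
    if is_address_literal(host):
        addr = canonical_ipv4(host)
        if addr is None:
            return False, "non-canonical address literal: %s" % host
        if addr in protected:
            return False, "literal %s is a protected address" % addr
        return True, "literal %s" % addr
    for a in resolve(host):
        if ipaddress.ip_address(a) in protected:
            return False, "%s resolves to protected %s" % (host, a)
    return True, "name %s" % host


def demo() -> Dict[str, Tuple[bool, bool, bool]]:
    """The post's three Contacts: (original regex hit, zeros regex hit, allowed)."""
    out = {}
    for u in ("sip:01666555444@1.2.3.4",
              "sip:01666555444@1.2.3.00004",
              "sip:01666555444@hacking_my_proxy.com"):
        out[u] = (regex_denied(DENY_ORIGINAL, u),
                  regex_denied(DENY_LEADING_ZEROS, u),
                  screen_contact(u, PROTECTED, fake_resolve)[0])
    return out


if __name__ == "__main__":
    for uri, (orig, zeros, allowed) in demo().items():
        print("%-40s deny.orig=%-5s deny.zeros=%-5s allowed=%s"
              % (uri, orig, zeros, allowed))
```

The reason `screen_contact` returns a reason string is that the same function is meant to run twice: once on the Contact at REGISTER time (where the config would call `save()`), and again on the stored contact just before the INVITE is relayed, which is the only way to catch a hostname whose A record changed after registration. Address literals are held to a single canonical form rather than re-parsed the way `inet_aton()` would, because an octal, hex or short-form literal in a Contact is far more likely to be evasion than a real phone.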
All,
I am trying to write a carrier-grade Ringback Tone application on top of OpenSER. Does anybody know which media server (preferably open source) to use? Is WeSIP the only way to write an application on top of OpenSER, or are there other ways? Also, does anybody know how applications in WeSIP perform; can they be deployed as a carrier-grade solution?
Regards
--Srinivas Kotamarti
Hi,
Last night I committed to the SVN the update of the FreeBSD port
to version 1.3.0. This update will also be committed to the FreeBSD
ports tree as soon as possible.
Meanwhile, if you want to use the port or create your own packages,
you can obtain the port here:
http://openser.svn.sourceforge.net/viewvc/openser/branches/1.3/packaging/fr…
Regards.
Saludos
JesusR.
------------------------------------
Jesus Rodriguez
VozTelecom Sistemas, S.L.
jesusr(a)voztele.com
http://www.voztele.com
Tel. 902360305
-------------------------------------
Hi All,
I am trying to do parallel forking from OpenSER. But when I call, one
user gets 2 calls and the rest of the users get one call.
Can anyone please explain why this is happening?
Here I attach my openser.cfg file...
# main routing logic
route{
    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    };
    if (msg:len >= 2048 ) {
        sl_send_reply("513", "Message too big");
        exit;
    };

    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    if (!method=="REGISTER")
        record_route();

    # subsequent messages within a dialog should take the
    # path determined by record-routing
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        route(1);
    };

    if (!uri==myself) {
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        # if you have some interdomain connections via TLS
        #if(uri=~"@tls_domain1.net") {
        #    t_relay("tls:domain1.net");
        #    exit;
        #} else if(uri=~"@tls_domain2.net") {
        #    t_relay("tls:domain2.net");
        #    exit;
        #}
        route(1);
    };

    # if the request is for other domain use UsrLoc
    # (in case, it does not work, use the following command
    # with proper names and addresses in it)
    if (uri==myself) {
        if (method=="REGISTER") {
            # Uncomment this if you want to use digest authentication
            #if (!www_authorize("192.168.3.15", "subscriber")) {
            #    www_challenge("192.168.3.15", "0");
            #    exit;
            #};
            save("location");
            exit;
        };

        lookup("aliases");
        log("I M IN lookup");
        if (!uri==myself) {
            append_hf("P-hint: outbound alias\r\n");
            route(1);
        };

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            sl_send_reply("404", "Not Found");
            exit;
        }
        else {
            # lookup() has already set the R-URI to the first registered
            # contact and added one branch per remaining contact;
            # append_branch() with no argument adds one more branch
            # carrying the current R-URI, i.e. the first contact again
            append_branch();
            append_hf("P-hint: usrloc applied\r\n");
            t_relay();
        }
    };
    route(1);
}
Hi Bogdan.
The compilation on Solaris 10/SPARC has ended successfully.
According to my current setup, in particular, related to fulfilled
dependencies, my final gmake command was:
gmake exclude_modules="jabber mi_xmlrpc osp perl postgres unixodbc
snmpstats xmpp tlsops db_berkeley ldap mi_dm perlvdb xcap_client"
I have mysql 5.0.22 and radiusclient 0.5.2
The attached file contains all the warnings reported at the compilation
process; most of them are related to assignments without casting, and
implicit declaration of functions.
I will perform the TLS compilation, and the testing on Solaris x86, and I
will notify you as soon as they end.
If there is something I can help with, or another test you would like me to perform,
please let me know.
Best Regards.
Sergio Gutiérrez
EPM Telecomunicaciones
Medellin, Colombia
Tel: +574 - 3802947
On Dec 12, 2007 4:54 PM, Sergio Gutierrez <saguti(a)gmail.com> wrote:
> Hi Bogdan.
>
> Continuing with compilation, this error appeared when compiling LDAP
> module:
>
> In file included from ldap_api_fn.c:40:
> ldap_api_fn.h:57: error: conflicting types for 'ldap_url_search'
> /usr/include/ldap.h:789: error: previous declaration of 'ldap_url_search'
> was here
> ldap_api_fn.h:57: error: conflicting types for 'ldap_url_search'
> /usr/include/ldap.h:789: error: previous declaration of 'ldap_url_search'
> was here
> ldap_api_fn.c: In function `ldap_params_search':
> ldap_api_fn.c:211: warning: implicit declaration of function
> `LDAP_API_ERROR'
>
> In my case, I do not have OpenLDAP libraries installed, but my system has
> the LDAP library which is standard on Solaris since Solaris 9.
>
> checking at the manual, I see the declaration on Solaris is:
>
> int ldap_url_search(LDAP *ld, char *url, int attrsonly);
>
>
> Please, let me know how can we continue.
>
> Regards.
>
> Sergio.
>
>
>
> On Dec 12, 2007 4:22 PM, Bogdan-Andrei Iancu < bogdan(a)voice-system.ro>
> wrote:
>
> > Hi Sergio,
> >
> > Thanks for the feedback - I'm glad we were able to catch this issue in
> > last minutes before release :). I also applied your patch for the
> > Makefile of the carrierroute module.
> >
> > Regards,
> > Bogdan
> >
> > Sergio Gutierrez wrote:
> > > Hi Bogdan.
> > >
> > > The compilation so far is going right, with no warnings;
> > >
> > > A modification I did is I installed libconfuse, because for our
> > > particular setup we are interested in exploring the carrierroute
> > > module; I installed at my LOCALBASE, and at compiling the module, it
> > > failed; trying to fix it I added a couple lines to the Makefile of the
> > > module as indicated at the following diff; I am not sure if they are
> > > required, but they fixed my problem:
> > >
> > >
> > > ------------------------- BEGIN DIFF
> > > --- Makefile Wed Dec 12 16:05:06 2007
> > > +++ Makefile.saguti Wed Dec 12 16:04:58 2007
> > > @@ -8,7 +8,8 @@
> > > include ../../Makefile.defs
> > > auto_gen=
> > > NAME=carrierroute.so
> > > -LIBS=-lconfuse
> > > +LIBS+=-L$(LOCALBASE)/lib -lconfuse
> > > +DEFS+=-I$(LOCALBASE)/include
> > >
> > > include ../../Makefile.modules
> > >
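Review bot: the two added lines, `LIBS+=-L$(LOCALBASE)/lib -lconfuse` and `DEFS+=-I$(LOCALBASE)/include`, rely on `LOCALBASE` already being defined by the included `../../Makefile.defs`; nothing in the hunk sets it, and if it is empty the flags degrade to `-L/lib` and `-I/include`, which silently point at the system paths instead of the private libconfuse install. It would be worth stating in the commit message where LOCALBASE comes from, and, since this is for Solaris, adding a run-time search path alongside the link path (for example `-R$(LOCALBASE)/lib` in LIBS) so carrierroute.so can find libconfuse at load time without LD_LIBRARY_PATH.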
> > > ------------------------ END DIFF
> > >
> > > I will try again the compilation, and I hope to test it too on Solaris
> > > x86.
> > >
> > > Best regards.
> > >
> > > Sergio.
> > >
> >
> >
>
Hi,
I'm glad to announce that OpenSER 1.3.0 has been released. I want to thank
all the people that contributed to it, with code, documentation,
assistance, packaging, etc...
The SVN branch for 1.3 and the tag for 1.3.0 have been created, so feel free to
download:
# svn co
https://openser.svn.sourceforge.net/svnroot/openser/branches/1.3 openser
As tarballs, only sources (tls and non-tls) and linux binaries are
available on the openser.org site. In the following days packages will
be uploaded to both the openser.org and SF sites.
A news item about the features in 1.3.0 and about migration from 1.2 to 1.3
is still pending upload to the sites; all of this will be done in
the following days.
More detailed announcement emails will follow ;).
Regards,
Bogdan
Hi,
does loose_route import the domains from the domain module?
My multidomain 0.9.6 seems not to do this, and I found the same issues for
openser (http://www.mail-archive.com/users@openser.org/msg12794.html).
What about 2.x?
I'm afraid the only workaround, as mentioned, is to use alias=domain for
all domains served by the server.
Thanks
Jan
--
-------------------------------------------------------------------
Ing. Jan Ruzicka CESNET z. s. p. o.
tel: +420234680499 Zikova 4
e-mail,sip: janru(a)cesnet.cz 160 00 Praha 6
icq:151316768 Czech Republic
-------------------------------------------------------------------