Hello Jeferson,
Your configuration looks a bit messy, if I were OpenSER I would also
refuse it. :).
I would suggest taking a more standard configuration (u can find many
examples on this location:
)
and use 1.2 branch of software for start, and experiment with it into
some lab environment.
It is a bit difficult as a beginner to start directly experimenting on
a production configuration, perhaps written by somebody else without
understanding it. You will end up having big issues when
troubleshooting in production environment.
The tip I gave you would be really easy to implement it with a block
of few lines, eg:
if (is_method("INVITE")){
if (!proxy_authorize("", "subscriber)) {
proxy_challenge("","0");
exit;
} else if (!check_from()) {
sl_send_reply("403", "Use From=ID");
exit;
};
};
Documentation for you to understand those lines here:
Usually, there is a loot of documentation and howtos in openser wiki,
so I would suggest you having a glance on some titles which look close
to your needs as a beginner.
Cheers,
DanB
On 8/27/07, Jeferson Prevedello <jprevedello(a)terra.com.br> wrote:
Hello DanB,
Thanks!
As DanB´s suggestion, I tried to implement a mechanism that only allowed
authenticated members make calls, but my configuration didn´t function.
This is my first project with openser, therefore I do not have much
experience. If someone know how to help me to implement this verification, I
will be very thankful.
Below, my openser.cfg file:
-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
# ----------- global configuration parameters ------------------------
debug=3
fork=yes
log_stderror=no
log_facility=LOG_LOCAL7
# hostname matching an alias will satisfy the condition uri==myself".
alias=xxx.xxx.xxx.xxx
listen=udp:xxx.xxx.xxx.xxx:5060
# check_via - Turn on or off Via host checking when forwarding replies.
# Default is no. arcane. looks for discrepancy between name and
# ip address when forwarding replies.
check_via=yes
# syn_branch - Shall the server use stateful synonym branches? It is
# faster but not reboot-safe. Default is yes.
syn_branch=yes
# dns - Uses dns to check if it is necessary to add a "received=" field
# to a via. Default is no.
# rev_dns - Same as dns but use reverse DNS.
dns=no
rev_dns=no
port=5060
children=4
# memlog - Debugging level for final memory statistics report. Default
# is L_DBG -- memory statistics are dumped only if debug is set high.
memlog=3
# sip_warning - Should replies include extensive warnings? By default
# yes, it is good for trouble-shooting.
sip_warning=yes
# fifo - FIFO special file pathname
fifo="/tmp/openser_fifo"
# reply_to_via - A hint to reply modules whether they should send reply
# to IP advertised in Via. Turned off by default, which means that
# replies are sent to IP address from which requests came.
reply_to_via=no
# mhomed -- enable calculation of outbound interface; useful on
# multihomed servers.
mhomed=0
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
loadmodule "/usr/lib/openser/modules/mysql.so"
loadmodule "/usr/lib/openser/modules/sl.so"
loadmodule "/usr/lib/openser/modules/tm.so"
loadmodule "/usr/lib/openser/modules/rr.so"
loadmodule "/usr/lib/openser/modules/maxfwd.so"
loadmodule "/usr/lib/openser/modules/usrloc.so"
loadmodule "/usr/lib/openser/modules/registrar.so"
loadmodule "/usr/lib/openser/modules/textops.so"
loadmodule "/usr/lib/openser/modules/nathelper.so"
loadmodule "/usr/lib/openser/modules/acc.so"
loadmodule "/usr/lib/openser/modules/xlog.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "/usr/lib/openser/modules/auth.so"
loadmodule "/usr/lib/openser/modules/auth_db.so"
# ----------------- setting module-specific parameters ---------------
# ------------- usrloc parameters
# 2 enables write-back to persistent mysql storage for speed
# disable=0, write-through=1
modparam("usrloc", "db_mode", 0)
# minimize write back window - default is 60 seconds
modparam("usrloc", "timer_interval", 30)
# ------------- auth parameters
# Uncomment if you are using auth module
modparam("auth_db", "calculate_ha1", yes)
# If you set "calculate_ha1" parameter to yes (which true in this config),
# uncomment also the following parameter)
modparam("auth_db", "password_column", "password")
# ------------- rr parameters
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# ------------- !! Nathelper
modparam("registrar", "nat_flag", 6)
modparam("nathelper", "natping_interval", 30) # Ping interval 30 s
modparam("nathelper", "ping_nated_only", 1) # Ping only clients
behind NAT
modparam("nathelper", "rtpproxy_sock",
"unix:/var/run/rtpproxy.sock") #
Nathelper with RTPproxy
# ------------- tm parameters
modparam("tm", "fr_timer", 12)
modparam("tm", "fr_inv_timer", 24)
# ------------- acc parameters
modparam("acc", "db_url",
"mysql://openser:openserrw@localhost/openser")
modparam("acc", "db_flag", 2)
modparam("acc", "db_missed_flag", 2)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)
modparam("acc", "log_level", 2) # Set log_level to 2
# Allow no more than 1 contacts per AOR
modparam("registrar", "max_contacts", 3)
# ------------------------- request routing logic -------------------
# main routing logic
route{
if (!mf_process_maxfwd_header("10"))
{
sl_send_reply("483","Too Many Hops");
exit;
};
if (msg:len >= 2048 )
{
sl_send_reply("513", "Message too big");
exit;
};
# < Acconting >
if (method=="INVITE")
{
log(1, "Generate call - START\n");
setflag(1); /* set for accounting (the same value as in
log_flag!) */
setflag(2);
};
if (method=="BYE")
{
log (1, "Hung-up \n");
setflag(1);
};
if (method=="CANCEL")
{
log (1, "Lost call \n");
setflag(1);
}
if (!method=="REGISTER")
record_route();
if (nat_uac_test("3"))
{
# Allow RR-ed requests, as these may indicate that
# a NAT-enabled proxy takes care of it; unless it is
# a REGISTER
if (method == "REGISTER" || !
search("^Record-Route:"))
{
log(1,"LOG: Someone trying to register from private IP,
rewriting\n");
# This will work only for user agents that support
symmetric
# communication. We tested quite many of them and
majority is
# smart enough to be symmetric. In some phones it takes
a configuration
# option. With Cisco 7960, it is called NAT_Enable=Yes,
with kphone it is
# called "symmetric media" and "symmetric
signalling".
fix_nated_contact(); # Rewrite contact with source IP of
signalling
force_rport(); # Add rport parameter to topmost
Via
setflag(6); # Mark as NATed
};
};
# subsequent messages withing a dialog should take the
# path determined by record-routing
if (loose_route())
{
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
route(1);
};
if (!uri==myself)
{
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
route(1);
};
# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri==myself)
{
if (method=="REGISTER")
{
# Uncomment this if you want to use digest authentication
if (!www_authorize("xxx.xxx.xxx.xxx", "subscriber"))
{
www_challenge("xxx.xxx.xxx.xxx", "0");
return;
};
save("location");
return;
};
lookup("aliases");
if (!uri==myself)
{
append_hf("P-hint: outbound alias\r\n");
route(1);
return;
};
# Router Cisco if not sip branche
log(1,"LOG: testando se destino-sip e' 418x ...\n");
if ( ! ( uri =~ "^sip:418[1-9].*" ) &&
! ( uri =~ "^sip:4397"))
{
log(1,"LOG: destino-sip not is 418x .\n");
route(2);
log(1,"LOG: rewriting hostport yyy.yyy.yyy.yyy:5060...\n");
rewritehostport("yyy.yyy.yyy.yyy:5060");
log(1,"LOG: t_relay...\n");
t_relay();
log(1,"LOG: break...\n");
return;
}
log(1,"LOG: destino-sip 418x, continue .\n");
# native SIP destinations are handled using our USRLOC DB
if (!lookup("location"))
{
sl_send_reply("404", "Not Found");
return;
};
};
append_hf("P-hint: usrloc applied\r\n");
route(1);
}
#######################################
route[1]
{
# !! Nathelper
if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)"
&&
!search("^Route:"))
{
sl_send_reply("479", "We don't forward to private IP
addresses");
return;
};
# if client or server know to be behind a NAT, enable relay
if (isflagset(6))
{
force_rtp_proxy();
t_on_reply("1");
append_hf("P-Behind-NAT: Yes\r\n");
};
if (!t_relay())
{
sl_reply_error();
return;
};
}
# !! Nathelper
onreply_route[1]
{
# NATed transaction ?
if (isflagset(6) && status =~ "(183)|2[0-9][0-9]")
{
fix_nated_contact();
force_rtp_proxy();
}
else if (nat_uac_test("1"))
{
fix_nated_contact();
};
}
#######################################
route[2] {
### Dial Plan for gateway VoIP ###
# Sao Paulo 11
if ( uri =~ "^sip:9911.*" )
{
log(1,"LOG: destination is 9911x, change prefix...");
strip(4);
prefix("011");
return;
}
# Error (Number inexistent)
sl_reply_error();
}
-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
Regards
Jeferson
----- Original Message -----
From: "Dan-Cristian Bogos" <dan.bogos(a)gmail.com>
To: "Jeferson Prevedello" <jprevedello(a)terra.com.br>
Cc: <users(a)openser.org>
Sent: Saturday, August 25, 2007 3:06 PM
Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
Hello Jeferson,
it all depends on your openser.cfg.
If you put in there that all the INVITE-s should be authenticated, your
users will not be able anymore to call without having a valid user and
password for your server. Note that by default openser will not do any
check for you, in order to keep the flexibility of be used in
different environment setups.
Cheers,
DanB
On 8/25/07, Jeferson Prevedello <jprevedello(a)terra.com.br> wrote:
> Hello,
>
> I implemented an environment using to openser + mysql. The enviroment
> functions perfectly, however I perceived that users (branches) not
> registered in mysql are generating called.
>
> I installed the X-lite softphone in my computer trying to reproduce the
> situation.
>
> In the properties of configuration of the X-lite, "field Password" I type
> "trash" as password (wrong password).
>
> The display of X-lite showed the following message: "Registration error:
> 401
> - Unauthorized".
>
> In the contacts drawer I add a contact (double click on the new contact),
> and the call was generate without restriction (very bad).
>
> Some idea of as I solve this problem?
>
> Thanks
>
> Regards
> Jeferson
>
> _______________________________________________
> Users mailing list
> Users(a)openser.org
>
http://openser.org/cgi-bin/mailman/listinfo/users
>
>
>
_______________________________________________
Users mailing list
Users(a)openser.org