On Wed, Nov 12, 2008 at 12:59:35PM +0100, inge wrote:
> Hi all,
> I look for a workaround to use a white list in addition to the
> authentication process, based on User-Agent (i.e. for example: deny
> "Asterisk IPBX" permit "Cisco IPhone...")

There is an (unofficial) check_ua module added as a patch in the FreeBSD port,
which works exactly as an 'additional UA check'.

Setup is not too complicated: you must create and populate some table
in your database. In my example, the DB is PostgreSQL; the exact create/populate
commands are the following:

    CREATE TABLE check_ua (
        rexx VARCHAR(256) NOT NULL UNIQUE,
        flag INTEGER NOT NULL DEFAULT(0)
    );
    -- main goal is to disallow user-agents with invalid symbols:
    INSERT INTO check_ua VALUES('^[0-9A-Za-z/.() _-]{1,64}$',1);
    -- in your case it should be something like
    INSERT INTO check_ua VALUES('^Cisco IP Phone.*',1);

Then, add to global configuration:

    loadmodule "/usr/local/lib/ser/modules/check_ua.so"
    modparam("check_ua", "db_url", "postgres://<username>:<password>@<host>/<db>")
    modparam("check_ua", "db_table", "check_ua")

and somewhere in route section:

    if(!check_ua()) {
        xlog("L_ERR","Invalid UA DENIED: %fu, %is, %ua\n");
        sl_send_reply("403", "Forbidden (Invalid UA)");
        break;
    };

Voila. Until your Asterisk users find the correct User-Agent
they must use in their sip.conf, it will work... :) In my case -
protection against bad symbols - it works even with Asterisk... :)

PS: not sure whether that module can be found somewhere outside the FreeBSD port,
at least my Google skills are not enough to ...
However, both authors (Valentin Nechayev and Maxim Sobolev) read this list.
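
Added example, not part of the original message and not the check_ua module's code: a small Python model for testing which User-Agent values the two table rows above admit, alone and together. It assumes a request is allowed when any row with flag 1 matches (the module's real matching rule is not shown in this thread); the sample header values and STRICT_CISCO_ROW are constructed for illustration.

```python
import re

# (rexx, flag) rows exactly as inserted in the message above.
CHARSET_ROW = (r'^[0-9A-Za-z/.() _-]{1,64}$', 1)
CISCO_ROW = (r'^Cisco IP Phone.*', 1)
# Constructed alternative (not from the message): same prefix, but the tail
# is restricted to the safe character set and the pattern is end-anchored.
STRICT_CISCO_ROW = (r'^Cisco IP Phone[0-9A-Za-z/.() _-]{0,50}$', 1)

# Constructed User-Agent header values used as test input.
SAMPLES = [
    "Cisco IP Phone 7960",
    "Asterisk PBX",
    "Cisco IP Phone <7960>",   # allowed prefix followed by '<' and '>'
    "Asterisk PBX;1",          # ';' is outside the safe character set
    "",                        # empty header value
]


def ua_allowed(user_agent, rows):
    """ASSUMED semantics: allow when any row with flag == 1 matches."""
    if user_agent is None:
        return False
    return any(flag == 1 and re.search(rexx, user_agent) is not None
               for rexx, flag in rows)


def evaluate(rows):
    """Return {user_agent: allowed} for every constructed sample."""
    return {ua: ua_allowed(ua, rows) for ua in SAMPLES}


if __name__ == "__main__":
    tables = {
        "charset row only": [CHARSET_ROW],
        "Cisco row only": [CISCO_ROW],
        "both rows": [CHARSET_ROW, CISCO_ROW],
        "strict Cisco row only": [STRICT_CISCO_ROW],
    }
    for name, rows in tables.items():
        print(name)
        for ua, ok in evaluate(rows).items():
            print("  %-26r %s" % (ua, "allow" if ok else "deny"))
```

Under the any-match assumption, keeping both rows in one table lets "Asterisk PBX" through via the character-set row, and the open-ended `.*` in the Cisco row accepts characters the character-set row was meant to reject.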