26 Mar
2005
26 Mar
'05
10:06 p.m.
HI
I have this problem when I made a call from a registered endpoint to a
PSTN number through a GW AS5350 I can´t cancel this call and
destination keeps ringing until timeout occur;
this happen only when I use "is_user_in" function before to forward the call.
some idea???
ser.cfg<:::
....
if (uri==myself) {
if (method == "REGISTER") {
log(1, "ANALYZING REGISTER REQUEST\n");
# to use digest authentication
if (!www_authorize("mydomain.com.pe",
"subscriber")) {
www_challenge("mydomain.com.pe",
"0");
break;
};
if (!save("location")) {
sl_reply_error();
};
break;
};
if (method == "INVITE" && src_ip!=GW_AS5350_IP) {
log(1, "ANALYZING INVITE REQUEST\n");
if (!proxy_authorize("mydomain.com.pe",
"subscriber")) {
proxy_challenge("mydomain.com.pe",
"0");
break;
} else if (is_user_in("credentials",
"deactivated")) {
sl_send_reply("402", "Su
cuenta fue desactivada");
break;
};
};
/* ***************** Dial out to Local and PSTN logic
****************** */
# forward n digit requests to gateway AS5350 (Celulares)
if(uri=~"^sip:9"){
log(1," digit expression match - Celulares");
if (!is_user_in("credentials", "mobile")) {
sl_send_reply("403", "No permission
for mobile calls");
break;
};
rewritehostport("GW_AS5350_IP:5060");
route(1); ## to NatHelper l...
break;
};
# Forward calls to 6607+ to Asterisk OH323 Module gk´s
if(uri=~"^sip:6607[0-9][0-9][0-9]*@(mydomain\.com\.pe)"){
rewritehostport("Asterisk-IP:5060");
log(1,"digit expression match - Local (oH323)");
route(2);
break;
};
.....
.
.
.
--
rrgv
26 Mar
26 Mar
11:55 p.m.
Hi Rafael,
the cancelling doesn't work because you process the INVITEs and CANCELs
in different way and because of this the CANCEL cannot follow the same
path as the INVITE.
As CANCEL is not authenticate (and it should not be), the
is_user_in("credentials", "mobile") will fail for CANCELs and you will
reply with "403 No permission for mobile calls".
Either replace "credential" with "from", either skip this test for
CANCELS.
Best regards,
Marian
Rafael J. Risco G.V. wrote:
HI
I have this problem when I made a call from a registered endpoint to a
PSTN number through a GW AS5350 I can´t cancel this call and
destination keeps ringing until timeout occur;
this happen only when I use "is_user_in" function before to forward the call.
some idea???
ser.cfg<:::
....
if (uri==myself) {
if (method == "REGISTER") {
log(1, "ANALYZING REGISTER REQUEST\n");
# to use digest authentication
if (!www_authorize("mydomain.com.pe",
"subscriber")) {
www_challenge("mydomain.com.pe",
"0");
break;
};
if (!save("location")) {
sl_reply_error();
};
break;
};
if (method == "INVITE" && src_ip!=GW_AS5350_IP) {
log(1, "ANALYZING INVITE REQUEST\n");
if (!proxy_authorize("mydomain.com.pe",
"subscriber")) {
proxy_challenge("mydomain.com.pe",
"0");
break;
} else if (is_user_in("credentials",
"deactivated")) {
sl_send_reply("402", "Su
cuenta fue desactivada");
break;
};
};
/* ***************** Dial out to Local and PSTN logic
****************** */
# forward n digit requests to gateway AS5350 (Celulares)
if(uri=~"^sip:9"){
log(1," digit expression match - Celulares");
if (!is_user_in("credentials", "mobile")) {
sl_send_reply("403", "No permission
for mobile calls");
break;
};
rewritehostport("GW_AS5350_IP:5060");
route(1); ## to NatHelper l...
break;
};
# Forward calls to 6607+ to Asterisk OH323 Module gk´s
if(uri=~"^sip:6607[0-9][0-9][0-9]*@(mydomain\.com\.pe)"){
rewritehostport("Asterisk-IP:5060");
log(1,"digit expression match - Local (oH323)");
route(2);
break;
};
.....
.
.
.
--
Voice System
http://www.voice-system.ro
27 Mar
27 Mar
3:29 a.m.
Marian
thanks a lot again, it works with uri "from" instead of "credentials"
, I also changed my script to challenge all non-register messages just
to ensure CANCELs and INVITEs follow the same path, its that correct?
(...according to Jan "auth module will never challenge ACKs and
CANCELs, it will always return that the authentication was sucessful),
by the way, is there any security disadvantage in to use "from"
instead of credentials?
best regards
rafael
PS: thats my new register and non-register auth method:
if (method == "REGISTER") {
log(1, "ANALYZING REGISTER REQUEST\n");
if (is_user_in("Request-URI", "deactivated"))
{
sl_send_reply("402", "Su cuenta fue
desactivada");
break;
};
### digest authentication
if (!www_authorize("mydomain.com.pe",
"subscriber")) {
www_challenge("mydomain.com.pe",
"0");
break;
};
if (!save("location")) {
sl_reply_error();
};
break;
};
if (!method == "REGISTER" && src_ip!=GW_AS5350_IP) {
log(1, "ANALYZING INVITE||CANCEL... REQUESTs\n");
if (!proxy_authorize("mydomain.com.pe",
"subscriber")) {
proxy_challenge("mydomain.com.pe",
"1");
break;
};
/* ***************** Dial out to Local and PSTN logic
****************** */
# forward n digit requests to gateway AS5350 (Celulares)
if(uri=~"^sip:9"){
log(1," digit expression match - Celulares");
if (!is_user_in("from", "mobile")) {
sl_send_reply("403", "No permission
for mobile calls");
break;
};
rewritehostport("GW_AS5350_IP:5060");
route(1); ##Nathelper
break;
};
};
......
.
.
.
On Sat, 26 Mar 2005 23:55:28 +0100, Marian Dumitru
<marian.dumitru(a)voice-sistem.ro> wrote:
Hi Rafael,
the cancelling doesn't work because you process the INVITEs and CANCELs
in different way and because of this the CANCEL cannot follow the same
path as the INVITE.
As CANCEL is not authenticate (and it should not be), the
is_user_in("credentials", "mobile") will fail for CANCELs and you
will
reply with "403 No permission for mobile calls".
Either replace "credential" with "from", either skip this test for
CANCELS.
Best regards,
Marian
Rafael J. Risco G.V. wrote:
--
rrgv
HI
I have this problem when I made a call from a registered endpoint to a
PSTN number through a GW AS5350 I can´t cancel this call and
destination keeps ringing until timeout occur;
this happen only when I use "is_user_in" function before to forward the call.
some idea???
ser.cfg<:::
....
if (uri==myself) {
if (method == "REGISTER") {
log(1, "ANALYZING REGISTER REQUEST\n");
# to use digest authentication
if (!www_authorize("mydomain.com.pe",
"subscriber")) {
www_challenge("mydomain.com.pe",
"0");
break;
};
if (!save("location")) {
sl_reply_error();
};
break;
};
if (method == "INVITE" && src_ip!=GW_AS5350_IP) {
log(1, "ANALYZING INVITE REQUEST\n");
if (!proxy_authorize("mydomain.com.pe",
"subscriber")) {
proxy_challenge("mydomain.com.pe",
"0");
break;
} else if (is_user_in("credentials",
"deactivated")) {
sl_send_reply("402", "Su
cuenta fue desactivada");
break;
};
};
/* ***************** Dial out to Local and PSTN logic
****************** */
# forward n digit requests to gateway AS5350 (Celulares)
if(uri=~"^sip:9"){
log(1," digit expression match - Celulares");
if (!is_user_in("credentials", "mobile")) {
sl_send_reply("403", "No permission
for mobile calls");
break;
};
rewritehostport("GW_AS5350_IP:5060");
route(1); ## to NatHelper l...
break;
};
# Forward calls to 6607+ to Asterisk OH323 Module gk´s
if(uri=~"^sip:6607[0-9][0-9][0-9]*@(mydomain\.com\.pe)"){
rewritehostport("Asterisk-IP:5060");
log(1,"digit expression match - Local (oH323)");
route(2);
break;
};
.....
.
.
.
--
Voice System
http://www.voice-system.ro
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
1:01 p.m.
Hi Rafael,
You shouldn't authenticate request within the dialog (with to_tag), but
only the initial requests (which create the dialog).
To be sure "from" is the same as "credentials" call check_from() after
authentication was confirmed - this way , further in your script, you
can check "from" with the same confidence as for "credentials".
Best regards,
Marian
Rafael J. Risco G.V. wrote:
Marian
thanks a lot again, it works with uri "from" instead of
"credentials"
, I also changed my script to challenge all non-register messages just
to ensure CANCELs and INVITEs follow the same path, its that correct?
(...according to Jan "auth module will never challenge ACKs and
CANCELs, it will always return that the authentication was sucessful),
by the way, is there any security disadvantage in to use "from"
instead of credentials?
best regards
rafael
PS: thats my new register and non-register auth method:
if (method == "REGISTER") {
log(1, "ANALYZING REGISTER REQUEST\n");
if (is_user_in("Request-URI",
"deactivated")) {
sl_send_reply("402", "Su cuenta fue
desactivada");
break;
};
### digest authentication
if (!www_authorize("mydomain.com.pe",
"subscriber")) {
www_challenge("mydomain.com.pe",
"0");
break;
};
if (!save("location")) {
sl_reply_error();
};
break;
};
if (!method == "REGISTER" && src_ip!=GW_AS5350_IP) {
log(1, "ANALYZING INVITE||CANCEL... REQUESTs\n");
if (!proxy_authorize("mydomain.com.pe",
"subscriber")) {
proxy_challenge("mydomain.com.pe",
"1");
break;
};
/* ***************** Dial out to Local and PSTN logic
****************** */
# forward n digit requests to gateway AS5350 (Celulares)
if(uri=~"^sip:9"){
log(1," digit expression match - Celulares");
if (!is_user_in("from", "mobile")) {
sl_send_reply("403", "No permission
for mobile calls");
break;
};
rewritehostport("GW_AS5350_IP:5060");
route(1); ##Nathelper
break;
};
};
......
.
.
.
On Sat, 26 Mar 2005 23:55:28 +0100, Marian Dumitru
<marian.dumitru(a)voice-sistem.ro> wrote:
--
Voice System
http://www.voice-system.ro
Hi Rafael,
the cancelling doesn't work because you process the INVITEs and CANCELs
in different way and because of this the CANCEL cannot follow the same
path as the INVITE.
As CANCEL is not authenticate (and it should not be), the
is_user_in("credentials", "mobile") will fail for CANCELs and you
will
reply with "403 No permission for mobile calls".
Either replace "credential" with "from", either skip this test for
CANCELS.
Best regards,
Marian
--
Voice System
http://www.voice-system.ro
28 Mar
28 Mar
4:46 p.m.
that´s great, below you can see the changes that works perfect using
check_to and check_from... now I am planning to do all this security
issues using radius modules and I found 2 problems:
1.- I have been able to authenticate and register users but when use
radius_is_user_in I don´t known what attribute to use for Request-URI
to verify if it belongs to a group "deactivated" in Register process
or verify if user is in "voicemail" group, same problem checking
"from" or "credentials"
...This is an example in freeradius user file:
6609876(a)10.0.1.22 Auth-Type := Digest, User-Password == "9876"
2.- There is no "check_to" or "check_from" functions in uri_radius
module... Is there any other way to do this using radius?
regards
Rafael
PS: config:
if (method == "REGISTER") {
log(1, "ANALYZING REGISTER REQUEST\n");
# to use digest authentication
if (is_user_in("Request-URI", "deactivated"))
{
sl_send_reply("402", "Su cuenta fue
desactivada");
break;
};
if (!www_authorize("mydomain.com.pe",
"subscriber")) {
www_challenge("mydomain.com.pe",
"0");
break;
};
# only registered users are allowed
if (!check_to()) {
log(1, "LOG: Hijack!!!--> unregistered
user registration attempt\n");
sl_send_reply("403", "hijack
attempt!!!! Only registered users are allowed");
break;
};
log(1," Registered!!! \n");
if (!save("location")) {
sl_reply_error();
};
break;
};
if (method == "INVITE" || method== "CANCEL" ||
method== "ACK" && src_ip!=GW_IP ) {
log(1, "ANALYZING INVITE||CANCEL REQUESTs\n");
if (!proxy_authorize("mydomain.com.pe",
"subscriber")) {
proxy_challenge("mydomain.com.pe",
"1");
break;
} else {
if (method == "INVITE" && !check_from()) {
sl_send_reply("403", "Only registered
users are allowed");
break;
};
};
/* *********** Dial out to Local and PSTN
logic ********* */
# Forward n digit requests to gateway AS5350 (Celulares)
if(uri=~"^sip:9" ){
log(1," digit expression match - Celulares\n");
if (!is_user_in("from", "mobile")) {
sl_send_reply("403", "No
permission for mobile calls");
break;
};
rewritehostport("GW_IP:5060");
route(1); ## to nathelper...
break;
};
};
Rafael J. Risco G.V.
7186
days inactive
7188
days old
4 comments
2 participants
participants (2)
-
Marian Dumitru -
Rafael J. Risco G.V.