Hi, I have this problem: when I make a call from a registered endpoint to a PSTN number through a GW AS5350, I can't cancel the call and the destination keeps ringing until the timeout occurs;
this happens only when I use the "is_user_in" function before forwarding the call.
Any ideas???
ser.cfg<:::
....
if (uri==myself) {

    if (method == "REGISTER") {
        log(1, "ANALYZING REGISTER REQUEST\n");
        # to use digest authentication
        if (!www_authorize("mydomain.com.pe", "subscriber")) {
            www_challenge("mydomain.com.pe", "0");
            break;
        };
        if (!save("location")) {
            sl_reply_error();
        };
        break;
    };

    if (method == "INVITE" && src_ip!=GW_AS5350_IP) {
        log(1, "ANALYZING INVITE REQUEST\n");
        if (!proxy_authorize("mydomain.com.pe", "subscriber")) {
            proxy_challenge("mydomain.com.pe", "0");
            break;
        } else if (is_user_in("credentials", "deactivated")) {
            sl_send_reply("402", "Su cuenta fue desactivada");
            break;
        };
    };

    /* ***************** Dial out to Local and PSTN logic ****************** */

    # forward n digit requests to gateway AS5350 (mobile phones)
    if(uri=~"^sip:9"){
        log(1," digit expression match - Celulares");
        if (!is_user_in("credentials", "mobile")) {
            sl_send_reply("403", "No permission for mobile calls");
            break;
        };
        rewritehostport("GW_AS5350_IP:5060");
        route(1); ## to NatHelper l...
        break;
    };

    # Forward calls to 6607+ to Asterisk OH323 Module gk's
    if(uri=~"^sip:6607[0-9][0-9][0-9]*@(mydomain\.com\.pe)"){
        rewritehostport("Asterisk-IP:5060");
        log(1,"digit expression match - Local (oH323)");
        route(2);
        break;
    };
    .....
    .
    .
    .
Hi Rafael,
the cancelling doesn't work because you process the INVITEs and CANCELs in different ways, and because of this the CANCEL cannot follow the same path as the INVITE. As CANCEL is not authenticated (and it should not be), the is_user_in("credentials", "mobile") will fail for CANCELs and you will reply with "403 No permission for mobile calls". Either replace "credentials" with "from", or skip this test for CANCELs.
Best regards, Marian
Marian, thanks a lot again; it works with uri "from" instead of "credentials". I also changed my script to challenge all non-REGISTER messages just to ensure CANCELs and INVITEs follow the same path; is that correct? (...according to Jan, "auth module will never challenge ACKs and CANCELs, it will always return that the authentication was successful"). By the way, is there any security disadvantage in using "from" instead of "credentials"?
best regards rafael
PS: that's my new register and non-register auth method:

if (method == "REGISTER") {
    log(1, "ANALYZING REGISTER REQUEST\n");
    if (is_user_in("Request-URI", "deactivated")) {
        sl_send_reply("402", "Su cuenta fue desactivada");
        break;
    };
    ### digest authentication
    if (!www_authorize("mydomain.com.pe", "subscriber")) {
        www_challenge("mydomain.com.pe", "0");
        break;
    };
    if (!save("location")) {
        sl_reply_error();
    };
    break;
};

if (!method == "REGISTER" && src_ip!=GW_AS5350_IP) {
    log(1, "ANALYZING INVITE||CANCEL... REQUESTs\n");
    if (!proxy_authorize("mydomain.com.pe", "subscriber")) {
        proxy_challenge("mydomain.com.pe", "1");
        break;
    };

    /* ***************** Dial out to Local and PSTN logic ****************** */

    # forward n digit requests to gateway AS5350 (mobile phones)
    if(uri=~"^sip:9"){
        log(1," digit expression match - Celulares");
        if (!is_user_in("from", "mobile")) {
            sl_send_reply("403", "No permission for mobile calls");
            break;
        };
        rewritehostport("GW_AS5350_IP:5060");
        route(1); ##Nathelper
        break;
    };

};
......
.
.
.
On Sat, 26 Mar 2005 23:55:28 +0100, Marian Dumitru marian.dumitru@voice-sistem.ro wrote:
> Hi Rafael,
> the cancelling doesn't work because you process the INVITEs and CANCELs in different ways, and because of this the CANCEL cannot follow the same path as the INVITE. As CANCEL is not authenticated (and it should not be), the is_user_in("credentials", "mobile") will fail for CANCELs and you will reply with "403 No permission for mobile calls". Either replace "credentials" with "from", or skip this test for CANCELs.
> Best regards, Marian
-- Voice System http://www.voice-system.ro
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
Hi Rafael,
You shouldn't authenticate requests within the dialog (with to_tag), but only the initial requests (which create the dialog).
To be sure "from" is the same as "credentials", call check_from() after authentication was confirmed - this way, further in your script, you can check "from" with the same confidence as for "credentials".
Best regards, Marian
-- Voice System http://www.voice-system.ro
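An added example, not part of any post in this thread: a small Python model of the routing decision for the "^sip:9" branch, comparing the original script, the "from"-only change, and "from" combined with check_from(). The user names, group table and function names are constructed for illustration; it models the behaviour described in the thread, not SER's own code.

```python
from dataclasses import dataclass
from typing import Optional

GROUPS = {"alice": {"mobile"}, "bob": set()}  # constructed group table

@dataclass
class Request:
    method: str
    from_user: str                    # user part of the From URI
    auth_user: Optional[str] = None   # digest username; None = no credentials

def authorized(req):
    # As quoted in the thread: ACK and CANCEL are never challenged and the
    # auth check reports success for them although they carry no credentials.
    return req.method in ("ACK", "CANCEL") or req.auth_user is not None

def route_pstn(req, group_source, use_check_from):
    """Return "FORWARD" or the reply code sent for a ^sip:9 request."""
    if not authorized(req):
        return 407
    # check_from(): the From user must match the authenticated digest user.
    if use_check_from and req.method == "INVITE" and req.from_user != req.auth_user:
        return 403
    user = req.auth_user if group_source == "credentials" else req.from_user
    if "mobile" not in GROUPS.get(user, set()):
        return 403  # "No permission for mobile calls"
    return "FORWARD"

SAMPLES = {  # constructed requests
    "invite": Request("INVITE", "alice", "alice"),
    "cancel": Request("CANCEL", "alice"),        # same caller, no credentials
    "spoof": Request("INVITE", "alice", "bob"),  # bob's login, alice's From
}
POLICIES = {
    "credentials": ("credentials", False),  # original script
    "from": ("from", False),                # first fix
    "from+check_from": ("from", True),      # with check_from() after auth
}

def compare():
    return {name: {k: route_pstn(r, *p) for k, r in SAMPLES.items()}
            for name, p in POLICIES.items()}

if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:16} {row}")
```

The "from" row forwards the mismatched INVITE because the group lookup trusts a header the sender chooses; adding check_from() after authentication turns that case into a 403 while the CANCEL still passes.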
That's great; below you can see the changes, which work perfectly using check_to and check_from... Now I am planning to handle all these security issues using the radius modules, and I found 2 problems:
1.- I have been able to authenticate and register users, but when I use radius_is_user_in I don't know which attribute to use for Request-URI to verify whether it belongs to the group "deactivated" in the REGISTER process, or to verify whether the user is in the "voicemail" group; same problem checking "from" or "credentials"
...This is an example in freeradius user file:
6609876@10.0.1.22 Auth-Type := Digest, User-Password == "9876"
2.- There is no "check_to" or "check_from" functions in uri_radius module... Is there any other way to do this using radius?
regards Rafael
PS: config:

if (method == "REGISTER") {
    log(1, "ANALYZING REGISTER REQUEST\n");
    # to use digest authentication
    if (is_user_in("Request-URI", "deactivated")) {
        sl_send_reply("402", "Su cuenta fue desactivada");
        break;
    };

    if (!www_authorize("mydomain.com.pe", "subscriber")) {
        www_challenge("mydomain.com.pe", "0");
        break;
    };

    # only registered users are allowed
    if (!check_to()) {
        log(1, "LOG: Hijack!!!--> unregistered user registration attempt\n");
        sl_send_reply("403", "hijack attempt!!!! Only registered users are allowed");
        break;
    };
    log(1," Registered!!! \n");
    if (!save("location")) {
        sl_reply_error();
    };
    break;
};

# parentheses added: && binds tighter than ||, so without them the
# src_ip test applied only to ACK
if ((method == "INVITE" || method== "CANCEL" || method== "ACK") && src_ip!=GW_IP ) {
    log(1, "ANALYZING INVITE||CANCEL REQUESTs\n");
    if (!proxy_authorize("mydomain.com.pe", "subscriber")) {
        proxy_challenge("mydomain.com.pe", "1");
        break;
    } else {
        if (method == "INVITE" && !check_from()) {
            sl_send_reply("403", "Only registered users are allowed");
            break;
        };
    };

    /* *********** Dial out to Local and PSTN logic ********* */

    # Forward n digit requests to gateway AS5350 (mobile phones)
    if(uri=~"^sip:9" ){
        log(1," digit expression match - Celulares\n");
        if (!is_user_in("from", "mobile")) {
            sl_send_reply("403", "No permission for mobile calls");
            break;
        };
        rewritehostport("GW_IP:5060");
        route(1); ## to nathelper...
        break;
    };
};
Rafael J. Risco G.V.