Hello,
I implemented an environment using openser + mysql. The environment functions perfectly; however, I perceived that users (branches) not registered in mysql are generating calls.
I installed the X-lite softphone on my computer to try to reproduce the situation. In the X-lite configuration properties, in the "Password" field I typed "trash" as the password (a wrong password).
The display of X-lite showed the following message: "Registration error: 401 - Unauthorized".
In the contacts drawer I added a contact (double-clicked on the new contact), and the call was generated without restriction (very bad).
Any idea how I can solve this problem?
Thanks
Regards, Jeferson
Hello Jeferson,
it all depends on your openser.cfg. If you put in there that all the INVITEs should be authenticated, your users will no longer be able to call without having a valid user and password for your server. Note that by default openser will not do any check for you, in order to keep the flexibility of being used in different environment setups.
Cheers, DanB
On 8/25/07, Jeferson Prevedello jprevedello@terra.com.br wrote:
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
Hello DanB,
Thanks!
As per DanB's suggestion, I tried to implement a mechanism that only allows authenticated members to make calls, but my configuration didn't work.
This is my first project with openser, so I do not have much experience. If someone knows how to help me implement this verification, I will be very thankful.
Below is my openser.cfg file:
-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
# ----------- global configuration parameters ------------------------
debug=3
fork=yes
log_stderror=no
log_facility=LOG_LOCAL7

# hostname matching an alias will satisfy the condition uri==myself
alias=xxx.xxx.xxx.xxx
listen=udp:xxx.xxx.xxx.xxx:5060

# check_via - Turn on or off Via host checking when forwarding replies.
# Default is no. arcane. looks for discrepancy between name and ip address when forwarding replies.
check_via=yes
# syn_branch - Shall the server use stateful synonym branches? It is faster but not reboot-safe. Default is yes.
syn_branch=yes
# dns - Uses dns to check if it is necessary to add a "received=" field to a via. Default is no.
# rev_dns - Same as dns but use reverse DNS.
dns=no
rev_dns=no
port=5060
children=4
# memlog - Debugging level for final memory statistics report. Default is L_DBG -- memory statistics are dumped only if debug is set high.
memlog=3
# sip_warning - Should replies include extensive warnings? By default yes, it is good for trouble-shooting.
sip_warning=yes
# fifo - FIFO special file pathname
fifo="/tmp/openser_fifo"
# reply_to_via - A hint to reply modules whether they should send reply to IP advertised in Via. Turned off by default, which means that replies are sent to IP address from which requests came.
reply_to_via=no
# mhomed -- enable calculation of outbound interface; useful on multihomed servers.
mhomed=0

# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
loadmodule "/usr/lib/openser/modules/mysql.so"
loadmodule "/usr/lib/openser/modules/sl.so"
loadmodule "/usr/lib/openser/modules/tm.so"
loadmodule "/usr/lib/openser/modules/rr.so"
loadmodule "/usr/lib/openser/modules/maxfwd.so"
loadmodule "/usr/lib/openser/modules/usrloc.so"
loadmodule "/usr/lib/openser/modules/registrar.so"
loadmodule "/usr/lib/openser/modules/textops.so"
loadmodule "/usr/lib/openser/modules/nathelper.so"
loadmodule "/usr/lib/openser/modules/acc.so"
loadmodule "/usr/lib/openser/modules/xlog.so"
# Uncomment this if you want digest authentication -- mysql.so must be loaded !
loadmodule "/usr/lib/openser/modules/auth.so"
loadmodule "/usr/lib/openser/modules/auth_db.so"

# ----------------- setting module-specific parameters ---------------
# ------------- usrloc parameters
# 2 enables write-back to persistent mysql storage for speed; disable=0, write-through=1
modparam("usrloc", "db_mode", 0)
# minimize write back window - default is 60 seconds
modparam("usrloc", "timer_interval", 30)

# ------------- auth parameters
# Uncomment if you are using auth module
modparam("auth_db", "calculate_ha1", yes)
# If you set "calculate_ha1" parameter to yes (which is true in this config), uncomment also the following parameter
modparam("auth_db", "password_column", "password")

# ------------- rr parameters
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# ------------- !! Nathelper
modparam("registrar", "nat_flag", 6)
modparam("nathelper", "natping_interval", 30)   # Ping interval 30 s
modparam("nathelper", "ping_nated_only", 1)     # Ping only clients behind NAT
modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock")   # Nathelper with RTPproxy

# ------------- tm parameters
modparam("tm", "fr_timer", 12)
modparam("tm", "fr_inv_timer", 24)

# ------------- acc parameters
modparam("acc", "db_url", "mysql://openser:openserrw@localhost/openser")
modparam("acc", "db_flag", 2)
modparam("acc", "db_missed_flag", 2)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)
modparam("acc", "log_level", 2)   # Set log_level to 2

# Allow no more than 1 contacts per AOR
modparam("registrar", "max_contacts", 3)

# ------------------------- request routing logic -------------------
# main routing logic
route{
    if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); exit; };
    if (msg:len >= 2048 ) { sl_send_reply("513", "Message too big"); exit; };

    # < Accounting >
    if (method=="INVITE") {
        log(1, "Generate call - START\n");
        setflag(1); /* set for accounting (the same value as in log_flag!) */
        setflag(2);
    };
    if (method=="BYE") { log(1, "Hung-up \n"); setflag(1); };
    if (method=="CANCEL") { log(1, "Lost call \n"); setflag(1); };

    if (!method=="REGISTER") record_route();

    if (nat_uac_test("3")) {
        # Allow RR-ed requests, as these may indicate that a NAT-enabled proxy
        # takes care of it; unless it is a REGISTER
        if (method == "REGISTER" || ! search("^Record-Route:")) {
            log(1,"LOG: Someone trying to register from private IP, rewriting\n");
            # This will work only for user agents that support symmetric communication.
            # We tested quite many of them and majority is smart enough to be symmetric.
            # In some phones it takes a configuration option. With Cisco 7960, it is called
            # NAT_Enable=Yes, with kphone it is called "symmetric media" and "symmetric signalling".
            fix_nated_contact();   # Rewrite contact with source IP of signalling
            force_rport();         # Add rport parameter to topmost Via
            setflag(6);            # Mark as NATed
        };
    };

    # subsequent messages within a dialog should take the path determined by record-routing
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        route(1);
        exit;   # added: without it the request fell through and was relayed a second time below
    };

    if (!uri==myself) {
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        route(1);
        exit;   # added: same reason as above
    };

    # if the request is for other domain use UsrLoc
    # (in case it does not work, use the following command with proper names and addresses in it)
    if (uri==myself) {
        if (method=="REGISTER") {
            # Uncomment this if you want to use digest authentication
            if (!www_authorize("xxx.xxx.xxx.xxx", "subscriber")) {
                www_challenge("xxx.xxx.xxx.xxx", "0");
                return;
            };
            save("location");
            return;
        };

        lookup("aliases");
        if (!uri==myself) {
            append_hf("P-hint: outbound alias\r\n");
            route(1);
            return;
        };

        # Route to the Cisco gateway if the destination is not a SIP branch
        log(1,"LOG: testando se destino-sip e' 418x ...\n");
        if ( ! ( uri =~ "^sip:418[1-9].*" ) && ! ( uri =~ "^sip:4397")) {
            log(1,"LOG: destino-sip not is 418x .\n");
            route(2);
            log(1,"LOG: rewriting hostport yyy.yyy.yyy.yyy:5060...\n");
            rewritehostport("yyy.yyy.yyy.yyy:5060");
            log(1,"LOG: t_relay...\n");
            t_relay();
            log(1,"LOG: break...\n");
            return;
        }
        log(1,"LOG: destino-sip 418x, continue .\n");

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) { sl_send_reply("404", "Not Found"); return; };
    };
    append_hf("P-hint: usrloc applied\r\n");
    route(1);
}

#######################################
route[1] {
    # !! Nathelper
    if (uri=~"[@:](192.168.|10.|172.(1[6-9]|2[0-9]|3[0-1]).)" && !search("^Route:")) {
        sl_send_reply("479", "We don't forward to private IP addresses");
        return;
    };
    # if client or server are known to be behind a NAT, enable relay
    if (isflagset(6)) {
        force_rtp_proxy();
        t_on_reply("1");
        append_hf("P-Behind-NAT: Yes\r\n");
    };
    if (!t_relay()) { sl_reply_error(); return; };
}

# !! Nathelper
onreply_route[1] {
    # NATed transaction ?
    if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") {
        fix_nated_contact();
        force_rtp_proxy();
    } else if (nat_uac_test("1")) {
        fix_nated_contact();
    };
}

#######################################
route[2] {
    ### Dial Plan for gateway VoIP ###
    # Sao Paulo 11
    if ( uri =~ "^sip:9911.*" ) {
        log(1,"LOG: destination is 9911x, change prefix...");
        strip(4);
        prefix("011");
        return;
    }
    # Error (Number inexistent)
    sl_reply_error();
}
-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
Regards, Jeferson
----- Original Message ----- From: "Dan-Cristian Bogos" dan.bogos@gmail.com To: "Jeferson Prevedello" jprevedello@terra.com.br Cc: users@openser.org Sent: Saturday, August 25, 2007 3:06 PM Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
Hello Jeferson,
Your configuration looks a bit messy, if I were OpenSER I would also refuse it. :).
I would suggest taking a more standard configuration (you can find many examples at this location: http://openser.svn.sourceforge.net/viewvc/openser/branches/1.2/examples/) and using the 1.2 branch of the software for a start, and experimenting with it in some lab environment. It is a bit difficult as a beginner to start directly experimenting on a production configuration, perhaps written by somebody else, without understanding it. You will end up having big issues when troubleshooting in a production environment.
The tip I gave you would be really easy to implement with a block of a few lines, e.g.:
if (is_method("INVITE")) {
    if (!proxy_authorize("", "subscriber")) {
        proxy_challenge("", "0");
        exit;
    } else if (!check_from()) {
        sl_send_reply("403", "Use From=ID");
        exit;
    };
};
Documentation for you to understand those lines is here: http://www.openser.org/docs/modules/1.2.x/auth_db.html#AEN192
Usually there is a lot of documentation and howtos in the openser wiki, so I would suggest you have a glance at some titles which look close to your needs as a beginner.
http://www.openser.org/dokuwiki/doku.php
Cheers, DanB
On 8/27/07, Jeferson Prevedello jprevedello@terra.com.br wrote:
Hi Jeferson,
I agree with Dan's suggestion about finding a standard configuration to learn from. In addition, there is a web site, sipwise.com, that simplifies the process of building a configuration file.
Below is a little code that you might consider executing when an INVITE request comes in. The documentation on the openser.org web site can be used to learn exactly what the functions used below do.
if (!proxy_authorize("", "subscriber")) {
    xlog("L_INFO", "Proxy Authorization requested\n");
    proxy_challenge("", "0");
    exit;
}

#--------------------------------------------------------------------
# Check From username against digest credentials.
#--------------------------------------------------------------------
if (!check_from()) {
    xlog("L_ERR", "Unauthorized: check_from() failed\n");
    sl_send_reply("401", "Unauthorized");
    exit;
}
Regards, Norm
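DanB's and Norm's snippets placed into a main route shaped like the posted config; this is an added example, not code from either of them or from the OpenSER project. It assumes OpenSER 1.2 with the auth, auth_db and uri_db modules loaded (check_from() is provided by uri_db in that release) and reuses the placeholder realm xxx.xxx.xxx.xxx from the posted config. What it adds is the placement: after the loose_route() block, so in-dialog requests are not re-challenged, and before the `if (!uri==myself)` forwarding, so calls to outside domains are gated as well.

```openser
# ---- goes in the main route, right after the loose_route() block and
# ---- before "if (!uri==myself) { ... route(1); }" ----
# Gate every initial INVITE on digest credentials from the subscriber table.
# In-dialog requests (re-INVITE, BYE, ACK) were already handled by loose_route()
# above, and REGISTER keeps its own www_authorize() check further down.
if (is_method("INVITE")) {
    # No or wrong Proxy-Authorization: challenge with the realm we serve.
    # "xxx.xxx.xxx.xxx" is the placeholder realm from the posted config,
    # "0" means no qop, as in the other snippets in this thread.
    if (!proxy_authorize("xxx.xxx.xxx.xxx", "subscriber")) {
        xlog("L_INFO", "INVITE from $fu without valid credentials, challenging\n");
        proxy_challenge("xxx.xxx.xxx.xxx", "0");
        exit;
    };
    # Credentials are valid, but the From username must be the one that
    # authenticated (uri_db module); otherwise a subscriber could place
    # calls with the caller ID of another subscriber.
    if (!check_from()) {
        xlog("L_WARN", "INVITE from $fu with credentials of another user, rejecting\n");
        sl_send_reply("403", "Use From=ID");
        exit;
    };
    # Strip the Proxy-Authorization header before relaying so the caller's
    # digest does not travel on to the next hop or the called party.
    consume_credentials();
};
```

Repeat the X-lite test from the first message after adding this: with the wrong password the INVITE is answered with 407 and never reaches route(1), and the two xlog lines show up in syslog under LOG_LOCAL7, which is the log_facility the posted config uses.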
Dan-Cristian Bogos wrote:
Hi Norm,
Thanks!! :o) The sipwise.com and openser.org web sites are excellent references.
Regards, Jeferson
----- Original Message ----- From: "Norman Brandinger" norm@goes.com To: "Jeferson Prevedello" jprevedello@terra.com.br Cc: users@openser.org Sent: Monday, August 27, 2007 9:00 AM Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
Hi Jeferson,
I agree with Dan's suggestion about finding a standard configuration to learn from. In addition, there is a web site, sipwise.com, that simplifies the process of building a configuration file.
Below is a little code that you might consider executing when an INVITE request comes in. The documentation on the openser.org web site can be used to learn exactly what the functions used below do.
if (!proxy_authorize("", "subscriber")) {
    xlog("L_INFO", "Proxy Authorization requested\n");
    proxy_challenge("", "0");
    exit;
}

#--------------------------------------------------------------------
# Check From username against digest credentials.
#--------------------------------------------------------------------
if (!check_from()) {
    xlog("L_ERR", "Unauthorized: check_from() failed\n");
    sl_send_reply("401", "Unauthorized");
    exit;
}
Regards, Norm
Dan-Cristian Bogos wrote:
Hello Jeferson,
Your configuration looks a bit messy, if I were OpenSER I would also refuse it. :).
I would suggest taking a more standard configuration (you can find many examples at this location: http://openser.svn.sourceforge.net/viewvc/openser/branches/1.2/examples/) and using the 1.2 branch of the software to start, and experimenting with it in some lab environment. It is a bit difficult as a beginner to start directly experimenting on a production configuration, perhaps written by somebody else, without understanding it. You will end up having big issues when troubleshooting in a production environment.
The tip I gave you would be really easy to implement with a block of a few lines, e.g.:
if (is_method("INVITE")) {
    # the closing quote on "subscriber" was missing in the original post
    if (!proxy_authorize("", "subscriber")) {
        proxy_challenge("", "0");
        exit;
    } else if (!check_from()) {
        sl_send_reply("403", "Use From=ID");
        exit;
    };
};
Documentation for you to understand those lines here: http://www.openser.org/docs/modules/1.2.x/auth_db.html#AEN192
Usually, there is a lot of documentation and howtos in the openser wiki, so I would suggest you have a glance at some titles which look close to your needs as a beginner.
http://www.openser.org/dokuwiki/doku.php
Cheers, DanB
On 8/27/07, Jeferson Prevedello jprevedello@terra.com.br wrote:
Hello DanB!!!
You are an excellent teacher... :-) Your suggestion of implementation functioned perfectly!
Thanks!
Regards
----- Original Message ----- From: "Dan-Cristian Bogos" dan.bogos@gmail.com To: "Jeferson Prevedello" jprevedello@terra.com.br Cc: users@openser.org Sent: Monday, August 27, 2007 8:35 AM Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
Hello DanB,
One more problem! :-(
I applied the following configuration in my openser.cfg:
if (method=="INVITE") {
    if (!proxy_authorize("", "subscriber")) {
        proxy_challenge("", "0");
        exit;
    }
};
I noticed that with the configuration above 'only' registered users can generate calls; however, I no longer receive calls originated from the PSTN or from any branch of the PBX. I believe these calls are denied because the source (PSTN / branches) is not registered on the openser server.
Is it possible to apply the configuration above only to calls 'originated' from openser?
Thanks!
Regards Jeferson
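The INVITE authentication block that DanB and Norm posted, combined with an exemption for the PSTN gateway so that inbound calls are not challenged, as an added example for this thread. This is an editor's illustration, not configuration from the thread or from the OpenSER project. It assumes the gateway is the host the dial plan already relays to (the placeholder yyy.yyy.yyy.yyy from the posted openser.cfg) and recognises it with the core src_ip test; replace the placeholder with the real gateway address before use.

```cfg
# Added example (not from the thread): authenticate INVITEs from SIP
# endpoints, but let the PSTN gateway pass without digest credentials.
# yyy.yyy.yyy.yyy is a placeholder, assumed to be the gateway that the
# dial plan in route[2] relays to; use the real address here.
if (is_method("INVITE")) {
    if (src_ip == yyy.yyy.yyy.yyy) {
        # Inbound call from the gateway: it has no row in the subscriber
        # table, so it could never answer a 407 challenge. It is trusted by
        # source address only, so keep this list to the gateway itself and
        # keep the gateway reachable only from the proxy.
        xlog("L_INFO", "INVITE from PSTN gateway, skipping digest auth\n");
    } else {
        # Every other INVITE must carry valid digest credentials; a phone
        # with a wrong password (the X-lite test above) gets a 407 and the
        # call never reaches route(2) or the gateway.
        if (!proxy_authorize("", "subscriber")) {
            proxy_challenge("", "0");
            exit;
        };
        # Credentials are valid; now require that the From user matches the
        # authenticated username, so a valid account cannot call as another.
        if (!check_from()) {
            sl_send_reply("403", "Use From=ID");
            exit;
        };
        # Drop the Proxy-Authorization header so it is not relayed onwards.
        consume_credentials();
    };
};
```

Place the block in the main route after the loose_route() handling and before the uri==myself branch, so that it runs once for every new call regardless of whether the destination is an internal 418x branch or a PSTN number handled by route(2). Anything that should skip the challenge has to be listed explicitly by source address; everything else, registered or not, is challenged.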
----- Original Message ----- From: "Dan-Cristian Bogos" dan.bogos@gmail.com To: "Jeferson Prevedello" jprevedello@terra.com.br Cc: users@openser.org Sent: Monday, August 27, 2007 8:35 AM Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
Hello Jeferson,
Your configuration looks a bit messy, if I were OpenSER I would also refuse it. :).
I would suggest taking a more standard configuration (u can find many examples on this location: http://openser.svn.sourceforge.net/viewvc/openser/branches/1.2/examples/) and use 1.2 branch of software for start, and experiment with it into some lab environment. It is a bit difficult as a beginner to start directly experimenting on a production configuration, perhaps written by somebody else without understanding it. You will end up having big issues when troubleshooting in production environment.
The tip I gave you would be really easy to implement it with a block of few lines, eg:
if (is_method("INVITE")){ if (!proxy_authorize("", "subscriber)) { proxy_challenge("","0"); exit;
} else if (!check_from()) { sl_send_reply("403", "Use From=ID"); exit; }; };
Documentation for you to understand those lines here: http://www.openser.org/docs/modules/1.2.x/auth_db.html#AEN192
Usually, there is a loot of documentation and howtos in openser wiki, so I would suggest you having a glance on some titles which look close to your needs as a beginner.
http://www.openser.org/dokuwiki/doku.php
Cheers, DanB
On 8/27/07, Jeferson Prevedello jprevedello@terra.com.br wrote:
Hello DanB,
Thanks!
As DanB´s suggestion, I tried to implement a mechanism that only allowed authenticated members make calls, but my configuration didn´t function.
This is my first project with openser, therefore I do not have much experience. If someone know how to help me to implement this verification, I will be very thankful.
Below, my openser.cfg file:
-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
# ----------- global configuration parameters ------------------------
debug=3 fork=yes log_stderror=no log_facility=LOG_LOCAL7
# hostname matching an alias will satisfy the condition uri==myself". alias=xxx.xxx.xxx.xxx listen=udp:xxx.xxx.xxx.xxx:5060
# check_via - Turn on or off Via host checking when forwarding replies. # Default is no. arcane. looks for discrepancy between name and # ip address when forwarding replies. check_via=yes
# syn_branch - Shall the server use stateful synonym branches? It is # faster but not reboot-safe. Default is yes. syn_branch=yes
# dns - Uses dns to check if it is necessary to add a "received=" field # to a via. Default is no. # rev_dns - Same as dns but use reverse DNS. dns=no rev_dns=no port=5060 children=4
# memlog - Debugging level for final memory statistics report. Default # is L_DBG -- memory statistics are dumped only if debug is set high. memlog=3
# sip_warning - Should replies include extensive warnings? By default # yes, it is good for trouble-shooting. sip_warning=yes
# fifo - FIFO special file pathname fifo="/tmp/openser_fifo"
# reply_to_via - A hint to reply modules whether they should send reply # to IP advertised in Via. Turned off by default, which means that # replies are sent to IP address from which requests came. reply_to_via=no
# mhomed -- enable calculation of outbound interface; useful on # multihomed servers. mhomed=0
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database loadmodule "/usr/lib/openser/modules/mysql.so" loadmodule "/usr/lib/openser/modules/sl.so" loadmodule "/usr/lib/openser/modules/tm.so" loadmodule "/usr/lib/openser/modules/rr.so" loadmodule "/usr/lib/openser/modules/maxfwd.so" loadmodule "/usr/lib/openser/modules/usrloc.so" loadmodule "/usr/lib/openser/modules/registrar.so" loadmodule "/usr/lib/openser/modules/textops.so" loadmodule "/usr/lib/openser/modules/nathelper.so" loadmodule "/usr/lib/openser/modules/acc.so" loadmodule "/usr/lib/openser/modules/xlog.so"
# Uncomment this if you want digest authentication # mysql.so must be loaded ! loadmodule "/usr/lib/openser/modules/auth.so" loadmodule "/usr/lib/openser/modules/auth_db.so"
# ----------------- setting module-specific parameters ---------------
# ------------- usrloc parameters
# 2 enables write-back to persistent mysql storage for speed # disable=0, write-through=1 modparam("usrloc", "db_mode", 0)
# minimize write back window - default is 60 seconds modparam("usrloc", "timer_interval", 30)
# ------------- auth parameters
# Uncomment if you are using auth module modparam("auth_db", "calculate_ha1", yes)
# If you set "calculate_ha1" parameter to yes (which true in this config), # uncomment also the following parameter) modparam("auth_db", "password_column", "password")
# ------------- rr parameters
# add value to ;lr param to make some broken UAs happy modparam("rr", "enable_full_lr", 1)
# ------------- !! Nathelper
modparam("registrar", "nat_flag", 6) modparam("nathelper", "natping_interval", 30) # Ping interval 30 s modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock") # Nathelper with RTPproxy
# ------------- tm parameters
modparam("tm", "fr_timer", 12) modparam("tm", "fr_inv_timer", 24)
# ------------- acc parameters
modparam("acc", "db_url", "mysql://openser:openserrw@localhost/openser") modparam("acc", "db_flag", 2) modparam("acc", "db_missed_flag", 2) modparam("acc", "log_flag", 1) modparam("acc", "log_missed_flag", 2) modparam("acc", "log_level", 2) # Set log_level to 2
# Allow no more than 1 contacts per AOR modparam("registrar", "max_contacts", 3)
# ------------------------- request routing logic -------------------
# main routing logic
route{
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483", "Too Many Hops");
        exit;
    };
    if (msg:len >= 2048) {
        sl_send_reply("513", "Message too big");
        exit;
    };

    # <Accounting>
    if (method=="INVITE") {
        log(1, "Generate call - START\n");
        setflag(1); /* set for accounting (the same value as in log_flag!) */
        setflag(2);
    };
    if (method=="BYE") {
        log(1, "Hung-up \n");
        setflag(1);
    };
    if (method=="CANCEL") {
        log(1, "Lost call \n");
        setflag(1);
    };

    if (!method=="REGISTER") record_route();

    if (nat_uac_test("3")) {
        # Allow RR-ed requests, as these may indicate that
        # a NAT-enabled proxy takes care of it; unless it is
        # a REGISTER
        if (method == "REGISTER" || !search("^Record-Route:")) {
            log(1, "LOG: Someone trying to register from private IP, rewriting\n");
            # This will work only for user agents that support symmetric
            # communication. We tested quite many of them and the majority is
            # smart enough to be symmetric. In some phones it takes a configuration
            # option. With Cisco 7960, it is called NAT_Enable=Yes, with kphone it is
            # called "symmetric media" and "symmetric signalling".
            fix_nated_contact();  # Rewrite contact with source IP of signalling
            force_rport();        # Add rport parameter to topmost Via
            setflag(6);           # Mark as NATed
        };
    };

    # subsequent messages within a dialog should take the
    # path determined by record-routing
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        route(1);
    };

    if (!uri==myself) {
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        route(1);
    };

    # if the request is for other domain use UsrLoc
    # (in case it does not work, use the following command
    # with proper names and addresses in it)
    if (uri==myself) {
        if (method=="REGISTER") {
            # Uncomment this if you want to use digest authentication
            if (!www_authorize("xxx.xxx.xxx.xxx", "subscriber")) {
                www_challenge("xxx.xxx.xxx.xxx", "0");
                return;
            };
            save("location");
            return;
        };

        lookup("aliases");
        if (!uri==myself) {
            append_hf("P-hint: outbound alias\r\n");
            route(1);
            return;
        };

        # Route to the Cisco gateway if the destination is not a SIP branch
        log(1, "LOG: testando se destino-sip e' 418x ...\n");
        if (!(uri =~ "^sip:418[1-9].*") && !(uri =~ "^sip:4397")) {
            log(1, "LOG: destino-sip not is 418x .\n");
            route(2);
            log(1, "LOG: rewriting hostport yyy.yyy.yyy.yyy:5060...\n");
            rewritehostport("yyy.yyy.yyy.yyy:5060");
            log(1, "LOG: t_relay...\n");
            t_relay();
            log(1, "LOG: break...\n");
            return;
        }
        log(1, "LOG: destino-sip 418x, continue .\n");

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            sl_send_reply("404", "Not Found");
            return;
        };
    };
    append_hf("P-hint: usrloc applied\r\n");
    route(1);
}

#######################################
route[1] {
    # !! Nathelper
    if (uri=~"[@:](192.168.|10.|172.(1[6-9]|2[0-9]|3[0-1]).)" && !search("^Route:")) {
        sl_send_reply("479", "We don't forward to private IP addresses");
        return;
    };

    # if client or server is known to be behind a NAT, enable relay
    if (isflagset(6)) {
        force_rtp_proxy();
        t_on_reply("1");
        append_hf("P-Behind-NAT: Yes\r\n");
    };

    if (!t_relay()) {
        sl_reply_error();
        return;
    };
}

# !! Nathelper
onreply_route[1] {
    # NATed transaction ?
    if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") {
        fix_nated_contact();
        force_rtp_proxy();
    } else if (nat_uac_test("1")) {
        fix_nated_contact();
    };
}

#######################################
route[2] {
    ### Dial Plan for gateway VoIP ###
    # Sao Paulo 11
    if (uri =~ "^sip:9911.*") {
        log(1, "LOG: destination is 9911x, change prefix...");
        strip(4);
        prefix("011");
        return;
    }
    # Error (number does not exist)
    sl_reply_error();
}
-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
Regards Jeferson
----- Original Message ----- From: "Dan-Cristian Bogos" dan.bogos@gmail.com To: "Jeferson Prevedello" jprevedello@terra.com.br Cc: users@openser.org Sent: Saturday, August 25, 2007 3:06 PM Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
Hello Jeferson,
it all depends on your openser.cfg. If you put in there that all the INVITE-s should be authenticated, your users will not be able to call anymore without having a valid user and password for your server. Note that by default openser will not do any check for you, in order to keep the flexibility of being used in different environment setups.
Cheers, DanB
On 8/25/07, Jeferson Prevedello jprevedello@terra.com.br wrote:
Hello,
I implemented an environment using openser + mysql. The environment functions perfectly, however I perceived that users (branches) not registered in mysql are generating calls.
I installed the X-lite softphone in my computer trying to reproduce the situation.
In the configuration properties of the X-lite, in the "Password" field I typed "trash" as password (wrong password).
The display of X-lite showed the following message: "Registration error: 401 - Unauthorized".
In the contacts drawer I added a contact (double click on the new contact), and the call was generated without restriction (very bad).
Any idea how I solve this problem?
Thanks
Regards Jeferson
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
Jeferson,
you can use the permissions module to check whether the originator's IP is trusted.
So your code will become:
if (!allow_trusted()) {
    if (method=="INVITE") {
        if (!proxy_authorize("", "subscriber")) {
            proxy_challenge("", "0");
            exit;
        }
    };
};
Documentation provided here: http://www.openser.org/docs/modules/1.2.x/permissions.html#AEN492
Make sure you configure your permission db settings and reload your trusted table each time from the database into memory.
Cheers, DanB
On 8/27/07, Jeferson Prevedello jprevedello@terra.com.br wrote:
Hello DanB,
One more problem! :-(
I applied the following configuration in my openser.cfg:
if (method=="INVITE") {
    if (!proxy_authorize("", "subscriber")) {
        proxy_challenge("", "0");
        exit;
    }
};
I perceived that with the configuration above 'only' registered users can generate calls, however I no longer receive calls originated through the PSTN or from any branch of the PBX. I believe these calls are denied because the source (PSTN - branches) is not registering in the openser server.
Is it possible to apply the configuration above only to calls 'originated' from openser?
Thanks !
Regards Jeferson
----- Original Message ----- From: "Dan-Cristian Bogos" dan.bogos@gmail.com To: "Jeferson Prevedello" jprevedello@terra.com.br Cc: users@openser.org Sent: Monday, August 27, 2007 8:35 AM Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
Hello Jeferson,
Your configuration looks a bit messy, if I were OpenSER I would also refuse it. :).
I would suggest taking a more standard configuration (you can find many examples at this location: http://openser.svn.sourceforge.net/viewvc/openser/branches/1.2/examples/) and using the 1.2 branch of the software for a start, and experimenting with it in some lab environment. It is a bit difficult as a beginner to start directly experimenting on a production configuration, perhaps written by somebody else, without understanding it. You will end up having big issues when troubleshooting in a production environment.
The tip I gave you would be really easy to implement with a block of a few lines, e.g.:
if (is_method("INVITE")) {
    if (!proxy_authorize("", "subscriber")) {
        proxy_challenge("", "0");
        exit;
    } else if (!check_from()) {
        sl_send_reply("403", "Use From=ID");
        exit;
    };
};
Documentation for you to understand those lines here: http://www.openser.org/docs/modules/1.2.x/auth_db.html#AEN192
Usually, there is a lot of documentation and howtos in the openser wiki, so I would suggest you have a glance at some titles which look close to your needs as a beginner.
http://www.openser.org/dokuwiki/doku.php
Cheers, DanB
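The two suggestions DanB gives in this thread (exempt trusted gateway IPs with allow_trusted(), then Digest-challenge every other INVITE and make sure the From header matches the authenticated user) fit together into one block. The following openser.cfg fragment is an added example written for this thread, not configuration posted by DanB, Jeferson or the OpenSER project; the module path, the database URL, the route number 3 and the log texts are assumptions, and the database rows for the gateway are described in the note below rather than shown.

```cfg
# Added example (not from the thread): authorize INVITEs, but let the
# PSTN gateway / PBX in without a Digest challenge.
# Path and db_url are placeholders; adjust to the local install.
loadmodule "/usr/lib/openser/modules/permissions.so"

# permissions keeps the "trusted" table from this database in memory;
# the gateway's source IP goes into that table, nothing else does.
modparam("permissions", "db_url", "mysql://openser:openserrw@localhost/openser")

# Call this as route(3) from the main route before lookup("location")
# (route number 3 is assumed to be unused in the rest of the file).
route[3] {
    if (!is_method("INVITE")) {
        return;
    };

    if (allow_trusted()) {
        # Source IP matched a row of the trusted table: the PSTN
        # gateway or the PBX. These peers never register, so they
        # are accepted on address, not on credentials.
        log(1, "LOG: INVITE from trusted peer, no challenge\n");
        return;
    };

    # Everything else (softphones, unknown hosts) must present
    # valid Digest credentials from the subscriber table; empty
    # realm as in DanB's snippet.
    if (!proxy_authorize("", "subscriber")) {
        proxy_challenge("", "0");
        exit;
    };

    # Credentials are valid, but the From header must carry the
    # authenticated username; otherwise a valid account could place
    # calls that bill or display as another subscriber.
    if (!check_from()) {
        sl_send_reply("403", "Use From=ID");
        exit;
    };

    # Credentials have been verified; strip them so the next hop
    # does not see the Proxy-Authorization header.
    consume_credentials();
}
```

Two things to check before relying on this: the trusted table is read into memory at startup, so after inserting the gateway's row (src_ip, proto and, if wanted, a from_pattern regex; column names as I recall them from the 1.2 permissions docs, not verified here) the module's trusted_reload FIFO command has to be issued, exactly as DanB notes; and check_from() is exported by a separate module in the 1.2 tree (uri, as far as I recall), which must be loaded alongside auth and auth_db or the configuration will not parse. A trusted entry keyed on IP alone is only as strong as the network in front of the proxy, so keep the table to the gateway addresses that really need it and watch for INVITEs accepted via the "trusted peer" log line from any other source.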
Hi DanB,
Perfect !!!!! :-))) Thank you very much !
Cheers, Jeferson
Hi Jeferson,
Please post your configuration to the "users" list only so that someone might attempt to assist you.
Please only post to the development list issues of a developmental nature.
Regards, Norm