Hi Guys,
Here in my company I have the same problem.
The solution that I adopted was to apply the proxy_authorize function and restrict all incoming calls. I use openser only for originating calls.
Any tips?
Cheers, Torri
----- Original Message ----- From: "Jeferson Prevedello" jprevedello@terra.com.br To: "Dan-Cristian Bogos" dan.bogos@gmail.com Cc: users@openser.org Sent: Monday, August 27, 2007 12:26 PM Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
Hello DanB,
One more problem! :-(
I applied the following configuration in my openser.cfg:
if (method=="INVITE") {
    if (!proxy_authorize("", "subscriber")) {
        proxy_challenge("","0");
        exit;
    }
};
I noticed that with the configuration above 'only' registered users can generate calls; however, I no longer receive calls originated through the PSTN or from any branch (extension) of the PBX. I believe these calls are denied because the source (PSTN - branches) is not registered in the openser server.
Is it possible to apply the configuration above only for calls 'originated' from openser?
Thanks !
Regards Jeferson
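One way to do what the question above asks, written here as an added example and not code from anyone in this thread: challenge INVITEs for subscriber credentials, but skip the challenge when the request comes from the trusted PSTN gateway / PBX trunk, which has no subscriber row to authenticate against. It assumes OpenSER 1.2 script syntax with the textops, auth, auth_db and xlog modules loaded (as in the posted openser.cfg), and `zzz.zzz.zzz.zzz` is a placeholder for the gateway address.

```openser
# Added example (assumes OpenSER 1.2; zzz.zzz.zzz.zzz is a placeholder
# for the PSTN gateway / PBX address, not an address from the thread).
if (is_method("INVITE")) {
    if (src_ip == zzz.zzz.zzz.zzz) {
        # Inbound call from the trusted trunk: it carries no subscriber
        # credentials, so let it through and leave an audit line.
        xlog("L_INFO", "INVITE from trusted gateway $si, auth skipped\n");
    } else {
        # Everything else (X-Lite and other user agents) must present a
        # valid Proxy-Authorization for a row in the subscriber table,
        # otherwise answer 407 and stop processing.
        if (!proxy_authorize("", "subscriber")) {
            proxy_challenge("", "0");
            exit;
        };
        # An authenticated user may still not place calls under someone
        # else's identity: the From header must match the credentials.
        if (!check_from()) {
            sl_send_reply("403", "Use From=ID");
            exit;
        };
        # The credentials are not needed by the next hop.
        consume_credentials();
    };
};
```

Put this block in the main route after the Max-Forwards and size checks and before any t_relay() call, so that every INVITE passes through it. If several trunks exist, repeat the src_ip test for each address (or use a subnet mask such as /24), and keep the unauthenticated path as narrow as the trunk addresses allow, since any host matching it can place calls without credentials.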
----- Original Message ----- From: "Dan-Cristian Bogos" dan.bogos@gmail.com To: "Jeferson Prevedello" jprevedello@terra.com.br Cc: users@openser.org Sent: Monday, August 27, 2007 8:35 AM Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
Hello Jeferson,
Your configuration looks a bit messy, if I were OpenSER I would also refuse it. :).
I would suggest taking a more standard configuration (you can find many examples at this location: http://openser.svn.sourceforge.net/viewvc/openser/branches/1.2/examples/) and using the 1.2 branch of the software for a start, and experimenting with it in some lab environment. It is a bit difficult as a beginner to start directly experimenting on a production configuration, perhaps written by somebody else, without understanding it. You will end up having big issues when troubleshooting in a production environment.
The tip I gave you would be really easy to implement with a block of a few lines, e.g.:
if (is_method("INVITE")) {
    if (!proxy_authorize("", "subscriber")) {
        proxy_challenge("","0");
        exit;
    } else if (!check_from()) {
        sl_send_reply("403", "Use From=ID");
        exit;
    };
};
Documentation for you to understand those lines is here: http://www.openser.org/docs/modules/1.2.x/auth_db.html#AEN192
Usually, there is a lot of documentation and howtos in the openser wiki, so I would suggest you have a glance at some titles which look close to your needs as a beginner.
http://www.openser.org/dokuwiki/doku.php
Cheers, DanB
On 8/27/07, Jeferson Prevedello jprevedello@terra.com.br wrote:
Hello DanB,
Thanks!
Following DanB's suggestion, I tried to implement a mechanism that only allows authenticated members to make calls, but my configuration didn't work.
This is my first project with openser, therefore I do not have much experience. If someone knows how to help me implement this verification, I will be very thankful.
Below, my openser.cfg file:
-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
# ----------- global configuration parameters ------------------------
debug=3
fork=yes
log_stderror=no
log_facility=LOG_LOCAL7

# hostname matching an alias will satisfy the condition uri==myself".
alias=xxx.xxx.xxx.xxx
listen=udp:xxx.xxx.xxx.xxx:5060

# check_via - Turn on or off Via host checking when forwarding replies.
# Default is no. arcane. looks for discrepancy between name and
# ip address when forwarding replies.
check_via=yes

# syn_branch - Shall the server use stateful synonym branches? It is
# faster but not reboot-safe. Default is yes.
syn_branch=yes

# dns - Uses dns to check if it is necessary to add a "received=" field
# to a via. Default is no.
# rev_dns - Same as dns but use reverse DNS.
dns=no
rev_dns=no
port=5060
children=4

# memlog - Debugging level for final memory statistics report. Default
# is L_DBG -- memory statistics are dumped only if debug is set high.
memlog=3

# sip_warning - Should replies include extensive warnings? By default
# yes, it is good for trouble-shooting.
sip_warning=yes

# fifo - FIFO special file pathname
fifo="/tmp/openser_fifo"

# reply_to_via - A hint to reply modules whether they should send reply
# to IP advertised in Via. Turned off by default, which means that
# replies are sent to IP address from which requests came.
reply_to_via=no

# mhomed -- enable calculation of outbound interface; useful on
# multihomed servers.
mhomed=0

# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
loadmodule "/usr/lib/openser/modules/mysql.so"
loadmodule "/usr/lib/openser/modules/sl.so"
loadmodule "/usr/lib/openser/modules/tm.so"
loadmodule "/usr/lib/openser/modules/rr.so"
loadmodule "/usr/lib/openser/modules/maxfwd.so"
loadmodule "/usr/lib/openser/modules/usrloc.so"
loadmodule "/usr/lib/openser/modules/registrar.so"
loadmodule "/usr/lib/openser/modules/textops.so"
loadmodule "/usr/lib/openser/modules/nathelper.so"
loadmodule "/usr/lib/openser/modules/acc.so"
loadmodule "/usr/lib/openser/modules/xlog.so"

# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "/usr/lib/openser/modules/auth.so"
loadmodule "/usr/lib/openser/modules/auth_db.so"

# ----------------- setting module-specific parameters ---------------
# ------------- usrloc parameters
# 2 enables write-back to persistent mysql storage for speed
# disable=0, write-through=1
modparam("usrloc", "db_mode", 0)
# minimize write back window - default is 60 seconds
modparam("usrloc", "timer_interval", 30)

# ------------- auth parameters
# Uncomment if you are using auth module
modparam("auth_db", "calculate_ha1", yes)
# If you set "calculate_ha1" parameter to yes (which true in this config),
# uncomment also the following parameter)
modparam("auth_db", "password_column", "password")

# ------------- rr parameters
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# ------------- !! Nathelper
modparam("registrar", "nat_flag", 6)
modparam("nathelper", "natping_interval", 30)   # Ping interval 30 s
modparam("nathelper", "ping_nated_only", 1)     # Ping only clients behind NAT
modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock")   # Nathelper with RTPproxy

# ------------- tm parameters
modparam("tm", "fr_timer", 12)
modparam("tm", "fr_inv_timer", 24)

# ------------- acc parameters
modparam("acc", "db_url", "mysql://openser:openserrw@localhost/openser")
modparam("acc", "db_flag", 2)
modparam("acc", "db_missed_flag", 2)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)
modparam("acc", "log_level", 2)   # Set log_level to 2

# Allow no more than 1 contacts per AOR
modparam("registrar", "max_contacts", 3)

# ------------------------- request routing logic -------------------
# main routing logic
route{
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    };
    if (msg:len >= 2048 ) {
        sl_send_reply("513", "Message too big");
        exit;
    };

    # < Acconting >
    if (method=="INVITE") {
        log(1, "Generate call - START\n");
        setflag(1);   /* set for accounting (the same value as in log_flag!) */
        setflag(2);
    };
    if (method=="BYE") {
        log (1, "Hung-up \n");
        setflag(1);
    };
    if (method=="CANCEL") {
        log (1, "Lost call \n");
        setflag(1);
    }

    if (!method=="REGISTER") record_route();

    if (nat_uac_test("3")) {
        # Allow RR-ed requests, as these may indicate that
        # a NAT-enabled proxy takes care of it; unless it is
        # a REGISTER
        if (method == "REGISTER" || !search("^Record-Route:")) {
            log(1,"LOG: Someone trying to register from private IP, rewriting\n");
            # This will work only for user agents that support symmetric
            # communication. We tested quite many of them and majority is
            # smart enough to be symmetric. In some phones it takes a configuration
            # option. With Cisco 7960, it is called NAT_Enable=Yes, with kphone it is
            # called "symmetric media" and "symmetric signalling".
            fix_nated_contact();   # Rewrite contact with source IP of signalling
            force_rport();         # Add rport parameter to topmost Via
            setflag(6);            # Mark as NATed
        };
    };

    # subsequent messages withing a dialog should take the
    # path determined by record-routing
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        route(1);
    };

    if (!uri==myself) {
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        route(1);
    };

    # if the request is for other domain use UsrLoc
    # (in case, it does not work, use the following command
    # with proper names and addresses in it)
    if (uri==myself) {
        if (method=="REGISTER") {
            # Uncomment this if you want to use digest authentication
            if (!www_authorize("xxx.xxx.xxx.xxx", "subscriber")) {
                www_challenge("xxx.xxx.xxx.xxx", "0");
                return;
            };
            save("location");
            return;
        };

        lookup("aliases");
        if (!uri==myself) {
            append_hf("P-hint: outbound alias\r\n");
            route(1);
            return;
        };

        # Router Cisco if not sip branche
        log(1,"LOG: testando se destino-sip e' 418x ...\n");
        if ( ! ( uri =~ "^sip:418[1-9].*" ) && ! ( uri =~ "^sip:4397")) {
            log(1,"LOG: destino-sip not is 418x .\n");
            route(2);
            log(1,"LOG: rewriting hostport yyy.yyy.yyy.yyy:5060...\n");
            rewritehostport("yyy.yyy.yyy.yyy:5060");
            log(1,"LOG: t_relay...\n");
            t_relay();
            log(1,"LOG: break...\n");
            return;
        }
        log(1,"LOG: destino-sip 418x, continue .\n");

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            sl_send_reply("404", "Not Found");
            return;
        };
    };
    append_hf("P-hint: usrloc applied\r\n");
    route(1);
}

#######################################
route[1] {
    # !! Nathelper
    if (uri=~"[@:](192.168.|10.|172.(1[6-9]|2[0-9]|3[0-1]).)" && !search("^Route:")) {
        sl_send_reply("479", "We don't forward to private IP addresses");
        return;
    };

    # if client or server know to be behind a NAT, enable relay
    if (isflagset(6)) {
        force_rtp_proxy();
        t_on_reply("1");
        append_hf("P-Behind-NAT: Yes\r\n");
    };

    if (!t_relay()) {
        sl_reply_error();
        return;
    };
}

# !! Nathelper
onreply_route[1] {
    # NATed transaction ?
    if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") {
        fix_nated_contact();
        force_rtp_proxy();
    } else if (nat_uac_test("1")) {
        fix_nated_contact();
    };
}

#######################################
route[2] {
    ### Dial Plan for gateway VoIP ###
    # Sao Paulo 11
    if ( uri =~ "^sip:9911.*" ) {
        log(1,"LOG: destination is 9911x, change prefix...");
        strip(4);
        prefix("011");
        return;
    }
    # Error (Number inexistent)
    sl_reply_error();
}
-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
Regards Jeferson
----- Original Message ----- From: "Dan-Cristian Bogos" dan.bogos@gmail.com To: "Jeferson Prevedello" jprevedello@terra.com.br Cc: users@openser.org Sent: Saturday, August 25, 2007 3:06 PM Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
Hello Jeferson,
It all depends on your openser.cfg. If you put in there that all the INVITEs should be authenticated, your users will not be able to call anymore without having a valid user and password for your server. Note that by default openser will not do any check for you, in order to keep the flexibility of being used in different environment setups.
Cheers, DanB
On 8/25/07, Jeferson Prevedello jprevedello@terra.com.br wrote:
Hello,
I implemented an environment using openser + mysql. The environment works perfectly; however, I noticed that users (branches) not registered in mysql are generating calls.
I installed the X-lite softphone on my computer to try to reproduce the situation.
In the X-lite configuration properties, in the "Password" field I typed "trash" as the password (wrong password).
The X-lite display showed the following message: "Registration error: 401 - Unauthorized".
In the contacts drawer I added a contact (double-click on the new contact), and the call was generated without restriction (very bad).
Any idea how I can solve this problem?
Thanks
Regards Jeferson
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users