Hi Guys,
Here in my company I have the same problem.
The solution that I adopted was to apply the proxy_authorize function
and restrict all incoming calls. I use openser only for originating
calls.
Any tips?
Cheers,
Torri
----- Original Message -----
From: "Jeferson Prevedello" <jprevedello(a)terra.com.br>
To: "Dan-Cristian Bogos" <dan.bogos(a)gmail.com>
Cc: <users(a)openser.org>
Sent: Monday, August 27, 2007 12:26 PM
Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
Hello DanB,
One more problem! :-(
I applied the following configuration in my openser.cfg:

    if (method=="INVITE")
    {
        if (!proxy_authorize("", "subscriber"))
        {
            proxy_challenge("","0");
            exit;
        }
    };

I noticed that with the configuration above 'only' registered users can
generate calls; however, I no longer receive calls originated through
the PSTN or any branch of the PBX. I believe these calls are denied
because the sources (PSTN - branches) are not registered in the openser
server.
Is it possible to apply the configuration above only for calls
'originated' from openser?
Thanks!
Regards
Jeferson
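Jeferson asks above how to challenge only the calls placed by his own users, and Torri's workaround at the top of the thread was to restrict all incoming calls. As an added example for this thread (not configuration from any of the posters), the block below lets INVITEs from the PSTN gateway / PBX through based on their source address while everyone else must authenticate; 192.0.2.10 is a placeholder for the real gateway IP, and it assumes auth.so, auth_db.so and uri_db.so (which provides check_from() in OpenSER 1.2) are loaded.

```cfg
# Added example: challenge INVITEs from user agents, but let the
# PSTN gateway / PBX through based on its source address.
# 192.0.2.10 is a placeholder; replace it with the real gateway IP.
# Assumes auth.so, auth_db.so and uri_db.so are loaded.

if (is_method("INVITE")) {
    if (src_ip == 192.0.2.10) {
        # Trusted gateway: calls coming in from the PSTN are accepted
        # without a digest challenge (the gateway never REGISTERs, so
        # it has no subscriber row to authenticate against).
        log(1, "INVITE from trusted gateway, no auth required\n");
    } else {
        # Anyone else must present valid digest credentials for a
        # "subscriber" row; otherwise send a 407 challenge and stop.
        if (!proxy_authorize("", "subscriber")) {
            proxy_challenge("", "0");
            exit;
        };
        # The authenticated user must also be the one named in From,
        # so a valid account cannot place calls under another identity.
        if (!check_from()) {
            sl_send_reply("403", "Use From=ID");
            exit;
        };
        # Strip the Proxy-Authorization header before relaying onward.
        consume_credentials();
    };
};
```

A source-IP check trusts the network path between gateway and proxy, so it only makes sense for a gateway that is not reachable from the open internet. If several gateways need to be allowed, the permissions module's allow_trusted() keeps that list in a database table instead of in the script.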
----- Original Message -----
From: "Dan-Cristian Bogos" <dan.bogos(a)gmail.com>
To: "Jeferson Prevedello" <jprevedello(a)terra.com.br>
Cc: <users(a)openser.org>
Sent: Monday, August 27, 2007 8:35 AM
Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
Hello Jeferson,
Your configuration looks a bit messy; if I were OpenSER I would also
refuse it. :).
I would suggest taking a more standard configuration (you can find many
examples at this location:
http://openser.svn.sourceforge.net/viewvc/openser/branches/1.2/examples/)
and using the 1.2 branch of the software for a start, and experimenting
with it in some lab environment.
It is a bit difficult as a beginner to start directly experimenting on
a production configuration, perhaps written by somebody else, without
understanding it. You will end up having big issues when
troubleshooting in a production environment.
The tip I gave you would be really easy to implement with a block of a
few lines, e.g.:

    if (is_method("INVITE")) {
        # challenge INVITEs that carry no valid digest credentials
        if (!proxy_authorize("", "subscriber")) {
            proxy_challenge("", "0");
            exit;
        } else if (!check_from()) {
            # the authenticated user must match the From URI
            sl_send_reply("403", "Use From=ID");
            exit;
        };
    };

Documentation for you to understand those lines here:
http://www.openser.org/docs/modules/1.2.x/auth_db.html#AEN192
Usually, there is a lot of documentation and howtos in the openser wiki,
so I would suggest you have a glance at some titles which look close
to your needs as a beginner.
http://www.openser.org/dokuwiki/doku.php
Cheers,
DanB
On 8/27/07, Jeferson Prevedello <jprevedello(a)terra.com.br> wrote:
Hello DanB,
Thanks!
As per DanB's suggestion, I tried to implement a mechanism that only
allowed authenticated members to make calls, but my configuration
didn't function.
This is my first project with openser, therefore I do not have much
experience. If someone knows how to help me implement this
verification, I will be very thankful.
Below, my openser.cfg file:
-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
# ----------- global configuration parameters ------------------------
debug=3
fork=yes
log_stderror=no
log_facility=LOG_LOCAL7

# hostname matching an alias will satisfy the condition "uri==myself".
alias=xxx.xxx.xxx.xxx
listen=udp:xxx.xxx.xxx.xxx:5060

# check_via - Turn on or off Via host checking when forwarding replies.
# Default is no. arcane. looks for discrepancy between name and
# ip address when forwarding replies.
check_via=yes

# syn_branch - Shall the server use stateful synonym branches? It is
# faster but not reboot-safe. Default is yes.
syn_branch=yes

# dns - Uses dns to check if it is necessary to add a "received=" field
# to a via. Default is no.
# rev_dns - Same as dns but use reverse DNS.
dns=no
rev_dns=no

port=5060
children=4

# memlog - Debugging level for final memory statistics report. Default
# is L_DBG -- memory statistics are dumped only if debug is set high.
memlog=3

# sip_warning - Should replies include extensive warnings? By default
# yes, it is good for trouble-shooting.
sip_warning=yes

# fifo - FIFO special file pathname
fifo="/tmp/openser_fifo"

# reply_to_via - A hint to reply modules whether they should send reply
# to IP advertised in Via. Turned off by default, which means that
# replies are sent to IP address from which requests came.
reply_to_via=no

# mhomed -- enable calculation of outbound interface; useful on
# multihomed servers.
mhomed=0

# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
loadmodule "/usr/lib/openser/modules/mysql.so"
loadmodule "/usr/lib/openser/modules/sl.so"
loadmodule "/usr/lib/openser/modules/tm.so"
loadmodule "/usr/lib/openser/modules/rr.so"
loadmodule "/usr/lib/openser/modules/maxfwd.so"
loadmodule "/usr/lib/openser/modules/usrloc.so"
loadmodule "/usr/lib/openser/modules/registrar.so"
loadmodule "/usr/lib/openser/modules/textops.so"
loadmodule "/usr/lib/openser/modules/nathelper.so"
loadmodule "/usr/lib/openser/modules/acc.so"
loadmodule "/usr/lib/openser/modules/xlog.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "/usr/lib/openser/modules/auth.so"
loadmodule "/usr/lib/openser/modules/auth_db.so"

# ----------------- setting module-specific parameters ---------------
# ------------- usrloc parameters
# 2 enables write-back to persistent mysql storage for speed
# disable=0, write-through=1
modparam("usrloc", "db_mode", 0)
# minimize write back window - default is 60 seconds
modparam("usrloc", "timer_interval", 30)

# ------------- auth parameters
# Uncomment if you are using auth module
modparam("auth_db", "calculate_ha1", yes)
# If you set "calculate_ha1" parameter to yes (which is true in this config),
# uncomment also the following parameter)
modparam("auth_db", "password_column", "password")

# ------------- rr parameters
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# ------------- !! Nathelper
modparam("registrar", "nat_flag", 6)
modparam("nathelper", "natping_interval", 30)   # Ping interval 30 s
modparam("nathelper", "ping_nated_only", 1)     # Ping only clients behind NAT
modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock")   # Nathelper with RTPproxy

# ------------- tm parameters
modparam("tm", "fr_timer", 12)
modparam("tm", "fr_inv_timer", 24)

# ------------- acc parameters
modparam("acc", "db_url", "mysql://openser:openserrw@localhost/openser")
modparam("acc", "db_flag", 2)
modparam("acc", "db_missed_flag", 2)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)
modparam("acc", "log_level", 2)   # Set log_level to 2

# Allow no more than 1 contacts per AOR
modparam("registrar", "max_contacts", 3)

# ------------------------- request routing logic -------------------
# main routing logic
route{
    if (!mf_process_maxfwd_header("10"))
    {
        sl_send_reply("483","Too Many Hops");
        exit;
    };
    if (msg:len >= 2048 )
    {
        sl_send_reply("513", "Message too big");
        exit;
    };

    # < Accounting >
    if (method=="INVITE")
    {
        log(1, "Generate call - START\n");
        setflag(1); /* set for accounting (the same value as in log_flag!) */
        setflag(2);
    };
    if (method=="BYE")
    {
        log (1, "Hung-up \n");
        setflag(1);
    };
    if (method=="CANCEL")
    {
        log (1, "Lost call \n");
        setflag(1);
    }

    if (!method=="REGISTER")
        record_route();

    if (nat_uac_test("3"))
    {
        # Allow RR-ed requests, as these may indicate that
        # a NAT-enabled proxy takes care of it; unless it is
        # a REGISTER
        if (method == "REGISTER" || !search("^Record-Route:"))
        {
            log(1,"LOG: Someone trying to register from private IP, rewriting\n");
            # This will work only for user agents that support symmetric
            # communication. We tested quite many of them and majority is
            # smart enough to be symmetric. In some phones it takes
            # a configuration option. With Cisco 7960, it is called
            # NAT_Enable=Yes, with kphone it is called "symmetric media" and
            # "symmetric signalling".
            fix_nated_contact(); # Rewrite contact with source IP of signalling
            force_rport();       # Add rport parameter to topmost Via
            setflag(6);          # Mark as NATed
        };
    };

    # subsequent messages within a dialog should take the
    # path determined by record-routing
    if (loose_route())
    {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        route(1);
    };

    if (!uri==myself)
    {
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        route(1);
    };

    # if the request is for other domain use UsrLoc
    # (in case, it does not work, use the following command
    # with proper names and addresses in it)
    if (uri==myself)
    {
        if (method=="REGISTER")
        {
            # Uncomment this if you want to use digest authentication
            if (!www_authorize("xxx.xxx.xxx.xxx", "subscriber"))
            {
                www_challenge("xxx.xxx.xxx.xxx", "0");
                return;
            };
            save("location");
            return;
        };

        lookup("aliases");
        if (!uri==myself)
        {
            append_hf("P-hint: outbound alias\r\n");
            route(1);
            return;
        };

        # Route to the Cisco if not a sip branch
        log(1,"LOG: testando se destino-sip e' 418x ...\n");
        if ( ! ( uri =~ "^sip:418[1-9].*" ) && ! ( uri =~ "^sip:4397"))
        {
            log(1,"LOG: destino-sip not is 418x .\n");
            route(2);
            log(1,"LOG: rewriting hostport yyy.yyy.yyy.yyy:5060...\n");
            rewritehostport("yyy.yyy.yyy.yyy:5060");
            log(1,"LOG: t_relay...\n");
            t_relay();
            log(1,"LOG: break...\n");
            return;
        }
        log(1,"LOG: destino-sip 418x, continue .\n");

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location"))
        {
            sl_send_reply("404", "Not Found");
            return;
        };
    };
    append_hf("P-hint: usrloc applied\r\n");
    route(1);
}

#######################################
route[1]
{
    # !! Nathelper
    if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" && !search("^Route:"))
    {
        sl_send_reply("479", "We don't forward to private IP addresses");
        return;
    };

    # if client or server known to be behind a NAT, enable relay
    if (isflagset(6))
    {
        force_rtp_proxy();
        t_on_reply("1");
        append_hf("P-Behind-NAT: Yes\r\n");
    };

    if (!t_relay())
    {
        sl_reply_error();
        return;
    };
}

# !! Nathelper
onreply_route[1]
{
    # NATed transaction ?
    if (isflagset(6) && status =~ "(183)|2[0-9][0-9]")
    {
        fix_nated_contact();
        force_rtp_proxy();
    }
    else if (nat_uac_test("1"))
    {
        fix_nated_contact();
    };
}

#######################################
route[2] {
    ### Dial Plan for gateway VoIP ###
    # Sao Paulo 11
    if ( uri =~ "^sip:9911.*" )
    {
        log(1,"LOG: destination is 9911x, change prefix...");
        strip(4);
        prefix("011");
        return;
    }
    # Error (Number inexistent)
    sl_reply_error();
}
-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
Regards
Jeferson
----- Original Message -----
From: "Dan-Cristian Bogos" <dan.bogos(a)gmail.com>
To: "Jeferson Prevedello" <jprevedello(a)terra.com.br>
Cc: <users(a)openser.org>
Sent: Saturday, August 25, 2007 3:06 PM
Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
> Hello Jeferson,
>
> it all depends on your openser.cfg.
> If you put in there that all the INVITE-s should be authenticated, your
> users will not be able anymore to call without having a valid user and
> password for your server. Note that by default openser will not do any
> check for you, in order to keep the flexibility of being used in
> different environment setups.
>
> Cheers,
> DanB
>
> On 8/25/07, Jeferson Prevedello <jprevedello(a)terra.com.br> wrote:
>>
>>
>> Hello,
>>
>> I implemented an environment using openser + mysql. The environment
>> functions perfectly, however I noticed that users (branches) not
>> registered in mysql are generating calls.
>>
>> I installed the X-lite softphone on my computer trying to reproduce the
>> situation.
>> In the X-lite configuration properties, in the "Password" field I
>> typed "trash" as password (wrong password).
>>
>> The display of X-lite showed the following message: "Registration
>> error: 401 - Unauthorized".
>>
>> In the contacts drawer I added a contact (double click on the new
>> contact), and the call was generated without restriction (very bad).
>> Any idea how I can solve this problem?
>> Thanks
>> Regards
>> Jeferson
_______________________________________________
Users mailing list
Users(a)openser.org
http://openser.org/cgi-bin/mailman/listinfo/users