[OpenSIPS-Users] Pike question about flood attack
As per documentation pike module can be implemented manual as well as automatic. The way I understand it manual mode will not monitor (Not even queue) packets for which pike_check_req() is not called and it gives performance advantage as we can skip this call for trusted IPs. First of all is my understanding correct? Or each request packet will be queued but we will know if a source IP exceeds threshold only when we call pike_check_req()? Second thing is what about replies, is there any way to monitor in manual mode? I really like automatic mode but only am trying to avoid it because I do not want trusted sources to be monitored. ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] URGENT - Check auth before INVITE
Thanks Jeff, I do have Database and proxy_authorize setup and users are able to authenticate but some request i have seen directly sending INVITE and proxy_authorize() not sending 407 proxy challange, does it possible . If any non-REGISTER request will process by following snippet so if someone trying to send direct INVITE then it will process in following block and proxy_authorize will send 407 challenge. but i have seen some request directly going into INVITE snippet without going through proxy_authorize(). so i was thinking why not use one more check in INVITE snippet to make sure user is authenticated. if ( !(is_method(REGISTER) ) ) { if (is_from_local()) { # authenticate if from local subscriber # authenticate all initial non-REGISTER request that pretend to be # generated by local subscriber (domain from FROM URI is local) if (!check_source_address(2)) { if (!proxy_authorize(, subscriber)) { proxy_challenge(, 0); exit; } consume_credentials(); # caller authenticated } } else { # if caller is not local, then called number must be local if (!is_uri_host_local()) { send_reply(403,Rely forbidden); exit; } } ... ... # To FreeSWITCH if (is_method(INVITE)) { if ( uri=~^sip:[1-9][0-9]{10,15}@.*) { route(to_dispatcher); exit; }; } On Thu, Feb 19, 2015 at 1:29 PM, Jeff Pyle jp...@fidelityvoice.com wrote: Satish, There are many documented examples of how/when to authorize calls in OpenSIPS. Take a look at the pstn.cfg file included in the examples directory of the source. You'll see the proxy_authorize() function around line 96. That, with some module and database configuration, will get on the right path. - Jeff On Thu, Feb 19, 2015 at 12:08 PM, Satish Patel satish@gmail.com wrote: I am using opensips 1.11 but i have seen wired issue, How i can check auth before process INVITE packet? I have following code, I have seen if i send only INVITE packet using SIPP it is processing that call, I want it check AUTH before processing INVITE packet how can we do that? # To FreeSWITCH if (is_method(INVITE)) { if ( uri=~^sip:[1-9][0-9]{10,15}@.*) { xlog(call with X-customer: $Au === Freeswitch\n); append_hf(X-customer: $Au\r\n); append_hf(X-SRIPP: $si:$sp\r\n); route(to_dispatcher); exit; }; } ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
[OpenSIPS-Users] HowTo add my company certificate to opensips
Hi, We have generated a key and cert file using GoDaddy service, i want to use this certificate in opensips. the question is can i and how? Thanks, Snabel ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] [OpenSIPS-News] [TRAINING] OpenSIPS eBootcamp - first 2015 session
Heads-up, tomorrow is the last registration day ! Best regards, Bogdan-Andrei Iancu OpenSIPS Founder and Developer http://www.opensips-solutions.com On 10.12.2014 11:37, Bogdan-Andrei Iancu wrote: Hi all, The first 2015 eBootcamp session is scheduled to start on 23rd of February. This will be the last one covering OpenSIPS version 1.11 . What is the content and who should attend ? Please read all about it here : http://www.opensips.org/Support/EBootcamp For more information and registration, email us : ebootcamp at opensips dot org Please note the class is limited to 20 students and first in, first served ! Best regards, ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] Pike question about flood attack
The automatic mode is much more efficient. It triggers in pre-recieve callbacks before any message parsing is even done. In automatic mode you would simply say if(ip==trusted){drop;} in your pike route block. Automatic mode will also trigger on replies. Basically - you should use automatic mode and not be concerned about the performance as it is definitely faster than manual mode. -Eric On 02/19/2015 01:49 AM, John Nash wrote: As per documentation pike module can be implemented manual as well as automatic. The way I understand it manual mode will not monitor (Not even queue) packets for which pike_check_req() is not called and it gives performance advantage as we can skip this call for trusted IPs. First of all is my understanding correct? Or each request packet will be queued but we will know if a source IP exceeds threshold only when we call pike_check_req()? Second thing is what about replies, is there any way to monitor in manual mode? I really like automatic mode but only am trying to avoid it because I do not want trusted sources to be monitored. ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] URGENT - Check auth before INVITE
Satish, There are many documented examples of how/when to authorize calls in OpenSIPS. Take a look at the pstn.cfg file included in the examples directory of the source. You'll see the proxy_authorize() function around line 96. That, with some module and database configuration, will get on the right path. - Jeff On Thu, Feb 19, 2015 at 12:08 PM, Satish Patel satish@gmail.com wrote: I am using opensips 1.11 but i have seen wired issue, How i can check auth before process INVITE packet? I have following code, I have seen if i send only INVITE packet using SIPP it is processing that call, I want it check AUTH before processing INVITE packet how can we do that? # To FreeSWITCH if (is_method(INVITE)) { if ( uri=~^sip:[1-9][0-9]{10,15}@.*) { xlog(call with X-customer: $Au === Freeswitch\n); append_hf(X-customer: $Au\r\n); append_hf(X-SRIPP: $si:$sp\r\n); route(to_dispatcher); exit; }; } ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] Stop INVITE from uknown source
Guys! please advice me! On Fri, Feb 13, 2015 at 10:07 AM, Satish Patel satish@gmail.com wrote: I have question about how to stop INVITE coming from unknown source or not subscribed user. I have opensips front end proxy and Freeswitch PSTN But recently i have seeing some calls coming from unknown source and method is INVITE so it is sending direct INVITE to opensips and opensips forwarding them to Freeswitch, How do i tell opensip if INVITE from non-registered user then drop it. As you see in Freeswitch section, if you see INVITE forward it to Freeswitch, How do i check INVITE is authenticated or not? This is what i have in cfg. if (is_from_local()) { # authenticate if from local subscriber # authenticate all initial non-REGISTER request that pretend to be # generated by local subscriber (domain from FROM URI is local) if (!check_source_address(2)) { if (!proxy_authorize(, subscriber)) { proxy_challenge(, 0); exit; } consume_credentials(); # caller authenticated } } else { # if caller is not local, then called number must be local if (!is_uri_host_local()) { send_reply(403,Rely forbidden); exit; } } } # To FreeSWITCH if (is_method(INVITE)) { if ( uri=~^sip:[1-9][0-9]{10,15}@.*) { xlog(Sending call to === Freeswitch\n); route(to_dispatcher); exit; }; } ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
[OpenSIPS-Users] Compression module
* Hello all, I'm glad to announce the new openSIPS compression module. This module is able to achieve deflate and gzip compression/decompression and also SIP message compaction. One common issue we are facing when using SIP over UDP is message fragmentation, because there is no way to reassemble the original packet. The only way we can prevent fragmentation is to reduce the size of the message. One use case is when you have multiple OpenSips proxies, which internally communicate using UDP, but outside the SBCs use TCP. You definitely do not want fragmentation, as you won’t be able to rebuild the original message when TCP will be used when it leaves the proxies. The compression module gives you the means to reduce the size of the message, by using the following features: * message body and the header compression * unnecessary headers removal * header name reduction to RFC compact form (such as 'v' for 'Via'); we support a limited set of compact headers from RFC 3261 and RFC 4028 (complete list at [2]) * unnecessary attribute lines removal from the sdp body which represent default values You don't have to worry about the time when you do the compression in the script, because it is being done just before the message is being sent, so any message body changes you might have done are not affected by this module. The module, for the moment, supports both gzip and deflate formats. We are also planning to develop new compression algorithms, depending on the community’s needs. Another thing future users might find useful, is the performance tests we have done using different SIP message headers and bodies. You can find details about this here [3]. Using the data over there you should understand what scenarios apply to the compression function. You can find a full compression module tutorial on [4] and documentation [1], which will help you understand better how to use the module and give you a better picture about the scenarios in which you should use this module. The module is alpha, it needs real scenarios testing, so we look forward to receiving useful feedback and help from you. Best regards, Ionut Ionita [1] http://www.opensips.org/html/docs/modules/2.1.x/compression.htm [2] http://www.opensips.org/html/docs/modules/2.1.x/compression.html#id293508 [3] http://www.opensips.org/html/docs/modules/2.1.x/compression.html#id293739 [4] http://www.opensips.org/Documentation/Tutorials-Compression-2-1* ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
[OpenSIPS-Users] B2BUA: how to prevent 'To' header from being modified
Hi, I have the following scenario: UA1 B2BUA1 (top hiding) REGISTRAR --- B2BUA2 (top hiding) - UA2 My problem is that the 'To' header sent out in request from (say) UA1 is modified B2BUA2. How can I prevent this from happening? I am on OpenSIPS 1.11. Thanks, Anshuman ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
[OpenSIPS-Users] URGENT - Check auth before INVITE
I am using opensips 1.11 but i have seen wired issue, How i can check auth before process INVITE packet? I have following code, I have seen if i send only INVITE packet using SIPP it is processing that call, I want it check AUTH before processing INVITE packet how can we do that? # To FreeSWITCH if (is_method(INVITE)) { if ( uri=~^sip:[1-9][0-9]{10,15}@.*) { xlog(call with X-customer: $Au === Freeswitch\n); append_hf(X-customer: $Au\r\n); append_hf(X-SRIPP: $si:$sp\r\n); route(to_dispatcher); exit; }; } ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
[OpenSIPS-Users] sip code 487 and log_next_state_dlg: bogus event 4 in state 5
Hello Guys, im getting this critical message on my opensips, but i see that this message just appear with the binary replication activated, is this expected ? Feb 19 07:34:12 sipproxy01 /usr/sbin/opensips[13762]: CRITICAL:dialog:log_next_state_dlg: bogus event 4 in state 5 for dlg 0x7fb6de3922b0 [1887:354100080] with clid '37e9a2df45cc258436f4cb351e60832b@172.30.1.15:5060' and tags 'as33b7ba8a' 'as40351bae' Feb 19 07:34:12 sipproxy01 /usr/sbin/opensips[13762]: DBG:dialog:next_state_dlg: dialog 0x7fb6de3922b0 changed from state 5 to state 5, due event 4 Feb 19 07:34:12 sipproxy01 /usr/sbin/opensips[13762]: DBG:tm:cleanup_uac_timers: RETR/FR timers reset ___ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users