Hi Vincent,
Welcome with the first post.
Just a wild guess about your issue - the detection of what SIP domains
are to be locally handled. For example, in your pastebin, at line 249 you
have the block for doing user authentication and authorization. And the
logic there is : if the caller belongs to a local SIP domain, do auth -
fine; but if the caller is not local, the call is allowed if the callee
SIP domain is local. So if some foo caller is calling
sip:DID@your_sip_domain, your configuration will allow the call to go
further in the script (as it is targeting a local domain of yours).
And later, at line 354, you do diversion to PSTN, but without checking who
the caller is (a local or foreign domain, which was auth'ed or not). Do
you see the issue?
Fixes are:
a) on the line 267 `else` branch (if the caller is not local), always
send the 403 reply, regardless of what the called number is. So you will
accept only calls from your users.
or
b) when doing the PSTN diversion at line 354, check if the caller is a
local user, to be sure PSTN calls are available only for your own users.
Add `is_from_local()` to the condition there.
Best regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS eBootcamp
https://www.opensips.org/Training/Bootcamp
On 1/18/22 3:23 PM, Vincent Swart wrote:
First post!
So yesterday I installed the latest from Debian 10 repo and the latest
cp web app using a method similar to powerpbxdotorg howto.
I had 5060 open in my firewall, two user phones configured with strong
passwords, and a gateway with IP auth for termination.
Within 10 minutes calls were being placed via unauthenticated invites
I think.
I used the residential config script with a minor beginner destination
number pattern match difference:
https://pastebin.com/GPrMcWYK
if ($rU=~"^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+$") {
#if (dp_translate(10,"$rU/$rU") ) {
#strip(1);
The opensips log has a lot of this in it all the time:
Jan 17 15:56:04 dsip1 /usr/sbin/opensips[24971]: CRITICAL:db_mysql:wrapper_single_mysql_stmt_execute: driver error (1048): Column 'to_tag' cannot be null
Jan 17 15:56:04 dsip1 /usr/sbin/opensips[24971]: ERROR:acc:acc_db_request: failed to insert into acc table
The illicit calls start in the log like this:
https://pastebin.com/mCNXqK7T
I can post the full log but it will take some time to sanitize.
Sip call ID links in CDR viewer show this: "Sorry , sip trace for this
call is unavailable."
There are also only 0 durations on all legs however they incurred
duration and billing on termination.
I'm fairly certain the calls were not placed via the user phone
accounts because of strong passwords.
My next steps are to disable the gateway and packet capture on the
interface to investigate illicit invites.
Where do I even start investigating how unauthenticated invites were
placed and prevent it in the opensips config?
Any suggestions would be greatly appreciated.
_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
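
The decision flow described in the reply at the top of this thread, modelled in Python as an added example (it is not code from the thread and not OpenSIPS script). The domain names, sample number, function name and verdict strings are constructed assumptions; the digit pattern is the one from the posted config excerpt.

```python
import re

# Constructed values for illustration; not taken from the thread.
LOCAL_DOMAINS = {"sip.example.test"}
# Digit pattern copied from the posted config excerpt.
PSTN_RE = re.compile(r"^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+$")

CHALLENGE, FORBIDDEN, PSTN, LOCAL = "407", "403", "pstn", "local"


def route_invite(from_domain, to_domain, to_user, has_valid_auth, mode="original"):
    """Verdict for an initial INVITE under the logic described in the reply.

    mode: "original" (as posted), "fix_a" (reject every non-local caller),
          "fix_b" (PSTN diversion only for local callers).
    """
    caller_local = from_domain in LOCAL_DOMAINS
    callee_local = to_domain in LOCAL_DOMAINS

    # Auth block: local callers must authenticate.
    if caller_local:
        if not has_valid_auth:
            return CHALLENGE
    elif mode == "fix_a" or not callee_local:
        # Original: foreign callers are rejected only when the callee domain
        # is foreign too. Fix a: reject them whatever the called number is.
        return FORBIDDEN

    # PSTN block: the original never looks at who the caller is.
    if PSTN_RE.match(to_user):
        if mode == "fix_b" and not caller_local:
            return FORBIDDEN
        return PSTN
    return LOCAL


if __name__ == "__main__":
    # Unauthenticated INVITE from a foreign domain to sip:<digits>@local-domain.
    probe = ("other.example.test", "sip.example.test", "15551230000", False)
    for mode in ("original", "fix_a", "fix_b"):
        print(mode, route_invite(*probe, mode=mode))
```

In this model, fix a also rejects foreign callers dialing a local user, while fix b still lets those calls through and only closes the PSTN path.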