Hello Jeferson,

Your configuration looks a bit messy; if I were OpenSER I would also refuse it. :)

I would suggest taking a more standard configuration (you can find many examples at this location: http://openser.svn.sourceforge.net/viewvc/openser/branches/1.2/examples/), using the 1.2 branch of the software to start, and experimenting with it in some lab environment. It is a bit difficult as a beginner to start directly experimenting on a production configuration, perhaps written by somebody else, without understanding it. You will end up having big issues when troubleshooting in a production environment.

The tip I gave you would be really easy to implement with a block of a few lines, e.g.:

    if (is_method("INVITE")) {
        if (!proxy_authorize("", "subscriber")) {
            # no valid digest credentials: challenge the caller
            proxy_challenge("", "0");
            exit;
        } else if (!check_from()) {
            # authenticated, but From does not match the authenticated ID
            sl_send_reply("403", "Use From=ID");
            exit;
        };
    };

Documentation for you to understand those lines is here:
http://www.openser.org/docs/modules/1.2.x/auth_db.html#AEN192

Usually, there is a lot of documentation and howtos in the openser wiki, so I would suggest having a glance at some titles which look close to your needs as a beginner.
http://www.openser.org/dokuwiki/doku.php

Cheers,
DanB

On 8/27/07, Jeferson Prevedello <[EMAIL PROTECTED]> wrote:
> Hello DanB,
>
> Thanks!
>
> As per DanB's suggestion, I tried to implement a mechanism that only allowed
> authenticated members to make calls, but my configuration didn't function.
>
> This is my first project with openser, therefore I do not have much
> experience. If someone knows how to help me to implement this verification, I
> will be very thankful.
>
> Below, my openser.cfg file:
>
> -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
>
>
> # ----------- global configuration parameters ------------------------
>
> debug=3
> fork=yes
> log_stderror=no
> log_facility=LOG_LOCAL7
>
> # hostname matching an alias will satisfy the condition uri==myself".
> alias=xxx.xxx.xxx.xxx
> listen=udp:xxx.xxx.xxx.xxx:5060
>
> # check_via - Turn on or off Via host checking when forwarding replies.
> # Default is no. arcane. looks for discrepancy between name and
> # ip address when forwarding replies.
> check_via=yes
>
> # syn_branch - Shall the server use stateful synonym branches? It is
> # faster but not reboot-safe. Default is yes.
> syn_branch=yes
>
> # dns - Uses dns to check if it is necessary to add a "received=" field
> # to a via. Default is no.
> # rev_dns - Same as dns but use reverse DNS.
> dns=no
> rev_dns=no
> port=5060
> children=4
>
> # memlog - Debugging level for final memory statistics report. Default
> # is L_DBG -- memory statistics are dumped only if debug is set high.
> memlog=3
>
> # sip_warning - Should replies include extensive warnings? By default
> # yes, it is good for trouble-shooting.
> sip_warning=yes
>
> # fifo - FIFO special file pathname
> fifo="/tmp/openser_fifo"
>
> # reply_to_via - A hint to reply modules whether they should send reply
> # to IP advertised in Via. Turned off by default, which means that
> # replies are sent to IP address from which requests came.
> reply_to_via=no
>
> # mhomed -- enable calculation of outbound interface; useful on
> # multihomed servers.
> mhomed=0
>
> # ------------------ module loading ----------------------------------
>
> # Uncomment this if you want to use SQL database
> loadmodule "/usr/lib/openser/modules/mysql.so"
> loadmodule "/usr/lib/openser/modules/sl.so"
> loadmodule "/usr/lib/openser/modules/tm.so"
> loadmodule "/usr/lib/openser/modules/rr.so"
> loadmodule "/usr/lib/openser/modules/maxfwd.so"
> loadmodule "/usr/lib/openser/modules/usrloc.so"
> loadmodule "/usr/lib/openser/modules/registrar.so"
> loadmodule "/usr/lib/openser/modules/textops.so"
> loadmodule "/usr/lib/openser/modules/nathelper.so"
> loadmodule "/usr/lib/openser/modules/acc.so"
> loadmodule "/usr/lib/openser/modules/xlog.so"
>
> # Uncomment this if you want digest authentication
> # mysql.so must be loaded !
> loadmodule "/usr/lib/openser/modules/auth.so"
> loadmodule "/usr/lib/openser/modules/auth_db.so"
>
> # ----------------- setting module-specific parameters ---------------
>
> # ------------- usrloc parameters
>
> # 2 enables write-back to persistent mysql storage for speed
> # disable=0, write-through=1
> modparam("usrloc", "db_mode", 0)
>
> # minimize write back window - default is 60 seconds
> modparam("usrloc", "timer_interval", 30)
>
> # ------------- auth parameters
>
> # Uncomment if you are using auth module
> modparam("auth_db", "calculate_ha1", yes)
>
> # If you set "calculate_ha1" parameter to yes (which true in this config),
> # uncomment also the following parameter)
> modparam("auth_db", "password_column", "password")
>
> # ------------- rr parameters
>
> # add value to ;lr param to make some broken UAs happy
> modparam("rr", "enable_full_lr", 1)
>
> # ------------- !! Nathelper
>
> modparam("registrar", "nat_flag", 6)
> modparam("nathelper", "natping_interval", 30) # Ping interval 30 s
> modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT
> modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock") # Nathelper with RTPproxy
>
> # ------------- tm parameters
>
> modparam("tm", "fr_timer", 12)
> modparam("tm", "fr_inv_timer", 24)
>
> # ------------- acc parameters
>
> modparam("acc", "db_url", "mysql://openser:[EMAIL PROTECTED]/openser")
> modparam("acc", "db_flag", 2)
> modparam("acc", "db_missed_flag", 2)
> modparam("acc", "log_flag", 1)
> modparam("acc", "log_missed_flag", 2)
> modparam("acc", "log_level", 2) # Set log_level to 2
>
> # Allow no more than 1 contacts per AOR
> modparam("registrar", "max_contacts", 3)
>
> # ------------------------- request routing logic -------------------
>
> # main routing logic
>
> route{
>
>     if (!mf_process_maxfwd_header("10"))
>     {
>         sl_send_reply("483","Too Many Hops");
>         exit;
>     };
>
>     if (msg:len >= 2048 )
>     {
>         sl_send_reply("513", "Message too big");
>         exit;
>     };
>
>     # < Accounting
>
>     if (method=="INVITE")
>     {
>         log(1, "Generate call - START\n");
>         setflag(1); /* set for accounting (the same value as in log_flag!) */
>         setflag(2);
>     };
>
>     if (method=="BYE")
>     {
>         log (1, "Hung-up \n");
>         setflag(1);
>     };
>
>     if (method=="CANCEL")
>     {
>         log (1, "Lost call \n");
>         setflag(1);
>     }
>
>     if (!method=="REGISTER")
>         record_route();
>
>     if (nat_uac_test("3"))
>     {
>         # Allow RR-ed requests, as these may indicate that
>         # a NAT-enabled proxy takes care of it; unless it is
>         # a REGISTER
>
>         if (method == "REGISTER" || ! search("^Record-Route:"))
>         {
>             log(1,"LOG: Someone trying to register from private IP, rewriting\n");
>
>             # This will work only for user agents that support symmetric
>             # communication. We tested quite many of them and majority is
>             # smart enough to be symmetric. In some phones it takes a configuration
>             # option. With Cisco 7960, it is called NAT_Enable=Yes, with kphone it is
>             # called "symmetric media" and "symmetric signalling".
>
>             fix_nated_contact(); # Rewrite contact with source IP of signalling
>             force_rport(); # Add rport parameter to topmost Via
>             setflag(6); # Mark as NATed
>         };
>     };
>     # subsequent messages within a dialog should take the
>     # path determined by record-routing
>
>     if (loose_route())
>     {
>         # mark routing logic in request
>         append_hf("P-hint: rr-enforced\r\n");
>         route(1);
>     };
>
>     if (!uri==myself)
>     {
>         # mark routing logic in request
>         append_hf("P-hint: outbound\r\n");
>         route(1);
>     };
>
>     # if the request is for other domain use UsrLoc
>     # (in case, it does not work, use the following command
>     # with proper names and addresses in it)
>     if (uri==myself)
>     {
>
>         if (method=="REGISTER")
>         {
>             # Uncomment this if you want to use digest authentication
>             if (!www_authorize("xxx.xxx.xxx.xxx", "subscriber"))
>             {
>                 www_challenge("xxx.xxx.xxx.xxx", "0");
>                 return;
>             };
>             save("location");
>             return;
>         };
>
>         lookup("aliases");
>         if (!uri==myself)
>         {
>             append_hf("P-hint: outbound alias\r\n");
>             route(1);
>             return;
>         };
>
>         # Router Cisco if not sip branche
>         log(1,"LOG: testando se destino-sip e' 418x ...\n");
>
>         if ( ! ( uri =~ "^sip:418[1-9].*" ) &&
>              ! ( uri =~ "^sip:4397"))
>         {
>             log(1,"LOG: destino-sip not is 418x .\n");
>             route(2);
>
>             log(1,"LOG: rewriting hostport yyy.yyy.yyy.yyy:5060...\n");
>             rewritehostport("yyy.yyy.yyy.yyy:5060");
>             log(1,"LOG: t_relay...\n");
>             t_relay();
>
>             log(1,"LOG: break...\n");
>             return;
>         }
>         log(1,"LOG: destino-sip 418x, continue .\n");
>
>         # native SIP destinations are handled using our USRLOC DB
>         if (!lookup("location"))
>         {
>             sl_send_reply("404", "Not Found");
>             return;
>         };
>     };
>     append_hf("P-hint: usrloc applied\r\n");
>     route(1);
> }
>
> #######################################
>
> route[1]
> {
>     # !! Nathelper
>     if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" &&
>         !search("^Route:"))
>     {
>         sl_send_reply("479", "We don't forward to private IP addresses");
>         return;
>     };
>
>     # if client or server know to be behind a NAT, enable relay
>     if (isflagset(6))
>     {
>         force_rtp_proxy();
>         t_on_reply("1");
>         append_hf("P-Behind-NAT: Yes\r\n");
>     };
>
>     if (!t_relay())
>     {
>         sl_reply_error();
>         return;
>     };
> }
> # !! Nathelper
> onreply_route[1]
> {
>     # NATed transaction ?
>     if (isflagset(6) && status =~ "(183)|2[0-9][0-9]")
>     {
>         fix_nated_contact();
>         force_rtp_proxy();
>     }
>     else if (nat_uac_test("1"))
>     {
>         fix_nated_contact();
>     };
> }
>
> #######################################
>
> route[2] {
>
>     ### Dial Plan for gateway VoIP ###
>
>     # Sao Paulo 11
>     if ( uri =~ "^sip:9911.*" )
>     {
>         log(1,"LOG: destination is 9911x, change prefix...");
>         strip(4);
>         prefix("011");
>         return;
>     }
>
>     # Error (Number inexistent)
>     sl_reply_error();
>
> }
>
> -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
>
> Regards
> Jeferson
>
>
> ----- Original Message -----
> From: "Dan-Cristian Bogos" <[EMAIL PROTECTED]>
> To: "Jeferson Prevedello" <[EMAIL PROTECTED]>
> Cc: <users@openser.org>
> Sent: Saturday, August 25, 2007 3:06 PM
> Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
>
>
> > Hello Jeferson,
> >
> > it all depends on your openser.cfg.
> > If you put in there that all the INVITE-s should be authenticated, your
> > users will not be able anymore to call without having a valid user and
> > password for your server. Note that by default openser will not do any
> > check for you, in order to keep the flexibility of being used in
> > different environment setups.
> >
> > Cheers,
> > DanB
> >
> > On 8/25/07, Jeferson Prevedello <[EMAIL PROTECTED]> wrote:
> >>
> >>
> >> Hello,
> >>
> >> I implemented an environment using openser + mysql. The environment
> >> functions perfectly, however I perceived that users (branches) not
> >> registered in mysql are generating calls.
> >>
> >> I installed the X-lite softphone in my computer trying to reproduce the
> >> situation.
> >>
> >> In the properties of configuration of the X-lite, "field Password" I type
> >> "trash" as password (wrong password).
> >>
> >> The display of X-lite showed the following message: "Registration error:
> >> 401 - Unauthorized".
> >>
> >> In the contacts drawer I add a contact (double click on the new contact),
> >> and the call was generated without restriction (very bad).
> >>
> >> Any idea of how I can solve this problem?
> >>
> >> Thanks
> >>
> >> Regards
> >> Jeferson
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users@openser.org
> >> http://openser.org/cgi-bin/mailman/listinfo/users
> >>
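
An added example, not part of the thread and not OpenSER code: a Python model of the two checks in DanB's INVITE block, the RFC 2617 digest verification behind proxy_authorize (no qop, as with the "0" challenge argument) and the From-versus-authenticated-ID comparison behind the 403 "Use From=ID" reply. The subscriber entry, realm, nonce and all function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample data: a plaintext-password subscriber table, as used
# when auth_db runs with calculate_ha1 enabled. All values are illustrative.
SUBSCRIBERS = {("4181", "sip.example.invalid"): "s3cret"}

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest response without qop (challenge sent with qop "0")."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def from_user(from_header):
    """User part of the SIP URI carried in a From header, or ""."""
    match = re.search(r"sips?:([^@;>]+)@", from_header)
    return match.group(1) if match else ""

def screen_invite(method, from_header, creds, nonce):
    """Status code to reply with, or 0 when the request may be relayed."""
    if method != "INVITE":
        return 0                       # the block only gates INVITE
    if creds is None:
        return 407                     # no Proxy-Authorization: challenge
    password = SUBSCRIBERS.get((creds["username"], creds["realm"]))
    if password is None:
        return 407                     # unknown subscriber
    expected = digest_response(creds["username"], creds["realm"], password,
                               method, creds["uri"], nonce)
    if not hmac.compare_digest(expected, creds["response"]):
        return 407                     # wrong password or stale nonce
    if from_user(from_header) != creds["username"]:
        return 403                     # authenticated, but From is not the ID
    return 0

def make_creds(password, nonce, uri="sip:99115551234@sip.example.invalid"):
    """Build what a softphone would send for user 4181 (constructed helper)."""
    realm = "sip.example.invalid"
    resp = digest_response("4181", realm, password, "INVITE", uri, nonce)
    return {"username": "4181", "realm": realm, "uri": uri, "response": resp}
```

With this constructed data, an INVITE with no credentials or with the "trash" password from the thread is answered 407, a correct password with a From user of 4182 is answered 403, and only a correct password with From user 4181 is relayed.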