Hi Guys,

Here in my company I have the same problem.

The solution that I adopted was to apply the proxy_authorize function and restrict all incoming calls. I use openser only to originate calls.

Any tips?


----- Original Message ----- 
From: "Jeferson Prevedello" <[EMAIL PROTECTED]>
To: "Dan-Cristian Bogos" <[EMAIL PROTECTED]>
Cc: <users@openser.org>
Sent: Monday, August 27, 2007 12:26 PM
Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]

Hello DanB,

One more problem! :-(

I applied the following configuration in my openser.cfg:

        if (method=="INVITE")
                if (!proxy_authorize("",

I perceived that with the configuration above 'only' registered users can generate calls; however, I no longer receive calls originated through of or of any branch of PBX. I believe these calls are denied because the sources (PSTN - Branches) are not registering in the openser

Is it possible to apply the configuration above only for calls 'originated' from openser?

Thanks !


----- Original Message ----- 
From: "Dan-Cristian Bogos" <[EMAIL PROTECTED]>
To: "Jeferson Prevedello" <[EMAIL PROTECTED]>
Cc: <users@openser.org>
Sent: Monday, August 27, 2007 8:35 AM
Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]

Hello Jeferson,

Your configuration looks a bit messy, if I were OpenSER I would also refuse it. :).

I would suggest taking a more standard configuration (you can find many examples on this location:
and use 1.2 branch of software for start, and experiment with it in some lab environment.
It is a bit difficult as a beginner to start directly experimenting on a production configuration, perhaps written by somebody else, without understanding it. You will end up having big issues troubleshooting in a production environment.

The tip I gave you would be really easy to implement with a block of a few lines, e.g.:

if (is_method("INVITE")){
            if (!proxy_authorize("", "subscriber")) {

            } else if (!check_from()) {
                          sl_send_reply("403", "Use

Documentation for you to understand those lines here:

Usually, there is a lot of documentation and howtos in the openser wiki, so I would suggest you have a glance at some titles which look close to your needs as a beginner.



On 8/27/07, Jeferson Prevedello
> Hello DanB,
> Thanks!
> As per DanB's suggestion, I tried to implement a mechanism that only allowed
> authenticated members to make calls, but my configuration didn't function.
> This is my first project with openser, therefore I do not have much
> experience. If someone knows how to help me to implement this verification, I
> will be very thankful.
> Below, my openser.cfg file:
> -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
> # ----------- global configuration parameters
> debug=3
> fork=yes
> log_stderror=no
> log_facility=LOG_LOCAL7
> # hostname matching an alias will satisfy the condition "uri==myself".
> alias=xxx.xxx.xxx.xxx
> listen=udp:xxx.xxx.xxx.xxx:5060
> # check_via - Turn on or off Via host checking when forwarding replies.
> # Default is no. arcane. looks for discrepancy between name and
> # ip address when forwarding replies.
> check_via=yes
> # syn_branch - Shall the server use stateful synonym branches? It is
> # faster but not reboot-safe. Default is yes.
> syn_branch=yes
> # dns - Uses dns to check if it is necessary to add a "received=" field
> # to a via. Default is no.
> # rev_dns - Same as dns but use reverse DNS.
> dns=no
> rev_dns=no
> port=5060
> children=4
> # memlog - Debugging level for final memory statistics report. Default
> # is L_DBG -- memory statistics are dumped only if debug is set high.
>  memlog=3
> # sip_warning - Should replies include extensive warnings? By default
> # yes, it is good for trouble-shooting.
> sip_warning=yes
> # fifo - FIFO special file pathname
> fifo="/tmp/openser_fifo"
> # reply_to_via - A hint to reply modules whether they should send reply
> # to IP advertised in Via. Turned off by default, which means that
> # replies are sent to IP address from which requests
>  reply_to_via=no
> # mhomed -- enable calculation of outbound interface; useful on
> # multihomed servers.
> mhomed=0
> mhomed=0
> # ------------------ module loading
> # Uncomment this if you want to use SQL database
> loadmodule "/usr/lib/openser/modules/mysql.so"
> loadmodule "/usr/lib/openser/modules/sl.so"
> loadmodule "/usr/lib/openser/modules/tm.so"
> loadmodule "/usr/lib/openser/modules/rr.so"
> loadmodule "/usr/lib/openser/modules/maxfwd.so"
> loadmodule "/usr/lib/openser/modules/usrloc.so"
> loadmodule "/usr/lib/openser/modules/registrar.so"
> loadmodule "/usr/lib/openser/modules/textops.so"
> loadmodule "/usr/lib/openser/modules/nathelper.so"
> loadmodule "/usr/lib/openser/modules/acc.so"
> loadmodule "/usr/lib/openser/modules/xlog.so"
> # Uncomment this if you want digest authentication
> # mysql.so must be loaded !
> loadmodule "/usr/lib/openser/modules/auth.so"
> loadmodule "/usr/lib/openser/modules/auth_db.so"
> # ----------------- setting module-specific parameters ---------------
> # ------------- usrloc parameters
> # 2 enables write-back to persistent mysql storage for speed
> # disable=0, write-through=1
> modparam("usrloc", "db_mode", 0)
> # minimize write back window - default is 60 seconds
> modparam("usrloc", "timer_interval", 30)
> # ------------- auth parameters
> # Uncomment if you are using auth module
> modparam("auth_db", "calculate_ha1", yes)
> # If you set "calculate_ha1" parameter to yes (which true in this config),
> # uncomment also the following parameter)
> modparam("auth_db", "password_column", "password")
> # ------------- rr parameters
> # add value to ;lr param to make some broken UAs
> modparam("rr", "enable_full_lr", 1)
> # ------------- !! Nathelper
> modparam("registrar", "nat_flag", 6)
> modparam("nathelper", "natping_interval", 30) # Ping interval 30 s
> modparam("nathelper", "ping_nated_only", 1)   # Ping only clients behind
> modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock")   # Nathelper with RTPproxy
> # ------------- tm parameters
> modparam("tm", "fr_timer", 12)
> modparam("tm", "fr_inv_timer", 24)
> # -------------  acc parameters
> modparam("acc", "db_url", "mysql://openser:[EMAIL PROTECTED]/openser")
> modparam("acc", "db_flag", 2)
> modparam("acc", "db_missed_flag", 2)
> modparam("acc", "log_flag", 1)
> modparam("acc", "log_missed_flag", 2)
> modparam("acc", "log_level", 2)   # Set log_level to
> # Allow no more than 1 contacts per AOR
> modparam("registrar", "max_contacts", 3)
> # -------------------------  request routing logic
> # main routing logic
> route{
>  if (!mf_process_maxfwd_header("10"))
>         {
>   sl_send_reply("483","Too Many Hops");
>   exit;
>  };
>  if (msg:len >=  2048 )
>  {
>   sl_send_reply("513", "Message too big");
>   exit;
>  };
>  # < Accounting >
>         if (method=="INVITE")
>  {
>                 log(1, "Generate call - START\n");
>                 setflag(1); /* set for accounting (the same value as in log_flag!) */
>     setflag(2);
>         };
>         if (method=="BYE")
>  {
>                 log (1, "Hung-up \n");
>                 setflag(1);
>         };
>         if (method=="CANCEL")
>  {
>                 log (1, "Lost call \n");
>                 setflag(1);
>  }
>  if (!method=="REGISTER")
>   record_route();
>  if (nat_uac_test("3"))
>  {
>                 # Allow RR-ed requests, as these may indicate that
>                 # a NAT-enabled proxy takes care of it; unless it is
>                 # a REGISTER
>                 if (method == "REGISTER" || !
>   {
>                     log(1,"LOG: Someone trying to register from private IP, rewriting\n");
>                     # This will work only for user agents that support symmetric
>                     # communication. We tested quite many of them and majority is
>                     # smart enough to be symmetric. In some phones it takes a configuration
>                     # option. With Cisco 7960, it is NAT_Enable=Yes, with kphone it is
>                     # called "symmetric media" and "symmetric signalling".
>                     fix_nated_contact(); # Rewrite contact with source IP of signalling
>                     force_rport();       # Add rport parameter to topmost Via
>                     setflag(6);          # Mark as
>                 };
>         };
>  # subsequent messages within a dialog should take
>  # path determined by record-routing
>  if (loose_route())
>  {
>     # mark routing logic in request
>     append_hf("P-hint: rr-enforced\r\n");
>     route(1);
>  };
>  if (!uri==myself)
>  {
>     # mark routing logic in request
>     append_hf("P-hint: outbound\r\n");
>     route(1);
>  };
>  # if the request is for other domain use UsrLoc
>  # (in case, it does not work, use the following
>  # with proper names and addresses in it)
>  if (uri==myself)
>  {
>   if (method=="REGISTER")
>   {
>      # Uncomment this if you want to use digest
>      if (!www_authorize("xxx.xxx.xxx.xxx",
>       {
>         www_challenge("xxx.xxx.xxx.xxx", "0");
>         return;
>                    };
>                       save("location");
>         return;
>                 };
>                 lookup("aliases");
>                 if (!uri==myself)
>   {
>                    append_hf("P-hint: outbound
>                    route(1);
>      return;
>                 };
>   # Router Cisco if not sip branche
>          log(1,"LOG: testando se destino-sip e' 418x
>   if ( ! ( uri =~ "^sip:418[1-9].*" ) &&
>        ! ( uri =~ "^sip:4397"))
>   {
>                log(1,"LOG: destino-sip not is 418x
>                route(2);
>                log(1,"LOG: rewriting hostport
>      rewritehostport("yyy.yyy.yyy.yyy:5060");
>                log(1,"LOG: t_relay...\n");
>                t_relay();
>                log(1,"LOG: break...\n");
>         return;
>          }
>             log(1,"LOG: destino-sip  418x, continue
>   # native SIP destinations are handled using our
>   if (!lookup("location"))
>   {
>                sl_send_reply("404", "Not Found");
>         return;
>          };
>  };
>         append_hf("P-hint: usrloc applied\r\n");
>         route(1);
> }
> #######################################
> route[1]
> {
>         # !! Nathelper
>         if
> !search("^Route:"))
>  {
>             sl_send_reply("479", "We don't forward to private IP addresses");
>      return;
>         };
>         # if client or server know to be behind a NAT, enable relay
>         if (isflagset(6))
>  {
>             force_rtp_proxy();
>      t_on_reply("1");
>             append_hf("P-Behind-NAT: Yes\r\n");
>         };
>      if (!t_relay())
>  {
>             sl_reply_error();
>      return;
>      };
> }
>  # !! Nathelper
>     onreply_route[1]
> {
>      # NATed transaction ?
>      if (isflagset(6) && status =~
>   {
>             fix_nated_contact();
>             force_rtp_proxy();
>       }
>   else if (nat_uac_test("1"))
>   {
>             fix_nated_contact();
>          };
> }
> #######################################
> route[2] {
>   ### Dial Plan for gateway VoIP ###
>   # Sao Paulo 11
>   if ( uri =~ "^sip:9911.*" )
>    {
>    log(1,"LOG: destination is 9911x, change
>    strip(4);
>    prefix("011");
>    return;
>    }
>   # Error (Number inexistent)
>   sl_reply_error();
> }
> -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x -x-x-x-x-x-x-x-x
> Regards
> Jeferson
> ----- Original Message -----
> From: "Dan-Cristian Bogos" <[EMAIL PROTECTED]>
> To: "Jeferson Prevedello" <[EMAIL PROTECTED]>
> Cc: <users@openser.org>
> Sent: Saturday, August 25, 2007 3:06 PM
> Subject: Re: [OpenSER-Users] Unauthorized Calls - [Openser - X-lite]
> > Hello Jeferson,
> >
> > it all depends on your openser.cfg.
> > If you put in there that all the INVITE-s should be authenticated, your
> > users will not be able anymore to call without having a valid user and
> > password for your server. Note that by default openser will not do any
> > check for you, in order to keep the flexibility of being used in
> > different environment setups.
> >
> > Cheers,
> > DanB
> >
> > On 8/25/07, Jeferson Prevedello
> >>
> >>
> >> Hello,
> >>
> >> I implemented an environment using openser + mysql. The environment
> >> functions perfectly, however I perceived that users (branches) not
> >> registered in mysql are generating calls.
> >>
> >> I installed the X-lite softphone on my computer trying to reproduce the
> >> situation.
> >> In the configuration properties of the X-lite, "field Password", I
> >> typed "trash" as password (wrong password).
> >>
> >> The display of X-lite showed the following message: "Registration error:
> >> 401 - Unauthorized".
> >>
> >> In the contacts drawer I added a contact (double click on the new contact),
> >> and the call was generated without restriction (very bad).
> >>
> >> Any idea of how I can solve this problem?
> >>
> >> Thanks
> >>
> >> Regards
> >> Jeferson
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users@openser.org
> >> http://openser.org/cgi-bin/mailman/listinfo/users
> >>
> >>
> >
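
The open question in this thread (require digest authentication for INVITEs from subscribers, while still accepting calls from a PSTN gateway and PBX branches that never register) can be handled by exempting known source addresses before the `proxy_authorize` check. The fragment below is an added example, not code from any poster in the thread; the 192.0.2.x addresses are placeholders, and it assumes `uri_db.so` is loaded in addition to the modules in the posted config so that `check_from()` is available.

```cfg
# Added example: fragment for the main route of openser.cfg (OpenSER 1.2 syntax).
# Assumptions (not from the thread):
#   192.0.2.10 = PSTN gateway, 192.0.2.20 = PBX branch (placeholder addresses)
#   uri_db.so is loaded, since check_from() is exported by uri_db in the 1.2 branch
# Place this block before any lookup()/t_relay() call in the main route.

if (is_method("INVITE")) {
    if (src_ip==192.0.2.10 || src_ip==192.0.2.20) {
        # Known, non-registering sources: they have no subscriber credentials
        # and cannot answer a digest challenge, so they are accepted by
        # source address only.
        log(1, "INVITE from trusted gateway/branch, skipping digest auth\n");
    } else {
        # Every other source must present valid credentials from the
        # subscriber table; without them it gets a 407 challenge.
        if (!proxy_authorize("", "subscriber")) {
            proxy_challenge("", "0");
            exit;
        }
        # The authenticated username must match the From URI, so one
        # subscriber cannot place calls under another subscriber's identity.
        if (!check_from()) {
            sl_send_reply("403", "Forbidden");
            exit;
        }
        # Do not forward the Proxy-Authorization header downstream.
        consume_credentials();
    }
}
```

Source-address matching on UDP is only as strong as the network filtering in front of the proxy, so pair the exemption with a firewall rule that accepts SIP from those addresses on the expected interface only.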
