[OpenSIPS-Users] Opensips security problem
James Mbuthia
jmmbuthia at gmail.com
Fri Oct 8 14:58:04 CEST 2010
Hi,

I am having a problem with someone trying to use my opensips to relay calls.
Below is a snippet of my log file:
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:parse_msg: SIP Request:
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:parse_msg: method: <REGISTER>
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:parse_msg: uri: <sip:sip.persiantools.com>
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:parse_msg: version: <SIP/2.0>
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:parse_headers: flags=2
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:parse_via_param: found param type 232, <branch> = <z9hG4bK29073721>; state=6
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:parse_via_param: found param type 235, <rport> = <n/a>; state=17
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:parse_via: end of header reached, state=5
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:parse_headers: via found, flags=2
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:parse_headers: this is the first via
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:receive_msg: After parse_msg...
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:receive_msg: preparing to run routing scripts...
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:parse_headers: flags=100
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:parse_to: end of header reached, state=10
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:parse_to: display={}, ruri={sip:49102@sip.persiantools.com}
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:get_hdr_field: <To> [34]; uri=[sip:49102@sip.persiantools.com]
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:get_hdr_field: to body [<sip:49102@sip.persiantools.com>]
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:get_hdr_field: cseq <CSeq>: <22695> <REGISTER>
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:maxfwd:is_maxfwd_present: value = 70
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:uri:has_totag: no totag
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:parse_headers: flags=78
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:tm:t_lookup_request: start searching: hash=51210, isACK=0
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:tm:matching_3261: RFC3261 transaction matching failed
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:tm:t_lookup_request: no transaction found
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:parse_headers: flags=200
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:get_hdr_field: content_length=0
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:get_hdr_field: found end of header
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:rr:find_first_route: No Route headers found
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:rr:loose_route: There is no Route HF
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:grep_sock_info: checking if host==us: 20==13 && [sip.persiantools.com] == [72.55.133$
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:grep_sock_info: checking if port 5060 matches port 5060
Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]: DBG:core:check_self: host != me
As you can see, I am getting REGISTER requests from
sip:49102@sip.persiantools.com. What I wanted to know is: how do I block all
requests from sip.persiantools.com? Do I use the userblacklist module? I tried
doing that, but my problem is that the database entry requires a prefix; since I
want to block all requests from that specific domain, how do I get around it? Or,
conversely, how do I make a configuration that only allows requests from a
specific domain? Any help would be highly appreciated.
regards,
James
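The two checks the question asks for, written as an added example that is not part of the original post and not code from the OpenSIPS project. It is an opensips.cfg fragment in OpenSIPS 1.x script syntax for the top of the main route block; it assumes the sl and xlog modules are loaded (as in the stock configuration) and uses "sip.example.com" as a placeholder for the domain this proxy really serves. The log above shows the proxy already calling loose_route(), so in a real configuration the Request-URI check belongs after that call.

```cfg
# Added example (not from the original post or from the OpenSIPS project).
# Placeholder: replace sip.example.com with the domain this proxy serves.
# Modules assumed loaded elsewhere in the file: sl.so, xlog.so.

alias=sip.example.com      # makes "myself" match our domain name, not only the listen IPs

route {
    # 1. The specific traffic from the log: a REGISTER whose address-of-record
    #    (the To header URI) is in a domain we do not serve.
    #    $td = domain part of the To URI, $tu = full To URI,
    #    $si/$sp = source IP and port of the packet.
    if (method=="REGISTER" && $td != "sip.example.com") {
        xlog("L_WARN", "foreign REGISTER for $tu from $si:$sp, rejecting\n");
        sl_send_reply("403", "Forbidden");
        exit;
    }

    # 2. The general form of "only serve my own domain": any request whose
    #    Request-URI host is not one of our listen addresses or alias= names is
    #    a relay attempt.  In a configuration that calls loose_route(), put this
    #    after that call so that in-dialog requests carrying a Route header
    #    still pass.  $rm = request method, $ru = Request-URI.
    if (!uri==myself) {
        xlog("L_WARN", "relay attempt $rm $ru from $si:$sp, rejecting\n");
        sl_send_reply("403", "Relaying denied");
        exit;
    }

    # ... remaining routing logic (authentication, save("location"),
    #     lookup("location"), t_relay()) continues here ...
}
```

Two caveats. First, both checks compare fields the sender chooses: a scanner that sets the To header or Request-URI to your own domain passes them, so they remove misdirected noise but do not replace authenticating REGISTER (www_challenge with auth_db) and rate limiting the source. Second, blocking by origin rather than by domain is not a SIP-layer decision at all; if the aim is to drop everything from a given host, the packet filter in front of the proxy is the right place.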