[OpenSIPS-Users] Opensips security problem
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Fri Oct 8 17:10:44 CEST 2010
Hi James,

Use the domain module to list in the DB all your local domains, and check in
the script whether the domain in the RURI is local or not. Use
http://www.opensips.org/html/docs/modules/1.6.x/domain.html#id227177

If the domain is not local, reject the registration.

Regards,
Bogdan

James Mbuthia wrote:
> Hi,
>
> Am having a problem with someone trying to use my opensips to relay
> calls. Below is a snippet of my log file
>
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:parse_msg: SIP Request:
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:parse_msg: method: <REGISTER>
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:parse_msg: uri: <sip:sip.persiantools.com>
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:parse_msg: version: <SIP/2.0>
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:parse_headers: flags=2
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:parse_via_param: found param type 232, <branch> =
> <z9hG4bK29073721>; state=6
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:parse_via_param: found param type 235, <rport> = <n/a>; state=17
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:parse_via: end of header reached, state=5
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:parse_headers: via found, flags=2
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:parse_headers: this is the first via
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:receive_msg: After parse_msg...
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:receive_msg: preparing to run routing scripts...
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:parse_headers: flags=100
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:parse_to: end of header reached, state=10
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:parse_to: display={}, ruri={sip:49102@sip.persiantools.com}
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:get_hdr_field: <To> [34]; uri=[sip:49102@sip.persiantools.com]
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:get_hdr_field: to body [<sip:49102@sip.persiantools.com>
> ]
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:get_hdr_field: cseq <CSeq>: <22695> <REGISTER>
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:maxfwd:is_maxfwd_present: value = 70
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:uri:has_totag: no totag
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:parse_headers: flags=78
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:tm:t_lookup_request: start searching: hash=51210, isACK=0
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:tm:matching_3261: RFC3261 transaction matching failed
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:tm:t_lookup_request: no transaction found
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:parse_headers: flags=200
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:get_hdr_field: content_length=0
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:get_hdr_field: found end of header
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:rr:find_first_route: No Route headers found
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:rr:loose_route: There is no Route HF
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:grep_sock_info: checking if host==us: 20==13 &&
> [sip.persiantools.com] == [72.55.133$
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:grep_sock_info: checking if port 5060 matches port 5060
> Oct 8 08:50:32 CL-T020-483CL /usr/local/sbin/opensips[4680]:
> DBG:core:check_self: host != me
>
>
>
> As you can see am getting Register requests
> from sip:49102@sip.persiantools.com. What I wanted to know, how
> do I block all requests from sip.persiantools.com? Do I use the
> userblacklist module? I tried doing that but my problem is that the
> database entry requires a prefix, since I want to block all requests
> from that specific domain how do I go around it? Or conversely how do
> I make a configuration that only allows requests from a specific
> domain? Any help would be highly appreciated.
>
> regards,
> James
>
--
Bogdan-Andrei Iancu
OpenSIPS Bootcamp
15 - 19 November 2010, Edison, New Jersey, USA
www.voice-system.ro
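
The check described in the reply above, sketched as an added example (not part of the original thread and not the project's own sample config): a fragment for an OpenSIPS 1.6.x `opensips.cfg` that rejects a REGISTER whose Request-URI host is not in the `domain` table. The DB URL, the example domain and the reply texts are placeholders, and the To-domain check goes one step beyond what the reply asks for.

```cfg
# Added example: merge into an existing OpenSIPS 1.6.x opensips.cfg.
# Assumes sl.so, usrloc.so, registrar.so and a DB backend module
# (e.g. db_mysql.so) are already loaded and configured.

loadmodule "domain.so"

# Placeholder DB URL; point it at your own OpenSIPS database.
modparam("domain", "db_url", "mysql://opensips:CHANGE_ME@localhost/opensips")
# 1 = cache the domain table in memory instead of querying per request.
# After editing the table, reload the cache with the domain_reload MI command.
modparam("domain", "db_mode", 1)

# Local domains are rows in the "domain" table, one per served domain, e.g.
#   INSERT INTO domain (domain) VALUES ('sip.example.com');  -- placeholder name

route {
    if (method == "REGISTER") {
        # Request-URI host must be one of our own domains. For the request in
        # the log above (sip:sip.persiantools.com) this test fails.
        if (!is_uri_host_local()) {
            sl_send_reply("403", "Domain not served here");
            exit;
        }

        # Addition beyond the reply: the To header carries the address of
        # record being registered, so require a local domain there as well.
        if (!is_domain_local("$td")) {
            sl_send_reply("403", "Domain not served here");
            exit;
        }

        # Only registrations for local domains reach the location table.
        if (!save("location"))
            sl_reply_error();
        exit;
    }

    # ... remaining routing logic of the existing script ...
}
```

Because the table is an allowlist of served domains, this also covers the "only allow requests for a specific domain" variant of the question without needing a per-domain blacklist entry.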