[OpenSIPS-Users] Problem with the configuration of permissions module

Bogdan-Andrei Iancu bogdan at opensips.org
Tue Jan 18 14:08:45 CET 2011


Hi Alejandro,

First silly question - are you sure your script logic actually reaches the check_source_address() call? Put an xlog() right in front of it to see whether it gets hit.

Two things I can see in the snippet itself, independent of that:

1. After `sl_send_reply("403", "Forbidden");` there is no `exit;`, so a request from a source that is NOT in the address table does not stop there - it falls straight into the proxy_authorize() part below it. A client that sends valid subscriber credentials is therefore relayed anyway, and a client without credentials receives a 403 followed by a 407 for the same request. Decide which policy you want: for a strict IP allow-list add `exit;` right after the 403; if the intent is "trusted IPs skip auth, everybody else must authenticate", drop the 403 altogether and keep only the proxy_authorize()/db_check_from() part.

2. The permissions module loads the address table into memory at startup; editing the DB row alone changes nothing in the running proxy until you run `opensipsctl fifo address_reload` (or restart opensips). Use `opensipsctl fifo address_dump` to check which table is actually in effect. Also note that `port` 5060 in your row matches only requests whose source port is 5060 - use 0 if you mean "any port".

Also keep in mind that the block doing the auth is only entered when the caller (the From header) belongs to your domain - the `myself` test, which compares against the listening IPs and aliases. The From header is supplied by the client, so that test only selects which branch of the script runs; it is not a trust decision. A request with a foreign From that wants to go outbound is refused by the `from_uri==myself` check near the bottom of the main route block, but a request whose From claims your domain has this auth block as its only gate, so it has to be correct. Maybe that block is never executed at all in your tests....

Regards,
Bogdan

Alejandro Recarey wrote:
> Hi all,
>
> I have been checking the SIP security of my configuration and am shocked
> to find out that my configuration is currently not working correctly.
>
> I am using OpenSIPS 1.6.2 and the check_source_address function to only
> allow calls from my own domain but it seems that no matter what I write
> to the address table, I can always call! That means that any IP address
> has access to my OpenSIPS server for outbound calls.
>
> Now, I am certain that it must be a problem with my configuration of the
> opensips.cfg file, so any help would be appreciated to find out the
> problem.
>
> I am using the permissions module with the following configuration:
>
> mysql> select * from address;
> +----+-----+---------------+------+------+-------+----------+----------+
> | id | grp | ip            | mask | port | proto | pattern  | context_i|
> +----+-----+---------------+------+------+-------+----------+----------+
> |  1 |   0 | 130.117.93.0  |   25 | 5060 | any   | ^sip:.*$ |          |
> +----+-----+---------------+------+------+-------+----------+----------+
>
> My route table is as follows:
>
> route{
>
>     if (!mf_process_maxfwd_header("10")) {
>         sl_send_reply("483","Too Many Hops");
>         exit;
>     }
>
>     if (has_totag()) {
>         # sequential request withing a dialog should
>         # take the path determined by record-routing
>         if (loose_route()) {
>             if (is_method("BYE")) {
>                 setflag(1); # do accounting ...
>                 setflag(3); # ... even if the transaction fails
>             } else if (is_method("INVITE")) {
>                 # even if in most of the cases is useless, do RR for
>                 # re-INVITEs alos, as some buggy clients do change route set
>                 # during the dialog.
>                 record_route();
>             }
>             # route it out to whatever destination was set by loose_route()
>             # in $du (destination URI).
>             route(1);
>         } else {
>             /* uncomment the following lines if you want to enable presence */
>             ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
>             ##    # in-dialog subscribe requests
>             ##    route(2);
>             ##    exit;
>             ##}
>             if ( is_method("ACK") ) {
>                 if ( t_check_trans() ) {
>                     # non loose-route, but stateful ACK; must be an ACK after
>                     # a 487 or e.g. 404 from upstream server
>                     t_relay();
>                     exit;
>                 } else {
>                     # ACK without matching transaction ->
>                     # ignore and discard
>                     exit;
>                 }
>             }
>             sl_send_reply("404","Not here");
>         }
>         exit;
>     }
>
>     #initial requests
>
>     # CANCEL processing
>     if (is_method("CANCEL"))
>     {
>         if (t_check_trans())
>             t_relay();
>         exit;
>     }
>
>     t_check_trans();
>
>
>     if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
>     {
>         # Here is where I check that the INVITE comes from my servers
>         if(!check_source_address("0")){
>
>             sl_send_reply("403", "Forbidden");
>
>             if (!proxy_authorize("", "subscriber")) {
>                 proxy_challenge("", "0");
>                 exit;
>             }
>             if (!db_check_from()) {
>                 sl_send_reply("403","Forbidden auth ID");
>                 exit;
>             }
>
>             consume_credentials();
>             # caller authenticated
>         }
>     }
>
>     # preloaded route checking
>     if (loose_route()) {
>         xlog("L_ERR",
>         "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
>         if (!is_method("ACK"))
>             sl_send_reply("403","Preload Route denied");
>         exit;
>     }
>
>     # record routing
>     if (!is_method("REGISTER|MESSAGE"))
>         record_route();
>
>     # account only INVITEs
>     if (is_method("INVITE")) {
>         setflag(1); # do accounting
>     }
>
>     if (!uri==myself)
>     {
>         append_hf("P-hint: outbound\r\n");
>
>         # Do not act as an open relay
>         #   only allow requests from handled domains
>         if(from_uri==myself){
>             route(1);
>         }
>         else {
>             sl_send_reply("403", "Not here");
>         }
>     }
>
>     # requests for my domain
>
>     if (is_method("PUBLISH"))
>     {
>         sl_send_reply("503", "Service Unavailable");
>         exit;
>     }
>
>
>     if (is_method("REGISTER"))
>     {
>         # authenticate the REGISTER requests (uncomment to enable auth)
>         if (!www_authorize("", "subscriber"))
>         {
>             www_challenge("", "0");
>             exit;
>         }
>
>         if (!db_check_to())
>         {
>             sl_send_reply("403","Forbidden auth ID");
>             exit;
>         }
>
>         if (!save("location"))
>             sl_reply_error();
>
>         exit;
>     }
>
>     if ($rU==NULL) {
>         # request with no Username in RURI
>         sl_send_reply("484","Address Incomplete");
>         exit;
>     }
>
>     # ROUTING happens here
>  - - - - - - - - -
>     #
>
> route[1] {
>     # Stateful relay of the request to the destination the caller already
>     # set up (e.g. $du from loose_route()). For INVITEs, arm the helper
>     # routes first: branch route 2, reply route 2 and failure route 1
>     # (defined elsewhere in the config, not shown in this mail).
>     if (is_method("INVITE")) {
>         t_on_branch("2");
>         t_on_reply("2");
>         t_on_failure("1");
>     }
>
>     # If the transaction could not be created/forwarded, answer the
>     # request with a stateless error reply instead of silently dropping it.
>     if (!t_relay()) {
>         sl_reply_error();
>     };
>     exit;
> }
>
>
>
>
>
>         # request with no Username in RURI
>         sl_send_reply("484","Address Incomplete");
>         exit;
>     }
>
>
>
>
>
> Thank you in advance, and any explanation of WHERE and WHAT I did wrong
> would be a great help to secure my installation.
>
> Regards,
>
> Alex
>
>
>   


-- 
Bogdan-Andrei Iancu
OpenSIPS Event - expo, conf, social, bootcamp
2 - 4 February 2011, ITExpo, Miami,  USA
OpenSIPS solutions and "know-how"



