[OpenSIPS-Users] Authentication using Username, Password, IP address or Just IP address
Bogdan-Andrei Iancu
bogdan at opensips.org
Mon Feb 10 09:58:02 CET 2014
Hello,
I would strongly advise you to use the address table in conjunction with
check_address() or check_source_address(). See:
http://www.opensips.org/html/docs/modules/1.10.x/permissions.html#sec-address-permissions
http://www.opensips.org/html/docs/modules/1.10.x/permissions.html#id294509
It works via DB (easy to provision), it is cached, has a reload
function, etc. - several advantages.
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com
On 10.02.2014 06:35, Alectronic wrote:
> Hi,
>
> Thanks for pointing me in the right direction with the permission module. I
> have set up the modules and added information to the hosts.allow & hosts.deny
> files (in the case of hosts.deny it is ALL : ALL and it only seems to have
> blocked my SSH connection), but calls are still flowing. I'm guessing I need to
> add details to the address table, but I'm not sure; or do I need to use
> allow_routing(allow_file,deny_file)? Below is the current config for
> register and authenticate and the newly added modules.
>
> loadmodule "permissions.so"
> modparam("permissions", "default_allow_file", "/etc/hosts.allow")
> modparam("permissions", "default_deny_file", "/etc/hosts.deny")
> modparam("permissions", "check_all_branches", 0)
> modparam("permissions", "allow_suffix", ".allow")
> modparam("permissions", "deny_suffix", ".deny")
> modparam("permissions", "db_url", "mysql://opensips:test@localhost/opensips")
> modparam("permissions", "address_table", "address")
> modparam("permissions", "grp_col", "grp")
> modparam("permissions", "ip_col", "ip")
> modparam("permissions", "mask_col", "mask")
> modparam("permissions", "port_col", "port")
> modparam("permissions", "proto_col", "proto")
> #modparam("permissions", "pattern_col", "pattern") /*opensips doesn't like this modparam. possible bug? Error information at the bottom*/
> modparam("permissions", "info_col", "context_info")
>
> #is the IP address whitelisted?
> if (allow_routing()) {
>     xlog("IP Allow Routing");
> }
> #Check to see if the endpoint can authenticate / Register with username/password
> else {
>     xlog("authentication required for call from $si");
>     if (!is_method("REGISTER")) {
>         # EC - auth
>         if (!proxy_authorize("", "subscriber")) {
>             xlog("proxy challenge!");
>             proxy_challenge("", "0"); # Realm will be autogenerated
>             exit;
>         }
>         if (!db_check_from()) {
>             xlog("forbidden!");
>             sl_send_reply("403","Forbidden auth ID");
>             exit;
>         }
>         consume_credentials();
>     } else {
>         if (!www_authorize("", "subscriber")) {
>             xlog("www challenge!");
>             www_challenge("", "0"); # Realm will be autogenerated
>             exit;
>         }
>
>         if (!db_check_from()) {
>             xlog("forbidden!");
>             sl_send_reply("403","Forbidden auth ID");
>             exit;
>         }
>
>         if (!save("location")) {
>             xlog("failed to save location!");
>             sl_reply_error();
>         }
>
>         xlog("registered - $from");
>         exit;
>     }
> }
>
>
> When this finally works, would this be how it works?
> If it's in the .allow file = just requires IP to make a call
> If it's in the .deny file = blocks calls
> If it's not in either file = has to authenticate with username/password
>
>
>
> I also had an error when setting up the permission module; it didn't like
> "modparam("permissions", "pattern_col", "pattern")". Below is the error
> message I got from the log file.
>
> Feb 10 15:20:34 AdaptivOpenSips opensips: ERROR:core:set_mod_param_regex: parameter <pattern_col> not found in module <permissions>
> Feb 10 15:20:34 AdaptivOpenSips opensips: CRITICAL:core:yyerror: parse error in config file /etc/opensips/opensips.cfg, line 216, column 20-21: Parameter <pattern_col> not found in module <permissions> - can't set
> Feb 10 15:20:34 AdaptivOpenSips opensips: ERROR:core:main: bad config file (1 errors)
>
> It looks like this module parameter is not available.
>
>
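A sketch of the address-table approach recommended in the reply, combined with the digest fallback from the quoted config. This is an added example, not code from either poster or from the OpenSIPS project; the group id 1, the sample row and the choice to always authenticate REGISTER are assumptions.

```opensips
# Added example. Assumes OpenSIPS 1.10 with the permissions, auth, auth_db,
# registrar and sl modules loaded, and the address-table column names from
# the quoted modparams (grp, ip, mask, port, proto, context_info).
#
# Constructed row for one trusted peer (192.0.2.10 is a documentation
# address, group 1 is an arbitrary choice):
#   INSERT INTO address (grp, ip, mask, port, proto, context_info)
#   VALUES (1, '192.0.2.10', 32, 5060, 'udp', 'trusted-peer');
# The table is cached in memory; after editing rows, refresh the cache with
# the module's address_reload MI command.

if (is_method("REGISTER")) {
    # Assumption: registrations always use digest auth, because they bind a
    # contact to a subscriber and a source IP says nothing about which one.
    if (!www_authorize("", "subscriber")) {
        www_challenge("", "0");   # empty realm: generated by the module
        exit;
    }
    if (!db_check_from()) {
        sl_send_reply("403", "Forbidden auth ID");
        exit;
    }
    if (!save("location")) {
        sl_reply_error();
    }
    exit;
} else if (check_source_address("1")) {
    # Source IP, port and protocol match a row in group 1 of the address
    # table: treat as a trusted peer and skip digest authentication.
    xlog("L_INFO", "trusted source $si:$sp, digest auth skipped\n");
} else {
    # Not in the address table: fall back to username/password.
    xlog("L_INFO", "authentication required for request from $si\n");
    if (!proxy_authorize("", "subscriber")) {
        proxy_challenge("", "0");
        exit;
    }
    if (!db_check_from()) {
        sl_send_reply("403", "Forbidden auth ID");
        exit;
    }
    consume_credentials();
}
```

Keep the trusted group to static peer addresses with an explicit port and protocol; a broad mask or a port of 0 (any) widens what bypasses digest authentication.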