Hi Alejandro,
First silly question - are you sure your script logic gets to the
check_source_address () function ? Try to place an xlog() there to see
if it gets hit.
You have to take care that the script block you are doing auth is called
only if the caller (FROM hdr) belong to your domain (the myself test,
which checks against the listening IPs and aliases). Maybe that block is
never executed....
Regards,
Bogdan
Alejandro Recarey wrote:
Hi all,
I have been checking the SIP security of my configuration and am shocked
to find out that my configuration is currently not working correctly.
I am using OpenSIPS 1.6.2 and the check_source_address function to only
allow calls from my own domain but it seems that no matter what I write
to the address table, I can always call! That means that any IP address
has access to my OpenSIPS server for outbound calls.
Now, I am certain that it must be a problem with my configuration of the
opensips.cfg file, so any help would be appreciated to find out the
problem.
I am using the permissions module with the following configuration:
mysql> select * from address;
+----+-----+---------------+------+------+-------+----------+----------+
| id | grp | ip | mask | port | proto | pattern | context_i|
+----+-----+---------------+------+------+-------+----------+----------+
| 1 | 0 | 130.117.93.0 | 25 | 5060 | any | ^sip:.*$ | |
+----+-----+---------------+------+------+-------+----------+----------+
My route table is as follows:
route{
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
exit;
}
if (has_totag()) {
# sequential request withing a dialog should
# take the path determined by record-routing
if (loose_route()) {
if (is_method("BYE")) {
setflag(1); # do accounting ...
setflag(3); # ... even if the transaction fails
} else if (is_method("INVITE")) {
# even if in most of the cases is useless, do RR for
# re-INVITEs alos, as some buggy clients do change route set
# during the dialog.
record_route();
}
# route it out to whatever destination was set by loose_route()
# in $du (destination URI).
route(1);
} else {
/* uncomment the following lines if you want to enable presence */
##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
## # in-dialog subscribe requests
## route(2);
## exit;
##}
if ( is_method("ACK") ) {
if ( t_check_trans() ) {
# non loose-route, but stateful ACK; must be an ACK after
# a 487 or e.g. 404 from upstream server
t_relay();
exit;
} else {
# ACK without matching transaction ->
# ignore and discard
exit;
}
}
sl_send_reply("404","Not here");
}
exit;
}
#initial requests
# CANCEL processing
if (is_method("CANCEL"))
{
if (t_check_trans())
t_relay();
exit;
}
t_check_trans();
if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
{
# Here is where I check that the INVITE comes from my servers
if(!check_source_address("0")){
sl_send_reply("403", "Forbidden");
if (!proxy_authorize("", "subscriber")) {
proxy_challenge("", "0");
exit;
}
if (!db_check_from()) {
sl_send_reply("403","Forbidden auth ID");
exit;
}
consume_credentials();
# caller authenticated
}
}
# preloaded route checking
if (loose_route()) {
xlog("L_ERR",
"Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
if (!is_method("ACK"))
sl_send_reply("403","Preload Route denied");
exit;
}
# record routing
if (!is_method("REGISTER|MESSAGE"))
record_route();
# account only INVITEs
if (is_method("INVITE")) {
setflag(1); # do accounting
}
if (!uri==myself)
{
append_hf("P-hint: outbound\r\n");
# Do not act as an open relay
# only allow requests from handled domains
if(from_uri==myself){
route(1);
}
else {
sl_send_reply("403", "Not here");
}
}
# requests for my domain
if (is_method("PUBLISH"))
{
sl_send_reply("503", "Service Unavailable");
exit;
}
if (is_method("REGISTER"))
{
# authenticate the REGISTER requests (uncomment to enable auth)
if (!www_authorize("", "subscriber"))
{
www_challenge("", "0");
exit;
}
if (!db_check_to())
{
sl_send_reply("403","Forbidden auth ID");
exit;
}
if (!save("location"))
sl_reply_error();
exit;
}
if ($rU==NULL) {
# request with no Username in RURI
sl_send_reply("484","Address Incomplete");
exit;
}
# ROUTING happens here
- - - - - - - - -
#
route[1] {
# for INVITEs enable some additional helper routes
if (is_method("INVITE")) {
t_on_branch("2");
t_on_reply("2");
t_on_failure("1");
}
if (!t_relay()) {
sl_reply_error();
};
exit;
}
# request with no Username in RURI
sl_send_reply("484","Address Incomplete");
exit;
}
Thank you in advance, and any explanation of WHERE and WHAT I did wrong
would be a great help to secure my installation.
Regards,
Alex
_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
--
Bogdan-Andrei Iancu
OpenSIPS Event - expo, conf, social, bootcamp
2 - 4 February 2011, ITExpo, Miami, USA
OpenSIPS solutions and "know-how"
_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
