Block user from registration


Block user from registration

Satish Patel
Hi,

We have many users using both the registration method and the IP auth method to send calls, but I want to be able to disable the registration method if they use the IP auth method (just as prevention against hacking attacks).

I believe registration is only required for incoming calls, to find the user's location, right? How do I tell OpenSIPS not to accept the user registration method, even when OpenSIPS challenges for proxy auth? Any suggestions?

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: Block user from registration

osiris123d
Would you not just do something like this?

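# FriendlyIP is a placeholder for your own trusted-source-IP test
if (FriendlyIP && is_method("REGISTER"))
{
        # no digest challenge: the binding is stored as sent
        if (t_newtran()) {
                save("location");
        }

        exit;
}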

On Wed, Dec 31, 2014 at 10:22 AM, Satish Patel <[hidden email]> wrote:
Hi,

We have many users using both the registration method and the IP auth method to send calls, but I want to be able to disable the registration method if they use the IP auth method (just as prevention against hacking attacks).

I believe registration is only required for incoming calls, to find the user's location, right? How do I tell OpenSIPS not to accept the user registration method, even when OpenSIPS challenges for proxy auth? Any suggestions?


Re: Block user from registration

Satish Patel
How will it help if I want to allow only IP auth for a specific user but not registration auth? How does your logic deal with the user level?


On Wed, Dec 31, 2014 at 12:22 PM, Duane Larson <[hidden email]> wrote:
Would you not just do something like this?

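# FriendlyIP is a placeholder for your own trusted-source-IP test
if (FriendlyIP && is_method("REGISTER"))
{
        # no digest challenge: the binding is stored as sent
        if (t_newtran()) {
                save("location");
        }

        exit;
}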


Re: Block user from registration

osiris123d
My logic saves the user that is registering into the location table without challenging them for a password or checking that the user or domain is local to the OpenSIPS instance. If you are looking for something more, you might want to provide more detail.

This would allow fake accounts to register if they are from a friendly IP.

On Wednesday, December 31, 2014, Satish Patel <[hidden email]> wrote:
How will it help if I want to allow only IP auth for a specific user but not registration auth? How does your logic deal with the user level?



Re: Block user from registration

Ali Pey
You can also consider using the permissions module. If the src IP is there, then you can accept the request, otherwise, drop the message.

Regards,
Ali Pey


On Wed, Dec 31, 2014 at 1:30 PM, Duane Larson <[hidden email]> wrote:
My logic saves the user that is registering into the location table without challenging them for a password or checking that the user or domain is local to the OpenSIPS instance. If you are looking for something more, you might want to provide more detail.

This would allow fake accounts to register if they are from a friendly IP.



Re: Block user from registration

Satish Patel
In reply to this post by osiris123d
Let's say I have user "A" using IP-based authentication to send calls outside using the OpenSIPS proxy. (The same user has the option to use username/password to register and send calls.)

We have developed a web GUI to give control to the "customer" so they can enable/disable their registration-based method. (The reason we give that control to the user is that if the user has a dedicated public IP, then he can disable the "Registration"-based method so a hacker can't exploit their users' accounts.)

So my original question is: how, or what, should I use or configure in OpenSIPS so I can switch user-based registration on/off? (We only allow sending calls outside; no inbound calls are allowed.)

Hope this helps you understand my scenario. Let me know if I am wrong anywhere in the above scenario.


Re: Block user from registration

osiris123d
I think I understand now.  I think you would need to set up an AVPops to switch registration/authentication on and off per user

So you might have $avp(AuthSet)

# no digest challenge when $avp(AuthSet) is "n"
if ($avp(AuthSet) == "n" && is_method("REGISTER"))
{
    save("location");
}


if ($avp(AuthSet) == "n" && is_method("INVITE"))
{
    # don't challenge for password
    t_relay();
}

Then you would have more if statements to handle REGISTER or INVITE if $avp(AuthSet) equals yes. The logic here is pretty simple. Sure, it will be more detailed than what I provided.

This way, if the user sets their account to not register, then your webpage needs to update the AVP that is for them to "n" or no. However you want to do it.

Is that what you were looking to accomplish?


On Fri, Jan 2, 2015 at 9:09 AM, Satish Patel <[hidden email]> wrote:
Let's say I have user "A" using IP-based authentication to send calls outside using the OpenSIPS proxy. (The same user has the option to use username/password to register and send calls.)

We have developed a web GUI to give control to the "customer" so they can enable/disable their registration-based method. (The reason we give that control to the user is that if the user has a dedicated public IP, then he can disable the "Registration"-based method so a hacker can't exploit their users' accounts.)

So my original question is: how, or what, should I use or configure in OpenSIPS so I can switch user-based registration on/off? (We only allow sending calls outside; no inbound calls are allowed.)

Hope this helps you understand my scenario. Let me know if I am wrong anywhere in the above scenario.


Re: Block user from registration

Liviu Chircu
In reply to this post by Satish Patel
If you are strictly doing an IP-based auth using the permissions module, you may define a "Registration Disabled" flag (1/0) within the "context_info" column of the address table.
You can then extract this info in your script when calling check_source_address() and drop REGISTERs if set to "1" [1].

However, to me it seems like your feature is subscriber-oriented. Since a subscriber may have multiple entries in the address table,
I would define the "Registration Disabled" flag as an additional column in the subscriber table, and fetch it using the "load_credentials" modparam.

[1]: http://www.opensips.org/html/docs/modules/2.1.x/permissions.html#id294950
[2]: http://www.opensips.org/html/docs/modules/2.1.x/auth_db.html#id293578

Best regards,
Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com
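
The per-subscriber flag suggested in the message above, written out as an added example that is not part of the original post or the OpenSIPS project's own code. It assumes OpenSIPS 2.1.x script syntax, address group 0 for IP auth, and a hypothetical CHAR(1) column reg_disabled in the subscriber table holding "0" or "1".

```opensips
# Added example. "reg_disabled" is a hypothetical extra column in the
# subscriber table: CHAR(1), "1" = digest login switched off by the customer.
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "auth.so"
loadmodule "auth_db.so"
loadmodule "permissions.so"

# db_url settings for auth_db, usrloc and permissions are site-specific
# Copy the flag into an AVP whenever digest credentials are verified
modparam("auth_db", "load_credentials", "$avp(reg_disabled)=reg_disabled")

route {
    if (is_method("REGISTER")) {
        if (!www_authorize("", "subscriber")) {
            www_challenge("", "0");
            exit;
        }
        # Credentials were valid, but registration is switched off
        if ($avp(reg_disabled) == "1") {
            sl_send_reply("403", "Registration disabled");
            exit;
        }
        if (!save("location"))
            sl_reply_error();
        exit;
    }

    if (is_method("INVITE")) {
        # IP auth first: source address listed in the address table, group 0
        if (!check_source_address("0")) {
            # Unknown source IP: fall back to digest, unless switched off
            if (!proxy_authorize("", "subscriber")) {
                proxy_challenge("", "0");
                exit;
            }
            if ($avp(reg_disabled) == "1") {
                sl_send_reply("403", "Forbidden");
                exit;
            }
        }
        if (!t_relay())
            sl_reply_error();
        exit;
    }
}
```

The INVITE branch honours the same flag because outbound calls authenticated with proxy_authorize() do not depend on a prior REGISTER. load_credentials fills the AVP only after the digest check succeeds, so the 403 is sent only to a sender that already presented valid credentials.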