[Freeswitch-users] how to solve the error Rejected by acl "domains". Falling back to Digest auth?

Peter Olsson peter.olsson at visionutveckling.se
Tue Jul 3 09:28:29 MSD 2012


Yes, I know. That code does exactly what you want. It's the feature itself that is more questionable...

Personally I don't believe this will ever work, since there are so many possibilities for timing issues for the registration. As MC said earlier in this discussion, you need to rethink if this is something you really want.

When it comes to security this will not, in any way, increase the security for you. If you're unlucky it might do the opposite, leaving the phone registered to the "thief", and leaving the "real" user blocked from registering.

Keep your accounts secure, and this shouldn't be needed.

/Peter

________________________________
From: freeswitch-users-bounces at lists.freeswitch.org [freeswitch-users-bounces at lists.freeswitch.org] on behalf of Samira Mh [saami_mh at ymail.com]
Sent: 3 July 2012 05:48
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] how to solve the error Rejected by acl "domains". Falling back to Digest auth?

Hi Peter,

This feature (max-registrations-per-extension) is embedded in sofia_reg.c as follows:

............
if (max_registrations_perext > 0 && (sip && sip->sip_contact && (sip->sip_contact->m_expires == NULL || atol(sip->sip_contact->m_expires) > 0))) {
                /* if expires is null still process */
                /* expires == 0 means the phone is going to unregiser, so don't count against max */
                uint32_t count = 0;

                call_id = sip->sip_call_id->i_id;
                switch_assert(call_id);

                sql = switch_mprintf("select count(sip_user) from sip_registrations where sip_user='%q' AND call_id <> '%q'", username, call_id);
                switch_assert(sql != NULL);
                sofia_glue_execute_sql_callback(profile, NULL, sql, sofia_reg_regcount_callback, &count);
                free(sql);

                if (count + 1> max_registrations_perext) {
                        ret = AUTH_FORBIDDEN;
                        if (sofia_test_pflag(profile, PFLAG_LOG_AUTH_FAIL)) {
                                switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING,
                                                                  "SIP auth failure (REGISTER) due to reaching max allowed registrations.  Count: %d\n", count);
                        }
                        goto end;
                }
        }

.............

________________________________
From: Peter Olsson <peter.olsson at visionutveckling.se>
To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
Sent: Monday, July 2, 2012 9:35 PM
Subject: Re: [Freeswitch-users] how to solve the error Rejected by acl "domains". Falling back to Digest auth?

It seems the phone tries to register, even though it is already registered according to FS.

So if you really want to use this method, I think you must do further debugging on the phone...

As mentioned before on this list, I don't think this is a good approach, and since no one had even heard about this variable before, I'm guessing it's not widely used. However, in this particular example, FS is just doing exactly what it has been told to do, only to allow a registration if it doesn't exist already.

/Peter

On 2 Jul 2012 at 18:53, "Samira Mh" <saami_mh at ymail.com> wrote:

Hi guys,
Please let me paste my configurations as follows:
1-
vim /usr/local/freeswitch/conf/directory/default/v_212263612400.xml
<include>
  <user id="212263612400">
    <params>
      <param name="password" value="samira"/>
      <param name="vm-password" value="user-choose"/>
      <param name="vm-enabled" value="true"/>
      <param name="max-registrations-per-extension"  value="1"/>

    </params>
    <variables>
      <variable name="toll_allow" value=""/>
      <variable name="accountcode" value=""/>
      <variable name="user_context" value="default"/>
      <variable name="directory-visible" value="true"/>
      <variable name="directory-exten-visible" value="true"/>
      <variable name="limit_max" value="5"/>
      <variable name="sip-force-contact" value="NDLB-connectile-dysfunction"/>
      <variable name="nibble_account" value="20014334"/>
    </variables>
  </user>
</include>

2-vim /usr/local/freeswitch/conf/autoload_configs/acl.conf.xml
<configuration name="acl.conf" description="Network Lists">
  <network-lists>

    <list name="domains" default="deny">
      <node type="allow" domain="$${domain}"/>
    </list>

  </network-lists>
</configuration>

*max-registrations-per-extension = 1
When I issue the following command, the user is registered, so another user with the extension '2122636124' couldn't register simultaneously:
sofia status profile internal reg

Now what is the problem?
Every time I want to dial some extensions that are configured in my dialplan, the following error occurs:
2012-07-02 21:02:12.050074 [WARNING] sofia_reg.c:1471 SIP auth challenge (REGISTER) on sofia profile 'internal_private' for [212263612400 at 192.168.10.70] from ip 192.168.18.120
2012-07-02 21:02:14.710049 [DEBUG] sofia.c:7904 IP 192.168.18.120 Rejected by acl "domains". Falling back to Digest auth.
2012-07-02 21:02:14.710049 [WARNING] sofia_reg.c:1471 SIP auth challenge (INVITE) on sofia profile 'internal_private' for [00989191949637 at 192.168.10.70] from ip 192.168.18.120
2012-07-02 21:02:14.710049 [DEBUG] sofia.c:7904 IP 192.168.18.120 Rejected by acl "domains". Falling back to Digest auth.
2012-07-02 21:02:14.710049 [WARNING] sofia_reg.c:2607 SIP auth failure (REGISTER) due to reaching max allowed registrations.  Count: 1
2012-07-02 21:02:14.710049 [WARNING] sofia_reg.c:1416 SIP auth failure (INVITE) on sofia profile 'internal_private' for [00989191949637 at 192.168.10.70] from ip 192.168.18.120

So if I remove the line <param name="max-registrations-per-extension"  value="1"/> from /usr/local/freeswitch/conf/directory/default/v_212263612400.xml or from within /usr/local/freeswitch/conf/sip_profiles/internal.xml (it is possible to define it in either internal.xml or /usr/local/freeswitch/conf/directory/default/v_212263612400.xml), the problem is solved -- with the same settings in /usr/local/freeswitch/conf/autoload_configs/acl.conf.xml -- but simultaneous registration per extension couldn't work properly...

Please help,
what is the problem with my settings?



_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
consulting at freeswitch.org
http://www.freeswitchsolutions.com

Official FreeSWITCH Sites
http://www.freeswitch.org
http://wiki.freeswitch.org
http://www.cluecon.com

Join Us At ClueCon - Aug 7-9, 2012

FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
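
Added example (not part of the original thread and not FreeSWITCH code): a small C model of the sofia_reg.c check quoted above, showing why a device that returns with a new Call-ID is refused while its old row still exists, which is the lockout of the "real" user discussed in the thread. The struct, the function names and the Call-ID strings are constructed for illustration; only the counting rule is taken from the quoted excerpt.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one sip_registrations row; not FreeSWITCH's own type. */
struct reg { const char *sip_user; const char *call_id; };

enum { REG_OK = 0, REG_FORBIDDEN = 1 };

/* Same predicate as the quoted SQL: sip_user = user AND call_id <> call_id. */
static uint32_t count_other_regs(const struct reg *t, size_t n,
                                 const char *user, const char *call_id)
{
    uint32_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(t[i].sip_user, user) == 0 && strcmp(t[i].call_id, call_id) != 0)
            count++;
    }
    return count;
}

/* expires < 0 models a Contact without an expires value (m_expires == NULL);
 * expires == 0 is an unregister and is never counted against the limit. */
int check_register(const struct reg *t, size_t n, uint32_t max_perext,
                   const char *user, const char *call_id, long expires)
{
    if (max_perext > 0 && expires != 0 &&
        count_other_regs(t, n, user, call_id) + 1 > max_perext)
        return REG_FORBIDDEN;
    return REG_OK;
}

int main(void)
{
    /* Constructed state: the extension from the thread already holds its one slot. */
    const struct reg table[] = { { "212263612400", "call-id-before-reboot" } };
    const char *user = "212263612400";

    printf("refresh, same Call-ID:      %d\n",
           check_register(table, 1, 1, user, "call-id-before-reboot", 3600));
    printf("re-register, new Call-ID:   %d\n",
           check_register(table, 1, 1, user, "call-id-after-reboot", 3600));
    printf("unregister, new Call-ID:    %d\n",
           check_register(table, 1, 1, user, "call-id-after-reboot", 0));
    printf("old row expired (no rows):  %d\n",
           check_register(table, 0, 1, user, "call-id-after-reboot", 3600));
    return 0;
}
```

The check keys on the user name and Call-ID only, so it cannot tell a restarted phone from a second device: whichever registration arrived first keeps the slot until its row is removed.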
