[Spce-user] Stale Nonce Workarround in 4.5.1

Kalen Krueger kalen at npinfo.com
Sat Jan 7 09:13:09 EST 2017


I know this list is best effort, so even 60 seconds of help is appreciate.  I'm not sure what files I need to put the fix in now... I'm second guessing myself.   I thought it was /proxy(or lb)/kamailio.cfg.tt2, but now maybe /proxy(or lb)/kamailio.cfg.custom.tt2?

https://lists.sipwise.com/pipermail/spce-user/2014-January/005712.html

I know this is an old issue, but I had starting problems again after the upgrade to mr3.8.4.    I'm planning on upgrading to mr3.8.8 tonight.

Also, there was some discussion about there being a "workaround" built into 4.5.2?

Kalen Krueger | Technical and Project Manager | kalen at npinfo.com
o: 253.852.1543 | d: 253.479.1321 | m: 206.963.1309
NP Information Systems | www.npinfo.com

-----Original Message-----
From: Spce-user [mailto:spce-user-bounces at lists.sipwise.com] On Behalf Of Kalen Krueger
Sent: Friday, January 6, 2017 12:16 PM
To: Matthias Hohl <matthias.hohl at telematica.at>; 'Alex Lutay' <alutay at sipwise.com>; spce-user at lists.sipwise.com
Subject: Re: [Spce-user] Stale Nonce Workarround in 4.5.1

I upgraded from mr3.7.2 -> mr3.8.4, and the stale nonce workaround I was using no longer appears to be working...

This is what I do with every upgrade... is this correct?

Add the following in /etc/ngcp-config/templates/etc/kamailio/proxy/kamailio.cfg.tt2 to set the "P-NGCP-Stale" variable:

  case -4:
     xlog("L_NOTICE", "Authentication failed, stale nonce - [% logreq -%]\n");
     append_to_reply("P-NGCP-Stale: yes\r\n");

In /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.cfg.tt2 test if the "P-NGCP-Stale" variable exists:

  #!ifdef ENABLE_AUTHCHECK
     if((status == "401" || status == "407") && is_present_hf("P-NGCP-Authorization") && !is_present_hf("P-NGCP-Stale"))

Kalen Krueger | Technical and Project Manager | kalen at npinfo.com
o: 253.852.1543 | d: 253.479.1321 | m: 206.963.1309 NP Information Systems | www.npinfo.com


-----Original Message-----
From: Spce-user [mailto:spce-user-bounces at lists.sipwise.com] On Behalf Of Matthias Hohl
Sent: Thursday, September 8, 2016 8:38 AM
To: 'Alex Lutay' <alutay at sipwise.com>; spce-user at lists.sipwise.com
Subject: Re: [Spce-user] Stale Nonce Workarround in 4.5.1

Other Things we doing with customtt files, which would be nice to have the option to edit this in the config.yml file:

1.) Extend the Failover Routing Filter:
# cp /etc/ngcp-config/templates/etc/kamailio/proxy/proxy.cfg.tt2 /etc/ngcp-config/templates/etc/kamailio/proxy/proxy.cfg.customtt.tt2
# nano /etc/ngcp-config/templates/etc/kamailio/proxy/proxy.cfg.customtt.tt2
Suchen nach:
route[ROUTE_FILTER_FAILOVER]
{
xlog("L_INFO", "Filter reply code - [% logreq -%]\n");
if(!t_check_status("408|500|503"))

Und editieren nach:
route[ROUTE_FILTER_FAILOVER]
{
xlog("L_INFO", "Filter reply code - [% logreq -%]\n");
if(!t_check_status("403|408|488|500|502|503|504"))


2. Auto generated passwords without special characters:
# nano /usr/share/perl5/NGCP/Panel/Utils/Subscriber.pm
on lines ~ 188 and 195 (mr 3.8.1) you will find something like this:

    if($c->config->{security}->{password_sip_autogenerate}
    && !$params->{password}) { $params->{password} = String::MkPasswd::mkpasswd(
            -length => $passlen,
            -minnum => 1, -minlower => 1, -minupper => 1, -minspecial => 0,
            -distribute => 1, -fatal => 1,
        );
    }

3.) Fraud Prevention interval
Monatslimit:
# cp /etc/ngcp-config/templates/etc/cron.d/ngcp-fraud-auto-lock.tt2 /etc/ngcp-config/templates/etc/cron.d/ngcp-fraud-auto-lock.customtt.tt2
# nano /etc/ngcp-config/templates/etc/cron.d/ngcp-fraud-auto-lock.customtt.tt2
[% IF !is_db -%]#[% END -%]*/30 * * * *  root  if /usr/sbin/ngcp-check_active -q; then /usr/sbin/ngcp-fraud-auto-lock; fi

Tageslimit:
# cp /etc/ngcp-config/templates/etc/cron.d/ngcp-fraud-daily-lock.tt2 /etc/ngcp-config/templates/etc/cron.d/ngcp-fraud-daily-lock.customtt.tt2
# nano /etc/ngcp-config/templates/etc/cron.d/ngcp-fraud-daily-lock.customtt.tt2
[% IF !is_db -%]#[% END -%]*/5 * * * *  root  if /usr/sbin/ngcp-check_active -q; then /usr/sbin/ngcp-fraud-daily-lock; fi


4.) automated invoice generation and sending # nano /etc/ngcp-config/templates/etc/cron.d/ngcp-invoice-gen.customtt.tt2
Kontrollieren ob die Cronjobs alle mit "#" davor sind.
# 5  3 1 * *   root    perl /usr/share/ngcp-panel/tools/generate_invoices.pl --prevmonth 2>&1 >/dev/null
# 5  3 2 * *   root    perl /usr/share/ngcp-panel/tools/generate_invoices.pl --prevmonth --sendonly 2>&1 >/dev/null




-----Ursprüngliche Nachricht-----
Von: Spce-user [mailto:spce-user-bounces at lists.sipwise.com] Im Auftrag von Alex Lutay
Gesendet: Donnerstag, 8. September 2016 10:20
An: spce-user at lists.sipwise.com
Betreff: Re: [Spce-user] Stale Nonce Workarround in 4.5.1

Dear Matthias,

Can you please share "why" do you need this workaround here.

Also to all: feel free to share the reason of customtt you are using.
We do understand that customtt is an "necessary evil" which creates a lot of the issues during upgrades. So we would like to know the weak parts we have to focus on them one day and allow you work without customtt.

Tnx!

On 09/08/2016 01:37 AM, Matthias Hohl wrote:
...
> the stale nonce work-a-round in 4.5.1 is not possible:
...

--
Alex Lutay
_______________________________________________
Spce-user mailing list
Spce-user at lists.sipwise.com
https://lists.sipwise.com/listinfo/spce-user
_______________________________________________
Spce-user mailing list
Spce-user at lists.sipwise.com
https://lists.sipwise.com/listinfo/spce-user

________________________________

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company.
_______________________________________________
Spce-user mailing list
Spce-user at lists.sipwise.com
https://lists.sipwise.com/listinfo/spce-user


More information about the Spce-user mailing list