Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration using Asterisk Database" (http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main difference in my setup compared to that one is that I continued use of Kamailio's database.
The problem is as follows:
I decided to make Kamailio, and through it Asterisk, reachable from the internet. I have tried to configure Asterisk so that only calls from registered users would be possible, and they could only call other registered users, conference rooms and the echo test number.
Then I took the following steps:
I ensured that there were no online users with kamctl online. Then I launched MicroSIP (www.microsip.org), but I did not define an account; I simply set the protocol to tls and media encryption to mandatory, because I'm using these.
I called an extension with xxx@my.public.ip.address (where xxx is the extension), getting "unauthorized". And that was what I wanted.
But if there are online users, calls go through, and the incoming call is coming from Asterisk (in syslog I can find out that src_user=asterisk).
Kamailio and Asterisk are listening on the same IP address, but on different ports. I have refused connections to Asterisk's port with iptables.
I have defined my public IP address as a domain in sip.conf. There is also another domain defined, which corresponds to the users' domain I am using in Kamailio's database.
In kamailio.cfg there is an if statement which prevents Kamailio from being an open relay:
if (from_uri!=myself && uri!=myself) ...
If I change this, for example, to:
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I somewhat think that this is not a final solution.
I have not found in the log files any information which would have helped me. I have not yet investigated this problem enough to tell the logic behind the selection of the online user's identity which is used. However, if I make a call to a conference room, I notice that Asterisk thinks that one of the online users has joined the conference.
If I recall correctly, I started with Kamailio version 3.2 and integrated it with Asterisk 11 (currently 11.10.2). Is there something which has changed in Kamailio, but which I have not changed in my setup, which could explain this?
Best,
Teijo
Well, this
if (from_uri!=myself && uri!=myself)
means neither source nor destination is our user, which implies that if our domain is A, then a call from domain "B to C" is not possible. However, calls from "B or C to A" and "A to B or C" are possible. That is why an unauthorized user gets passed and reaches Asterisk. Asterisk accepts it since the call is coming from Kamailio and tries to route it back to Kamailio, where Kamailio finds the user online and thus it goes through.
You should really break down this,
if (from_uri!=myself && uri!=myself)
into something like this for clarity,
if (from_uri!=myself) {
    if (uri!=myself) {
        # neither source nor destination is our user
    } else {
        # source is not our user but destination is our user
    };
} else {
    if (uri!=myself) {
        # source is our user but destination is not our user
    } else {
        # both source and destination are our users
    };
};
Hope this helps.
Thank you.
On Fri, Jul 11, 2014 at 5:36 PM, g.aloitus@gmail.com wrote:
Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration using Asterisk Database" (http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main difference in my setup compared to that one is that I continued use of Kamailio's database.
The problem is as follows:
I decided to make Kamailio, and through it Asterisk, reachable from the internet. I have tried to configure Asterisk so that only calls from registered users would be possible, and they could only call other registered users, conference rooms and the echo test number.
Then I took the following steps:
I ensured that there were no online users with kamctl online. Then I launched MicroSIP (www.microsip.org), but I did not define an account; I simply set the protocol to tls and media encryption to mandatory, because I'm using these.
I called an extension with xxx@my.public.ip.address (where xxx is the extension), getting "unauthorized". And that was what I wanted.
But if there are online users, calls go through, and the incoming call is coming from Asterisk (in syslog I can find out that src_user=asterisk).
Kamailio and Asterisk are listening on the same IP address, but on different ports. I have refused connections to Asterisk's port with iptables.
I have defined my public IP address as a domain in sip.conf. There is also another domain defined, which corresponds to the users' domain I am using in Kamailio's database.
In kamailio.cfg there is an if statement which prevents Kamailio from being an open relay:
if (from_uri!=myself && uri!=myself) ...
If I change this, for example, to:
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I somewhat think that this is not a final solution.
I have not found in the log files any information which would have helped me. I have not yet investigated this problem enough to tell the logic behind the selection of the online user's identity which is used. However, if I make a call to a conference room, I notice that Asterisk thinks that one of the online users has joined the conference.
If I recall correctly, I started with Kamailio version 3.2 and integrated it with Asterisk 11 (currently 11.10.2). Is there something which has changed in Kamailio, but which I have not changed in my setup, which could explain this?
Best,
Teijo
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
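The four cases in the reply above, worked through as an added example (it is not part of the original messages and is not Kamailio code): a small Python model that parses the From and Request-URI hosts of a SIP request and shows which cases the `&&` check and the `||` variant reject. `LOCAL_HOSTS`, the sample INVITE and all function names are constructed for illustration, and `myself` is simplified to a host lookup.

```python
import re
from itertools import product

# Assumption: simplified stand-in for Kamailio's `myself` test, which compares
# a URI's host with the proxy's own listen addresses and aliases.
# The values below are constructed for this example.
LOCAL_HOSTS = {"sip.example.org", "192.0.2.10"}

# Host part of a sip:/sips: URI, skipping an optional "user@" prefix.
URI_HOST = re.compile(r"sips?:(?:[^@>;\s]*@)?([^:;>\s]+)", re.IGNORECASE)

# Constructed INVITE resembling the test described in the thread: a client
# with no account calls an extension at the proxy's public address.
SAMPLE_INVITE = (
    "INVITE sip:1001@192.0.2.10:5061;transport=tls SIP/2.0\r\n"
    'From: "MicroSIP" <sip:anonymous@203.0.113.7>;tag=a1b2\r\n'
    "To: <sip:1001@192.0.2.10>\r\n"
    "Call-ID: constructed-example\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)


def uri_host(text):
    """Return the lower-cased host of the first SIP URI found in text."""
    match = URI_HOST.search(text)
    if match is None:
        raise ValueError(f"no SIP URI in {text!r}")
    return match.group(1).lower()


def is_myself(host):
    """Simplified `myself`: is this host one of the proxy's own names?"""
    return host.lower() in LOCAL_HOSTS


def classify(from_host, ruri_host):
    """Name the branch of the nested if/else that a request falls into."""
    src = "local" if is_myself(from_host) else "foreign"
    dst = "local" if is_myself(ruri_host) else "foreign"
    return f"{src}->{dst}"


def rejected_by_and(from_host, ruri_host):
    """Models: if (from_uri!=myself && uri!=myself) -> reject."""
    return not is_myself(from_host) and not is_myself(ruri_host)


def rejected_by_or(from_host, ruri_host):
    """Models: if (from_uri!=myself || uri!=myself) -> reject."""
    return not is_myself(from_host) or not is_myself(ruri_host)


def parse_invite(raw):
    """Extract (From host, Request-URI host) from a raw SIP request."""
    lines = raw.strip().splitlines()
    _method, request_uri, _version = lines[0].split()
    from_header = next(
        line for line in lines[1:] if line.lower().startswith(("from:", "f:"))
    )
    return uri_host(from_header.split(":", 1)[1]), uri_host(request_uri)


def decision_table():
    """Map each of the four cases to (rejected by &&, rejected by ||)."""
    sample = {"local": "sip.example.org", "foreign": "caller.invalid"}
    table = {}
    for src, dst in product(sample, repeat=2):
        f, r = sample[src], sample[dst]
        table[classify(f, r)] = (rejected_by_and(f, r), rejected_by_or(f, r))
    return table


if __name__ == "__main__":
    for case, (by_and, by_or) in decision_table().items():
        print(f"{case:17} &&: {'reject' if by_and else 'pass':6} "
              f"||: {'reject' if by_or else 'pass'}")
    print("sample INVITE is", classify(*parse_invite(SAMPLE_INVITE)))
```

The sample request lands in the "source is not our user but destination is our user" branch, which the `&&` check passes on to the rest of the routing logic, while the `||` variant rejects every case except local to local.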
Hello,
If one places a call and claims that "my from domain is your Kamailio's IP", the call is established, because Asterisk accepts requests from Kamailio. One problem is that in this case it's unpredictable in which context this kind of call is handled by Asterisk.
This situation requires that I change something in my setup. If I decide to accept calls only from my users, I suppose that it can be quite easily done by modifying the if statement referred to below, or at least by applying the instructions found here:
http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registe...
However, I'm somewhat unsure what I should do if I decide to accept calls from any caller - not only from my users.
Best,
Teijo
12.7.2014 19:36, Muhammad Shahzad wrote:
Well, this
if (from_uri!=myself && uri!=myself)
means neither source nor destination is our user, which implies that if our domain is A, then a call from domain "B to C" is not possible. However, calls from "B or C to A" and "A to B or C" are possible. That is why an unauthorized user gets passed and reaches Asterisk. Asterisk accepts it since the call is coming from Kamailio and tries to route it back to Kamailio, where Kamailio finds the user online and thus it goes through.
You should really break down this,
if (from_uri!=myself && uri!=myself)
into something like this for clarity,
if (from_uri!=myself) {
    if (uri!=myself) {
        # neither source nor destination is our user
    } else {
        # source is not our user but destination is our user
    };
} else {
    if (uri!=myself) {
        # source is our user but destination is not our user
    } else {
        # both source and destination are our users
    };
};
Hope this helps.
Thank you.
Hello,
Has anybody any solution or suggestion?
If I, for example, launch MicroSIP (no doubt it could be some other SIP client), and simply call:
sip:some_extension@my.public.ip.address
the call is established if there are online users. Naturally this incoming call should be handled by Asterisk in the context where I have defined that unauthorized calls are handled, but instead the call goes to an online user's context.
To get this situation I don't need to define any account information in MicroSIP.
I have not set passwords for users in Asterisk, to avoid double authorization. May this cause the behavior? I have not set a default user or from user in my peer definitions. I am not registering Kamailio to Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
I do not know which direction to go in. I would be happy if I did not have to go down the trial-and-error path, so any help is welcome.
Thanks in advance,
Teijo
14.7.2014 9:06, g.aloitus@gmail.com wrote:
Hello,
If one places a call and claims that "my from domain is your Kamailio's IP", the call is established, because Asterisk accepts requests from Kamailio. One problem is that in this case it's unpredictable in which context this kind of call is handled by Asterisk.
This situation requires that I change something in my setup. If I decide to accept calls only from my users, I suppose that it can be quite easily done by modifying the if statement referred to below, or at least by applying the instructions found here:
http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registe...
However, I'm somewhat unsure what I should do if I decide to accept calls from any caller - not only from my users.
Best,
Teijo
Hello,
There is a message "Possible Security issue with Kamailio - Asterisk Realtime integration" in the Asterisk users mailing list:
http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
I think the problem I have is somewhat similar.
Should I suppose that there is a security risk in Kamailio - Asterisk realtime integration, and if this is the case, what can I do to eliminate this risk?
Best,
Teijo
16.7.2014 9:44, g.aloitus@gmail.com wrote:
Hello,
Has anybody any solution or suggestion?
If I, for example, launch MicroSIP (no doubt it could be some other SIP client), and simply call:
sip:some_extension@my.public.ip.address
the call is established if there are online users. Naturally this incoming call should be handled by Asterisk in the context where I have defined that unauthorized calls are handled, but instead the call goes to an online user's context.
To get this situation I don't need to define any account information in MicroSIP.
I have not set passwords for users in Asterisk, to avoid double authorization. May this cause the behavior? I have not set a default user or from user in my peer definitions. I am not registering Kamailio to Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
I do not know which direction to go in. I would be happy if I did not have to go down the trial-and-error path, so any help is welcome.
Thanks in advance,
Teijo
Hello,
Try allowguest=no in the sip.conf [general] context and create a peer for Kamailio in sip.conf
Regards Cibin
On 17-Jul-2014, at 12:52 pm, g.aloitus@gmail.com wrote:
Hello,
There is a message "Possible Security issue with Kamailio - Asterisk Realtime integration" in the Asterisk users mailing list:
http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
I think the problem I have is somewhat similar.
Should I suppose that there is a security risk in Kamailio - Asterisk realtime integration, and if this is the case, what can I do to eliminate this risk?
Best,
Teijo
16.7.2014 9:44, g.aloitus@gmail.com kirjoitti:
Hello,
Has anybody any solution or suggestion?
If I for example launch MicroSIP (no doubt it could be some other SIP client), and simply call:
sip:some_extension@my.public.ip.address
call is established, if there is online user/users. Naturally this incoming call should be handled by Asterisk in context where I have defined unauthorized calls are handled, but in stead, the call goes online user's context.
To get this situation I don't need to define any account information in MicroSIP.
I have not set passwords for users in Asterisk to avoid double authorization. May this cause the behavior? I have not set default user or from user in my peer definitions. I am not registering Kamailio to Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
I do not know what direction to go to. I would be happy, if I should not go to the trial and error path so any help is welcome.
Thanks in advance,
Teijo
14.7.2014 9:06, g.aloitus@gmail.com kirjoitti:
Hello,
If one places call, and tell that "my from domain is your Kamailio's IP", call is established, because Asterisk accepts requests from Kamailio. One problem is that it's unpredictable in this case what is the context where thiskind of call is handled by Asterisk.
This situation requires that I change something in my setup. If I decide accept calls only from my users, I suppose that it can be quite easily done by modifying if statement referred below or at least by applying instructions found here:
http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registe...
However, I'm somewhat unsure what should I do, if I decide to accept calls from any caller - not only from my users.
Best,
Teijo
12.7.2014 19:36, Muhammad Shahzad kirjoitti:
Well, this
*if (from_uri!=myself && uri!=myself)*
Means neither source nor destination is our user. Which implies that if our domain is A, then call from domain "B to C" is not possible. However, calls from "B or C to A" and "A to B or C" are possible. That is way an unauthorized user gets passed and reaches asterisk. Asterisk accepts it since call is coming from kamailio and tries to route it back to kamailio, where kamailio finds user online and thus it goes through.
You should really break down this,
*if (from_uri!=myself && uri!=myself)*
into something like this for clarity,
*if (from_uri!=myself) { *
- if (uri!=myself) {*
# neither source nor destination is our user*
- } else {*
# source is not our user but destination is our user*
- };*
*} else {*
- if (uri!=myself) {*
# source is our user but destination is not our user*
- } else {*
# both source and destination are our users*
- };*
*};*
Hope this helps.
Thank you.
On Fri, Jul 11, 2014 at 5:36 PM, g.aloitus@gmail.com wrote:
Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration using Asterisk Database" (http://kb.asipto.com/ asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main difference in my setup compared to that one is that I continued use of Kamailio's database.
The problem is as follows:
I decided to put Kamailio and through it Asterisk reachable from internet. I have tried to configure Asterisk so that only calls of registered users would be possible, and they could only call to other registered users or conference rooms and echo test number.
Then I took the following steps:
I ensured that there was no online users with kamctl online. Then I launched MicroSIP (www.microsip.org), but I did not defined account, I simply set the protocol to tls and media encryption to mandatory, because I'm using these.
I called to extension with xxx@my.public.ip.address (where xxx is extension) getting "unauthorized". And that was what I wanted.
But if there is online users, calls go through, and incoming call is coming from Asterisk (in syslog I can find out that src_user=asterisk).
Kamailio and Asterisk are listening the same IP address, but different port. I have refused connections to the Asterisk's port with iptables.
I have defined my public IP address as domain in sip.conf. There is also other domain defined which corresponds to users' domain I am using in Kamailio's database.
In kamailio.cfg there is if statement which prevents Kamailio not to be open relay:
if (from_uri!=myself && uri!=myself) ...
If I change this for example:
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I somewhat think that this is not a final solution.
I have not found from log files such information which would have helped me. I have not yet investigated this problem so much that I could tell the logic behind the selection of online user's identity which is used. However, if I make a call to conference room I notice that Asterisk is thinking that one of online users has joined the conference.
If I can recall correctly, I started with Kamailio version 3.2, and integrated it with Asterisk 11 (currently 11.10.2). Is there something which has changed in Kamailio, but what I have not changed in my setup which could explain this.
Best,
Teijo
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Tämä viestin rungon osa siirretään pyydettäessä.
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Hello,
Try allow allowguest=no in sip.conf [general] context and create a peer for kamailio in sip.comf
Regards Cibin
On 17-Jul-2014, at 12:52 pm, g.aloitus@gmail.com wrote:
Hello,
There is a message "Possible Security issue with Kamailio - Asterisk Realtime integration" in Asterisk users mailing list:
http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
I think the problem I have is somewhat similar.
Should I suppose that there is a security risk in Kamailio - Asterisk realtime integration, and if this is a case what I can do to eliminate this risk?
Best,
Teijo
16.7.2014 9:44, g.aloitus@gmail.com kirjoitti:
Hello,
Has anybody any solution or suggestion?
If I for example launch MicroSIP (no doubt it could be some other SIP client), and simply call:
sip:some_extension@my.public.ip.address
call is established, if there is online user/users. Naturally this incoming call should be handled by Asterisk in context where I have defined unauthorized calls are handled, but in stead, the call goes online user's context.
To get this situation I don't need to define any account information in MicroSIP.
I have not set passwords for users in Asterisk to avoid double authorization. May this cause the behavior? I have not set default user or from user in my peer definitions. I am not registering Kamailio to Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
I do not know what direction to go to. I would be happy, if I should not go to the trial and error path so any help is welcome.
Thanks in advance,
Teijo
14.7.2014 9:06, g.aloitus@gmail.com kirjoitti:
Hello,
If one places call, and tell that "my from domain is your Kamailio's IP", call is established, because Asterisk accepts requests from Kamailio. One problem is that it's unpredictable in this case what is the context where thiskind of call is handled by Asterisk.
This situation requires that I change something in my setup. If I decide accept calls only from my users, I suppose that it can be quite easily done by modifying if statement referred below or at least by applying instructions found here:
http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registe...
However, I'm somewhat unsure what should I do, if I decide to accept calls from any caller - not only from my users.
Best,
Teijo
12.7.2014 19:36, Muhammad Shahzad kirjoitti:
Well, this
*if (from_uri!=myself && uri!=myself)*
Means neither source nor destination is our user. Which implies that if our domain is A, then call from domain "B to C" is not possible. However, calls from "B or C to A" and "A to B or C" are possible. That is way an unauthorized user gets passed and reaches asterisk. Asterisk accepts it since call is coming from kamailio and tries to route it back to kamailio, where kamailio finds user online and thus it goes through.
You should really break down this,
*if (from_uri!=myself && uri!=myself)*
into something like this for clarity,
*if (from_uri!=myself) { *
- if (uri!=myself) {*
# neither source nor destination is our user*
- } else {*
# source is not our user but destination is our user*
- };*
*} else {*
- if (uri!=myself) {*
# source is our user but destination is not our user*
- } else {*
# both source and destination are our users*
- };*
*};*
Hope this helps.
Thank you.
On Fri, Jul 11, 2014 at 5:36 PM, g.aloitus@gmail.com wrote:
Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration using Asterisk Database" (http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main difference in my setup compared to that one is that I continued use of Kamailio's database.
The problem is as follows:
I decided to make Kamailio, and through it Asterisk, reachable from the internet. I have tried to configure Asterisk so that only calls of registered users would be possible, and they could only call other registered users or conference rooms and the echo test number.
Then I took the following steps:
I ensured that there were no online users with kamctl online. Then I launched MicroSIP (www.microsip.org), but I did not define an account; I simply set the protocol to TLS and media encryption to mandatory, because I'm using these.
I called an extension with xxx@my.public.ip.address (where xxx is the extension), getting "unauthorized". And that was what I wanted.
But if there are online users, calls go through, and the incoming call comes from Asterisk (in syslog I can see that src_user=asterisk).
Kamailio and Asterisk are listening on the same IP address, but on different ports. I have refused connections to Asterisk's port with iptables.
I have defined my public IP address as a domain in sip.conf. There is also another domain defined which corresponds to the users' domain I am using in Kamailio's database.
In kamailio.cfg there is an if statement which prevents Kamailio from being an open relay:
if (from_uri!=myself && uri!=myself) ...
If I change this for example:
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I somewhat think that this is not a final solution.
I have not found in the log files any information which would have helped me. I have not yet investigated this problem so much that I could tell the logic behind the selection of the online user's identity which is used. However, if I make a call to a conference room I notice that Asterisk thinks that one of the online users has joined the conference.
If I recall correctly, I started with Kamailio version 3.2, and integrated it with Asterisk 11 (currently 11.10.2). Is there something which has changed in Kamailio, but which I have not changed in my setup, which could explain this?
Best,
Teijo
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Hello,
I have:
allowguest=no
contactpermit=kamailio.ip.addr.ess
I have also tried the approach where I have a peer kamailio, but then all calls seem to go to the context defined for the kamailio peer. I do not know how I could in that case handle individual calls - for example determine if a given phone can call a given number or not.
Best,
Teijo
On 17.7.2014 10:48, Cibin Paul wrote:
Hello,
Try allowguest=no in sip.conf [general] context and create a peer for kamailio in sip.conf
Regards Cibin
On 17-Jul-2014, at 12:52 pm, g.aloitus@gmail.com wrote:
Hello,
There is a message "Possible Security issue with Kamailio - Asterisk Realtime integration" in Asterisk users mailing list:
http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
I think the problem I have is somewhat similar.
Should I suppose that there is a security risk in Kamailio - Asterisk realtime integration, and if this is a case what I can do to eliminate this risk?
Best,
Teijo
On 16.7.2014 9:44, g.aloitus@gmail.com wrote:
Hello,
Has anybody any solution or suggestion?
If I for example launch MicroSIP (no doubt it could be some other SIP client), and simply call:
sip:some_extension@my.public.ip.address
call is established, if there is an online user/users. Naturally this incoming call should be handled by Asterisk in the context where I have defined that unauthorized calls are handled, but instead, the call goes to the online user's context.
To get this situation I don't need to define any account information in MicroSIP.
I have not set passwords for users in Asterisk to avoid double authorization. May this cause the behavior? I have not set default user or from user in my peer definitions. I am not registering Kamailio to Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
I do not know what direction to go to. I would be happy, if I should not go to the trial and error path so any help is welcome.
Thanks in advance,
Teijo
On 14.7.2014 9:06, g.aloitus@gmail.com wrote:
Hello,
If one places a call, and tells that "my from domain is your Kamailio's IP", the call is established, because Asterisk accepts requests from Kamailio. One problem is that it's unpredictable in this case what the context is where this kind of call is handled by Asterisk.
This situation requires that I change something in my setup. If I decide to accept calls only from my users, I suppose that it can be quite easily done by modifying the if statement referred to below or at least by applying instructions found here:
http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registe...
However, I'm somewhat unsure what should I do, if I decide to accept calls from any caller - not only from my users.
Best,
Teijo
Hello,
Well, this is still a problem for me.
Best,
Teijo
Hello,
Can you elaborate on your issue? Who is handling registration and how is the call flow?
Regards Cibin
Hello,
The problem is unauthenticated calls - calls from somebody from outside to my server. Kamailio accepts these calls, because the destination is my server. This happens if somebody calls some_extension@my.public.ip.address. My public IP refers to the address both Kamailio and Asterisk are listening on. This is not a problem if there are no online friends/peers in Asterisk, because then the incoming call goes to the context I have defined for incoming calls. But if there are online friends/peers in Asterisk, calls go to the online friend's/peer's context. I think this happens because one of the methods Asterisk uses to put incoming calls into a given context is the IP address. Now all the calls come from Kamailio - i.e. from the same IP. I think that when Asterisk is considering what to do with an incoming call, it detects that there is a registration (or registrations) from Kamailio's IP, and concludes that this incoming call belongs to this kind of peer's context, and this causes the problem. Likely Asterisk puts it in the context of the peer who is in the first place in its list of registered peers.
I do not know what to do about this in Asterisk. I think - but I'm not sure at all - that refusing to forward such calls to Asterisk whose domain is Kamailio's IP - could solve this. But if this would be the solution, I do not know what I should do in Kamailio. Well, I suppose that the if statement in kamailio.cfg:
    # if caller is not local subscriber, then check if it calls
    # a local destination, otherwise deny, not an open relay here
    if (from_uri!=myself && uri!=myself)
is the place where I should make the modification, but what the modified if statement should exactly be, I am not sure.
Best,
Teijo
Hello,
Let me understand this. You have an extension 4000 which is online. If someone who is not even a registered user calls extension 4000 using 4000@your.public.ip.address, the call will get connected. Correct me if I am wrong. As far as I understand, you have configured this box as a PBX where only registered users can communicate. If that is the case, can you do a lookup in the location table whether the originating caller is actually online? By this you can check whether the originating call is from a valid source. If not, hang up the call.
Regards Cibin
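The relay condition that Muhammad Shahzad breaks down earlier in the thread, the `||` variant Teijo tried, and the location lookup Cibin suggests, modelled side by side as an added example (not code from the thread or from Kamailio). The domains, addresses, the contents of `MYSELF` and `LOCATION`, the sample INVITEs and all function names are constructed for illustration; the three policy functions only mirror the conditions quoted in the thread.

```python
import re

# Constructed values: what Kamailio's "myself" would match, and the
# address-of-records that currently have a binding in the location table.
MYSELF = {"pbx.example.org", "198.51.100.10"}
LOCATION = {"sip:4000@pbx.example.org", "sip:4001@pbx.example.org"}


def host_of(uri):
    """Host part of a SIP URI, without user, port or parameters (no IPv6)."""
    rest = uri.split(":", 1)[1]            # drop the sip:/sips: scheme
    rest = rest.split(";", 1)[0]           # drop URI parameters
    rest = rest.rsplit("@", 1)[-1]         # drop the user part
    return rest.split(":", 1)[0].lower()   # drop the port


def aor_of(uri):
    """Normalise a URI to sip:user@host, the key used for the location lookup."""
    userhost = uri.split(":", 1)[1].split(";", 1)[0]
    user = userhost.rsplit("@", 1)[0] if "@" in userhost else ""
    return "sip:%s@%s" % (user, host_of(uri))


def parse_invite(raw):
    """Return (from_uri, request_uri) taken from a raw SIP request."""
    lines = raw.strip().splitlines()
    request_uri = lines[0].split()[1]
    from_value = next(l.split(":", 1)[1] for l in lines[1:]
                      if l.lower().startswith(("from:", "f:")))
    m = re.search(r"<([^>]+)>", from_value)
    from_uri = m.group(1) if m else from_value.split(";", 1)[0]
    return from_uri.strip(), request_uri


# Each policy returns True when the request is allowed to continue.
def and_check(from_uri, ruri):
    """Rejects only when: from_uri!=myself && uri!=myself."""
    return not (host_of(from_uri) not in MYSELF and host_of(ruri) not in MYSELF)


def or_check(from_uri, ruri):
    """Rejects when: from_uri!=myself || uri!=myself."""
    return not (host_of(from_uri) not in MYSELF or host_of(ruri) not in MYSELF)


def registered_caller_check(from_uri, ruri):
    """Allows only callers whose From AoR has a binding in location."""
    return aor_of(from_uri) in LOCATION


POLICIES = (and_check, or_check, registered_caller_check)


def invite(from_uri, ruri):
    """Build a minimal constructed INVITE carrying only the fields the checks read."""
    return ("INVITE %s SIP/2.0\r\n"
            "From: <%s>;tag=constructed\r\n"
            "To: <%s>\r\n\r\n" % (ruri, from_uri, ruri))


SAMPLES = {
    "outside -> local": invite("sip:anon@192.0.2.55", "sip:4000@198.51.100.10"),
    "local -> local": invite("sip:4001@pbx.example.org", "sip:4000@pbx.example.org"),
    "local -> outside": invite("sip:4001@pbx.example.org", "sip:bob@example.net"),
    "outside -> outside": invite("sip:anon@192.0.2.55", "sip:bob@example.net"),
    "unregistered, From domain = proxy IP": invite("sip:anon@198.51.100.10",
                                                   "sip:4000@198.51.100.10"),
}


def decision_matrix():
    """Map each sample to (and_check, or_check, registered_caller_check)."""
    out = {}
    for label, raw in SAMPLES.items():
        from_uri, ruri = parse_invite(raw)
        out[label] = tuple(policy(from_uri, ruri) for policy in POLICIES)
    return out


if __name__ == "__main__":
    print("%-38s %-6s %-6s %s" % ("request", "&&", "||", "registered"))
    for label, row in decision_matrix().items():
        print("%-38s %-6s %-6s %s" % ((label,) + tuple("allow" if a else "deny" for a in row)))
```

The From header is supplied by the caller, so the location lookup tells you who the caller claims to be; it needs digest authentication of that user alongside it before the request is handed to Asterisk.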
On 19-Jul-2014, at 5:30 pm, Teijo g.aloitus@gmail.com wrote:
Hello,
The problem is unauthenticated calls - calls from somebody from outside to my server. Kamailio accepts these calls, because the destination is my server. This happens if somebody calls some_extension@my.public.ip.address. My public IP refers to the address both Kamailio and Asterisk are listening on. This is not a problem if there are no online friends/peers in Asterisk, because then the incoming call goes to the context I have defined for incoming calls. But if there are online friends/peers in Asterisk, calls go to an online friend's/peer's context. I think this happens because one of the methods Asterisk uses to decide which context an incoming call goes to is the IP address. Now all the calls come from Kamailio - i.e. from the same IP. I think that when Asterisk is considering what to do with an incoming call, it detects that there are registration(s) from Kamailio's IP, and concludes that this incoming call belongs to this kind of peer's context, and this causes the problem. Likely Asterisk puts it into the context of the peer that is first in its list of registered peers.
I do not know what to do for this in Asterisk. I think - but I'm not sure at all - that refusing to forward such calls to Asterisk whose domain is Kamailio's IP - could solve this. But if this would be the solution, I do not know what I should do in Kamailio. Well, I suppose that the if statement in kamailio.cfg:

    # if caller is not local subscriber, then check if it calls
    # a local destination, otherwise deny, not an open relay here
    if (from_uri!=myself && uri!=myself)

is the place where I should do modification, but what the modified if statement should exactly be, I am not sure.
Best,
Teijo
19.7.2014 14:16, Cibin Paul wrote:
Hello,
Can you elaborate on your issue? Who is handling registration and how is the call flow?
Regards Cibin
On 19-Jul-2014, at 4:34 pm, Teijo g.aloitus@gmail.com wrote:
Hello,
Well, this is still a problem for me.
Best,
Teijo
17.7.2014 11:22, g.aloitus@gmail.com wrote:
Hello,
I have:

    allowguest=no
    contactpermit=kamailio.ip.addr.ess

I also have tried the approach that I have peer kamailio, but then all calls seem to go to the context defined for kamailio peer. I do not know how I could in that case handle individual calls - for example determine if given phone can call to given number or not.
Best,
Teijo
17.7.2014 10:48, Cibin Paul wrote:
Hello,
Try allowguest=no in sip.conf [general] context and create a peer for kamailio in sip.conf
Regards Cibin
17.7.2014 10:22, g.aloitus@gmail.com wrote:
Hello,
There is a message "Possible Security issue with Kamailio - Asterisk Realtime integration" in Asterisk users mailing list:
http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
I think the problem I have is somewhat similar.
Should I suppose that there is a security risk in Kamailio - Asterisk realtime integration, and if this is a case what I can do to eliminate this risk?
Best,
Teijo
16.7.2014 9:44, g.aloitus@gmail.com wrote:
> Hello,
>
> Has anybody any solution or suggestion?
>
> If I for example launch MicroSIP (no doubt it could be some other SIP
> client), and simply call:
>
> sip:some_extension@my.public.ip.address
>
> call is established, if there is online user/users. Naturally this
> incoming call should be handled by Asterisk in context where I have
> defined unauthorized calls are handled, but instead, the call goes
> online user's context.
>
> To get this situation I don't need to define any account information in
> MicroSIP.
>
> I have not set passwords for users in Asterisk to avoid double
> authorization. May this cause the behavior? I have not set default user
> or from user in my peer definitions. I am not registering Kamailio to
> Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
>
> I do not know what direction to go to. I would be happy, if I should not
> go to the trial and error path so any help is welcome.
>
> Thanks in advance,
>
> Teijo
>
> 14.7.2014 9:06, g.aloitus@gmail.com wrote:
>> Hello,
>>
>> If one places call, and tell that "my from domain is your Kamailio's
>> IP", call is established, because Asterisk accepts requests from
>> Kamailio. One problem is that it's unpredictable in this case what is
>> the context where this kind of call is handled by Asterisk.
>>
>> This situation requires that I change something in my setup. If I decide
>> accept calls only from my users, I suppose that it can be quite easily
>> done by modifying if statement referred below or at least by applying
>> instructions found here:
>>
>> http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registe...
>>
>> However, I'm somewhat unsure what should I do, if I decide to accept
>> calls from any caller - not only from my users.
>>
>> Best,
>>
>> Teijo
>>
>> 12.7.2014 19:36, Muhammad Shahzad wrote:
>>> Well, this
>>>
>>> if (from_uri!=myself && uri!=myself)
>>>
>>> Means neither source nor destination is our user. Which implies that
>>> if our domain is A, then call from domain "B to C" is not possible.
>>> However, calls from "B or C to A" and "A to B or C" are possible.
>>> That is why an unauthorized user gets passed and reaches asterisk.
>>> Asterisk accepts it since call is coming from kamailio and tries to
>>> route it back to kamailio, where kamailio finds user online and thus
>>> it goes through.
>>>
>>> You should really break down this,
>>>
>>> if (from_uri!=myself && uri!=myself)
>>>
>>> into something like this for clarity,
>>>
>>> if (from_uri!=myself) {
>>>     if (uri!=myself) {
>>>         # neither source nor destination is our user
>>>     } else {
>>>         # source is not our user but destination is our user
>>>     };
>>> } else {
>>>     if (uri!=myself) {
>>>         # source is our user but destination is not our user
>>>     } else {
>>>         # both source and destination are our users
>>>     };
>>> };
>>>
>>> Hope this helps.
>>>
>>> Thank you.
>>>
>>> On Fri, Jul 11, 2014 at 5:36 PM, g.aloitus@gmail.com wrote:
>>>
>>>> Hello,
>>>>
>>>> I'm using Kamailio version 4.1.4+precise (amd64).
>>>>
>>>> I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime
>>>> Integration using Asterisk Database"
>>>> (http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb).
>>>> One main difference in my setup compared to that one is that I
>>>> continued use of Kamailio's database.
>>>>
>>>> The problem is as follows:
>>>>
>>>> I decided to put Kamailio and through it Asterisk reachable from
>>>> internet. I have tried to configure Asterisk so that only calls of
>>>> registered users would be possible, and they could only call to
>>>> other registered users or conference rooms and echo test number.
>>>>
>>>> Then I took the following steps:
>>>>
>>>> I ensured that there were no online users with kamctl online. Then I
>>>> launched MicroSIP (www.microsip.org), but I did not define account, I
>>>> simply set the protocol to tls and media encryption to mandatory,
>>>> because I'm using these.
>>>>
>>>> I called to extension with xxx@my.public.ip.address (where xxx is
>>>> extension) getting "unauthorized". And that was what I wanted.
>>>>
>>>> But if there are online users, calls go through, and incoming call is
>>>> coming from Asterisk (in syslog I can find out that
>>>> src_user=asterisk).
>>>>
>>>> Kamailio and Asterisk are listening the same IP address, but different
>>>> port. I have refused connections to the Asterisk's port with iptables.
>>>>
>>>> I have defined my public IP address as domain in sip.conf. There is
>>>> also other domain defined which corresponds to users' domain I am
>>>> using in Kamailio's database.
>>>>
>>>> In kamailio.cfg there is if statement which prevents Kamailio not
>>>> to be open relay:
>>>>
>>>> if (from_uri!=myself && uri!=myself)
>>>> ...
>>>>
>>>> If I change this for example:
>>>>
>>>> if (from_uri!=myself || uri!=myself)
>>>>
>>>> I get what I want this time: no calls from outside, but I somewhat
>>>> think that this is not a final solution.
>>>>
>>>> I have not found from log files such information which would have
>>>> helped me. I have not yet investigated this problem so much that I
>>>> could tell the logic behind the selection of online user's identity
>>>> which is used. However, if I make a call to conference room I notice
>>>> that Asterisk is thinking that one of online users has joined the
>>>> conference.
>>>>
>>>> If I can recall correctly, I started with Kamailio version 3.2, and
>>>> integrated it with Asterisk 11 (currently 11.10.2). Is there something
>>>> which has changed in Kamailio, but what I have not changed in my setup
>>>> which could explain this.
>>>>
>>>> Best,
>>>>
>>>> Teijo
Yes, you are correct. But let's say that user A is online. Now somebody from somewhere calls sip:5000@my.public.ip.address. What happens is as follows: Suppose that 5000 is an extension which should only have limited access, for example users A and B have this extension in their contexts. Now however, when A is online, any unauthenticated call is handled in A's context so anybody could get A's privileges.
Best,
Teijo
Hello,
Is this part of your setup to allow anyone to call any extension, but handle these unauthenticated calls in a different context? If so, will the following entry work for you?
Create a peer of kamailio in sip.conf:

    [kamailio]
    type=peer
    host=kamailio ip
    port=kamailio port
    .
    .
    .
    context=some context where all calls should be handled

In extensions.conf:

    [context]
    exten => _X.,1,GotoIf([condition for checking call authentication]?auth:unauth)
    same => n(auth),Goto(context of authenticated call)
    same => n(unauth),Goto(context of unauthenticated call)
    .
    .
    .

Cibin
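One way to supply the "condition for checking call authentication" placeholder in the message above, given as an added example that is not part of the thread or of the asipto tutorial: Kamailio strips any caller-supplied marker header, authenticates callers that claim a local From domain, and only then adds the marker for Asterisk to test. The header name X-Auth-Caller and the route name MARK_CALLER are assumptions; the functions are those of the textops, auth and auth_db modules.

```cfg
# kamailio.cfg fragment - added example, hypothetical names:
#   X-Auth-Caller  marker header (assumption, any private name works)
#   MARK_CALLER    route name (assumption)
# Requires textops (remove_hf, append_hf), auth and auth_db
# (auth_check, auth_challenge, consume_credentials).
# Call route(MARK_CALLER) for initial INVITEs that arrive from outside,
# before the request is relayed to Asterisk. Requests coming back from
# Asterisk are assumed to be recognised earlier and to skip this route.

route[MARK_CALLER] {
    # A caller must never be able to supply the marker itself.
    remove_hf("X-Auth-Caller");

    if (from_uri==myself) {
        # Caller claims a local identity: demand digest credentials.
        if (!auth_check("$fd", "subscriber", "1")) {
            auth_challenge("$fd", "0");
            exit;
        }
        consume_credentials();
        # Identity is now proven; tell Asterisk who the caller is.
        append_hf("X-Auth-Caller: $au\r\n");
        return;
    }

    if (uri!=myself) {
        # Neither source nor destination is local: not an open relay.
        sl_send_reply("403", "Not relaying");
        exit;
    }

    # Foreign caller to a local destination: relay it without the
    # marker, so Asterisk can send it to its restricted context.
}
```

With every request reaching Asterisk through the single kamailio peer, the dialplan condition can then test whether `${SIP_HEADER(X-Auth-Caller)}` is non-empty. This holds only while Asterisk's own SIP port stays unreachable from outside, as the iptables rule described in the first post ensures.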
Hello,
I'd like to allow calls to my users from anyone, but I'd like to have control over those calls so that I could suppose that they go to the context I want - let's say that that context would be unauth. But as said, this is not the case currently.
Sorry, but I cannot figure out what condition for checking call authentication could be.
As I wrote in my first post, I have followed this tutorial:
http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb
for Kamailio - Asterisk realtime integration. Only exception I have is that I use Kamailio's database for user authentication, and that I have no Asterisk database.
Best,
Teijo
19.7.2014 17:36, Cibin Paul wrote:
Hello,
Is this part of your setup to allow anyone to call any extension, but handle these unauthenticated calls in a different context? If so, will the following entry work for you?
Create a peer of kamailio in sip.conf
    [kamailio]
    Type=peer
    Host=kamailio ip
    Port= kamailio port
    . . .
    context= some context where all calls should be handled.
In extensions.conf
    [context]
    exten => _X.,1,GotoIf([condition for checking call authentication]?auth:unauth)
    same => n(auth),Goto(context of authenticated call)
    same => n(unauth),Goto(context of unauthenticated call)
    . . .
Cibin
On 19-Jul-2014, at 7:20 pm, Teijo Burman g.aloitus@gmail.com wrote:
Yes, you are correct. But let's say that user A is online. Now somebody from somewhere calls sip:5000@my.public.ip.address. What happens is as follows: Suppose that 5000 is extension which should only have limited access, for example users A and B have this extension in their contexts. Now however, when A is online, any unauthenticated call is handled in A's context so anybody could get A's privileges.
Best,
Teijo
19.7.2014 15:30, Cibin Paul wrote:
Hello,
Let me understand this. You have an extension 4000 which is online. If someone who is not even a registered user calls the extension 4000 using 4000@your.public.ip.address, the call will get connected. Correct if I am wrong. As far as I understand, you have configured this box as a PBX where only registered users can communicate. If that is the case, can you do a lookup in location table whether the originating caller is actually online? By this you can check whether the originating call is from a valid source. If not, Hangup the call.
Regards Cibin
On 19-Jul-2014, at 5:30 pm, Teijo g.aloitus@gmail.com wrote:
Hello,
The problem is unauthenticated calls - calls from somebody from outside to my server. Kamailio accepts these calls, because destination is my server. This happens if somebody calls to some_extension@my.public.ip.address. My public IP refers to the address both Kamailio and Asterisk are listening to. This is not problem if there are no online friends/peers in Asterisk, because then incoming call goes to context I have defined for incoming calls. But if there are online friends/peers in Asterisk, calls go to online friend's/peer's context. I think this happens because one of the methods Asterisk decides to put incoming calls to given context is IP address. Now all the calls come from Kamailio - i.e. from the same IP. I think that when Asterisk is considering what to do with incoming call, it detects that there is registration(s) from Kamailio's IP, and concludes that this incoming call belongs to this kind of peer's context, and this causes problem. Likely Asterisk put it to the peer's context who has in the first place in its registered peers list.
I do not know what to do for this in Asterisk. I think - but I'm not sure at all - that refusing to forward such calls to Asterisk whose domain is Kamailio's IP - could solve this. But if this would be the solution, I do not know what I should do in Kamailio. Well, I suppose that if statement in kamailio.cfg:
    # if caller is not local subscriber, then check if it calls
    # a local destination, otherwise deny, not an open relay here
    if (from_uri!=myself && uri!=myself)
is the place where I should do modification, but what the modified if statement should exactly be, I am not sure.
Best,
Teijo
19.7.2014 14:16, Cibin Paul wrote:
Hello,
Can you elaborate on your issue? Who is handling registration and how is the call flow?
Regards Cibin
On 19-Jul-2014, at 4:34 pm, Teijo g.aloitus@gmail.com wrote:
Hello,
Well, this is still problem for me.
Best,
Teijo
17.7.2014 11:22, g.aloitus@gmail.com wrote:
> Hello,
>
> I have:
>
> allowguest=no
> contactpermit=kamailio.ip.addr.ess
>
> I also have tried the approach that I have peer kamailio, but then all
> calls seems to go to the context defined for kamailio peer. I do not
> know how I could in that case handle individual calls - for example
> determine if given phone can call to given number or not.
>
> Best,
>
> Teijo
>
> 17.7.2014 10:48, Cibin Paul wrote:
>> Hello,
>>
>> Try allow *allowguest=no* in sip.conf [general] context and create a
>> peer for kamailio in sip.conf
>>
>> Regards
>> Cibin
>>
>> 17.7.2014 10:22, g.aloitus@gmail.com wrote:
>>> Hello,
>>>
>>> There is a message "Possible Security issue with Kamailio - Asterisk
>>> Realtime integration" in Asterisk users mailing list:
>>>
>>> http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
>>>
>>> I think the problem I have is somewhat similar.
>>>
>>> Should I suppose that there is a security risk in Kamailio - Asterisk
>>> realtime integration, and if this is a case what I can do to eliminate
>>> this risk?
>>>
>>> Best,
>>>
>>> Teijo
>>>
>>> 16.7.2014 9:44, g.aloitus@gmail.com wrote:
>>>> Hello,
>>>>
>>>> Has anybody any solution or suggestion?
>>>>
>>>> If I for example launch MicroSIP (no doubt it could be some other SIP
>>>> client), and simply call:
>>>>
>>>> sip:some_extension@my.public.ip.address
>>>>
>>>> call is established, if there is online user/users. Naturally this
>>>> incoming call should be handled by Asterisk in context where I have
>>>> defined unauthorized calls are handled, but instead, the call goes
>>>> online user's context.
>>>>
>>>> To get this situation I don't need to define any account information in
>>>> MicroSIP.
>>>>
>>>> I have not set passwords for users in Asterisk to avoid double
>>>> authorization. May this cause the behavior? I have not set default user
>>>> or from user in my peer definitions. I am not registering Kamailio to
>>>> Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
>>>>
>>>> I do not know what direction to go to. I would be happy, if I should not
>>>> go to the trial and error path so any help is welcome.
>>>>
>>>> Thanks in advance,
>>>>
>>>> Teijo
>>>>
>>>> 14.7.2014 9:06, g.aloitus@gmail.com wrote:
>>>>> Hello,
>>>>>
>>>>> If one places call, and tell that "my from domain is your Kamailio's
>>>>> IP", call is established, because Asterisk accepts requests from
>>>>> Kamailio. One problem is that it's unpredictable in this case what is
>>>>> the context where this kind of call is handled by Asterisk.
>>>>>
>>>>> This situation requires that I change something in my setup. If I decide
>>>>> accept calls only from my users, I suppose that it can be quite easily
>>>>> done by modifying if statement referred below or at least by applying
>>>>> instructions found here:
>>>>>
>>>>> http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registe...
>>>>>
>>>>> However, I'm somewhat unsure what should I do, if I decide to accept
>>>>> calls from any caller - not only from my users.
>>>>>
>>>>> Best,
>>>>>
>>>>> Teijo
>>>>>
>>>>> 12.7.2014 19:36, Muhammad Shahzad wrote:
>>>>>> Well, this
>>>>>>
>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>
>>>>>> Means neither source nor destination is our user. Which implies that
>>>>>> if our domain is A, then call from domain "B to C" is not possible.
>>>>>> However, calls from "B or C to A" and "A to B or C" are possible. That
>>>>>> is why an unauthorized user gets passed and reaches asterisk. Asterisk
>>>>>> accepts it since call is coming from kamailio and tries to route it
>>>>>> back to kamailio, where kamailio finds user online and thus it goes
>>>>>> through.
>>>>>>
>>>>>> You should really break down this,
>>>>>>
>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>
>>>>>> into something like this for clarity,
>>>>>>
>>>>>> if (from_uri!=myself) {
>>>>>>     if (uri!=myself) {
>>>>>>         # neither source nor destination is our user
>>>>>>     } else {
>>>>>>         # source is not our user but destination is our user
>>>>>>     };
>>>>>> } else {
>>>>>>     if (uri!=myself) {
>>>>>>         # source is our user but destination is not our user
>>>>>>     } else {
>>>>>>         # both source and destination are our users
>>>>>>     };
>>>>>> };
>>>>>>
>>>>>> Hope this helps.
>>>>>>
>>>>>> Thank you.
>>>>>>
>>>>>>> On Fri, Jul 11, 2014 at 5:36 PM, g.aloitus@gmail.com wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I'm using Kamailio version 4.1.4+precise (amd64).
>>>>>>>
>>>>>>> I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime
>>>>>>> Integration using Asterisk Database"
>>>>>>> (http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb).
>>>>>>> One main difference in my setup compared to that one is that I
>>>>>>> continued use of Kamailio's database.
>>>>>>>
>>>>>>> The problem is as follows:
>>>>>>>
>>>>>>> I decided to put Kamailio and through it Asterisk reachable from
>>>>>>> internet. I have tried to configure Asterisk so that only calls of
>>>>>>> registered users would be possible, and they could only call to other
>>>>>>> registered users or conference rooms and echo test number.
>>>>>>>
>>>>>>> Then I took the following steps:
>>>>>>>
>>>>>>> I ensured that there was no online users with kamctl online. Then I
>>>>>>> launched MicroSIP (www.microsip.org), but I did not defined account, I
>>>>>>> simply set the protocol to tls and media encryption to mandatory,
>>>>>>> because I'm using these.
>>>>>>>
>>>>>>> I called to extension with xxx@my.public.ip.address (where xxx is
>>>>>>> extension) getting "unauthorized". And that was what I wanted.
>>>>>>>
>>>>>>> But if there is online users, calls go through, and incoming call is
>>>>>>> coming from Asterisk (in syslog I can find out that
>>>>>>> src_user=asterisk).
>>>>>>>
>>>>>>> Kamailio and Asterisk are listening the same IP address, but different
>>>>>>> port. I have refused connections to the Asterisk's port with iptables.
>>>>>>>
>>>>>>> I have defined my public IP address as domain in sip.conf. There is
>>>>>>> also other domain defined which corresponds to users' domain I am
>>>>>>> using in Kamailio's database.
>>>>>>>
>>>>>>> In kamailio.cfg there is if statement which prevents Kamailio not
>>>>>>> to be open relay:
>>>>>>>
>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>> ...
>>>>>>>
>>>>>>> If I change this for example:
>>>>>>>
>>>>>>> if (from_uri!=myself || uri!=myself)
>>>>>>>
>>>>>>> I get what I want this time: no calls from outside, but I somewhat
>>>>>>> think that this is not a final solution.
>>>>>>>
>>>>>>> I have not found from log files such information which would have
>>>>>>> helped me. I have not yet investigated this problem so much that I
>>>>>>> could tell the logic behind the selection of online user's identity
>>>>>>> which is used. However, if I make a call to conference room I notice
>>>>>>> that Asterisk is thinking that one of online users has joined the
>>>>>>> conference.
>>>>>>>
>>>>>>> If I can recall correctly, I started with Kamailio version 3.2, and
>>>>>>> integrated it with Asterisk 11 (currently 11.10.2). Is there something
>>>>>>> which has changed in Kamailio, but what I have not changed in my setup
>>>>>>> which could explain this.
>>>>>>>
>>>>>>> Best,
>>>>>>>
>>>>>>> Teijo
Hello,
This problem seems not to happen when Kamailio is not in use.
I'd like to handle registrations etc. in Kamailio, but I do not know how to do it without suffering from this problem.
Best,
Teijo
Hello,
If you want to check call authentication, you can perform the following.
CASE 1: Outside caller initiating a call to a user with the callerid set to a valid username (callerid) in Kamailio
You will get the IP address from which the call is originated using ${SIPURI}. Basically you have to strip the IP address from ${SIPURI}. You can compare the same with the IP in location table of Kamailio. If same, the call is from a registered user, otherwise someone is using the same callerid as of a registered user which you can send to a different context.
CASE 2: CALLERID not set or a different pattern other than your users
In this case you can straight away send the call to a different context.
You can check this condition using an AGI.
Regards Cibin
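One way to supply the "condition for checking call authentication" discussed in this thread is to let Kamailio assert it, since Kamailio is the component that holds the credentials. The kamailio.cfg fragment below is an added example, not code from the thread, the tutorial or either project; the route name AUTH_MARK and the header name X-Auth-User are hypothetical, and it assumes the auth, auth_db, textops and sl modules and the subscriber table of the stock configuration.

```cfg
# Added example for kamailio.cfg, modelled on the layout of the stock 4.x
# configuration. Assumptions: the auth, auth_db, textops and sl modules are
# loaded, accounts live in the "subscriber" table, and the route name
# AUTH_MARK and the header name X-Auth-User are hypothetical.
#
# Call it for initial INVITEs before they are relayed to Asterisk:
#     route(AUTH_MARK);

route[AUTH_MARK] {
    # A caller could send the marker header itself, so always strip
    # whatever arrived before deciding anything.
    remove_hf("X-Auth-User");

    if (from_uri==myself) {
        # From claims one of our domains (including the public IP if it is
        # a local alias): demand digest credentials matching the From user.
        if (!auth_check("$fd", "subscriber", "1")) {
            auth_challenge("$fd", "0");
            exit;
        }
        # Do not pass the credentials on to Asterisk.
        consume_credentials();
        # Only a verified caller gets the marker, carrying the auth user.
        append_hf("X-Auth-User: $au\r\n");
        return;
    }

    # Foreign caller: keep the open-relay guard discussed in the thread.
    if (uri!=myself) {
        sl_send_reply("403", "Not relaying");
        exit;
    }

    # Foreign caller to a local destination: relayed without the marker,
    # so Asterisk can place the call in the unauthenticated context.
}
```

On the Asterisk side, the context assigned to the Kamailio peer can branch on whether `${SIP_HEADER(X-Auth-User)}` is empty, which fills the condition left open in the GotoIf sketch quoted in this thread. The marker is only trustworthy while Asterisk accepts SIP from Kamailio alone, as the iptables rule described in the first post intends.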
On Monday 21 July 2014 17:39:30 Cibin Paul wrote:
> You will get the IP address from which the call is originated using ${SIPURI}. Basically you have to strip the ip address from ${SIPURI}. You can compare the same with the ip in location table of kamailio.
OT: SIPURI is parsed/constructed from the INVITE. CHANNEL(recvip) will give you the ip addr of the remote socket.
Thank you both for your replies, which made me more familiar with Asterisk's features/possibilities.
Is there something I could do with Kamailio to manage the problem?
Best,
Teijo
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
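
One way to enforce the "registered users only" policy on the Kamailio side, as an added example that is not part of the thread or of the asipto tutorial. It assumes the stock kamailio.cfg layout (route[AUTH] reached only by initial requests, auth and auth_db loaded, a "subscriber" table), and 192.0.2.10:5080 is a placeholder for the socket Asterisk sends from.

```kamailio
# Added example (not from the thread). Placeholder values are marked.
route[AUTH] {
	# Requests that Asterisk itself sends back through Kamailio are
	# trusted by source socket, never by what the SIP headers claim.
	# Kamailio and Asterisk share one IP in the setup described above,
	# so the source port is part of the check.
	if ($si == "192.0.2.10" && $sp == 5080) {   # placeholder address/port
		return;
	}

	if (is_method("REGISTER") || from_uri == myself) {
		# The caller claims a local identity: require digest
		# authentication against the subscriber table.
		if (!auth_check("$fd", "subscriber", "1")) {
			auth_challenge("$fd", "0");
			exit;
		}
		# Authenticated: strip credentials before relaying.
		if (!is_method("REGISTER|PUBLISH")) {
			consume_credentials();
		}
		return;
	}

	# From here on the caller is NOT a local subscriber.
	#
	# Stock rule, which rejects only when the destination is foreign too:
	#     if (from_uri != myself && uri != myself) { ... }
	# It lets "anyone -> extension@my.public.ip.address" through,
	# because uri == myself is true for that request.
	#
	# Closed-PBX rule: a non-local caller is rejected whatever the
	# destination, so nothing unauthenticated is relayed to Asterisk.
	sl_send_reply("403", "Not relaying");
	exit;
}
```

Compared with changing `&&` to `||`, this keeps the authentication step in front of the decision, so a request that merely writes a local domain into its From header is challenged rather than trusted.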