Hello,
This problem seems not to happen when Kamailio is not in use.
I'd like to handle registrations etc. in Kamailio, but I do not know how
to do it without suffering from this problem.
Best,
Teijo
19.7.2014 21:12, Teijo wrote:
Hello,
I'd like to allow calls to my users from anyone, but I'd like to have
control over those calls so that I could suppose that they go to context
I want - let's say that that context would be unauth. But as said, this
is not the case currently.
Sorry, but I cannot figure out what condition for checking call
authentication could be.
As I wrote in my first post, I have followed this tutorial:
http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb
for Kamailio - Asterisk realtime integration. Only exception I have is
that I use Kamailio's database for user authentication, and that I have
no Asterisk database.
Best,
Teijo
19.7.2014 17:36, Cibin Paul wrote:
Hello,
Is this part of your setup to allow anyone to call any extension, but
handle these unauthenticated calls in a different context? If so, will
the following entry work for you?
Create a peer of kamailio in sip.conf
[kamailio]
Type=peer
Host=kamailio ip
Port= kamailio port
.
.
.
context= some context where all calls should be handled.
In extensions.conf
[context]
exten => _X.,1,GotoIf($[condition for checking call authentication]?auth:unauth)
Same = n(auth),Goto(context of authenticated call)
Same = n(unauth),Goto(context of unauthenticated call)
.
.
.
Cibin
> On 19-Jul-2014, at 7:20 pm, Teijo Burman <g.aloitus(a)gmail.com> wrote:
>
> Yes, you are correct. But let's say that user A is online. Now
> somebody from somewhere calls sip:5000@my.public.ip.address. What
> happens is as follows: Suppose that 5000 is extension which should
> only have limited access, for example users A and B have this
> extension in their contexts. Now however, when A is online, any
> unauthenticated call is handled in A's context so anybody could get
> A's privileges.
>
> Best,
>
> Teijo
>
> 19.7.2014 15:30, Cibin Paul wrote:
>> Hello,
>>
>> Let me understand this. You have an extension 4000 which is online.
>> If someone which is not even a registered user calls the extension
>> 4000 using 4000@your.public.ip.address, the call will get connected.
>> Correct if I am wrong.
>> As far as I understand, you have configured this box as a PBX where
>> only registered users can communicate. If that is the case, can you
>> do a lookup in location table whether the originating caller is
>> actually online? By this you can check whether the originating call
>> is from a valid source. If not, Hangup the call.
>>
>> Regards
>> Cibin
>>
>>
>>> On 19-Jul-2014, at 5:30 pm, Teijo <g.aloitus(a)gmail.com> wrote:
>>>
>>> Hello,
>>>
>>> The problem are unauthenticated calls - calls from somebody from
>>> outside to my server. Kamailio accepts these calls, because
>>> destination is my server. This happens if somebody calls to
>>> some_extension@my.public.ip.address. My public IP refers to the
>>> address both Kamailio and Asterisk are listening to. This is not
>>> problem if there are no online friends/peers in Asterisk, because
>>> then incoming call goes to context I have defined for incoming
>>> calls. But if there are online friends/peers in Asterisk, calls
>>> go to online friend's/peer's context. I think this happens
>>> because one of the methods Asterisk decides to put incoming calls
>>> to given context is IP address. Now all the calls come from
>>> Kamailio - ie. from the same IP. I think that when Asterisk is
>>> considering what to do with incoming call, it detects that there is
>>> registration(s) from Kamailio's IP, and concludes that this
>>> incoming call belongs to this kind of peer's context, and this
>>> causes problem. Likely Asterisk put it to the peer's context who
>>> has in the first place in its registered peers list.
>>>>
>>>> I do not know what to do for this in Asterisk. I think - but I'm
>>>> not sure at all - that refusing to forward such calls to Asterisk
>>>> whose domain is Kamailio's IP - could solve this. But if this would
>>>> be the solution, I do not know what I should do in Kamailio. Well,
>>>> I suppose that if statement in kamailio.cfg:
>>>>
>>>> # if caller is not local subscriber, then check if it calls
>>>> # a local destination, otherwise deny, not an open relay here
>>>> if (from_uri!=myself && uri!=myself)
>>>>
>>>> is the place where I should do modification, but what the modified
>>>> if statement should exactly be, I am not sure.
>>>>
>>>> Best,
>>>>
>>>> Teijo
>>>>
>>>> 19.7.2014 14:16, Cibin Paul wrote:
>>>>> Hello,
>>>>>
>>>>> Can you elaborate on your issue. who is handling registration and
>>>>> how is the call flow?
>>>>>
>>>>> Regards
>>>>> Cibin
>>>>>
>>>>>
>>>>>> On 19-Jul-2014, at 4:34 pm, Teijo <g.aloitus(a)gmail.com> wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> Well, this is still problem for me.
>>>>>>
>>>>>> Best,
>>>>>>
>>>>>> Teijo
>>>>>>
>>>>>> 17.7.2014 11:22, g.aloitus(a)gmail.com wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have:
>>>>>>>
>>>>>>> allowguest=no
>>>>>>> contactpermit=kamailio.ip.addr.ess
>>>>>>>
>>>>>>> I also have tried the approach that I have peer kamailio, but
>>>>>>> then all calls seem to go to the context defined for kamailio
>>>>>>> peer. I do not know how I could in that case handle individual
>>>>>>> calls - for example determine if given phone can call to given
>>>>>>> number or not.
>>>>>>>
>>>>>>> Best,
>>>>>>>
>>>>>>> Teijo
>>>>>>>
>>>>>>> 17.7.2014 10:48, Cibin Paul wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> Try allow *allowguest=no* in sip.conf [general] context and
>>>>>>>> create a peer for kamailio in sip.conf
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Cibin
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 17.7.2014 10:22, g.aloitus(a)gmail.com wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> There is a message "Possible Security issue with Kamailio -
>>>>>>>>> Asterisk Realtime integration" in Asterisk users mailing list:
>>>>>>>>>
>>>>>>>>> http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
>>>>>>>>>
>>>>>>>>> I think the problem I have is somewhat similar.
>>>>>>>>>
>>>>>>>>> Should I suppose that there is a security risk in Kamailio -
>>>>>>>>> Asterisk realtime integration, and if this is a case what I can
>>>>>>>>> do to eliminate this risk?
>>>>>>>>>
>>>>>>>>> Best,
>>>>>>>>>
>>>>>>>>> Teijo
>>>>>>>>>
>>>>>>>>> 16.7.2014 9:44, g.aloitus(a)gmail.com wrote:
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> Has anybody any solution or suggestion?
>>>>>>>>>>
>>>>>>>>>> If I for example launch MicroSIP (no doubt it could be some
>>>>>>>>>> other SIP client), and simply call:
>>>>>>>>>>
>>>>>>>>>> sip:some_extension@my.public.ip.address
>>>>>>>>>>
>>>>>>>>>> call is established, if there is online user/users. Naturally
>>>>>>>>>> this incoming call should be handled by Asterisk in context
>>>>>>>>>> where I have defined unauthorized calls are handled, but
>>>>>>>>>> instead, the call goes online user's context.
>>>>>>>>>>
>>>>>>>>>> To get this situation I don't need to define any account
>>>>>>>>>> information in MicroSIP.
>>>>>>>>>>
>>>>>>>>>> I have not set passwords for users in Asterisk to avoid double
>>>>>>>>>> authorization. May this cause the behavior? I have not set
>>>>>>>>>> default user or from user in my peer definitions. I am not
>>>>>>>>>> registering Kamailio to Asterisk - I mean I have no peer
>>>>>>>>>> definition for Kamailio in sip.conf.
>>>>>>>>>>
>>>>>>>>>> I do not know what direction to go to. I would be happy, if I
>>>>>>>>>> should not go to the trial and error path so any help is
>>>>>>>>>> welcome.
>>>>>>>>>>
>>>>>>>>>> Thanks in advance,
>>>>>>>>>>
>>>>>>>>>> Teijo
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 14.7.2014 9:06, g.aloitus(a)gmail.com wrote:
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> If one places call, and tell that "my from domain is your
>>>>>>>>>>> Kamailio's IP", call is established, because Asterisk accepts
>>>>>>>>>>> requests from Kamailio. One problem is that it's unpredictable
>>>>>>>>>>> in this case what is the context where this kind of call is
>>>>>>>>>>> handled by Asterisk.
>>>>>>>>>>>
>>>>>>>>>>> This situation requires that I change something in my setup.
>>>>>>>>>>> If I decide accept calls only from my users, I suppose that it
>>>>>>>>>>> can be quite easily done by modifying if statement referred
>>>>>>>>>>> below or at least by applying instructions found here:
>>>>>>>>>>>
>>>>>>>>>>> http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-regist…
>>>>>>>>>>>
>>>>>>>>>>> However, I'm somewhat unsure what should I do, if I decide to
>>>>>>>>>>> accept calls from any caller - not only from my users.
>>>>>>>>>>>
>>>>>>>>>>> Best,
>>>>>>>>>>>
>>>>>>>>>>> Teijo
>>>>>>>>>>>
>>>>>>>>>>> 12.7.2014 19:36, Muhammad Shahzad wrote:
>>>>>>>>>>>> Well, this
>>>>>>>>>>>>
>>>>>>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>>>>>>>
>>>>>>>>>>>> Means neither source nor destination is our user. Which
>>>>>>>>>>>> implies that if our domain is A, then call from domain "B to
>>>>>>>>>>>> C" is not possible. However, calls from "B or C to A" and "A
>>>>>>>>>>>> to B or C" are possible. That is why an unauthorized user gets
>>>>>>>>>>>> passed and reaches asterisk. Asterisk accepts it since call is
>>>>>>>>>>>> coming from kamailio and tries to route it back to kamailio,
>>>>>>>>>>>> where kamailio finds user online and thus it goes through.
>>>>>>>>>>>>
>>>>>>>>>>>> You should really break down this,
>>>>>>>>>>>>
>>>>>>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>>>>>>>
>>>>>>>>>>>> into something like this for clarity,
>>>>>>>>>>>>
>>>>>>>>>>>> if (from_uri!=myself) {
>>>>>>>>>>>>     if (uri!=myself) {
>>>>>>>>>>>>         # neither source nor destination is our user
>>>>>>>>>>>>     } else {
>>>>>>>>>>>>         # source is not our user but destination is our user
>>>>>>>>>>>>     };
>>>>>>>>>>>> } else {
>>>>>>>>>>>>     if (uri!=myself) {
>>>>>>>>>>>>         # source is our user but destination is not our user
>>>>>>>>>>>>     } else {
>>>>>>>>>>>>         # both source and destination are our users
>>>>>>>>>>>>     };
>>>>>>>>>>>> };
>>>>>>>>>>>>
>>>>>>>>>>>> Hope this helps.
>>>>>>>>>>>>
>>>>>>>>>>>> Thank you.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, Jul 11, 2014 at 5:36 PM, <g.aloitus(a)gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm using Kamailio version 4.1.4+precise (amd64).
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime
>>>>>>>>>>>>> Integration using Asterisk Database"
>>>>>>>>>>>>> (http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb).
>>>>>>>>>>>>> One main difference in my setup compared to that one is that
>>>>>>>>>>>>> I continued use of Kamailio's database.
>>>>>>>>>>>>>
>>>>>>>>>>>>> The problem is as follows:
>>>>>>>>>>>>>
>>>>>>>>>>>>> I decided to put Kamailio and through it Asterisk reachable
>>>>>>>>>>>>> from internet. I have tried to configure Asterisk so that
>>>>>>>>>>>>> only calls of registered users would be possible, and they
>>>>>>>>>>>>> could only call to other registered users or conference rooms
>>>>>>>>>>>>> and echo test number.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Then I took the following steps:
>>>>>>>>>>>>>
>>>>>>>>>>>>> I ensured that there was no online users with kamctl online.
>>>>>>>>>>>>> Then I launched MicroSIP (www.microsip.org), but I did not
>>>>>>>>>>>>> define account, I simply set the protocol to tls and media
>>>>>>>>>>>>> encryption to mandatory, because I'm using these.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I called to extension with xxx@my.public.ip.address (where
>>>>>>>>>>>>> xxx is extension) getting "unauthorized". And that was what I
>>>>>>>>>>>>> wanted.
>>>>>>>>>>>>>
>>>>>>>>>>>>> But if there is online users, calls go through, and incoming
>>>>>>>>>>>>> call is coming from Asterisk (in syslog I can find out that
>>>>>>>>>>>>> src_user=asterisk).
>>>>>>>>>>>>>
>>>>>>>>>>>>> Kamailio and Asterisk are listening the same IP address, but
>>>>>>>>>>>>> different port. I have refused connections to the Asterisk's
>>>>>>>>>>>>> port with iptables.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have defined my public IP address as domain in sip.conf.
>>>>>>>>>>>>> There is also other domain defined which corresponds to
>>>>>>>>>>>>> users' domain I am using in Kamailio's database.
>>>>>>>>>>>>>
>>>>>>>>>>>>> In kamailio.cfg there is if statement which prevents Kamailio
>>>>>>>>>>>>> not to be open relay:
>>>>>>>>>>>>>
>>>>>>>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>>>>>>>> ...
>>>>>>>>>>>>>
>>>>>>>>>>>>> If I change this for example:
>>>>>>>>>>>>>
>>>>>>>>>>>>> if (from_uri!=myself || uri!=myself)
>>>>>>>>>>>>>
>>>>>>>>>>>>> I get what I want this time: no calls from outside, but I
>>>>>>>>>>>>> somewhat think that this is not a final solution.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have not found from log files such information which would
>>>>>>>>>>>>> have helped me. I have not yet investigated this problem so
>>>>>>>>>>>>> much that I could tell the logic behind the selection of
>>>>>>>>>>>>> online user's identity which is used. However, if I make a
>>>>>>>>>>>>> call to conference room I notice that Asterisk is thinking
>>>>>>>>>>>>> that one of online users has joined the conference.
>>>>>>>>>>>>>
>>>>>>>>>>>>> If I can recall correctly, I started with Kamailio version
>>>>>>>>>>>>> 3.2, and integrated it with Asterisk 11 (currently 11.10.2).
>>>>>>>>>>>>> Is there something which has changed in Kamailio, but what I
>>>>>>>>>>>>> have not changed in my setup which could explain this.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Best,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Teijo
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
>>>>>>>>>>>>> mailing list
>>>>>>>>>>>>> sr-users(a)lists.sip-router.org
>>>>>>>>>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
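
The behaviour discussed in this thread, as an added example that is not part of any poster's message: a small Python model of the `from_uri`/`uri` relay test from kamailio.cfg and of context selection by source IP as the thread describes Asterisk doing it. All addresses, domains, peer names and context names are constructed, and the peer matching is a simplification, not Asterisk's code.

```python
LOCAL = {"203.0.113.10", "sip.example.test"}  # constructed: hosts `myself` matches
KAMAILIO_IP = "203.0.113.10"                  # constructed address


def host(uri):
    """Host part of a sip:user@host[:port][;params] URI (IPv4/hostname only)."""
    rest = uri.split(":", 1)[1]
    return rest.split("@")[-1].split(";")[0].split(":")[0].lower()


def relay_denied(from_uri, ruri, op="and"):
    """kamailio.cfg relay test; True means Kamailio rejects the request."""
    src_foreign = host(from_uri) not in LOCAL  # from_uri != myself
    dst_foreign = host(ruri) not in LOCAL      # uri != myself
    if op == "and":
        return src_foreign and dst_foreign
    return src_foreign or dst_foreign


def asterisk_context(src_ip, online_peers):
    """Context chosen by source IP, as the thread describes Asterisk doing.

    online_peers: (name, registered_ip, context) tuples in lookup order.
    Returns None when nothing matches (allowguest=no rejects the call).
    """
    for _name, ip, context in online_peers:
        if ip == src_ip:
            return context  # first peer registered from that IP wins
    return None


def route_call(from_uri, ruri, online_peers, op="and"):
    """Follow one INVITE through Kamailio and on to Asterisk."""
    if relay_denied(from_uri, ruri, op):
        return "denied by Kamailio"
    # Kamailio relays the call, so Asterisk sees Kamailio's IP as the source.
    return asterisk_context(KAMAILIO_IP, online_peers) or "rejected by Asterisk"


OUTSIDER = "sip:anon@198.51.100.7"              # constructed, never registered
TARGET = "sip:5000@203.0.113.10"
PEERS = [("userA", KAMAILIO_IP, "ctx-userA")]   # A registered through Kamailio

if __name__ == "__main__":
    for op in ("and", "or"):
        print(op, "no peers:", route_call(OUTSIDER, TARGET, [], op))
        print(op, "A online:", route_call(OUTSIDER, TARGET, PEERS, op))
    # A From header that merely claims the local domain passes either test.
    print(route_call("sip:x@203.0.113.10", TARGET, PEERS, "or"))
```

The last case corresponds to the 14.7.2014 message: a caller that claims Kamailio's IP as its From domain is not foreign to either form of the test.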