[SR-Users] Unknown caller gets online user's identity

Thu Jul 17 09:22:50 CEST 2014

Hello,

There is a message "Possible Security issue with Kamailio - Asterisk 
Realtime integration" in Asterisk users mailing list:

http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html

I think the problem I have is somewhat similar.

Should I suppose that there is a security risk in Kamailio - Asterisk 
realtime integration, and if this is a case what I can do to eliminate 
this risk?

Best,

Teijo

16.7.2014 9:44, g.aloitus at gmail.com kirjoitti:
> Hello,
>
> Has anybody any solution or suggestion?
>
> If I for example launch MicroSIP (no doubt it could be some other SIP
> client), and simply call:
>
> sip:some_extension at my.public.ip.address
>
> call is established, if there is online user/users. Naturally this
> incoming call should be handled by Asterisk in context where I have
> defined unauthorized calls are handled, but in stead, the call goes
> online user's context.
>
> To get this situation I don't need to define any account information in
> MicroSIP.
>
> I have not set passwords for users in Asterisk to avoid double
> authorization. May this cause the behavior? I have not set default user
> or from user in my peer definitions. I am not registering Kamailio to
> Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
>
> I do not know what direction to go to. I would be happy, if I should not
> go to the trial and error path so any help is welcome.
>
> Thanks in advance,
>
> Teijo
>
>
> 14.7.2014 9:06, g.aloitus at gmail.com kirjoitti:
>> Hello,
>>
>> If one places call, and tell that "my from domain is your Kamailio's
>> IP", call is established, because Asterisk accepts requests from
>> Kamailio. One problem is that it's unpredictable in this case what is
>> the context where thiskind of call is handled by Asterisk.
>>
>> This situation requires that I change something in my setup. If I decide
>> accept calls only from my users, I suppose that it can be quite easily
>> done by modifying if statement referred below or at least by applying
>> instructions found here:
>>
>> http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
>>
>>
>>
>> However, I'm somewhat unsure what should I do, if I decide to accept
>> calls from any caller - not only from my users.
>>
>> Best,
>>
>> Teijo
>>
>> 12.7.2014 19:36, Muhammad Shahzad kirjoitti:
>>> Well, this
>>>
>>> *if (from_uri!=myself && uri!=myself)*
>>>
>>> Means neither source nor destination is our user. Which implies that
>>> if our
>>> domain is A, then call from domain "B to C" is not possible. However,
>>> calls
>>> from "B or C to A" and "A to B or C" are possible. That is way an
>>> unauthorized user gets passed and reaches asterisk. Asterisk accepts it
>>> since call is coming from kamailio and tries to route it back to
>>> kamailio,
>>> where kamailio finds user online and thus it goes through.
>>>
>>> You should really break down this,
>>>
>>> *if (from_uri!=myself && uri!=myself)*
>>>
>>> into something like this for clarity,
>>>
>>>
>>> *if (from_uri!=myself) { *
>>> *   if (uri!=myself) {*
>>> *       # neither source nor destination is our user*
>>> *   } else {*
>>> *       # source is not our user but destination is our user*
>>> *   };*
>>> *} else {*
>>> *   if (uri!=myself) {*
>>> *       # source is our user but destination is not our user*
>>> *   } else {*
>>> *      # both source and destination are our users*
>>> *   };*
>>> *};*
>>>
>>> Hope this helps.
>>>
>>> Thank you.
>>>
>>>
>>>
>>>
>>> On Fri, Jul 11, 2014 at 5:36 PM, <g.aloitus at gmail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> I'm using Kamailio version 4.1.4+precise (amd64).
>>>>
>>>> I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime
>>>> Integration
>>>> using Asterisk Database" (http://kb.asipto.com/
>>>> asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main
>>>> difference in my setup compared to that one is that I continued use of
>>>> Kamailio's database.
>>>>
>>>> The problem is as follows:
>>>>
>>>> I decided to put Kamailio and through it Asterisk reachable from
>>>> internet.
>>>> I have tried to configure Asterisk so that only calls of registered
>>>> users
>>>> would be possible, and they could only call to other registered
>>>> users or
>>>> conference rooms and echo test number.
>>>>
>>>> Then I took the following steps:
>>>>
>>>> I ensured that there was no online users with kamctl online. Then I
>>>> launched MicroSIP (www.microsip.org), but I did not defined account, I
>>>> simply set the protocol to tls and media encryption to mandatory,
>>>> because
>>>> I'm using these.
>>>>
>>>> I called to extension with xxx at my.public.ip.address (where xxx is
>>>> extension) getting "unauthorized". And that was what I wanted.
>>>>
>>>> But if there is online users, calls go through, and incoming call is
>>>> coming from Asterisk (in syslog I can find out that src_user=asterisk).
>>>>
>>>> Kamailio and Asterisk are listening the same IP address, but different
>>>> port. I have refused connections to the Asterisk's port with iptables.
>>>>
>>>> I have defined my public IP address as domain in sip.conf. There is
>>>> also
>>>> other domain defined which corresponds to users' domain I am using in
>>>> Kamailio's database.
>>>>
>>>> In kamailio.cfg there is if statement which prevents Kamailio not to be
>>>> open relay:
>>>>
>>>> if (from_uri!=myself && uri!=myself)
>>>> ...
>>>>
>>>> If I change this for example:
>>>>
>>>> if (from_uri!=myself || uri!=myself)
>>>>
>>>> I get what I want this time: no calls from outside, but I somewhat
>>>> think
>>>> that this is not a final solution.
>>>>
>>>> I have not found from log files such information which would have
>>>> helped
>>>> me. I have not yet investigated this problem so much that I could
>>>> tell the
>>>> logic behind the selection of online user's identity which is used.
>>>> However, if I make a call to conference room I notice that Asterisk is
>>>> thinking that one of online users has joined the conference.
>>>>
>>>> If I can recall correctly, I started with Kamailio version 3.2, and
>>>> integrated it with Asterisk 11 (currently 11.10.2). Is there something
>>>> which has changed in Kamailio, but what I have not changed in my setup
>>>> which could explain this.
>>>>
>>>> Best,
>>>>
>>>> Teijo
>>>>
>>>> _______________________________________________
>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>>> sr-users at lists.sip-router.org
>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>
>>>>
>>>>
>>>> TÃ¤mÃ¤ viestin rungon osa siirretÃ¤Ã¤n pyydettÃ¤essÃ¤.