[SR-Users] Unknown caller gets online user's identity

Cibin Paul paul_cibin at me.com
Thu Jul 17 09:48:07 CEST 2014


Hello,

Try allowguest=no in the sip.conf [general] context and create a peer for kamailio in sip.conf


Regards
Cibin




On 17-Jul-2014, at 12:52 pm, g.aloitus at gmail.com wrote:

> Hello,
> 
> There is a message "Possible Security issue with Kamailio - Asterisk Realtime integration" in Asterisk users mailing list:
> 
> http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
> 
> I think the problem I have is somewhat similar.
> 
> Should I suppose that there is a security risk in Kamailio - Asterisk realtime integration, and if this is a case what I can do to eliminate this risk?
> 
> Best,
> 
> Teijo
> 
> 16.7.2014 9:44, g.aloitus at gmail.com wrote:
>> Hello,
>> 
>> Has anybody any solution or suggestion?
>> 
>> If I for example launch MicroSIP (no doubt it could be some other SIP
>> client), and simply call:
>> 
>> sip:some_extension at my.public.ip.address
>> 
>> the call is established, if there are online users. Naturally this
>> incoming call should be handled by Asterisk in the context where I have
>> defined that unauthorized calls are handled, but instead, the call goes
>> to the online user's context.
>> 
>> To get this situation I don't need to define any account information in
>> MicroSIP.
>> 
>> I have not set passwords for users in Asterisk to avoid double
>> authorization. May this cause the behavior? I have not set default user
>> or from user in my peer definitions. I am not registering Kamailio to
>> Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
>> 
>> I do not know what direction to go to. I would be happy, if I should not
>> go to the trial and error path so any help is welcome.
>> 
>> Thanks in advance,
>> 
>> Teijo
>> 
>> 
>> 14.7.2014 9:06, g.aloitus at gmail.com wrote:
>>> Hello,
>>> 
>>> If one places a call, and tells that "my from domain is your Kamailio's
>>> IP", the call is established, because Asterisk accepts requests from
>>> Kamailio. One problem is that it's unpredictable in this case what is
>>> the context where this kind of call is handled by Asterisk.
>>> 
>>> This situation requires that I change something in my setup. If I decide
>>> to accept calls only from my users, I suppose that it can be quite easily
>>> done by modifying the if statement referred to below or at least by
>>> applying the instructions found here:
>>> 
>>> http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
>>> 
>>> 
>>> 
>>> However, I'm somewhat unsure what should I do, if I decide to accept
>>> calls from any caller - not only from my users.
>>> 
>>> Best,
>>> 
>>> Teijo
>>> 
>>> 12.7.2014 19:36, Muhammad Shahzad wrote:
>>>> Well, this
>>>> 
>>>> if (from_uri!=myself && uri!=myself)
>>>> 
>>>> Means neither source nor destination is our user. Which implies that
>>>> if our domain is A, then a call from domain "B to C" is not possible.
>>>> However, calls from "B or C to A" and "A to B or C" are possible. That
>>>> is why an unauthorized user gets passed and reaches asterisk. Asterisk
>>>> accepts it since the call is coming from kamailio and tries to route it
>>>> back to kamailio, where kamailio finds the user online and thus it goes
>>>> through.
>>>> 
>>>> You should really break down this,
>>>> 
>>>> if (from_uri!=myself && uri!=myself)
>>>> 
>>>> into something like this for clarity,
>>>> 
>>>> 
>>>> if (from_uri!=myself) {
>>>>    if (uri!=myself) {
>>>>        # neither source nor destination is our user
>>>>    } else {
>>>>        # source is not our user but destination is our user
>>>>    };
>>>> } else {
>>>>    if (uri!=myself) {
>>>>        # source is our user but destination is not our user
>>>>    } else {
>>>>       # both source and destination are our users
>>>>    };
>>>> };
>>>> 
>>>> Hope this helps.
>>>> 
>>>> Thank you.
>>>> 
>>>> 
>>>> 
>>>> 
>>>> On Fri, Jul 11, 2014 at 5:36 PM, <g.aloitus at gmail.com> wrote:
>>>> 
>>>>> Hello,
>>>>> 
>>>>> I'm using Kamailio version 4.1.4+precise (amd64).
>>>>> 
>>>>> I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime
>>>>> Integration using Asterisk Database"
>>>>> (http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb).
>>>>> One main difference in my setup compared to that one is that I
>>>>> continued use of Kamailio's database.
>>>>> 
>>>>> The problem is as follows:
>>>>> 
>>>>> I decided to make Kamailio, and through it Asterisk, reachable from
>>>>> the internet. I have tried to configure Asterisk so that only calls of
>>>>> registered users would be possible, and they could only call other
>>>>> registered users or conference rooms and the echo test number.
>>>>> 
>>>>> Then I took the following steps:
>>>>> 
>>>>> I ensured that there were no online users with kamctl online. Then I
>>>>> launched MicroSIP (www.microsip.org), but I did not define an account,
>>>>> I simply set the protocol to tls and media encryption to mandatory,
>>>>> because I'm using these.
>>>>> 
>>>>> I called an extension with xxx at my.public.ip.address (where xxx is
>>>>> the extension), getting "unauthorized". And that was what I wanted.
>>>>> 
>>>>> But if there are online users, calls go through, and the incoming call
>>>>> is coming from Asterisk (in syslog I can find out that src_user=asterisk).
>>>>> 
>>>>> Kamailio and Asterisk are listening on the same IP address, but on a
>>>>> different port. I have refused connections to Asterisk's port with iptables.
>>>>> 
>>>>> I have defined my public IP address as domain in sip.conf. There is
>>>>> also another domain defined which corresponds to the users' domain I am
>>>>> using in Kamailio's database.
>>>>> 
>>>>> In kamailio.cfg there is an if statement which prevents Kamailio from
>>>>> being an open relay:
>>>>> 
>>>>> if (from_uri!=myself && uri!=myself)
>>>>> ...
>>>>> 
>>>>> If I change this, for example to:
>>>>> 
>>>>> if (from_uri!=myself || uri!=myself)
>>>>> 
>>>>> I get what I want this time: no calls from outside, but I somewhat
>>>>> think that this is not a final solution.
>>>>> 
>>>>> I have not found in the log files such information which would have
>>>>> helped me. I have not yet investigated this problem so much that I could
>>>>> tell the logic behind the selection of the online user's identity which
>>>>> is used. However, if I make a call to a conference room I notice that
>>>>> Asterisk is thinking that one of the online users has joined the
>>>>> conference.
>>>>> 
>>>>> If I recall correctly, I started with Kamailio version 3.2, and
>>>>> integrated it with Asterisk 11 (currently 11.10.2). Is there something
>>>>> which has changed in Kamailio, but which I have not changed in my setup,
>>>>> which could explain this?
>>>>> 
>>>>> Best,
>>>>> 
>>>>> Teijo
>>>>> 
>>>>> _______________________________________________
>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>>>> sr-users at lists.sip-router.org
>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>> 
>>>>> 
>>>>> 
> 
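The four-way breakdown in Muhammad's reply, carried through with the check that closes the hole Teijo describes: any caller can write Kamailio's IP into the From header, so the `from_uri==myself` branch must demand credentials before it is trusted. This is an added example, not code from the thread or from the asipto guide. It assumes the auth_db module and a `subscriber` table as in the stock kamailio.cfg; the Asterisk address and port, the route name and the flag number are placeholders to replace with your own.

```kamailio
# Added example, not from the thread: relay policy for INVITE and other
# non-REGISTER requests that separates the four source/destination cases
# and only trusts a "local" From after digest authentication.
# Assumes auth_db is loaded with a "subscriber" table (stock kamailio.cfg).
# ASTERISK_IP / ASTERISK_PORT / FLT_GUEST are placeholders (assumed values).
#!define ASTERISK_IP "203.0.113.10"
#!define ASTERISK_PORT 5080
#!define FLT_GUEST 7

route[RELAYPOLICY] {
    # Requests coming back from Asterisk carry no credentials; recognise
    # them by source address and port, never by what their From says.
    if ($si == ASTERISK_IP && $sp == ASTERISK_PORT) {
        return;
    }

    if (from_uri!=myself) {
        if (uri!=myself) {
            # neither source nor destination is our user: never relay
            sl_send_reply("403", "Not relaying");
            exit;
        }
        # foreign caller to one of our users: permitted, but flagged so
        # the rest of the config treats it as an unauthenticated guest
        setflag(FLT_GUEST);
        return;
    }

    # From claims our domain. Anyone can put our IP into From, so this
    # branch is only trustworthy once the sender has proven a subscriber
    # password. Flag "1" also requires the From username to match the
    # authenticated username, so a caller cannot borrow another user's name.
    if (!auth_check("$fd", "subscriber", "1")) {
        auth_challenge("$fd", "0");
        exit;
    }
    consume_credentials();

    if (uri!=myself) {
        # source is our (now verified) user, destination is not ours
        return;
    }
    # both source and destination are our users
    return;
}
```

Call `route(RELAYPOLICY);` from the request route before the location lookup or the dispatch to Asterisk. With this in place the original `&&` condition does not need to become `||`: outside callers can still reach your users, but they can no longer pass themselves off as one, and everything Asterisk receives from Kamailio has either been authenticated or is carrying the guest flag.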
