[SR-Users] Unknown caller gets online user's identity

g.aloitus at gmail.com
Thu Jul 17 10:24:22 CEST 2014


Hello,

I have:

allowguest=no
contactpermit=kamailio.ip.addr.ess

I also have tried the approach where I have a peer for Kamailio, but then all 
calls seem to go to the context defined for the Kamailio peer. I do not 
know how I could handle individual calls in that case - for example 
determine whether a given phone can call a given number or not.

Best,

Teijo

On 17.7.2014 10:48, Cibin Paul wrote:
> Hello,
>
> Try *allowguest=no* in the sip.conf [general] context and create a
> peer for kamailio in sip.conf
>
>
> Regards
> Cibin
>
>
>
>
> On 17-Jul-2014, at 12:52 pm, g.aloitus at gmail.com
> <mailto:g.aloitus at gmail.com> wrote:
>
>> Hello,
>>
>> There is a message "Possible Security issue with Kamailio - Asterisk
>> Realtime integration" in Asterisk users mailing list:
>>
>> http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
>>
>> I think the problem I have is somewhat similar.
>>
>> Should I assume that there is a security risk in the Kamailio - Asterisk
>> realtime integration, and if this is the case, what can I do to eliminate
>> this risk?
>>
>> Best,
>>
>> Teijo
>>
>> On 16.7.2014 9:44, g.aloitus at gmail.com <mailto:g.aloitus at gmail.com>
>> wrote:
>>> Hello,
>>>
>>> Has anybody any solution or suggestion?
>>>
>>> If I for example launch MicroSIP (no doubt it could be some other SIP
>>> client), and simply call:
>>>
>>> sip:some_extension at my.public.ip.address
>>>
>>> the call is established if there are online users. Naturally this
>>> incoming call should be handled by Asterisk in the context where I have
>>> defined that unauthorized calls are handled, but instead, the call goes to
>>> the online user's context.
>>>
>>> To get this situation I don't need to define any account information in
>>> MicroSIP.
>>>
>>> I have not set passwords for users in Asterisk to avoid double
>>> authorization. Could this cause the behavior? I have not set a default user
>>> or from user in my peer definitions. I am not registering Kamailio to
>>> Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
>>>
>>> I do not know which direction to go in. I would be happy if I did not have
>>> to go down the trial and error path, so any help is welcome.
>>>
>>> Thanks in advance,
>>>
>>> Teijo
>>>
>>>
>>> On 14.7.2014 9:06, g.aloitus at gmail.com <mailto:g.aloitus at gmail.com>
>>> wrote:
>>>> Hello,
>>>>
>>>> If one places a call and claims that "my from domain is your Kamailio's
>>>> IP", the call is established, because Asterisk accepts requests from
>>>> Kamailio. One problem is that in this case it's unpredictable in which
>>>> context this kind of call is handled by Asterisk.
>>>>
>>>> This situation requires that I change something in my setup. If I decide
>>>> to accept calls only from my users, I suppose that it can be quite easily
>>>> done by modifying the if statement referred to below, or at least by
>>>> applying the instructions found here:
>>>>
>>>> http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
>>>>
>>>>
>>>>
>>>> However, I'm somewhat unsure what I should do if I decide to accept
>>>> calls from any caller - not only from my users.
>>>>
>>>> Best,
>>>>
>>>> Teijo
>>>>
>>>> On 12.7.2014 19:36, Muhammad Shahzad wrote:
>>>>> Well, this
>>>>>
>>>>> if (from_uri!=myself && uri!=myself)
>>>>>
>>>>> means neither source nor destination is our user. Which implies that if our
>>>>> domain is A, then a call from domain "B to C" is not possible. However,
>>>>> calls from "B or C to A" and "A to B or C" are possible. That is why an
>>>>> unauthorized user gets passed and reaches Asterisk. Asterisk accepts it
>>>>> since the call is coming from Kamailio and tries to route it back to
>>>>> Kamailio, where Kamailio finds the user online and thus it goes through.
>>>>>
>>>>> You should really break down this,
>>>>>
>>>>> if (from_uri!=myself && uri!=myself)
>>>>>
>>>>> into something like this for clarity,
>>>>>
>>>>> if (from_uri!=myself) {
>>>>>     if (uri!=myself) {
>>>>>         # neither source nor destination is our user
>>>>>     } else {
>>>>>         # source is not our user but destination is our user
>>>>>     }
>>>>> } else {
>>>>>     if (uri!=myself) {
>>>>>         # source is our user but destination is not our user
>>>>>     } else {
>>>>>         # both source and destination are our users
>>>>>     }
>>>>> }
>>>>>
>>>>> Hope this helps.
>>>>>
>>>>> Thank you.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jul 11, 2014 at 5:36 PM, <g.aloitus at gmail.com> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I'm using Kamailio version 4.1.4+precise (amd64).
>>>>>>
>>>>>> I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration
>>>>>> using Asterisk Database"
>>>>>> (http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb).
>>>>>> One main difference in my setup compared to that one is that I continued
>>>>>> using Kamailio's database.
>>>>>>
>>>>>> The problem is as follows:
>>>>>>
>>>>>> I decided to make Kamailio, and through it Asterisk, reachable from the
>>>>>> internet. I have tried to configure Asterisk so that only calls from
>>>>>> registered users would be possible, and they could only call other
>>>>>> registered users, conference rooms and the echo test number.
>>>>>>
>>>>>> Then I took the following steps:
>>>>>>
>>>>>> I ensured that there were no online users with kamctl online. Then I
>>>>>> launched MicroSIP (www.microsip.org), but I did not define an account; I
>>>>>> simply set the protocol to TLS and media encryption to mandatory, because
>>>>>> I'm using these.
>>>>>>
>>>>>> I called an extension with xxx at my.public.ip.address (where xxx is the
>>>>>> extension) and got "unauthorized". And that was what I wanted.
>>>>>>
>>>>>> But if there are online users, calls go through, and the incoming call
>>>>>> comes from Asterisk (in syslog I can see that src_user=asterisk).
>>>>>>
>>>>>> Kamailio and Asterisk are listening on the same IP address, but on
>>>>>> different ports. I have refused connections to Asterisk's port with iptables.
>>>>>>
>>>>>> I have defined my public IP address as a domain in sip.conf. There is also
>>>>>> another domain defined which corresponds to the users' domain I am using in
>>>>>> Kamailio's database.
>>>>>>
>>>>>> In kamailio.cfg there is an if statement which prevents Kamailio from
>>>>>> being an open relay:
>>>>>>
>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>> ...
>>>>>>
>>>>>> If I change this, for example, to:
>>>>>>
>>>>>> if (from_uri!=myself || uri!=myself)
>>>>>>
>>>>>> I get what I want this time: no calls from outside, but I somewhat think
>>>>>> that this is not a final solution.
>>>>>>
>>>>>> I have not found in the log files any information which would have helped
>>>>>> me. I have not yet investigated this problem enough to be able to tell the
>>>>>> logic behind the selection of which online user's identity is used.
>>>>>> However, if I make a call to a conference room I notice that Asterisk
>>>>>> thinks that one of the online users has joined the conference.
>>>>>>
>>>>>> If I recall correctly, I started with Kamailio version 3.2, and
>>>>>> integrated it with Asterisk 11 (currently 11.10.2). Is there something
>>>>>> which has changed in Kamailio, but which I have not changed in my setup,
>>>>>> which could explain this?
>>>>>>
>>>>>> Best,
>>>>>>
>>>>>> Teijo
>>>>>>
>>>>>> _______________________________________________
>>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>>>>> sr-users at lists.sip-router.org
>>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>>>
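The four cases Shahzad lists above, turned into explicit actions for kamailio.cfg. This is an added example, not code from the thread or from the Kamailio project: ASTERISK_IP, ASTERISK_PORT, the ALLOW_EXTERNAL_CALLERS switch and the X-Unauthenticated-Caller header are assumed placeholders, and auth_check against the subscriber table assumes Kamailio's own user database, which Teijo says he kept.

```kamailio
# Assumed placeholders for the Asterisk socket; replace with the real values.
#!define ASTERISK_IP "127.0.0.1"
#!define ASTERISK_PORT 5080
# Comment this out to refuse every caller outside our own domain
# (the stricter behaviour Teijo got with "||").
#!define ALLOW_EXTERNAL_CALLERS

route[AUTH] {
    # Traffic coming back from Asterisk is trusted by its source socket,
    # never by the From header, so it is not challenged here.
    if (src_ip == ASTERISK_IP && src_port == ASTERISK_PORT) {
        return;
    }

    if (from_uri == myself) {
        # The caller claims to be our user. A From domain is free to forge,
        # so require digest credentials from the subscriber table first.
        if (!auth_check("$fd", "subscriber", "1")) {
            auth_challenge("$fd", "0");
            exit;
        }
        if (!is_method("REGISTER|PUBLISH")) {
            consume_credentials();
        }
        # Authenticated local caller: local or external destination is fine.
        return;
    }

    # From here on the caller is not our user.
    if (uri != myself) {
        # Neither side is ours: relaying this would make us an open relay.
        sl_send_reply("403", "Not relaying");
        exit;
    }

#!ifdef ALLOW_EXTERNAL_CALLERS
    # External caller to a local destination: relayed, but tagged so that
    # the Asterisk dialplan can tell it apart from an authenticated user
    # (the header name is an assumption, not a standard one).
    append_hf("X-Unauthenticated-Caller: yes\r\n");
    return;
#!else
    # External caller to a local destination: refused, only registered
    # users may place calls through this proxy.
    sl_send_reply("403", "Calls from outside are not accepted");
    exit;
#!endif
}
```

The Asterisk side still needs Cibin's allowguest=no and a dedicated peer for Kamailio, because Asterisk matches the relayed INVITE by its source address rather than by the identity Kamailio verified.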


