[SR-Users] Unknown caller gets online user's identity

Cibin Paul paul_cibin at me.com
Sat Jul 19 13:16:51 CEST 2014


Hello,

Can you elaborate on your issue? Who is handling registration, and what is the call flow?

Regards
Cibin


On 19-Jul-2014, at 4:34 pm, Teijo <g.aloitus at gmail.com> wrote:

> Hello,
> 
> Well, this is still a problem for me.
> 
> Best,
> 
> Teijo
> 
> 17.7.2014 11:22, g.aloitus at gmail.com wrote:
>> Hello,
>> 
>> I have:
>> 
>> allowguest=no
>> contactpermit=kamailio.ip.addr.ess
>> 
>> I have also tried the approach of having a peer for Kamailio, but then all
>> calls seem to go to the context defined for the Kamailio peer. I do not
>> know how I could in that case handle individual calls - for example,
>> determine whether a given phone can call a given number or not.
>> 
>> Best,
>> 
>> Teijo
>> 
>> 17.7.2014 10:48, Cibin Paul wrote:
>>> Hello,
>>> 
>>> Try allowguest=no in the sip.conf [general] context and create a
>>> peer for Kamailio in sip.conf
>>> 
>>> 
>>> Regards
>>> Cibin
>>> 
>>> 
>>> 
>>> 17.7.2014 10:22, g.aloitus at gmail.com wrote:
>>>> 
>>>> Hello,
>>>> 
>>>> There is a message "Possible Security issue with Kamailio - Asterisk
>>>> Realtime integration" in Asterisk users mailing list:
>>>> 
>>>> http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
>>>> 
>>>> I think the problem I have is somewhat similar.
>>>> 
>>>> Should I suppose that there is a security risk in Kamailio - Asterisk
>>>> realtime integration, and if this is the case, what can I do to eliminate
>>>> this risk?
>>>> 
>>>> Best,
>>>> 
>>>> Teijo
>>>> 
>>>> 16.7.2014 9:44, g.aloitus at gmail.com wrote:
>>>>> Hello,
>>>>> 
>>>>> Does anybody have any solution or suggestion?
>>>>> 
>>>>> If I, for example, launch MicroSIP (no doubt it could be some other SIP
>>>>> client) and simply call:
>>>>> 
>>>>> sip:some_extension at my.public.ip.address
>>>>> 
>>>>> the call is established if there are online users. Naturally this
>>>>> incoming call should be handled by Asterisk in the context where I have
>>>>> defined that unauthorized calls are handled, but instead, the call goes
>>>>> to the online user's context.
>>>>> 
>>>>> To get this situation I don't need to define any account information in
>>>>> MicroSIP.
>>>>> 
>>>>> I have not set passwords for users in Asterisk to avoid double
>>>>> authorization. Could this cause the behavior? I have not set a default
>>>>> user or from user in my peer definitions. I am not registering Kamailio
>>>>> to Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
>>>>> 
>>>>> I do not know which direction to go in. I would be happy if I did not
>>>>> have to go down the trial-and-error path, so any help is welcome.
>>>>> 
>>>>> Thanks in advance,
>>>>> 
>>>>> Teijo
>>>>> 
>>>>> 
>>>>> 14.7.2014 9:06, g.aloitus at gmail.com wrote:
>>>>>> Hello,
>>>>>> 
>>>>>> If one places a call and says "my from domain is your Kamailio's
>>>>>> IP", the call is established, because Asterisk accepts requests from
>>>>>> Kamailio. One problem is that in this case it is unpredictable which
>>>>>> context Asterisk handles this kind of call in.
>>>>>> 
>>>>>> This situation requires that I change something in my setup. If I decide
>>>>>> to accept calls only from my users, I suppose that it can be done quite
>>>>>> easily by modifying the if statement referred to below, or at least by
>>>>>> applying the instructions found here:
>>>>>> 
>>>>>> http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
>>>>>> 
>>>>>> However, I'm somewhat unsure what I should do if I decide to accept
>>>>>> calls from any caller - not only from my users.
>>>>>> 
>>>>>> Best,
>>>>>> 
>>>>>> Teijo
>>>>>> 
>>>>>> 12.7.2014 19:36, Muhammad Shahzad wrote:
>>>>>>> Well, this
>>>>>>> 
>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>> 
>>>>>>> means neither source nor destination is our user, which implies that
>>>>>>> if our domain is A, then a call from domain "B to C" is not possible.
>>>>>>> However, calls from "B or C to A" and "A to B or C" are possible. That
>>>>>>> is why an unauthorized user gets passed and reaches Asterisk. Asterisk
>>>>>>> accepts it since the call is coming from Kamailio and tries to route it
>>>>>>> back to Kamailio, where Kamailio finds the user online and thus it goes
>>>>>>> through.
>>>>>>> 
>>>>>>> You should really break this down,
>>>>>>> 
>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>> 
>>>>>>> into something like this for clarity:
>>>>>>> 
>>>>>>> if (from_uri!=myself) {
>>>>>>>     if (uri!=myself) {
>>>>>>>         # neither source nor destination is our user
>>>>>>>     } else {
>>>>>>>         # source is not our user but destination is our user
>>>>>>>     };
>>>>>>> } else {
>>>>>>>     if (uri!=myself) {
>>>>>>>         # source is our user but destination is not our user
>>>>>>>     } else {
>>>>>>>         # both source and destination are our users
>>>>>>>     };
>>>>>>> };
>>>>>>> 
>>>>>>> Hope this helps.
>>>>>>> 
>>>>>>> Thank you.
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> On Fri, Jul 11, 2014 at 5:36 PM, <g.aloitus at gmail.com> wrote:
>>>>>>> 
>>>>>>>> Hello,
>>>>>>>> 
>>>>>>>> I'm using Kamailio version 4.1.4+precise (amd64).
>>>>>>>> 
>>>>>>>> I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration
>>>>>>>> using Asterisk Database"
>>>>>>>> (http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb).
>>>>>>>> One main difference in my setup compared to that one is that I continued
>>>>>>>> using Kamailio's database.
>>>>>>>> 
>>>>>>>> The problem is as follows:
>>>>>>>> 
>>>>>>>> I decided to make Kamailio, and through it Asterisk, reachable from the
>>>>>>>> internet. I have tried to configure Asterisk so that only calls from
>>>>>>>> registered users would be possible, and they could only call other
>>>>>>>> registered users, conference rooms, and the echo test number.
>>>>>>>> 
>>>>>>>> Then I took the following steps:
>>>>>>>> 
>>>>>>>> I ensured that there were no online users with kamctl online. Then I
>>>>>>>> launched MicroSIP (www.microsip.org), but I did not define an account; I
>>>>>>>> simply set the protocol to TLS and media encryption to mandatory, because
>>>>>>>> I'm using these.
>>>>>>>> 
>>>>>>>> I called an extension with xxx at my.public.ip.address (where xxx is the
>>>>>>>> extension), getting "unauthorized". And that was what I wanted.
>>>>>>>> 
>>>>>>>> But if there are online users, calls go through, and the incoming call is
>>>>>>>> coming from Asterisk (in syslog I can see that src_user=asterisk).
>>>>>>>> 
>>>>>>>> Kamailio and Asterisk are listening on the same IP address, but on a
>>>>>>>> different port. I have refused connections to Asterisk's port with iptables.
>>>>>>>> 
>>>>>>>> I have defined my public IP address as a domain in sip.conf. There is
>>>>>>>> also another domain defined which corresponds to the users' domain I am
>>>>>>>> using in Kamailio's database.
>>>>>>>> 
>>>>>>>> In kamailio.cfg there is an if statement which prevents Kamailio from
>>>>>>>> being an open relay:
>>>>>>>> 
>>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>>> ...
>>>>>>>> 
>>>>>>>> If I change this, for example, to:
>>>>>>>> 
>>>>>>>> if (from_uri!=myself || uri!=myself)
>>>>>>>> 
>>>>>>>> I get what I want this time: no calls from outside, but I somewhat think
>>>>>>>> that this is not a final solution.
>>>>>>>> 
>>>>>>>> I have not found in the log files any information which would have
>>>>>>>> helped me. I have not yet investigated this problem enough to tell the
>>>>>>>> logic behind the selection of the online user's identity which is used.
>>>>>>>> However, if I make a call to a conference room, I notice that Asterisk
>>>>>>>> thinks that one of the online users has joined the conference.
>>>>>>>> 
>>>>>>>> If I recall correctly, I started with Kamailio version 3.2 and
>>>>>>>> integrated it with Asterisk 11 (currently 11.10.2). Is there something
>>>>>>>> which has changed in Kamailio, but which I have not changed in my setup,
>>>>>>>> which could explain this?
>>>>>>>> 
>>>>>>>> Best,
>>>>>>>> 
>>>>>>>> Teijo
>>>>>>>> 
>>>>>>>> _______________________________________________
>>>>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing
>>>>>>>> list
>>>>>>>> sr-users at lists.sip-router.org
>>>>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>>>>> 
>> 
> 
> 
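As an added example, not code from the thread or from the Kamailio or asipto tutorials it links, here is how the four-way breakdown Muhammad suggests could be written as a Kamailio 4.x route that also closes the spoofed-From case Teijo describes: anyone whose From domain claims to be local must pass digest authentication (the same proxy_authorize/$au!=$fU pattern the stock kamailio.cfg uses), while calls from foreign domains to local users are tagged as guests and stripped of caller-supplied identity headers. It assumes the auth, auth_db, textops, sl and xlog modules are loaded, a subscriber table, that the route is called for initial INVITEs only (after CANCEL/ACK and in-dialog handling), and that ASTERISK_IP, RELAY_POLICY and the X-Caller-Class header are placeholder names of my choosing which the Asterisk dialplan would still have to act on.

```kamailio
#!define ASTERISK_IP "10.0.0.2"   # assumed address of the Asterisk box

route[RELAY_POLICY] {
    # Asterisk's own traffic (the leg it routes back to the registered
    # user) is trusted by source address; everything else is classified
    # by the from_uri/uri pair below. Strip our own tag header first so
    # an outside caller cannot pre-set it.
    remove_hf("X-Caller-Class");
    if ($si == ASTERISK_IP) return;

    if (from_uri!=myself) {
        if (uri!=myself) {
            # neither source nor destination is ours: the open relay
            # case, the only one the original single check refused
            sl_send_reply("403", "Relay forbidden");
            exit;
        }
        # foreign source, local destination: the From header is
        # unverified, so drop any identity assertions the caller sent
        # and tag the request so the dialplan can treat it as a guest
        # call instead of a user's call
        remove_hf("P-Asserted-Identity");
        remove_hf("P-Preferred-Identity");
        append_hf("X-Caller-Class: guest\r\n");
        return;
    }

    # the source claims a local From domain: never trust that claim,
    # require digest credentials against the subscriber table
    if (!proxy_authorize("$fd", "subscriber")) {
        proxy_challenge("$fd", "0");
        exit;
    }
    # the authenticated username must match the From user, or a valid
    # account could place calls under another local user's identity
    if ($au != $fU) {
        sl_send_reply("403", "Forbidden auth ID");
        exit;
    }
    consume_credentials();
    append_hf("X-Caller-Class: user\r\n");

    if (uri!=myself) {
        # authenticated local user calling out: allowed, just record it
        xlog("L_INFO", "outbound call from $fu to $ru\n");
    } else {
        # both ends are local: proceed to the usual location lookup
        xlog("L_INFO", "local call from $fu to $ru\n");
    }
}
```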



