[SR-Users] Problem with Kamailio - Asterisk integration (WAS: Re: Unknown caller gets online user's identity)

Teijo g.aloitus at gmail.com
Sun Jul 20 14:23:40 CEST 2014


Hello,

This problem seems not to happen when Kamailio is not in use.

I'd like to handle registrations etc. in Kamailio, but I do not know how 
to do it without suffering from this problem.

Best,

Teijo

19.7.2014 21:12, Teijo wrote:
> Hello,
>
> I'd like to allow calls to my users from anyone, but I'd like to have
> control over those calls so that I could suppose that they go to the
> context I want - let's say that that context would be unauth. But as
> said, this is not the case currently.
>
> Sorry, but I cannot figure out what condition for checking call
> authentication could be.
>
> As I wrote in my first post, I have followed this tutorial:
>
> http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb
>
> for Kamailio - Asterisk realtime integration. The only exception I have is
> that I use Kamailio's database for user authentication, and that I have
> no Asterisk database.
>
> Best,
>
> Teijo
>
> 19.7.2014 17:36, Cibin Paul wrote:
>> Hello,
>>
>> Is this part of your setup to allow anyone to call any extension, but
>> handle these unauthenticated calls in a different context? If so, will
>> the following entry work for you?
>>
>> Create a peer of kamailio in sip.conf
>> [kamailio]
>> Type=peer
>> Host=kamailio ip
>> Port= kamailio port
>> .
>> .
>> .
>> context= some context where all calls should be handled.
>>
>> In extensions.conf
>>
>> [context]
>> exten => _X.,1,GotoIf([condition for checking call authentication]?auth:unauth)
>> Same = n(auth),Goto(context of authenticated call)
>> Same = n(unauth),Goto(context of unauthenticated call)
>> .
>> .
>> .
>>
>> Cibin
>>
>>
>>> On 19-Jul-2014, at 7:20 pm, Teijo Burman <g.aloitus at gmail.com> wrote:
>>>
>>> Yes, you are correct. But let's say that user A is online. Now
>>> somebody from somewhere calls sip:5000 at my.public.ip.address. What
>>> happens is as follows: Suppose that 5000 is extension which should
>>> only have limited access, for example users A and B have this
>>> extension in their contexts. Now however, when A is online, any
>>> unauthenticated call is handled in A's context so anybody could get
>>> A's privileges.
>>>
>>> Best,
>>>
>>> Teijo
>>>
>>> 19.7.2014 15:30, Cibin Paul wrote:
>>>> Hello,
>>>>
>>>> Let me understand this. You have an extension 4000 which is online.
>>>> If someone who is not even a registered user calls the extension
>>>> 4000 using 4000 at your.public.ip.address, the call will get connected.
>>>> Correct me if I am wrong.
>>>> As far as I understand, you have configured this box as a PBX where
>>>> only registered users can communicate. If that is the case, can you
>>>> do a lookup in location table whether the originating caller is
>>>> actually online? By this you can check whether the originating call
>>>> is from a valid source. If not, hang up the call.
>>>>
>>>> Regards
>>>> Cibin
>>>>
>>>>
>>>>> On 19-Jul-2014, at 5:30 pm, Teijo <g.aloitus at gmail.com> wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> The problem is unauthenticated calls - calls from somebody from
>>>>> outside to my server. Kamailio accepts these calls, because
>>>>> destination is my server. This happens if somebody calls to
>>>>> some_extension at my.public.ip.address. My public IP refers to the
>>>>> address both Kamailio and Asterisk are listening to. This is not
>>>>> problem if there are no online friends/peers in Asterisk, because
>>>>> then incoming call goes to context I have defined for incoming
>>>>> calls. But if there are online friends/peers in Asterisk, calls
>>>>> go to online friend's/peer's context. I think this happens
>>>>> because one of the methods Asterisk decides to put incoming calls
>>>>> to given context is IP address. Now all the calls come from
>>>>> Kamailio - ie. from the same IP. I think that when Asterisk is
>>>>> considering what to do with incoming call, it detects that there is
>>>>> registration(s) from Kamailio's IP, and concludes that this
>>>>> incoming call belongs to this kind of peer's context, and this
>>>>> causes problem. Likely Asterisk put it to the peer's context who
>>>>> has in the first place in its registered peers list.
>>>>>
>>>>> I do not know what to do for this in Asterisk. I think - but I'm
>>>>> not sure at all - that refusing to forward such calls to Asterisk
>>>>> whose domain is Kamailio's IP - could solve this. But if this would
>>>>> be the solution, I do not know what I should do in Kamailio. Well,
>>>>> I suppose that if statement in kamailio.cfg:
>>>>>
>>>>>     # if caller is not local subscriber, then check if it calls
>>>>>     # a local destination, otherwise deny, not an open relay here
>>>>>     if (from_uri!=myself && uri!=myself)
>>>>>
>>>>> is the place where I should do modification, but what the modified
>>>>> if statement should exactly be, I am not sure.
>>>>>
>>>>> Best,
>>>>>
>>>>> Teijo
>>>>>
>>>>> 19.7.2014 14:16, Cibin Paul wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Can you elaborate on your issue? Who is handling registration and
>>>>>> how is the call flow?
>>>>>>
>>>>>> Regards
>>>>>> Cibin
>>>>>>
>>>>>>
>>>>>>> On 19-Jul-2014, at 4:34 pm, Teijo <g.aloitus at gmail.com> wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> Well, this is still problem for me.
>>>>>>>
>>>>>>> Best,
>>>>>>>
>>>>>>> Teijo
>>>>>>>
>>>>>>> 17.7.2014 11:22, g.aloitus at gmail.com wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I have:
>>>>>>>>
>>>>>>>> allowguest=no
>>>>>>>> contactpermit=kamailio.ip.addr.ess
>>>>>>>>
>>>>>>>> I also have tried the approach that I have peer kamailio, but
>>>>>>>> then all calls seem to go to the context defined for kamailio
>>>>>>>> peer. I do not know how I could in that case handle individual
>>>>>>>> calls - for example determine if given phone can call to given
>>>>>>>> number or not.
>>>>>>>>
>>>>>>>> Best,
>>>>>>>>
>>>>>>>> Teijo
>>>>>>>>
>>>>>>>> 17.7.2014 10:48, Cibin Paul wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> Try allowguest=no in sip.conf [general] context and create a
>>>>>>>>> peer for kamailio in sip.conf
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Cibin
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 17.7.2014 10:22, g.aloitus at gmail.com wrote:
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> There is a message "Possible Security issue with Kamailio -
>>>>>>>>>> Asterisk Realtime integration" in Asterisk users mailing list:
>>>>>>>>>>
>>>>>>>>>> http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
>>>>>>>>>>
>>>>>>>>>> I think the problem I have is somewhat similar.
>>>>>>>>>>
>>>>>>>>>> Should I suppose that there is a security risk in Kamailio -
>>>>>>>>>> Asterisk realtime integration, and if this is the case, what can
>>>>>>>>>> I do to eliminate this risk?
>>>>>>>>>>
>>>>>>>>>> Best,
>>>>>>>>>>
>>>>>>>>>> Teijo
>>>>>>>>>>
>>>>>>>>>> 16.7.2014 9:44, g.aloitus at gmail.com wrote:
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> Has anybody any solution or suggestion?
>>>>>>>>>>>
>>>>>>>>>>> If I for example launch MicroSIP (no doubt it could be some
>>>>>>>>>>> other SIP client), and simply call:
>>>>>>>>>>>
>>>>>>>>>>> sip:some_extension at my.public.ip.address
>>>>>>>>>>>
>>>>>>>>>>> call is established, if there is online user/users. Naturally
>>>>>>>>>>> this incoming call should be handled by Asterisk in context
>>>>>>>>>>> where I have defined unauthorized calls are handled, but
>>>>>>>>>>> instead, the call goes to online user's context.
>>>>>>>>>>>
>>>>>>>>>>> To get this situation I don't need to define any account
>>>>>>>>>>> information in MicroSIP.
>>>>>>>>>>>
>>>>>>>>>>> I have not set passwords for users in Asterisk to avoid double
>>>>>>>>>>> authorization. May this cause the behavior? I have not set
>>>>>>>>>>> default user or from user in my peer definitions. I am not
>>>>>>>>>>> registering Kamailio to Asterisk - I mean I have no peer
>>>>>>>>>>> definition for Kamailio in sip.conf.
>>>>>>>>>>>
>>>>>>>>>>> I do not know what direction to go to. I would be happy, if I
>>>>>>>>>>> should not go to the trial and error path so any help is welcome.
>>>>>>>>>>>
>>>>>>>>>>> Thanks in advance,
>>>>>>>>>>>
>>>>>>>>>>> Teijo
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 14.7.2014 9:06, g.aloitus at gmail.com wrote:
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> If one places call, and tells that "my from domain is your
>>>>>>>>>>>> Kamailio's IP", call is established, because Asterisk accepts
>>>>>>>>>>>> requests from Kamailio. One problem is that it's unpredictable
>>>>>>>>>>>> in this case what is the context where this kind of call is
>>>>>>>>>>>> handled by Asterisk.
>>>>>>>>>>>>
>>>>>>>>>>>> This situation requires that I change something in my setup.
>>>>>>>>>>>> If I decide to accept calls only from my users, I suppose that
>>>>>>>>>>>> it can be quite easily done by modifying if statement referred
>>>>>>>>>>>> below or at least by applying instructions found here:
>>>>>>>>>>>>
>>>>>>>>>>>> http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
>>>>>>>>>>>>
>>>>>>>>>>>> However, I'm somewhat unsure what should I do, if I decide
>>>>>>>>>>>> to accept calls from any caller - not only from my users.
>>>>>>>>>>>>
>>>>>>>>>>>> Best,
>>>>>>>>>>>>
>>>>>>>>>>>> Teijo
>>>>>>>>>>>>
>>>>>>>>>>>> 12.7.2014 19:36, Muhammad Shahzad wrote:
>>>>>>>>>>>>> Well, this
>>>>>>>>>>>>>
>>>>>>>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Means neither source nor destination is our user. Which
>>>>>>>>>>>>> implies that if our domain is A, then call from domain
>>>>>>>>>>>>> "B to C" is not possible. However, calls from "B or C to A"
>>>>>>>>>>>>> and "A to B or C" are possible. That is why an unauthorized
>>>>>>>>>>>>> user gets passed and reaches asterisk. Asterisk accepts it
>>>>>>>>>>>>> since call is coming from kamailio and tries to route it
>>>>>>>>>>>>> back to kamailio, where kamailio finds user online and thus
>>>>>>>>>>>>> it goes through.
>>>>>>>>>>>>>
>>>>>>>>>>>>> You should really break down this,
>>>>>>>>>>>>>
>>>>>>>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>>>>>>>>
>>>>>>>>>>>>> into something like this for clarity,
>>>>>>>>>>>>>
>>>>>>>>>>>>> if (from_uri!=myself) {
>>>>>>>>>>>>>    if (uri!=myself) {
>>>>>>>>>>>>>        # neither source nor destination is our user
>>>>>>>>>>>>>    } else {
>>>>>>>>>>>>>        # source is not our user but destination is our user
>>>>>>>>>>>>>    };
>>>>>>>>>>>>> } else {
>>>>>>>>>>>>>    if (uri!=myself) {
>>>>>>>>>>>>>        # source is our user but destination is not our user
>>>>>>>>>>>>>    } else {
>>>>>>>>>>>>>        # both source and destination are our users
>>>>>>>>>>>>>    };
>>>>>>>>>>>>> };
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hope this helps.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thank you.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Fri, Jul 11, 2014 at 5:36 PM, <g.aloitus at gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'm using Kamailio version 4.1.4+precise (amd64).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime
>>>>>>>>>>>>>> Integration using Asterisk Database"
>>>>>>>>>>>>>> (http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb).
>>>>>>>>>>>>>> One main difference in my setup compared to that one is that I
>>>>>>>>>>>>>> continued use of Kamailio's database.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The problem is as follows:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I decided to make Kamailio, and through it Asterisk, reachable
>>>>>>>>>>>>>> from the internet. I have tried to configure Asterisk so that
>>>>>>>>>>>>>> only calls of registered users would be possible, and they
>>>>>>>>>>>>>> could only call to other registered users or conference rooms
>>>>>>>>>>>>>> and echo test number.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Then I took the following steps:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I ensured that there were no online users with kamctl online.
>>>>>>>>>>>>>> Then I launched MicroSIP (www.microsip.org), but I did not
>>>>>>>>>>>>>> define an account, I simply set the protocol to tls and media
>>>>>>>>>>>>>> encryption to mandatory, because I'm using these.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I called to extension with xxx at my.public.ip.address (where
>>>>>>>>>>>>>> xxx is extension) getting "unauthorized". And that was what I
>>>>>>>>>>>>>> wanted.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> But if there are online users, calls go through, and incoming
>>>>>>>>>>>>>> call is coming from Asterisk (in syslog I can find out that
>>>>>>>>>>>>>> src_user=asterisk).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Kamailio and Asterisk are listening on the same IP address,
>>>>>>>>>>>>>> but a different port. I have refused connections to the
>>>>>>>>>>>>>> Asterisk's port with iptables.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have defined my public IP address as domain in sip.conf.
>>>>>>>>>>>>>> There is also other domain defined which corresponds to users'
>>>>>>>>>>>>>> domain I am using in Kamailio's database.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In kamailio.cfg there is an if statement which prevents
>>>>>>>>>>>>>> Kamailio from being an open relay:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If I change this to, for example:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> if (from_uri!=myself || uri!=myself)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I get what I want this time: no calls from outside, but I
>>>>>>>>>>>>>> somewhat think that this is not a final solution.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have not found in the log files such information which would
>>>>>>>>>>>>>> have helped me. I have not yet investigated this problem so
>>>>>>>>>>>>>> much that I could tell the logic behind the selection of
>>>>>>>>>>>>>> online user's identity which is used. However, if I make a
>>>>>>>>>>>>>> call to conference room I notice that Asterisk is thinking
>>>>>>>>>>>>>> that one of online users has joined the conference.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If I can recall correctly, I started with Kamailio version
>>>>>>>>>>>>>> 3.2, and integrated it with Asterisk 11 (currently 11.10.2).
>>>>>>>>>>>>>> Is there something which has changed in Kamailio, but what I
>>>>>>>>>>>>>> have not changed in my setup which could explain this?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Best,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Teijo
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
>>>>>>>>>>>>>> mailing
>>>>>>>>>>>>>> list
>>>>>>>>>>>>>> sr-users at lists.sip-router.org
>>>>>>>>>>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This part of the message body will be transferred on request.
>>
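
One way to give Asterisk the "condition for checking call authentication" asked about in this thread, as an added example that is not from any poster or from the Kamailio project: Kamailio records whether the caller passed digest authentication and hands that verdict to Asterisk in a header. It assumes the stock kamailio.cfg AUTH route with the auth, auth_db, textops and sl modules loaded, and the single kamailio peer in sip.conf suggested in the thread; the header name X-Caller-Auth and the route name CALLERTAG are hypothetical.

```kamailio
# Added example. X-Caller-Auth and CALLERTAG are hypothetical names.
route[AUTH] {
    # $var() keeps its value between messages in the same worker process,
    # so reset it for every request before deciding anything.
    $var(caller_auth) = "no";

    if (is_method("REGISTER") || from_uri==myself) {
        # The caller claims a local identity: it has to prove it.
        if (!auth_check("$fd", "subscriber", "1")) {
            auth_challenge("$fd", "0");
            exit;
        }
        # Authenticated: do not forward the credentials any further.
        if (!is_method("REGISTER|PUBLISH"))
            consume_credentials();
        $var(caller_auth) = "yes";
    }

    # Neither source nor destination is local: not an open relay.
    if (from_uri!=myself && uri!=myself) {
        sl_send_reply("403", "Not relaying");
        exit;
    }

    # Remaining case: external caller, local destination.
    # The call is allowed through, but $var(caller_auth) stays "no".
    return;
}

# Call route(CALLERTAG); immediately before the request is relayed to
# Asterisk, in the same request route run that executed route(AUTH).
route[CALLERTAG] {
    # Remove any copy sent by the caller so the verdict cannot be spoofed,
    # then add Kamailio's own verdict.
    remove_hf("X-Caller-Auth");
    append_hf("X-Caller-Auth: $var(caller_auth)\r\n");
    return;
}
```

In the Asterisk context assigned to the kamailio peer, ${SIP_HEADER(X-Caller-Auth)} can then serve as the GotoIf condition that separates authenticated from unauthenticated calls. Because Asterisk trusts this header, its SIP port has to stay unreachable from anything but Kamailio, which the iptables rule mentioned in the thread already provides.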


