[SR-Users] Problem with Kamailio - Asterisk integration (WAS: Re: Unknown caller gets online user's identity)

Cibin Paul paul_cibin at me.com
Mon Jul 21 17:39:30 CEST 2014


Hello,

If you want to check call authentication, you can perform the following. 

CASE 1: Outside caller initiating a call to a user with the callerid set to a valid username (callerid) in Kamailio

You will get the IP address from which the call originated using ${SIPURI}. Basically you have to strip the IP address from ${SIPURI}. You can compare it with the IP in the location table of Kamailio. If they are the same, the call is from a registered user; otherwise someone is using the same callerid as a registered user, and you can send that call to a different context.

CASE 2: CALLERID not set or a different pattern other than your users

In this case you can straight away send the call to a different context.

You can check this condition using an AGI. 

Regards
Cibin
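
The check described above (CASE 1 and CASE 2), sketched as a Python AGI; this is an added example, not part of the original post. It assumes the dialplan passes ${SIPURI} as the first AGI argument and that local users are four-digit extensions; a constructed in-memory SQLite table with the `username`, `contact` and `received` columns of Kamailio's location table stands in for the real database, and `CALL_CTX` is a hypothetical variable name.

```python
import re
import sqlite3
import sys

# Host part of sip:[user@]host[:port][;params]; host may be a bracketed IPv6 literal.
_SIP_HOST = re.compile(r"^sips?:(?:[^@;>]*@)?(\[[0-9A-Fa-f:.]+\]|[^:;>?\s]+)", re.I)

def sip_host(uri):
    """Return the lower-cased host of a SIP URI, or None if it does not parse."""
    m = _SIP_HOST.match((uri or "").strip().strip("<>"))
    return m.group(1).strip("[]").lower() if m else None

def registered_hosts(db, username):
    """Hosts a user is registered from; 'received' (NAT source) wins over 'contact'."""
    rows = db.execute("SELECT contact, received FROM location WHERE username = ?", (username,))
    return {h for contact, received in rows if (h := sip_host(received or contact))}

def choose_context(db, callerid, sipuri, user_pattern=r"\d{4}"):
    """CASE 2: caller ID empty or not shaped like a local user -> unauth.
    CASE 1: caller ID is a local user -> auth only if the URI host matches a registration."""
    if not callerid or not re.fullmatch(user_pattern, callerid):
        return "unauth"
    host = sip_host(sipuri)
    return "auth" if host and host in registered_hosts(db, callerid) else "unauth"

def read_agi_env(stream):
    """Parse the 'agi_key: value' header block Asterisk writes to the AGI's stdin."""
    env = {}
    for line in stream:
        line = line.strip()
        if not line:
            break
        key, _, value = line.partition(":")
        env[key.strip()] = value.strip()
    return env

def demo_db():
    """Constructed sample rows standing in for Kamailio's location table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE location (username TEXT, contact TEXT, received TEXT)")
    db.executemany("INSERT INTO location VALUES (?, ?, ?)", [
        ("4000", "sip:4000@192.0.2.10:5060", None),
        ("4001", "sip:4001@10.0.0.5:5060;transport=tls", "sip:198.51.100.7:40112"),
    ])
    return db

if __name__ == "__main__":
    env = read_agi_env(sys.stdin)
    ctx = choose_context(demo_db(), env.get("agi_callerid", ""), env.get("agi_arg_1", ""))
    sys.stdout.write(f'SET VARIABLE CALL_CTX "{ctx}"\n')  # the dialplan branches on this
    sys.stdout.flush()
```

The URI is a value taken from the caller's own SIP signalling, so a match is a routing hint for the dialplan rather than proof of identity.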



On 20-Jul-2014, at 5:53 pm, Teijo <g.aloitus at gmail.com> wrote:

> Hello,
> 
> This problem seems not to happen when Kamailio is not in use.
> 
> I'd like to handle registrations etc. in Kamailio, but I do not know how to do it without suffering from this problem.
> 
> Best,
> 
> Teijo
> 
> 19.7.2014 21:12, Teijo wrote:
>> Hello,
>> 
>> I'd like to allow calls to my users from anyone, but I'd like to have
>> control over those calls so that I could suppose that they go to context
>> I want - let's say that that context would be unauth. But as said, this
>> is not the case currently.
>> 
>> Sorry, but I cannot figure out what condition for checking call
>> authentication could be.
>> 
>> As I wrote in my first post, I have followed this tutorial:
>> 
>> http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb
>> 
>> for Kamailio - Asterisk realtime integration. Only exception I have is
>> that I use Kamailio's database for user authentication, and that I have
>> no Asterisk database.
>> 
>> Best,
>> 
>> Teijo
>> 
>> 19.7.2014 17:36, Cibin Paul wrote:
>>> Hello,
>>> 
>>> Is this part of your setup to allow anyone to call any extension, but
>>> handle these unauthenticated calls in a different context? If so, will
>>> the following entry work for you?
>>> 
>>> Create a peer of kamailio in sip.conf
>>> [kamailio]
>>> Type=peer
>>> Host=kamailio ip
>>> Port= kamailio port
>>> .
>>> .
>>> .
>>> context= some context where all calls should be handled.
>>> 
>>> In extensions.conf
>>> 
>>> [context]
>>> exten => _X.,1,GotoIf($[condition for checking call authentication]?auth:unauth)
>>> same => n(auth),Goto(context of authenticated call)
>>> same => n(unauth),Goto(context of unauthenticated call)
>>> .
>>> .
>>> .
>>> 
>>> Cibin
>>> 
>>> 
>>>> On 19-Jul-2014, at 7:20 pm, Teijo Burman <g.aloitus at gmail.com> wrote:
>>>> 
>>>> Yes, you are correct. But let's say that user A is online. Now
>>>> somebody from somewhere calls sip:5000 at my.public.ip.address. What
>>>> happens is as follows: Suppose that 5000 is extension which should
>>>> only have limited access, for example users A and B have this
>>>> extension in their contexts. Now however, when A is online, any
>>>> unauthenticated call is handled in A's context so anybody could get
>>>> A's privileges.
>>>> 
>>>> Best,
>>>> 
>>>> Teijo
>>>> 
>>>> 19.7.2014 15:30, Cibin Paul wrote:
>>>>> Hello,
>>>>> 
>>>>> Let me understand this. You have an extension 4000 which is online.
>>>>> If someone who is not even a registered user calls the extension
>>>>> 4000 using 4000 at your.public.ip.address, the call will get connected.
>>>>> Correct me if I am wrong.
>>>>> As far as I understand, you have configured this box as a PBX where
>>>>> only registered users can communicate. If that is the case, can you
>>>>> do a lookup in location table whether the originating caller is
>>>>> actually online? By this you can check whether the originating call
>>>>> is from a valid source. If not, Hangup the call.
>>>>> 
>>>>> Regards
>>>>> Cibin
>>>>> 
>>>>> 
>>>>>> On 19-Jul-2014, at 5:30 pm, Teijo <g.aloitus at gmail.com> wrote:
>>>>>> 
>>>>>> Hello,
>>>>>> 
>>>>>> The problem is unauthenticated calls - calls from somebody from
>>>>>> outside to my server. Kamailio accepts these calls, because
>>>>>> destination is my server. This happens if somebody calls to
>>>>>> some_extension at my.public.ip.address. My public IP refers to the
>>>>>> address both Kamailio and Asterisk are listening to. This is not
>>>>>> problem if there are no online friends/peers in Asterisk, because
>>>>>> then incoming call goes to context I have defined for incoming
>>>>>> calls. But if there are online friends/peers in Asterisk, calls
>>>>>> go to online friend's/peer's context. I think this happens
>>>>>> because one of the methods Asterisk decides to put incoming calls
>>>>>> to given context is IP address. Now all the calls come from
>>>>>> Kamailio - ie. from the same IP. I think that when Asterisk is
>>>>>> considering what to do with incoming call, it detects that there is
>>>>>> registration(s) from Kamailio's IP, and concludes that this
>>>>>> incoming call belongs to this kind of peer's context, and this
>>>>>> causes problem. Likely Asterisk put it to the peer's context who
>>>>>> has in the first place in its registered peers list.
>>>>>> 
>>>>>> I do not know what to do for this in Asterisk. I think - but I'm
>>>>>> not sure at all - that refusing to forward such calls to Asterisk
>>>>>> whose domain is Kamailio's IP - could solve this. But if this would
>>>>>> be the solution, I do not know what I should do in Kamailio. Well,
>>>>>> I suppose that if statement in kamailio.cfg:
>>>>>> 
>>>>>>    # if caller is not local subscriber, then check if it calls
>>>>>>    # a local destination, otherwise deny, not an open relay here
>>>>>>    if (from_uri!=myself && uri!=myself)
>>>>>> 
>>>>>> is the place where I should do modification, but what the modified
>>>>>> if statement should exactly be, I am not sure.
>>>>>> 
>>>>>> Best,
>>>>>> 
>>>>>> Teijo
>>>>>> 
>>>>>> 19.7.2014 14:16, Cibin Paul wrote:
>>>>>>> Hello,
>>>>>>> 
>>>>>>> Can you elaborate on your issue? Who is handling registration and
>>>>>>> how is the call flow?
>>>>>>> 
>>>>>>> Regards
>>>>>>> Cibin
>>>>>>> 
>>>>>>> 
>>>>>>>> On 19-Jul-2014, at 4:34 pm, Teijo <g.aloitus at gmail.com> wrote:
>>>>>>>> 
>>>>>>>> Hello,
>>>>>>>> 
>>>>>>>> Well, this is still problem for me.
>>>>>>>> 
>>>>>>>> Best,
>>>>>>>> 
>>>>>>>> Teijo
>>>>>>>> 
>>>>>>>> 17.7.2014 11:22, g.aloitus at gmail.com wrote:
>>>>>>>>> Hello,
>>>>>>>>> 
>>>>>>>>> I have:
>>>>>>>>> 
>>>>>>>>> allowguest=no
>>>>>>>>> contactpermit=kamailio.ip.addr.ess
>>>>>>>>> 
>>>>>>>>> I also have tried the approach that I have peer kamailio, but then all
>>>>>>>>> calls seem to go to the context defined for kamailio peer. I do not
>>>>>>>>> know how I could in that case handle individual calls - for example
>>>>>>>>> determine if given phone can call to given number or not.
>>>>>>>>> 
>>>>>>>>> Best,
>>>>>>>>> 
>>>>>>>>> Teijo
>>>>>>>>> 
>>>>>>>>> 17.7.2014 10:48, Cibin Paul wrote:
>>>>>>>>>> Hello,
>>>>>>>>>> 
>>>>>>>>>> Try allow *allowguest=no* in sip.conf [general] context and create a
>>>>>>>>>> peer for kamailio in sip.conf
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> Regards
>>>>>>>>>> Cibin
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 17.7.2014 10:22, g.aloitus at gmail.com wrote:
>>>>>>>>>>> Hello,
>>>>>>>>>>> 
>>>>>>>>>>> There is a message "Possible Security issue with Kamailio - Asterisk
>>>>>>>>>>> Realtime integration" in Asterisk users mailing list:
>>>>>>>>>>> 
>>>>>>>>>>> http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> I think the problem I have is somewhat similar.
>>>>>>>>>>> 
>>>>>>>>>>> Should I suppose that there is a security risk in Kamailio - Asterisk
>>>>>>>>>>> realtime integration, and if this is a case what I can do to eliminate
>>>>>>>>>>> this risk?
>>>>>>>>>>> 
>>>>>>>>>>> Best,
>>>>>>>>>>> 
>>>>>>>>>>> Teijo
>>>>>>>>>>> 
>>>>>>>>>>> 16.7.2014 9:44, g.aloitus at gmail.com wrote:
>>>>>>>>>>>> Hello,
>>>>>>>>>>>> 
>>>>>>>>>>>> Has anybody any solution or suggestion?
>>>>>>>>>>>> 
>>>>>>>>>>>> If I for example launch MicroSIP (no doubt it could be some other SIP
>>>>>>>>>>>> client), and simply call:
>>>>>>>>>>>> 
>>>>>>>>>>>> sip:some_extension at my.public.ip.address
>>>>>>>>>>>> 
>>>>>>>>>>>> call is established, if there is online user/users. Naturally this
>>>>>>>>>>>> incoming call should be handled by Asterisk in context where I have
>>>>>>>>>>>> defined unauthorized calls are handled, but instead, the call goes
>>>>>>>>>>>> to online user's context.
>>>>>>>>>>>> 
>>>>>>>>>>>> To get this situation I don't need to define any account information in
>>>>>>>>>>>> MicroSIP.
>>>>>>>>>>>> 
>>>>>>>>>>>> I have not set passwords for users in Asterisk to avoid double
>>>>>>>>>>>> authorization. May this cause the behavior? I have not set default user
>>>>>>>>>>>> or from user in my peer definitions. I am not registering Kamailio to
>>>>>>>>>>>> Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
>>>>>>>>>>>> 
>>>>>>>>>>>> I do not know what direction to go to. I would be happy, if I should not
>>>>>>>>>>>> go to the trial and error path so any help is welcome.
>>>>>>>>>>>> 
>>>>>>>>>>>> Thanks in advance,
>>>>>>>>>>>> 
>>>>>>>>>>>> Teijo
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 14.7.2014 9:06, g.aloitus at gmail.com wrote:
>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> If one places call, and tell that "my from domain is your Kamailio's
>>>>>>>>>>>>> IP", call is established, because Asterisk accepts requests from
>>>>>>>>>>>>> Kamailio. One problem is that it's unpredictable in this case what is
>>>>>>>>>>>>> the context where this kind of call is handled by Asterisk.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> This situation requires that I change something in my setup. If I decide
>>>>>>>>>>>>> accept calls only from my users, I suppose that it can be quite easily
>>>>>>>>>>>>> done by modifying if statement referred below or at least by applying
>>>>>>>>>>>>> instructions found here:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
>>>>>>>>>>>>> 
>>>>>>>>>>>>> However, I'm somewhat unsure what should I do, if I decide to accept
>>>>>>>>>>>>> calls from any caller - not only from my users.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Best,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Teijo
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 12.7.2014 19:36, Muhammad Shahzad wrote:
>>>>>>>>>>>>>> Well, this
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Means neither source nor destination is our user. Which implies that
>>>>>>>>>>>>>> if our domain is A, then call from domain "B to C" is not possible.
>>>>>>>>>>>>>> However, calls from "B or C to A" and "A to B or C" are possible. That
>>>>>>>>>>>>>> is why an unauthorized user gets passed and reaches asterisk. Asterisk
>>>>>>>>>>>>>> accepts it since call is coming from kamailio and tries to route it
>>>>>>>>>>>>>> back to kamailio, where kamailio finds user online and thus it goes
>>>>>>>>>>>>>> through.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> You should really break down this,
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> into something like this for clarity,
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> if (from_uri!=myself) {
>>>>>>>>>>>>>>    if (uri!=myself) {
>>>>>>>>>>>>>>        # neither source nor destination is our user
>>>>>>>>>>>>>>    } else {
>>>>>>>>>>>>>>        # source is not our user but destination is our user
>>>>>>>>>>>>>>    };
>>>>>>>>>>>>>> } else {
>>>>>>>>>>>>>>    if (uri!=myself) {
>>>>>>>>>>>>>>        # source is our user but destination is not our user
>>>>>>>>>>>>>>    } else {
>>>>>>>>>>>>>>        # both source and destination are our users
>>>>>>>>>>>>>>    };
>>>>>>>>>>>>>> };
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Hope this helps.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Thank you.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> On Fri, Jul 11, 2014 at 5:36 PM, <g.aloitus at gmail.com> wrote:
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> I'm using Kamailio version 4.1.4+precise (amd64).
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration
>>>>>>>>>>>>>>> using Asterisk Database"
>>>>>>>>>>>>>>> (http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb).
>>>>>>>>>>>>>>> One main difference in my setup compared to that one is that I
>>>>>>>>>>>>>>> continued use of Kamailio's database.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> The problem is as follows:
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> I decided to put Kamailio and through it Asterisk reachable from
>>>>>>>>>>>>>>> internet. I have tried to configure Asterisk so that only calls of
>>>>>>>>>>>>>>> registered users would be possible, and they could only call to other
>>>>>>>>>>>>>>> registered users or conference rooms and echo test number.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Then I took the following steps:
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> I ensured that there were no online users with kamctl online. Then I
>>>>>>>>>>>>>>> launched MicroSIP (www.microsip.org), but I did not define account, I
>>>>>>>>>>>>>>> simply set the protocol to tls and media encryption to mandatory,
>>>>>>>>>>>>>>> because I'm using these.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> I called to extension with xxx at my.public.ip.address (where xxx is
>>>>>>>>>>>>>>> extension) getting "unauthorized". And that was what I wanted.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> But if there are online users, calls go through, and incoming call is
>>>>>>>>>>>>>>> coming from Asterisk (in syslog I can find out that
>>>>>>>>>>>>>>> src_user=asterisk).
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Kamailio and Asterisk are listening the same IP address, but different
>>>>>>>>>>>>>>> port. I have refused connections to the Asterisk's port with iptables.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> I have defined my public IP address as domain in sip.conf. There is
>>>>>>>>>>>>>>> also other domain defined which corresponds to users' domain I am using
>>>>>>>>>>>>>>> in Kamailio's database.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> In kamailio.cfg there is if statement which prevents Kamailio not to be
>>>>>>>>>>>>>>> open relay:
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> If I change this for example:
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> if (from_uri!=myself || uri!=myself)
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> I get what I want this time: no calls from outside, but I somewhat
>>>>>>>>>>>>>>> think that this is not a final solution.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> I have not found from log files such information which would have
>>>>>>>>>>>>>>> helped me. I have not yet investigated this problem so much that I
>>>>>>>>>>>>>>> could tell the logic behind the selection of online user's identity
>>>>>>>>>>>>>>> which is used. However, if I make a call to conference room I notice
>>>>>>>>>>>>>>> that Asterisk is thinking that one of online users has joined the
>>>>>>>>>>>>>>> conference.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> If I can recall correctly, I started with Kamailio version 3.2, and
>>>>>>>>>>>>>>> integrated it with Asterisk 11 (currently 11.10.2). Is there something
>>>>>>>>>>>>>>> which has changed in Kamailio, but what I have not changed in my setup
>>>>>>>>>>>>>>> which could explain this.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Best,
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Teijo
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
>>>>>>>>>>>>>>> mailing
>>>>>>>>>>>>>>> list
>>>>>>>>>>>>>>> sr-users at lists.sip-router.org
>>>>>>>>>>>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> This part of the message body will be transferred on request.



