[SR-Users] Problem with Kamailio - Asterisk integration (WAS: Re: Unknown caller gets online user's identity)
Cibin Paul
paul_cibin at me.com
Mon Jul 21 17:39:30 CEST 2014
Hello,
If you want to check call authentication, you can perform the following.
CASE 1: Outside caller initiating a call to a user with the callerid set to a valid username (callerid) in Kamailio
You will get the IP address from which the call originated using ${SIPURI}. Basically you have to strip the IP address from ${SIPURI}. You can compare it with the IP in the location table of Kamailio. If they are the same, the call is from a registered user; otherwise someone is using the same callerid as a registered user, and you can send that call to a different context.
CASE 2: CALLERID not set or a different pattern other than your users
In this case you can straight away send the call to a different context.
You can check this condition using an AGI.
Regards
Cibin
On 20-Jul-2014, at 5:53 pm, Teijo <g.aloitus at gmail.com> wrote:
> Hello,
>
> This problem seems not to happen when Kamailio is not in use.
>
> I'd like to handle registrations etc. in Kamailio, but I do not know how to do it without suffering from this problem.
>
> Best,
>
> Teijo
>
> 19.7.2014 21:12, Teijo wrote:
>> Hello,
>>
>> I'd like to allow calls to my users from anyone, but I'd like to have
>> control over those calls so that I could suppose that they go to context
>> I want - let's say that that context would be unauth. But as said, this
>> is not the case currently.
>>
>> Sorry, but I cannot figure out what condition for checking call
>> authentication could be.
>>
>> As I wrote in my first post, I have followed this tutorial:
>>
>> http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb
>>
>> for Kamailio - Asterisk realtime integration. Only exception I have is
>> that I use Kamailio's database for user authentication, and that I have
>> no Asterisk database.
>>
>> Best,
>>
>> Teijo
>>
>> 19.7.2014 17:36, Cibin Paul wrote:
>>> Hello,
>>>
>>> Is this part of your setup to allow anyone to call any extension, but
>>> handle these unauthenticated calls in a different context? If so, will
>>> the following entry work for you?
>>>
>>> Create a peer of kamailio in sip.conf
>>> [kamailio]
>>> Type=peer
>>> Host=kamailio ip
>>> Port= kamailio port
>>> .
>>> .
>>> .
>>> context= some context where all calls should be handled.
>>>
>>> In extensions.conf
>>>
>>> [context]
>>> exten => _X.,1,GotoIf($[condition for checking call authentication]?auth:unauth)
>>> same => n(auth),Goto(context of authenticated call)
>>> same => n(unauth),Goto(context of unauthenticated call)
>>> .
>>> .
>>> .
>>>
>>> Cibin
>>>
>>>
>>>> On 19-Jul-2014, at 7:20 pm, Teijo Burman <g.aloitus at gmail.com> wrote:
>>>>
>>>> Yes, you are correct. But let's say that user A is online. Now
>>>> somebody from somewhere calls sip:5000 at my.public.ip.address. What
>>>> happens is as follows: Suppose that 5000 is extension which should
>>>> only have limited access, for example users A and B have this
>>>> extension in their contexts. Now however, when A is online, any
>>>> unauthenticated call is handled in A's context so anybody could get
>>>> A's privileges.
>>>>
>>>> Best,
>>>>
>>>> Teijo
>>>>
>>>> 19.7.2014 15:30, Cibin Paul wrote:
>>>>> Hello,
>>>>>
>>>>> Let me understand this. You have an extension 4000 which is online.
>>>>> If someone who is not even a registered user calls the extension
>>>>> 4000 using 4000 at your.public.ip.address, the call will get connected.
>>>>> Correct me if I am wrong.
>>>>> As far as I understand, you have configured this box as a PBX where
>>>>> only registered users can communicate. If that is the case, can you
>>>>> do a lookup in location table whether the originating caller is
>>>>> actually online? By this you can check whether the originating call
>>>>> is from a valid source. If not, Hangup the call.
>>>>>
>>>>> Regards
>>>>> Cibin
>>>>>
>>>>>
>>>>>> On 19-Jul-2014, at 5:30 pm, Teijo <g.aloitus at gmail.com> wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> The problem is unauthenticated calls - calls from somebody from
>>>>>> outside to my server. Kamailio accepts these calls, because
>>>>>> destination is my server. This happens if somebody calls to
>>>>>> some_extension at my.public.ip.address. My public IP refers to the
>>>>>> address both Kamailio and Asterisk are listening to. This is not
>>>>>> problem if there are no online friends/peers in Asterisk, because
>>>>>> then incoming call goes to context I have defined for incoming
>>>>>> calls. But if there are online friends/peers in Asterisk, calls
>>>>>> go to online friend's/peer's context. I think this happens
>>>>>> because one of the methods Asterisk decides to put incoming calls
>>>>>> to given context is IP address. Now all the calls come from
>>>>>> Kamailio - ie. from the same IP. I think that when Asterisk is
>>>>>> considering what to do with incoming call, it detects that there is
>>>>>> registration(s) from Kamailio's IP, and concludes that this
>>>>>> incoming call belongs to this kind of peer's context, and this
>>>>>> causes problem. Likely Asterisk puts it to the context of the peer
>>>>>> who is in the first place in its registered peers list.
>>>>>>
>>>>>> I do not know what to do for this in Asterisk. I think - but I'm
>>>>>> not sure at all - that refusing to forward such calls to Asterisk
>>>>>> whose domain is Kamailio's IP - could solve this. But if this would
>>>>>> be the solution, I do not know what I should do in Kamailio. Well,
>>>>>> I suppose that if statement in kamailio.cfg:
>>>>>>
>>>>>> # if caller is not local subscriber, then check if it calls
>>>>>> # a local destination, otherwise deny, not an open relay here
>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>
>>>>>> is the place where I should do modification, but what the modified
>>>>>> if statement should exactly be, I am not sure.
>>>>>>
>>>>>> Best,
>>>>>>
>>>>>> Teijo
>>>>>>
>>>>>> 19.7.2014 14:16, Cibin Paul wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> Can you elaborate on your issue? Who is handling registration and
>>>>>>> how is the call flow?
>>>>>>>
>>>>>>> Regards
>>>>>>> Cibin
>>>>>>>
>>>>>>>
>>>>>>>> On 19-Jul-2014, at 4:34 pm, Teijo <g.aloitus at gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> Well, this is still problem for me.
>>>>>>>>
>>>>>>>> Best,
>>>>>>>>
>>>>>>>> Teijo
>>>>>>>>
>>>>>>>> 17.7.2014 11:22, g.aloitus at gmail.com wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I have:
>>>>>>>>>
>>>>>>>>> allowguest=no
>>>>>>>>> contactpermit=kamailio.ip.addr.ess
>>>>>>>>>
>>>>>>>>> I also have tried the approach that I have peer kamailio, but
>>>>>>>>> then all calls seem to go to the context defined for kamailio
>>>>>>>>> peer. I do not know how I could in that case handle individual
>>>>>>>>> calls - for example determine if given phone can call to given
>>>>>>>>> number or not.
>>>>>>>>>
>>>>>>>>> Best,
>>>>>>>>>
>>>>>>>>> Teijo
>>>>>>>>>
>>>>>>>>> 17.7.2014 10:48, Cibin Paul wrote:
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> Try *allowguest=no* in sip.conf [general] context and create a
>>>>>>>>>> peer for kamailio in sip.conf
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Cibin
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 17.7.2014 10:22, g.aloitus at gmail.com wrote:
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> There is a message "Possible Security issue with Kamailio - Asterisk
>>>>>>>>>>> Realtime integration" in Asterisk users mailing list:
>>>>>>>>>>>
>>>>>>>>>>> http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
>>>>>>>>>>>
>>>>>>>>>>> I think the problem I have is somewhat similar.
>>>>>>>>>>>
>>>>>>>>>>> Should I suppose that there is a security risk in Kamailio - Asterisk
>>>>>>>>>>> realtime integration, and if this is a case what I can do to
>>>>>>>>>>> eliminate this risk?
>>>>>>>>>>>
>>>>>>>>>>> Best,
>>>>>>>>>>>
>>>>>>>>>>> Teijo
>>>>>>>>>>>
>>>>>>>>>>> 16.7.2014 9:44, g.aloitus at gmail.com wrote:
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> Has anybody any solution or suggestion?
>>>>>>>>>>>>
>>>>>>>>>>>> If I for example launch MicroSIP (no doubt it could be some other
>>>>>>>>>>>> SIP client), and simply call:
>>>>>>>>>>>>
>>>>>>>>>>>> sip:some_extension at my.public.ip.address
>>>>>>>>>>>>
>>>>>>>>>>>> call is established, if there is online user/users. Naturally this
>>>>>>>>>>>> incoming call should be handled by Asterisk in context where I have
>>>>>>>>>>>> defined unauthorized calls are handled, but instead, the call goes
>>>>>>>>>>>> to online user's context.
>>>>>>>>>>>>
>>>>>>>>>>>> To get this situation I don't need to define any account
>>>>>>>>>>>> information in MicroSIP.
>>>>>>>>>>>>
>>>>>>>>>>>> I have not set passwords for users in Asterisk to avoid double
>>>>>>>>>>>> authorization. May this cause the behavior? I have not set default
>>>>>>>>>>>> user or from user in my peer definitions. I am not registering
>>>>>>>>>>>> Kamailio to Asterisk - I mean I have no peer definition for
>>>>>>>>>>>> Kamailio in sip.conf.
>>>>>>>>>>>>
>>>>>>>>>>>> I do not know what direction to go to. I would be happy, if I
>>>>>>>>>>>> should not go to the trial and error path so any help is welcome.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks in advance,
>>>>>>>>>>>>
>>>>>>>>>>>> Teijo
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> 14.7.2014 9:06, g.aloitus at gmail.com wrote:
>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>
>>>>>>>>>>>>> If one places call, and tells that "my from domain is your Kamailio's
>>>>>>>>>>>>> IP", call is established, because Asterisk accepts requests from
>>>>>>>>>>>>> Kamailio. One problem is that it's unpredictable in this case what
>>>>>>>>>>>>> is the context where this kind of call is handled by Asterisk.
>>>>>>>>>>>>>
>>>>>>>>>>>>> This situation requires that I change something in my setup. If I
>>>>>>>>>>>>> decide to accept calls only from my users, I suppose that it can be
>>>>>>>>>>>>> quite easily done by modifying if statement referred below or at
>>>>>>>>>>>>> least by applying instructions found here:
>>>>>>>>>>>>>
>>>>>>>>>>>>> http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
>>>>>>>>>>>>>
>>>>>>>>>>>>> However, I'm somewhat unsure what should I do, if I decide to accept
>>>>>>>>>>>>> calls from any caller - not only from my users.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Best,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Teijo
>>>>>>>>>>>>>
>>>>>>>>>>>>> 12.7.2014 19:36, Muhammad Shahzad wrote:
>>>>>>>>>>>>>> Well, this
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> means neither source nor destination is our user. Which implies that
>>>>>>>>>>>>>> if our domain is A, then call from domain "B to C" is not possible.
>>>>>>>>>>>>>> However, calls from "B or C to A" and "A to B or C" are possible.
>>>>>>>>>>>>>> That is why an unauthorized user gets past and reaches asterisk.
>>>>>>>>>>>>>> Asterisk accepts it since call is coming from kamailio and tries to
>>>>>>>>>>>>>> route it back to kamailio, where kamailio finds user online and thus
>>>>>>>>>>>>>> it goes through.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> You should really break down this,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> into something like this for clarity,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> if (from_uri!=myself) {
>>>>>>>>>>>>>>     if (uri!=myself) {
>>>>>>>>>>>>>>         # neither source nor destination is our user
>>>>>>>>>>>>>>     } else {
>>>>>>>>>>>>>>         # source is not our user but destination is our user
>>>>>>>>>>>>>>     };
>>>>>>>>>>>>>> } else {
>>>>>>>>>>>>>>     if (uri!=myself) {
>>>>>>>>>>>>>>         # source is our user but destination is not our user
>>>>>>>>>>>>>>     } else {
>>>>>>>>>>>>>>         # both source and destination are our users
>>>>>>>>>>>>>>     };
>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hope this helps.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thank you.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, Jul 11, 2014 at 5:36 PM, <g.aloitus at gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'm using Kamailio version 4.1.4+precise (amd64).
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime
>>>>>>>>>>>>>>> Integration using Asterisk Database"
>>>>>>>>>>>>>>> (http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb).
>>>>>>>>>>>>>>> One main difference in my setup compared to that one is that I
>>>>>>>>>>>>>>> continued use of Kamailio's database.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The problem is as follows:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I decided to put Kamailio and through it Asterisk reachable from
>>>>>>>>>>>>>>> internet. I have tried to configure Asterisk so that only calls of
>>>>>>>>>>>>>>> registered users would be possible, and they could only call to
>>>>>>>>>>>>>>> other registered users or conference rooms and echo test number.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Then I took the following steps:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I ensured that there were no online users with kamctl online. Then I
>>>>>>>>>>>>>>> launched MicroSIP (www.microsip.org), but I did not define an
>>>>>>>>>>>>>>> account, I simply set the protocol to tls and media encryption to
>>>>>>>>>>>>>>> mandatory, because I'm using these.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I called to extension with xxx at my.public.ip.address (where xxx is
>>>>>>>>>>>>>>> extension) getting "unauthorized". And that was what I wanted.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> But if there are online users, calls go through, and incoming call is
>>>>>>>>>>>>>>> coming from Asterisk (in syslog I can find out that
>>>>>>>>>>>>>>> src_user=asterisk).
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Kamailio and Asterisk are listening on the same IP address, but
>>>>>>>>>>>>>>> different port. I have refused connections to the Asterisk's port
>>>>>>>>>>>>>>> with iptables.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I have defined my public IP address as domain in sip.conf. There is
>>>>>>>>>>>>>>> also other domain defined which corresponds to users' domain I am
>>>>>>>>>>>>>>> using in Kamailio's database.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> In kamailio.cfg there is if statement which prevents Kamailio from
>>>>>>>>>>>>>>> being an open relay:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If I change this for example:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> if (from_uri!=myself || uri!=myself)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I get what I want this time: no calls from outside, but I somewhat
>>>>>>>>>>>>>>> think that this is not a final solution.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I have not found from log files such information which would have
>>>>>>>>>>>>>>> helped me. I have not yet investigated this problem so much that I
>>>>>>>>>>>>>>> could tell the logic behind the selection of online user's identity
>>>>>>>>>>>>>>> which is used. However, if I make a call to conference room I notice
>>>>>>>>>>>>>>> that Asterisk is thinking that one of online users has joined the
>>>>>>>>>>>>>>> conference.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If I can recall correctly, I started with Kamailio version 3.2, and
>>>>>>>>>>>>>>> integrated it with Asterisk 11 (currently 11.10.2). Is there
>>>>>>>>>>>>>>> something which has changed in Kamailio, but what I have not changed
>>>>>>>>>>>>>>> in my setup which could explain this.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Best,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Teijo
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
>>>>>>>>>>>>>>> mailing
>>>>>>>>>>>>>>> list
>>>>>>>>>>>>>>> sr-users at lists.sip-router.org
>>>>>>>>>>>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
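
The check described in the message at the top of this thread (CASE 1 and CASE 2), written as the function an AGI script could call with the channel's caller ID and `${SIPURI}`; this is an added example, not code from the thread. It assumes Kamailio's `location` table with its `username`, `contact` and `received` columns (modelled here by a constructed in-memory SQLite table), a hypothetical numeric pattern for local usernames, and that `${SIPURI}` carries the caller's address as the message states.

```python
import re
import sqlite3

# Host part of a SIP URI such as sip:user@host:port;params or sip:host:port
_HOST_RE = re.compile(r"^sips?:(?:[^@]*@)?(\[[0-9A-Fa-f:.]+\]|[^:;>?]+)", re.I)
# Assumption: local usernames are 3 to 6 digits (adjust to your numbering plan)
USER_RE = re.compile(r"^\d{3,6}$")


def uri_host(uri):
    """Return the host part of a SIP URI, or None if it does not parse."""
    m = _HOST_RE.match((uri or "").strip().strip("<>"))
    return m.group(1).strip("[]").lower() if m else None


def classify_call(db, callerid, sip_uri):
    """Return 'auth' or 'unauth', the dialplan label the call should go to."""
    # CASE 2: caller ID missing or not shaped like one of our usernames
    if not callerid or not USER_RE.match(callerid):
        return "unauth"
    src = uri_host(sip_uri)
    if src is None:
        return "unauth"
    # CASE 1: caller ID names a local user, so require a registration for
    # that username whose contact or NAT 'received' address matches the source
    rows = db.execute(
        "SELECT contact, received FROM location WHERE username = ?",
        (callerid,),
    ).fetchall()
    for contact, received in rows:
        if src in (uri_host(contact), uri_host(received)):
            return "auth"
    return "unauth"


def sample_location_db():
    """Constructed stand-in for Kamailio's location table (sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE location (username TEXT, contact TEXT, received TEXT)")
    db.executemany("INSERT INTO location VALUES (?, ?, ?)", [
        ("4000", "sip:4000@198.51.100.7:5062;transport=tls", None),
        ("4001", "sip:4001@192.168.1.20:5060", "sip:203.0.113.9:40112"),
    ])
    return db
```

A match only shows that the call came from an address holding a live registration for that username; users behind the same NAT share a `received` address, so this is a routing filter and not a substitute for authenticating the INVITE in Kamailio.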