[SR-Users] Setting up uacreg

Duncan Turnbull duncan at turnbull.co.nz
Fri Jul 30 07:01:31 CEST 2021


Thanks Arsen

My perspective is evolving and I see we can go with two alternate scenarios
- we can register everything to Kamailio and then let asterisk find the
clients at Kamailio as well as accept clients from Kamailio. This requires
some testing for us to make sure asterisk thinks of the UAs happily but we
have that kind of working ok with repro but want to step up to Kamailio
- Alternately we can proxy through Kamailio to asterisk which is more
standard and if we implement the various security checks that will help a
lot. How hard is it to also add a check that the user registration passed
through is in an approved list, and then to segregate that by trusted
networks and external networks? I am thinking it's just another check in the
registration route block that looks up a db table for the source ip and the
registration details.
- where should I put such a check? Is it one place or many?

I think we like option 2 for now. One day we can move to option 1 and just
use asterisk as a media server and have kamailio be the full front end

Cheers Duncan




On Thu, Jul 29, 2021 at 9:50 PM Arsen Semenov <arsperger at gmail.com> wrote:

> Hi Duncan,
>
> There are plenty of options here.
>
> I think here is good place to start:
> https://www.kamailio.org/wiki/tutorials/security/kamailio-security
>
> You also can check https://www.apiban.org/doc.html
>
>
> Regards,
>
> On Thu, Jul 29, 2021 at 8:37 AM Duncan Turnbull <duncan at turnbull.co.nz>
> wrote:
>
>> Hi Arsen
>>
>> Thanks very much, I am looking at that now
>>
>> Is there an easy way to control the extensions that are proxied through
>> to asterisk so that we restrict the ability of outside scanning of
>> extension lists. I would like to limit the registrations for extensions
>> passed through to asterisk that come from unknown / external IPs.
>>
>> Thanks again
>>
>> Cheers Duncan
>>
>> On Wed, Jul 28, 2021 at 11:11 PM Arsen Semenov <arsperger at gmail.com>
>> wrote:
>>
>>> You can check how Path works, it is described in rfc3327, this is
>>> probably what you need.
>>> From the Asterisk side; however, I can't tell whether it is supported by
>>> pjsip, there was some issue as I know, but at least chan_sip should support
>>> it.
>>> Also docs for kamailio registrar module.
>>> What do you mean by "limit the user ids that go through to asterisk"?
>>>
>>> On Wed, Jul 28, 2021 at 12:50 PM Duncan Turnbull <duncan at turnbull.co.nz>
>>> wrote:
>>>
>>>> Hi Arsen
>>>>
>>>> Thanks very much for your reply
>>>>
>>>> We were using repro which does that but are interested in the wider
>>>> capabilities of kamailio.
>>>>
>>>> We are wanting to limit the user ids that go through to asterisk and
>>>> eventually have two kamailio servers that provide some failover
>>>>
>>>> I saw a slide pack from Fred Posner talking about fronting asterisk
>>>> with kamailio and I probably jumped to uac without fully understanding what
>>>> its purpose is
>>>>
>>>> I also saw that shared line appearance can be simulated using kamailio,
>>>> and perhaps it needs the uac module to achieve that.
>>>>
>>>> My general understanding is new and growing so I am grateful for all
>>>> advice or questions
>>>>
>>>> Thanks again
>>>>
>>>> Cheers Duncan
>>>>
>>>> On 28/07/2021, at 3:34 PM, Arsen Semenov <arsperger at gmail.com> wrote:
>>>>
>>>> Hi Duncan,
>>>>
>>>> This scenario is quite new for me, not sure I got it right.. but why
>>>> have you decided not to proxy requests to Asterisk?
>>>> By leveraging Path and Record-route headers Asterisk will know how to
>>>> route the response back as well as new requests.
>>>> And the proxy will know how to handle them.
>>>> This is how kamailio is usually set as a front-end for media servers.
>>>>
>>>>
>>>>
>>>> On Wed, Jul 28, 2021 at 8:35 AM Duncan Turnbull <duncan at turnbull.co.nz>
>>>> wrote:
>>>>
>>>>> Hi there
>>>>>
>>>>> I am a new user of Kamailio and we are trying to use it as a
>>>>> front end for our asterisk pbx. We are running on Ubuntu 18.04 and Kamailio
>>>>> 5.3.8 with Siremis
>>>>>
>>>>> Rather than proxying the request through to asterisk we are trying to
>>>>> use uacreg to send a login to asterisk. Asterisk will think all the users
>>>>> appear from the proxy but that's okay. Initially this is just for
>>>>> external users but eventually all phones etc will register via Kamailio and
>>>>> we will have the trunks there (and split them across another kamailio but
>>>>> that's another job)
>>>>>
>>>>> If I add a user to the uacreg then when I register to Kamailio it
>>>>> sends a register request but to the realm in the uacreg table and the
>>>>> matching port Kamailio is running on.
>>>>>
>>>>> Is this because somewhere we have set Kamailio to directly proxy on
>>>>> and we need to turn that off first?
>>>>>
>>>>> This is our uacreg table
>>>>>
>>>>> mysql> select * from uacreg;
>>>>>
>>>>> +----+----------+------------+---------------+------------+-----------+-----------+---------------+---------------+----------+--------------------+---------+-------+-----------+--------+
>>>>> | id | l_uuid   | l_username | l_domain      | r_username | r_domain  | realm     | auth_username | auth_password | auth_ha1 | auth_proxy         | expires | flags | reg_delay | socket |
>>>>> +----+----------+------------+---------------+------------+-----------+-----------+---------------+---------------+----------+--------------------+---------+-------+-----------+--------+
>>>>> |  1 | testuser | testuser   | ourdomain.com | 88         | 10.8.8.20 | 10.8.8.20 | 88            | password      | ''       | sip:10.8.8.20:5060 |     360 |     0 |         3 |        |
>>>>> +----+----------+------------+---------------+------------+-----------+-----------+---------------+---------------+----------+--------------------+---------+-------+-----------+--------+
>>>>> 1 row in set (0.00 sec)
>>>>>
>>>>> All pointers, guides and recommendations will be welcome
>>>>>
>>>>> Thanks very much
>>>>>
>>>>> Cheers Duncan
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> __________________________________________________________
>>>>> Kamailio - Users Mailing List - Non Commercial Discussions
>>>>>   * sr-users at lists.kamailio.org
>>>>> Important: keep the mailing list in the recipients, do not reply only
>>>>> to the sender!
>>>>> Edit mailing list options or unsubscribe:
>>>>>   * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>>>>
>>>>
>>>>
>>>> --
>>>> Arsen Semenov
>>>>
>>>>
>>>
>>>
>>> --
>>> Arsen Semenov
>>>
>>>
>>
>
>
> --
> Arsen Semenov
>
>
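
The check asked about in the top message (an approved-extension list for REGISTERs passed through to Asterisk, split by trusted and external source networks), as an added Kamailio config sketch that is not part of the thread or of the project's own configuration. Assumptions: `DBURL` is the define from the stock kamailio.cfg, group 1 of the permissions `address` table holds the trusted networks, `ext_allow` is a hypothetical DB table in htable layout keyed by extension, and `REGFILTER` is a hypothetical route name.

```cfg
# Added sketch, not from the thread. Load only the modules that the
# existing config does not load already (sl, tm, textops, xlog assumed present).
loadmodule "permissions.so"
loadmodule "htable.so"
loadmodule "path.so"

modparam("permissions", "db_url", DBURL)
modparam("htable", "db_url", DBURL)
# Hypothetical table ext_allow: key_name = extension allowed from outside.
# It is read from the database when Kamailio starts.
modparam("htable", "htable", "extallow=>size=8;dbtable=ext_allow;")

# Call from request_route for REGISTER, in place of the local registrar route.
route[REGFILTER] {
    if (!is_method("REGISTER")) return;

    # Source in a trusted network (address table, group 1): any extension passes.
    if (!allow_source_address("1")) {
        # External source: the To-URI user (the address being registered)
        # must be on the approved list.
        if ($sht(extallow=>$tU) == $null) {
            xlog("L_WARN", "REGISTER for $tU from $si rejected\n");
            sl_send_reply("403", "Forbidden");
            exit;
        }
    }

    # Record this proxy in Path (RFC 3327) and pass the REGISTER to Asterisk,
    # which still performs the digest authentication. The address is the
    # Asterisk host from the uacreg row quoted above.
    add_path();
    $du = "sip:10.8.8.20:5060";
    if (!t_relay()) sl_reply_error();
    exit;
}
```

A 403 from the proxy and a 401 challenge from Asterisk are distinguishable, so the externally approved extensions remain enumerable and still need strong passwords and rate limiting.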

