Discussion:
[SR-Users] Unknown caller gets online user's identity
g***@public.gmane.org
2014-07-11 15:36:20 UTC
Permalink
Hello,

I'm using Kamailio version 4.1.4+precise (amd64).

I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration
using Asterisk Database"
(http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb).
One main difference in my setup compared to that one is that I continued
use of Kamailio's database.

The problem is as follows:

I decided to put Kamailio and through it Asterisk reachable from
internet. I have tried to configure Asterisk so that only calls of
registered users would be possible, and they could only call to other
registered users or conference rooms and echo test number.

Then I took the following steps:

I ensured that there was no online users with kamctl online. Then I
launched MicroSIP (www.microsip.org), but I did not defined account, I
simply set the protocol to tls and media encryption to mandatory,
because I'm using these.

I called to extension with xxx-h4XAU/***@public.gmane.org (where xxx is
extension) getting "unauthorized". And that was what I wanted.

But if there is online users, calls go through, and incoming call is
coming from Asterisk (in syslog I can find out that src_user=asterisk).

Kamailio and Asterisk are listening the same IP address, but different
port. I have refused connections to the Asterisk's port with iptables.

I have defined my public IP address as domain in sip.conf. There is also
other domain defined which corresponds to users' domain I am using in
Kamailio's database.

In kamailio.cfg there is if statement which prevents Kamailio not to be
open relay:

if (from_uri!=myself && uri!=myself)
...

If I change this for example:

if (from_uri!=myself || uri!=myself)

I get what I want this time: no calls from outside, but I somewhat think
that this is not a final solution.

I have not found from log files such information which would have helped
me. I have not yet investigated this problem so much that I could tell
the logic behind the selection of online user's identity which is used.
However, if I make a call to conference room I notice that Asterisk is
thinking that one of online users has joined the conference.

If I can recall correctly, I started with Kamailio version 3.2, and
integrated it with Asterisk 11 (currently 11.10.2). Is there something
which has changed in Kamailio, but what I have not changed in my setup
which could explain this.

Best,

Teijo
Muhammad Shahzad
2014-07-12 16:36:25 UTC
Permalink
Well, this

*if (from_uri!=myself && uri!=myself)*

Means neither source nor destination is our user. Which implies that if our
domain is A, then call from domain "B to C" is not possible. However, calls
from "B or C to A" and "A to B or C" are possible. That is way an
unauthorized user gets passed and reaches asterisk. Asterisk accepts it
since call is coming from kamailio and tries to route it back to kamailio,
where kamailio finds user online and thus it goes through.

You should really break down this,

*if (from_uri!=myself && uri!=myself)*

into something like this for clarity,


*if (from_uri!=myself) { *
* if (uri!=myself) {*
* # neither source nor destination is our user*
* } else {*
* # source is not our user but destination is our user*
* };*
*} else {*
* if (uri!=myself) {*
* # source is our user but destination is not our user*
* } else {*
* # both source and destination are our users*
* };*
*};*

Hope this helps.

Thank you.
Post by g***@public.gmane.org
Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration
using Asterisk Database" (http://kb.asipto.com/
asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main
difference in my setup compared to that one is that I continued use of
Kamailio's database.
I decided to put Kamailio and through it Asterisk reachable from internet.
I have tried to configure Asterisk so that only calls of registered users
would be possible, and they could only call to other registered users or
conference rooms and echo test number.
I ensured that there was no online users with kamctl online. Then I
launched MicroSIP (www.microsip.org), but I did not defined account, I
simply set the protocol to tls and media encryption to mandatory, because
I'm using these.
extension) getting "unauthorized". And that was what I wanted.
But if there is online users, calls go through, and incoming call is
coming from Asterisk (in syslog I can find out that src_user=asterisk).
Kamailio and Asterisk are listening the same IP address, but different
port. I have refused connections to the Asterisk's port with iptables.
I have defined my public IP address as domain in sip.conf. There is also
other domain defined which corresponds to users' domain I am using in
Kamailio's database.
In kamailio.cfg there is if statement which prevents Kamailio not to be
if (from_uri!=myself && uri!=myself)
...
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I somewhat think
that this is not a final solution.
I have not found from log files such information which would have helped
me. I have not yet investigated this problem so much that I could tell the
logic behind the selection of online user's identity which is used.
However, if I make a call to conference room I notice that Asterisk is
thinking that one of online users has joined the conference.
If I can recall correctly, I started with Kamailio version 3.2, and
integrated it with Asterisk 11 (currently 11.10.2). Is there something
which has changed in Kamailio, but what I have not changed in my setup
which could explain this.
Best,
Teijo
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
g***@public.gmane.org
2014-07-14 06:06:12 UTC
Permalink
Hello,

If one places call, and tell that "my from domain is your Kamailio's
IP", call is established, because Asterisk accepts requests from
Kamailio. One problem is that it's unpredictable in this case what is
the context where thiskind of call is handled by Asterisk.

This situation requires that I change something in my setup. If I decide
accept calls only from my users, I suppose that it can be quite easily
done by modifying if statement referred below or at least by applying
instructions found here:

http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users

However, I'm somewhat unsure what should I do, if I decide to accept
calls from any caller - not only from my users.

Best,

Teijo
Post by Muhammad Shahzad
Well, this
*if (from_uri!=myself && uri!=myself)*
Means neither source nor destination is our user. Which implies that if our
domain is A, then call from domain "B to C" is not possible. However, calls
from "B or C to A" and "A to B or C" are possible. That is way an
unauthorized user gets passed and reaches asterisk. Asterisk accepts it
since call is coming from kamailio and tries to route it back to kamailio,
where kamailio finds user online and thus it goes through.
You should really break down this,
*if (from_uri!=myself && uri!=myself)*
into something like this for clarity,
*if (from_uri!=myself) { *
* if (uri!=myself) {*
* # neither source nor destination is our user*
* } else {*
* # source is not our user but destination is our user*
* };*
*} else {*
* if (uri!=myself) {*
* # source is our user but destination is not our user*
* } else {*
* # both source and destination are our users*
* };*
*};*
Hope this helps.
Thank you.
Post by g***@public.gmane.org
Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration
using Asterisk Database" (http://kb.asipto.com/
asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main
difference in my setup compared to that one is that I continued use of
Kamailio's database.
I decided to put Kamailio and through it Asterisk reachable from internet.
I have tried to configure Asterisk so that only calls of registered users
would be possible, and they could only call to other registered users or
conference rooms and echo test number.
I ensured that there was no online users with kamctl online. Then I
launched MicroSIP (www.microsip.org), but I did not defined account, I
simply set the protocol to tls and media encryption to mandatory, because
I'm using these.
extension) getting "unauthorized". And that was what I wanted.
But if there is online users, calls go through, and incoming call is
coming from Asterisk (in syslog I can find out that src_user=asterisk).
Kamailio and Asterisk are listening the same IP address, but different
port. I have refused connections to the Asterisk's port with iptables.
I have defined my public IP address as domain in sip.conf. There is also
other domain defined which corresponds to users' domain I am using in
Kamailio's database.
In kamailio.cfg there is if statement which prevents Kamailio not to be
if (from_uri!=myself && uri!=myself)
...
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I somewhat think
that this is not a final solution.
I have not found from log files such information which would have helped
me. I have not yet investigated this problem so much that I could tell the
logic behind the selection of online user's identity which is used.
However, if I make a call to conference room I notice that Asterisk is
thinking that one of online users has joined the conference.
If I can recall correctly, I started with Kamailio version 3.2, and
integrated it with Asterisk 11 (currently 11.10.2). Is there something
which has changed in Kamailio, but what I have not changed in my setup
which could explain this.
Best,
Teijo
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Tämä viestin rungon osa siirretään pyydettäessä.
g***@public.gmane.org
2014-07-16 06:44:47 UTC
Permalink
Hello,

Has anybody any solution or suggestion?

If I for example launch MicroSIP (no doubt it could be some other SIP
client), and simply call:

sip:some_extension-h4XAU/***@public.gmane.org

call is established, if there is online user/users. Naturally this
incoming call should be handled by Asterisk in context where I have
defined unauthorized calls are handled, but in stead, the call goes
online user's context.

To get this situation I don't need to define any account information in
MicroSIP.

I have not set passwords for users in Asterisk to avoid double
authorization. May this cause the behavior? I have not set default user
or from user in my peer definitions. I am not registering Kamailio to
Asterisk - I mean I have no peer definition for Kamailio in sip.conf.

I do not know what direction to go to. I would be happy, if I should not
go to the trial and error path so any help is welcome.

Thanks in advance,

Teijo
Post by g***@public.gmane.org
Hello,
If one places call, and tell that "my from domain is your Kamailio's
IP", call is established, because Asterisk accepts requests from
Kamailio. One problem is that it's unpredictable in this case what is
the context where thiskind of call is handled by Asterisk.
This situation requires that I change something in my setup. If I decide
accept calls only from my users, I suppose that it can be quite easily
done by modifying if statement referred below or at least by applying
http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
However, I'm somewhat unsure what should I do, if I decide to accept
calls from any caller - not only from my users.
Best,
Teijo
Post by Muhammad Shahzad
Well, this
*if (from_uri!=myself && uri!=myself)*
Means neither source nor destination is our user. Which implies that if our
domain is A, then call from domain "B to C" is not possible. However, calls
from "B or C to A" and "A to B or C" are possible. That is way an
unauthorized user gets passed and reaches asterisk. Asterisk accepts it
since call is coming from kamailio and tries to route it back to kamailio,
where kamailio finds user online and thus it goes through.
You should really break down this,
*if (from_uri!=myself && uri!=myself)*
into something like this for clarity,
*if (from_uri!=myself) { *
* if (uri!=myself) {*
* # neither source nor destination is our user*
* } else {*
* # source is not our user but destination is our user*
* };*
*} else {*
* if (uri!=myself) {*
* # source is our user but destination is not our user*
* } else {*
* # both source and destination are our users*
* };*
*};*
Hope this helps.
Thank you.
Post by g***@public.gmane.org
Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration
using Asterisk Database" (http://kb.asipto.com/
asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main
difference in my setup compared to that one is that I continued use of
Kamailio's database.
I decided to put Kamailio and through it Asterisk reachable from internet.
I have tried to configure Asterisk so that only calls of registered users
would be possible, and they could only call to other registered users or
conference rooms and echo test number.
I ensured that there was no online users with kamctl online. Then I
launched MicroSIP (www.microsip.org), but I did not defined account, I
simply set the protocol to tls and media encryption to mandatory, because
I'm using these.
extension) getting "unauthorized". And that was what I wanted.
But if there is online users, calls go through, and incoming call is
coming from Asterisk (in syslog I can find out that src_user=asterisk).
Kamailio and Asterisk are listening the same IP address, but different
port. I have refused connections to the Asterisk's port with iptables.
I have defined my public IP address as domain in sip.conf. There is also
other domain defined which corresponds to users' domain I am using in
Kamailio's database.
In kamailio.cfg there is if statement which prevents Kamailio not to be
if (from_uri!=myself && uri!=myself)
...
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I somewhat think
that this is not a final solution.
I have not found from log files such information which would have helped
me. I have not yet investigated this problem so much that I could tell the
logic behind the selection of online user's identity which is used.
However, if I make a call to conference room I notice that Asterisk is
thinking that one of online users has joined the conference.
If I can recall correctly, I started with Kamailio version 3.2, and
integrated it with Asterisk 11 (currently 11.10.2). Is there something
which has changed in Kamailio, but what I have not changed in my setup
which could explain this.
Best,
Teijo
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Tämä viestin rungon osa siirretään pyydettäessä.
g***@public.gmane.org
2014-07-17 07:22:50 UTC
Permalink
Hello,

There is a message "Possible Security issue with Kamailio - Asterisk
Realtime integration" in Asterisk users mailing list:

http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html

I think the problem I have is somewhat similar.

Should I suppose that there is a security risk in Kamailio - Asterisk
realtime integration, and if this is a case what I can do to eliminate
this risk?

Best,

Teijo
Post by g***@public.gmane.org
Hello,
Has anybody any solution or suggestion?
If I for example launch MicroSIP (no doubt it could be some other SIP
call is established, if there is online user/users. Naturally this
incoming call should be handled by Asterisk in context where I have
defined unauthorized calls are handled, but in stead, the call goes
online user's context.
To get this situation I don't need to define any account information in
MicroSIP.
I have not set passwords for users in Asterisk to avoid double
authorization. May this cause the behavior? I have not set default user
or from user in my peer definitions. I am not registering Kamailio to
Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
I do not know what direction to go to. I would be happy, if I should not
go to the trial and error path so any help is welcome.
Thanks in advance,
Teijo
Post by g***@public.gmane.org
Hello,
If one places call, and tell that "my from domain is your Kamailio's
IP", call is established, because Asterisk accepts requests from
Kamailio. One problem is that it's unpredictable in this case what is
the context where thiskind of call is handled by Asterisk.
This situation requires that I change something in my setup. If I decide
accept calls only from my users, I suppose that it can be quite easily
done by modifying if statement referred below or at least by applying
http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
However, I'm somewhat unsure what should I do, if I decide to accept
calls from any caller - not only from my users.
Best,
Teijo
Post by Muhammad Shahzad
Well, this
*if (from_uri!=myself && uri!=myself)*
Means neither source nor destination is our user. Which implies that if our
domain is A, then call from domain "B to C" is not possible. However, calls
from "B or C to A" and "A to B or C" are possible. That is way an
unauthorized user gets passed and reaches asterisk. Asterisk accepts it
since call is coming from kamailio and tries to route it back to kamailio,
where kamailio finds user online and thus it goes through.
You should really break down this,
*if (from_uri!=myself && uri!=myself)*
into something like this for clarity,
*if (from_uri!=myself) { *
* if (uri!=myself) {*
* # neither source nor destination is our user*
* } else {*
* # source is not our user but destination is our user*
* };*
*} else {*
* if (uri!=myself) {*
* # source is our user but destination is not our user*
* } else {*
* # both source and destination are our users*
* };*
*};*
Hope this helps.
Thank you.
Post by g***@public.gmane.org
Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration
using Asterisk Database" (http://kb.asipto.com/
asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main
difference in my setup compared to that one is that I continued use of
Kamailio's database.
I decided to put Kamailio and through it Asterisk reachable from internet.
I have tried to configure Asterisk so that only calls of registered users
would be possible, and they could only call to other registered users or
conference rooms and echo test number.
I ensured that there was no online users with kamctl online. Then I
launched MicroSIP (www.microsip.org), but I did not defined account, I
simply set the protocol to tls and media encryption to mandatory, because
I'm using these.
extension) getting "unauthorized". And that was what I wanted.
But if there is online users, calls go through, and incoming call is
coming from Asterisk (in syslog I can find out that src_user=asterisk).
Kamailio and Asterisk are listening the same IP address, but different
port. I have refused connections to the Asterisk's port with iptables.
I have defined my public IP address as domain in sip.conf. There is also
other domain defined which corresponds to users' domain I am using in
Kamailio's database.
In kamailio.cfg there is if statement which prevents Kamailio not to be
if (from_uri!=myself && uri!=myself)
...
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I somewhat think
that this is not a final solution.
I have not found from log files such information which would have helped
me. I have not yet investigated this problem so much that I could tell the
logic behind the selection of online user's identity which is used.
However, if I make a call to conference room I notice that Asterisk is
thinking that one of online users has joined the conference.
If I can recall correctly, I started with Kamailio version 3.2, and
integrated it with Asterisk 11 (currently 11.10.2). Is there something
which has changed in Kamailio, but what I have not changed in my setup
which could explain this.
Best,
Teijo
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Tämä viestin rungon osa siirretään pyydettäessä.
Cibin Paul
2014-07-17 07:47:00 UTC
Permalink
Hello,

Try allow allowguest=no in sip.conf [general] context and create a peer for kamailio in sip.comf


Regards
Cibin
Post by g***@public.gmane.org
Hello,
http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
I think the problem I have is somewhat similar.
Should I suppose that there is a security risk in Kamailio - Asterisk realtime integration, and if this is a case what I can do to eliminate this risk?
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Has anybody any solution or suggestion?
If I for example launch MicroSIP (no doubt it could be some other SIP
call is established, if there is online user/users. Naturally this
incoming call should be handled by Asterisk in context where I have
defined unauthorized calls are handled, but in stead, the call goes
online user's context.
To get this situation I don't need to define any account information in
MicroSIP.
I have not set passwords for users in Asterisk to avoid double
authorization. May this cause the behavior? I have not set default user
or from user in my peer definitions. I am not registering Kamailio to
Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
I do not know what direction to go to. I would be happy, if I should not
go to the trial and error path so any help is welcome.
Thanks in advance,
Teijo
Post by g***@public.gmane.org
Hello,
If one places call, and tell that "my from domain is your Kamailio's
IP", call is established, because Asterisk accepts requests from
Kamailio. One problem is that it's unpredictable in this case what is
the context where thiskind of call is handled by Asterisk.
This situation requires that I change something in my setup. If I decide
accept calls only from my users, I suppose that it can be quite easily
done by modifying if statement referred below or at least by applying
http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
However, I'm somewhat unsure what should I do, if I decide to accept
calls from any caller - not only from my users.
Best,
Teijo
Post by Muhammad Shahzad
Well, this
*if (from_uri!=myself && uri!=myself)*
Means neither source nor destination is our user. Which implies that if our
domain is A, then call from domain "B to C" is not possible. However, calls
from "B or C to A" and "A to B or C" are possible. That is way an
unauthorized user gets passed and reaches asterisk. Asterisk accepts it
since call is coming from kamailio and tries to route it back to kamailio,
where kamailio finds user online and thus it goes through.
You should really break down this,
*if (from_uri!=myself && uri!=myself)*
into something like this for clarity,
*if (from_uri!=myself) { *
* if (uri!=myself) {*
* # neither source nor destination is our user*
* } else {*
* # source is not our user but destination is our user*
* };*
*} else {*
* if (uri!=myself) {*
* # source is our user but destination is not our user*
* } else {*
* # both source and destination are our users*
* };*
*};*
Hope this helps.
Thank you.
Post by g***@public.gmane.org
Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration
using Asterisk Database" (http://kb.asipto.com/
asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main
difference in my setup compared to that one is that I continued use of
Kamailio's database.
I decided to put Kamailio and through it Asterisk reachable from internet.
I have tried to configure Asterisk so that only calls of registered users
would be possible, and they could only call to other registered users or
conference rooms and echo test number.
I ensured that there was no online users with kamctl online. Then I
launched MicroSIP (www.microsip.org), but I did not defined account, I
simply set the protocol to tls and media encryption to mandatory, because
I'm using these.
extension) getting "unauthorized". And that was what I wanted.
But if there is online users, calls go through, and incoming call is
coming from Asterisk (in syslog I can find out that src_user=asterisk).
Kamailio and Asterisk are listening the same IP address, but different
port. I have refused connections to the Asterisk's port with iptables.
I have defined my public IP address as domain in sip.conf. There is also
other domain defined which corresponds to users' domain I am using in
Kamailio's database.
In kamailio.cfg there is if statement which prevents Kamailio not to be
if (from_uri!=myself && uri!=myself)
...
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I somewhat think
that this is not a final solution.
I have not found from log files such information which would have helped
me. I have not yet investigated this problem so much that I could tell the
logic behind the selection of online user's identity which is used.
However, if I make a call to conference room I notice that Asterisk is
thinking that one of online users has joined the conference.
If I can recall correctly, I started with Kamailio version 3.2, and
integrated it with Asterisk 11 (currently 11.10.2). Is there something
which has changed in Kamailio, but what I have not changed in my setup
which could explain this.
Best,
Teijo
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
TÀmÀ viestin rungon osa siirretÀÀn pyydettÀessÀ.
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Cibin Paul
2014-07-17 07:48:07 UTC
Permalink
Hello,

Try allow allowguest=no in sip.conf [general] context and create a peer for kamailio in sip.comf


Regards
Cibin
Post by g***@public.gmane.org
Hello,
http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
I think the problem I have is somewhat similar.
Should I suppose that there is a security risk in Kamailio - Asterisk realtime integration, and if this is a case what I can do to eliminate this risk?
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Has anybody any solution or suggestion?
If I for example launch MicroSIP (no doubt it could be some other SIP
call is established, if there is online user/users. Naturally this
incoming call should be handled by Asterisk in context where I have
defined unauthorized calls are handled, but in stead, the call goes
online user's context.
To get this situation I don't need to define any account information in
MicroSIP.
I have not set passwords for users in Asterisk to avoid double
authorization. May this cause the behavior? I have not set default user
or from user in my peer definitions. I am not registering Kamailio to
Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
I do not know what direction to go to. I would be happy, if I should not
go to the trial and error path so any help is welcome.
Thanks in advance,
Teijo
Post by g***@public.gmane.org
Hello,
If one places call, and tell that "my from domain is your Kamailio's
IP", call is established, because Asterisk accepts requests from
Kamailio. One problem is that it's unpredictable in this case what is
the context where thiskind of call is handled by Asterisk.
This situation requires that I change something in my setup. If I decide
accept calls only from my users, I suppose that it can be quite easily
done by modifying if statement referred below or at least by applying
http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
However, I'm somewhat unsure what should I do, if I decide to accept
calls from any caller - not only from my users.
Best,
Teijo
Post by Muhammad Shahzad
Well, this
*if (from_uri!=myself && uri!=myself)*
Means neither source nor destination is our user. Which implies that if our
domain is A, then call from domain "B to C" is not possible. However, calls
from "B or C to A" and "A to B or C" are possible. That is way an
unauthorized user gets passed and reaches asterisk. Asterisk accepts it
since call is coming from kamailio and tries to route it back to kamailio,
where kamailio finds user online and thus it goes through.
You should really break down this,
*if (from_uri!=myself && uri!=myself)*
into something like this for clarity,
*if (from_uri!=myself) { *
* if (uri!=myself) {*
* # neither source nor destination is our user*
* } else {*
* # source is not our user but destination is our user*
* };*
*} else {*
* if (uri!=myself) {*
* # source is our user but destination is not our user*
* } else {*
* # both source and destination are our users*
* };*
*};*
Hope this helps.
Thank you.
Post by g***@public.gmane.org
Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration
using Asterisk Database" (http://kb.asipto.com/
asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main
difference in my setup compared to that one is that I continued use of
Kamailio's database.
I decided to put Kamailio and through it Asterisk reachable from internet.
I have tried to configure Asterisk so that only calls of registered users
would be possible, and they could only call to other registered users or
conference rooms and echo test number.
I ensured that there was no online users with kamctl online. Then I
launched MicroSIP (www.microsip.org), but I did not defined account, I
simply set the protocol to tls and media encryption to mandatory, because
I'm using these.
extension) getting "unauthorized". And that was what I wanted.
But if there is online users, calls go through, and incoming call is
coming from Asterisk (in syslog I can find out that src_user=asterisk).
Kamailio and Asterisk are listening the same IP address, but different
port. I have refused connections to the Asterisk's port with iptables.
I have defined my public IP address as domain in sip.conf. There is also
other domain defined which corresponds to users' domain I am using in
Kamailio's database.
In kamailio.cfg there is if statement which prevents Kamailio not to be
if (from_uri!=myself && uri!=myself)
...
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I somewhat think
that this is not a final solution.
I have not found from log files such information which would have helped
me. I have not yet investigated this problem so much that I could tell the
logic behind the selection of online user's identity which is used.
However, if I make a call to conference room I notice that Asterisk is
thinking that one of online users has joined the conference.
If I can recall correctly, I started with Kamailio version 3.2, and
integrated it with Asterisk 11 (currently 11.10.2). Is there something
which has changed in Kamailio, but what I have not changed in my setup
which could explain this.
Best,
Teijo
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
TÀmÀ viestin rungon osa siirretÀÀn pyydettÀessÀ.
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
g***@public.gmane.org
2014-07-17 08:24:22 UTC
Permalink
Hello,

I have:

allowguest=no
contactpermit=kamailio.ip.addr.ess

I also have tried the approach that I have peer kamailio, but then all
calls seems to go to to the context defined for kamailio peer. I do not
know how I could in that case handle individual calls - for example
determine if given phone can call to given number or not.

Best,

Teijo
Post by g***@public.gmane.org
Hello,
Try allow* allowguest=no *in sip.conf [general] context and create a
peer for kamailio in sip.comf
Regards
Cibin
Post by g***@public.gmane.org
Hello,
There is a message "Possible Security issue with Kamailio - Asterisk
http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
I think the problem I have is somewhat similar.
Should I suppose that there is a security risk in Kamailio - Asterisk
realtime integration, and if this is a case what I can do to eliminate
this risk?
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Has anybody any solution or suggestion?
If I for example launch MicroSIP (no doubt it could be some other SIP
call is established, if there is online user/users. Naturally this
incoming call should be handled by Asterisk in context where I have
defined unauthorized calls are handled, but in stead, the call goes
online user's context.
To get this situation I don't need to define any account information in
MicroSIP.
I have not set passwords for users in Asterisk to avoid double
authorization. May this cause the behavior? I have not set default user
or from user in my peer definitions. I am not registering Kamailio to
Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
I do not know what direction to go to. I would be happy, if I should not
go to the trial and error path so any help is welcome.
Thanks in advance,
Teijo
Post by g***@public.gmane.org
Hello,
If one places call, and tell that "my from domain is your Kamailio's
IP", call is established, because Asterisk accepts requests from
Kamailio. One problem is that it's unpredictable in this case what is
the context where thiskind of call is handled by Asterisk.
This situation requires that I change something in my setup. If I decide
accept calls only from my users, I suppose that it can be quite easily
done by modifying if statement referred below or at least by applying
http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
However, I'm somewhat unsure what should I do, if I decide to accept
calls from any caller - not only from my users.
Best,
Teijo
Post by Muhammad Shahzad
Well, this
*if (from_uri!=myself && uri!=myself)*
Means neither source nor destination is our user. Which implies that if our
domain is A, then call from domain "B to C" is not possible. However, calls
from "B or C to A" and "A to B or C" are possible. That is way an
unauthorized user gets passed and reaches asterisk. Asterisk accepts it
since call is coming from kamailio and tries to route it back to kamailio,
where kamailio finds user online and thus it goes through.
You should really break down this,
*if (from_uri!=myself && uri!=myself)*
into something like this for clarity,
*if (from_uri!=myself) { *
* if (uri!=myself) {*
* # neither source nor destination is our user*
* } else {*
* # source is not our user but destination is our user*
* };*
*} else {*
* if (uri!=myself) {*
* # source is our user but destination is not our user*
* } else {*
* # both source and destination are our users*
* };*
*};*
Hope this helps.
Thank you.
Post by g***@public.gmane.org
Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration
using Asterisk Database" (http://kb.asipto.com/
asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main
difference in my setup compared to that one is that I continued use of
Kamailio's database.
I decided to put Kamailio and through it Asterisk reachable from internet.
I have tried to configure Asterisk so that only calls of registered users
would be possible, and they could only call to other registered users or
conference rooms and echo test number.
I ensured that there was no online users with kamctl online. Then I
launched MicroSIP (www.microsip.org), but I did not defined account, I
simply set the protocol to tls and media encryption to mandatory, because
I'm using these.
extension) getting "unauthorized". And that was what I wanted.
But if there is online users, calls go through, and incoming call is
coming from Asterisk (in syslog I can find out that
src_user=asterisk).
Kamailio and Asterisk are listening the same IP address, but different
port. I have refused connections to the Asterisk's port with iptables.
I have defined my public IP address as domain in sip.conf. There is also
other domain defined which corresponds to users' domain I am using in
Kamailio's database.
In kamailio.cfg there is if statement which prevents Kamailio not to be
if (from_uri!=myself && uri!=myself)
...
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I somewhat think
that this is not a final solution.
I have not found from log files such information which would have helped
me. I have not yet investigated this problem so much that I could tell the
logic behind the selection of online user's identity which is used.
However, if I make a call to conference room I notice that Asterisk is
thinking that one of online users has joined the conference.
If I can recall correctly, I started with Kamailio version 3.2, and
integrated it with Asterisk 11 (currently 11.10.2). Is there something
which has changed in Kamailio, but what I have not changed in my setup
which could explain this.
Best,
Teijo
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Tämä viestin rungon osa siirretään pyydettäessä.
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Teijo
2014-07-19 11:04:20 UTC
Permalink
Hello,

Well, this is still problem for me.

Best,

Teijo
Post by g***@public.gmane.org
Hello,
allowguest=no
contactpermit=kamailio.ip.addr.ess
I also have tried the approach that I have peer kamailio, but then all
calls seems to go to to the context defined for kamailio peer. I do not
know how I could in that case handle individual calls - for example
determine if given phone can call to given number or not.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Try allow* allowguest=no *in sip.conf [general] context and create a
peer for kamailio in sip.comf
Regards
Cibin
Post by g***@public.gmane.org
Hello,
There is a message "Possible Security issue with Kamailio - Asterisk
http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
I think the problem I have is somewhat similar.
Should I suppose that there is a security risk in Kamailio - Asterisk
realtime integration, and if this is a case what I can do to eliminate
this risk?
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Has anybody any solution or suggestion?
If I for example launch MicroSIP (no doubt it could be some other SIP
call is established, if there is online user/users. Naturally this
incoming call should be handled by Asterisk in context where I have
defined unauthorized calls are handled, but in stead, the call goes
online user's context.
To get this situation I don't need to define any account information in
MicroSIP.
I have not set passwords for users in Asterisk to avoid double
authorization. May this cause the behavior? I have not set default user
or from user in my peer definitions. I am not registering Kamailio to
Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
I do not know what direction to go to. I would be happy, if I should not
go to the trial and error path so any help is welcome.
Thanks in advance,
Teijo
Post by g***@public.gmane.org
Hello,
If one places call, and tell that "my from domain is your Kamailio's
IP", call is established, because Asterisk accepts requests from
Kamailio. One problem is that it's unpredictable in this case what is
the context where thiskind of call is handled by Asterisk.
This situation requires that I change something in my setup. If I decide
accept calls only from my users, I suppose that it can be quite easily
done by modifying if statement referred below or at least by applying
http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
However, I'm somewhat unsure what should I do, if I decide to accept
calls from any caller - not only from my users.
Best,
Teijo
Post by Muhammad Shahzad
Well, this
*if (from_uri!=myself && uri!=myself)*
Means neither source nor destination is our user. Which implies that if our
domain is A, then call from domain "B to C" is not possible. However, calls
from "B or C to A" and "A to B or C" are possible. That is way an
unauthorized user gets passed and reaches asterisk. Asterisk accepts it
since call is coming from kamailio and tries to route it back to kamailio,
where kamailio finds user online and thus it goes through.
You should really break down this,
*if (from_uri!=myself && uri!=myself)*
into something like this for clarity,
*if (from_uri!=myself) { *
* if (uri!=myself) {*
* # neither source nor destination is our user*
* } else {*
* # source is not our user but destination is our user*
* };*
*} else {*
* if (uri!=myself) {*
* # source is our user but destination is not our user*
* } else {*
* # both source and destination are our users*
* };*
*};*
Hope this helps.
Thank you.
Post by g***@public.gmane.org
Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration
using Asterisk Database" (http://kb.asipto.com/
asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main
difference in my setup compared to that one is that I continued use of
Kamailio's database.
I decided to put Kamailio and through it Asterisk reachable from internet.
I have tried to configure Asterisk so that only calls of registered users
would be possible, and they could only call to other registered users or
conference rooms and echo test number.
I ensured that there was no online users with kamctl online. Then I
launched MicroSIP (www.microsip.org), but I did not defined account, I
simply set the protocol to tls and media encryption to mandatory, because
I'm using these.
extension) getting "unauthorized". And that was what I wanted.
But if there is online users, calls go through, and incoming call is
coming from Asterisk (in syslog I can find out that
src_user=asterisk).
Kamailio and Asterisk are listening the same IP address, but different
port. I have refused connections to the Asterisk's port with iptables.
I have defined my public IP address as domain in sip.conf. There is also
other domain defined which corresponds to users' domain I am using in
Kamailio's database.
In kamailio.cfg there is if statement which prevents Kamailio not to be
if (from_uri!=myself && uri!=myself)
...
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I somewhat think
that this is not a final solution.
I have not found from log files such information which would have helped
me. I have not yet investigated this problem so much that I could tell the
logic behind the selection of online user's identity which is used.
However, if I make a call to conference room I notice that Asterisk is
thinking that one of online users has joined the conference.
If I can recall correctly, I started with Kamailio version 3.2, and
integrated it with Asterisk 11 (currently 11.10.2). Is there something
which has changed in Kamailio, but what I have not changed in my setup
which could explain this.
Best,
Teijo
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Tämä viestin rungon osa siirretään pyydettäessä.
Cibin Paul
2014-07-19 11:16:51 UTC
Permalink
Hello,

Can you elaborate on your issue. who is handling registration and how is the call flow?

Regards
Cibin
Post by g***@public.gmane.org
Hello,
Well, this is still problem for me.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
allowguest=no
contactpermit=kamailio.ip.addr.ess
I also have tried the approach that I have peer kamailio, but then all
calls seems to go to to the context defined for kamailio peer. I do not
know how I could in that case handle individual calls - for example
determine if given phone can call to given number or not.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Try allow* allowguest=no *in sip.conf [general] context and create a
peer for kamailio in sip.comf
Regards
Cibin
Post by g***@public.gmane.org
Hello,
There is a message "Possible Security issue with Kamailio - Asterisk
http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
I think the problem I have is somewhat similar.
Should I suppose that there is a security risk in Kamailio - Asterisk
realtime integration, and if this is a case what I can do to eliminate
this risk?
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Has anybody any solution or suggestion?
If I for example launch MicroSIP (no doubt it could be some other SIP
call is established, if there is online user/users. Naturally this
incoming call should be handled by Asterisk in context where I have
defined unauthorized calls are handled, but in stead, the call goes
online user's context.
To get this situation I don't need to define any account information in
MicroSIP.
I have not set passwords for users in Asterisk to avoid double
authorization. May this cause the behavior? I have not set default user
or from user in my peer definitions. I am not registering Kamailio to
Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
I do not know what direction to go to. I would be happy, if I should not
go to the trial and error path so any help is welcome.
Thanks in advance,
Teijo
Post by g***@public.gmane.org
Hello,
If one places call, and tell that "my from domain is your Kamailio's
IP", call is established, because Asterisk accepts requests from
Kamailio. One problem is that it's unpredictable in this case what is
the context where thiskind of call is handled by Asterisk.
This situation requires that I change something in my setup. If I decide
accept calls only from my users, I suppose that it can be quite easily
done by modifying if statement referred below or at least by applying
http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
However, I'm somewhat unsure what should I do, if I decide to accept
calls from any caller - not only from my users.
Best,
Teijo
Post by Muhammad Shahzad
Well, this
*if (from_uri!=myself && uri!=myself)*
Means neither source nor destination is our user. Which implies that if our
domain is A, then call from domain "B to C" is not possible. However, calls
from "B or C to A" and "A to B or C" are possible. That is way an
unauthorized user gets passed and reaches asterisk. Asterisk accepts it
since call is coming from kamailio and tries to route it back to kamailio,
where kamailio finds user online and thus it goes through.
You should really break down this,
*if (from_uri!=myself && uri!=myself)*
into something like this for clarity,
*if (from_uri!=myself) { *
* if (uri!=myself) {*
* # neither source nor destination is our user*
* } else {*
* # source is not our user but destination is our user*
* };*
*} else {*
* if (uri!=myself) {*
* # source is our user but destination is not our user*
* } else {*
* # both source and destination are our users*
* };*
*};*
Hope this helps.
Thank you.
Post by g***@public.gmane.org
Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration
using Asterisk Database" (http://kb.asipto.com/
asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main
difference in my setup compared to that one is that I continued use of
Kamailio's database.
I decided to put Kamailio and through it Asterisk reachable from internet.
I have tried to configure Asterisk so that only calls of registered users
would be possible, and they could only call to other registered users or
conference rooms and echo test number.
I ensured that there was no online users with kamctl online. Then I
launched MicroSIP (www.microsip.org), but I did not defined account, I
simply set the protocol to tls and media encryption to mandatory, because
I'm using these.
extension) getting "unauthorized". And that was what I wanted.
But if there is online users, calls go through, and incoming call is
coming from Asterisk (in syslog I can find out that
src_user=asterisk).
Kamailio and Asterisk are listening the same IP address, but different
port. I have refused connections to the Asterisk's port with iptables.
I have defined my public IP address as domain in sip.conf. There is also
other domain defined which corresponds to users' domain I am using in
Kamailio's database.
In kamailio.cfg there is if statement which prevents Kamailio not to be
if (from_uri!=myself && uri!=myself)
...
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I somewhat think
that this is not a final solution.
I have not found from log files such information which would have helped
me. I have not yet investigated this problem so much that I could tell the
logic behind the selection of online user's identity which is used.
However, if I make a call to conference room I notice that Asterisk is
thinking that one of online users has joined the conference.
If I can recall correctly, I started with Kamailio version 3.2, and
integrated it with Asterisk 11 (currently 11.10.2). Is there something
which has changed in Kamailio, but what I have not changed in my setup
which could explain this.
Best,
Teijo
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Tämä viestin rungon osa siirretään pyydettäessä.
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Teijo
2014-07-19 12:00:33 UTC
Permalink
Hello,

The problem are unauthenticated calls - calls from somebody from
outside to my server. Kamailio accepts these calls, because destination
is my server. This happen if somebody calls to
some_extension-h4XAU/***@public.gmane.org My public IP refers to the address
both Kamailio and Asterisk are listening to. This is not problem if
there are no online friends/peers in Asterisk, because then incoming
call goes to context I have defined for incoming calls. But if there are
online friends/peers in Asterisk, calls goes to online friend's/peer's
context. I think this happens because one of the methods Asterisk
decides to put incoming calls to given context is IP address. Now all
the calls come from Kamailio - ie. from the same IP. I think that when
Asterisk is considering what to do with incoming call, it detects that
there is registration(s) from Kamailio's IP, and concludes that this
incoming call belongs to thiskinds of peer's context, and this causes
problem. Likely Asterisk put it to the peer's context who has in the
first place in its registered peers list.

I do not know what to do for this in Asterisk. I think - but I'm not
sure at all - that refusing to forward such calls to Asterisk whose
domain is Kamailio's IP - could solve this. But if this would be the
solution, I do not know what I should do in Kamailio. Well, I suppose
that if statement in kamailio.cfg:

# if caller is not local subscriber, then check if it calls
# a local destination, otherwise deny, not an open relay here
if (from_uri!=myself && uri!=myself)

is the place where I should do modification, but what the modified if
statement should exactly be, I am not sure.

Best,

Teijo
Post by g***@public.gmane.org
Hello,
Can you elaborate on your issue. who is handling registration and how is the call flow?
Regards
Cibin
Post by g***@public.gmane.org
Hello,
Well, this is still problem for me.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
allowguest=no
contactpermit=kamailio.ip.addr.ess
I also have tried the approach that I have peer kamailio, but then all
calls seems to go to to the context defined for kamailio peer. I do not
know how I could in that case handle individual calls - for example
determine if given phone can call to given number or not.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Try allow* allowguest=no *in sip.conf [general] context and create a
peer for kamailio in sip.comf
Regards
Cibin
Post by g***@public.gmane.org
Hello,
There is a message "Possible Security issue with Kamailio - Asterisk
http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
I think the problem I have is somewhat similar.
Should I suppose that there is a security risk in Kamailio - Asterisk
realtime integration, and if this is a case what I can do to eliminate
this risk?
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Has anybody any solution or suggestion?
If I for example launch MicroSIP (no doubt it could be some other SIP
call is established, if there is online user/users. Naturally this
incoming call should be handled by Asterisk in context where I have
defined unauthorized calls are handled, but in stead, the call goes
online user's context.
To get this situation I don't need to define any account information in
MicroSIP.
I have not set passwords for users in Asterisk to avoid double
authorization. May this cause the behavior? I have not set default user
or from user in my peer definitions. I am not registering Kamailio to
Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
I do not know what direction to go to. I would be happy, if I should not
go to the trial and error path so any help is welcome.
Thanks in advance,
Teijo
Post by g***@public.gmane.org
Hello,
If one places call, and tell that "my from domain is your Kamailio's
IP", call is established, because Asterisk accepts requests from
Kamailio. One problem is that it's unpredictable in this case what is
the context where thiskind of call is handled by Asterisk.
This situation requires that I change something in my setup. If I decide
accept calls only from my users, I suppose that it can be quite easily
done by modifying if statement referred below or at least by applying
http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
However, I'm somewhat unsure what should I do, if I decide to accept
calls from any caller - not only from my users.
Best,
Teijo
Post by Muhammad Shahzad
Well, this
*if (from_uri!=myself && uri!=myself)*
Means neither source nor destination is our user. Which implies that if our
domain is A, then call from domain "B to C" is not possible. However, calls
from "B or C to A" and "A to B or C" are possible. That is way an
unauthorized user gets passed and reaches asterisk. Asterisk accepts it
since call is coming from kamailio and tries to route it back to kamailio,
where kamailio finds user online and thus it goes through.
You should really break down this,
*if (from_uri!=myself && uri!=myself)*
into something like this for clarity,
*if (from_uri!=myself) { *
* if (uri!=myself) {*
* # neither source nor destination is our user*
* } else {*
* # source is not our user but destination is our user*
* };*
*} else {*
* if (uri!=myself) {*
* # source is our user but destination is not our user*
* } else {*
* # both source and destination are our users*
* };*
*};*
Hope this helps.
Thank you.
Post by g***@public.gmane.org
Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration
using Asterisk Database" (http://kb.asipto.com/
asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main
difference in my setup compared to that one is that I continued use of
Kamailio's database.
I decided to put Kamailio and through it Asterisk reachable from internet.
I have tried to configure Asterisk so that only calls of registered users
would be possible, and they could only call to other registered users or
conference rooms and echo test number.
I ensured that there was no online users with kamctl online. Then I
launched MicroSIP (www.microsip.org), but I did not defined account, I
simply set the protocol to tls and media encryption to mandatory, because
I'm using these.
extension) getting "unauthorized". And that was what I wanted.
But if there is online users, calls go through, and incoming call is
coming from Asterisk (in syslog I can find out that
src_user=asterisk).
Kamailio and Asterisk are listening the same IP address, but different
port. I have refused connections to the Asterisk's port with iptables.
I have defined my public IP address as domain in sip.conf. There is also
other domain defined which corresponds to users' domain I am using in
Kamailio's database.
In kamailio.cfg there is if statement which prevents Kamailio not to be
if (from_uri!=myself && uri!=myself)
...
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I somewhat think
that this is not a final solution.
I have not found from log files such information which would have helped
me. I have not yet investigated this problem so much that I could tell the
logic behind the selection of online user's identity which is used.
However, if I make a call to conference room I notice that Asterisk is
thinking that one of online users has joined the conference.
If I can recall correctly, I started with Kamailio version 3.2, and
integrated it with Asterisk 11 (currently 11.10.2). Is there something
which has changed in Kamailio, but what I have not changed in my setup
which could explain this.
Best,
Teijo
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Tämä viestin rungon osa siirretään pyydettäessä.
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Cibin Paul
2014-07-19 12:30:11 UTC
Permalink
Hello,

Let me understand this. You have an extension 4000 which is online. If some one which is not even a registered user calls the extension 4000 using ***@your.public.ip.address, the call will get connected. Correct if I am wrong.
As far as I understand , you have configured this box as a PBX where only registered users can communicate. If that is the case, can you do a lookup in location table wether the originating caller is actually online? By this you can check wether the originating call is from a valid source. If not, Hangup the call.

Regards
Cibin
Post by g***@public.gmane.org
Hello,
# if caller is not local subscriber, then check if it calls
# a local destination, otherwise deny, not an open relay here
if (from_uri!=myself && uri!=myself)
is the place where I should do modification, but what the modified if statement should exactly be, I am not sure.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Can you elaborate on your issue. who is handling registration and how is the call flow?
Regards
Cibin
Post by g***@public.gmane.org
Hello,
Well, this is still problem for me.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
allowguest=no
contactpermit=kamailio.ip.addr.ess
I also have tried the approach that I have peer kamailio, but then all
calls seems to go to to the context defined for kamailio peer. I do not
know how I could in that case handle individual calls - for example
determine if given phone can call to given number or not.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Try allow* allowguest=no *in sip.conf [general] context and create a
peer for kamailio in sip.comf
Regards
Cibin
Post by g***@public.gmane.org
Hello,
There is a message "Possible Security issue with Kamailio - Asterisk
http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
I think the problem I have is somewhat similar.
Should I suppose that there is a security risk in Kamailio - Asterisk
realtime integration, and if this is a case what I can do to eliminate
this risk?
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Has anybody any solution or suggestion?
If I for example launch MicroSIP (no doubt it could be some other SIP
call is established, if there is online user/users. Naturally this
incoming call should be handled by Asterisk in context where I have
defined unauthorized calls are handled, but in stead, the call goes
online user's context.
To get this situation I don't need to define any account information in
MicroSIP.
I have not set passwords for users in Asterisk to avoid double
authorization. May this cause the behavior? I have not set default user
or from user in my peer definitions. I am not registering Kamailio to
Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
I do not know what direction to go to. I would be happy, if I should not
go to the trial and error path so any help is welcome.
Thanks in advance,
Teijo
Post by g***@public.gmane.org
Hello,
If one places call, and tell that "my from domain is your Kamailio's
IP", call is established, because Asterisk accepts requests from
Kamailio. One problem is that it's unpredictable in this case what is
the context where thiskind of call is handled by Asterisk.
This situation requires that I change something in my setup. If I decide
accept calls only from my users, I suppose that it can be quite easily
done by modifying if statement referred below or at least by applying
http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
However, I'm somewhat unsure what should I do, if I decide to accept
calls from any caller - not only from my users.
Best,
Teijo
Post by Muhammad Shahzad
Well, this
*if (from_uri!=myself && uri!=myself)*
Means neither source nor destination is our user. Which implies that if our
domain is A, then call from domain "B to C" is not possible. However, calls
from "B or C to A" and "A to B or C" are possible. That is way an
unauthorized user gets passed and reaches asterisk. Asterisk accepts it
since call is coming from kamailio and tries to route it back to kamailio,
where kamailio finds user online and thus it goes through.
You should really break down this,
*if (from_uri!=myself && uri!=myself)*
into something like this for clarity,
*if (from_uri!=myself) { *
* if (uri!=myself) {*
* # neither source nor destination is our user*
* } else {*
* # source is not our user but destination is our user*
* };*
*} else {*
* if (uri!=myself) {*
* # source is our user but destination is not our user*
* } else {*
* # both source and destination are our users*
* };*
*};*
Hope this helps.
Thank you.
Post by g***@public.gmane.org
Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration
using Asterisk Database" (http://kb.asipto.com/
asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main
difference in my setup compared to that one is that I continued use of
Kamailio's database.
I decided to put Kamailio and through it Asterisk reachable from
internet.
I have tried to configure Asterisk so that only calls of registered users
would be possible, and they could only call to other registered users or
conference rooms and echo test number.
I ensured that there was no online users with kamctl online. Then I
launched MicroSIP (www.microsip.org), but I did not defined account, I
simply set the protocol to tls and media encryption to mandatory, because
I'm using these.
extension) getting "unauthorized". And that was what I wanted.
But if there is online users, calls go through, and incoming call is
coming from Asterisk (in syslog I can find out that
src_user=asterisk).
Kamailio and Asterisk are listening the same IP address, but different
port. I have refused connections to the Asterisk's port with iptables.
I have defined my public IP address as domain in sip.conf. There is also
other domain defined which corresponds to users' domain I am using in
Kamailio's database.
In kamailio.cfg there is if statement which prevents Kamailio not to be
if (from_uri!=myself && uri!=myself)
...
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I somewhat think
that this is not a final solution.
I have not found from log files such information which would have helped
me. I have not yet investigated this problem so much that I could
tell the
logic behind the selection of online user's identity which is used.
However, if I make a call to conference room I notice that Asterisk is
thinking that one of online users has joined the conference.
If I can recall correctly, I started with Kamailio version 3.2, and
integrated it with Asterisk 11 (currently 11.10.2). Is there something
which has changed in Kamailio, but what I have not changed in my setup
which could explain this.
Best,
Teijo
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Tämä viestin rungon osa siirretään pyydettäessä.
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Teijo Burman
2014-07-19 13:50:00 UTC
Permalink
Yes, you are correct. But let's say that user A is online. Now somebody
from somewhere calls sip:5000-h4XAU/***@public.gmane.org What happens is as
follows: Suppose that 5000 is extension which should only has limited
access, for example users A and B have this extension in their contexts.
Now however, when A is online, any unauthenticated call is handled in
A's context so anybody could get A's privileges.

Best,

Teijo
Post by g***@public.gmane.org
Hello,
As far as I understand , you have configured this box as a PBX where only registered users can communicate. If that is the case, can you do a lookup in location table wether the originating caller is actually online? By this you can check wether the originating call is from a valid source. If not, Hangup the call.
Regards
Cibin
Post by g***@public.gmane.org
Hello,
# if caller is not local subscriber, then check if it calls
# a local destination, otherwise deny, not an open relay here
if (from_uri!=myself && uri!=myself)
is the place where I should do modification, but what the modified if statement should exactly be, I am not sure.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Can you elaborate on your issue. who is handling registration and how is the call flow?
Regards
Cibin
Post by g***@public.gmane.org
Hello,
Well, this is still problem for me.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
allowguest=no
contactpermit=kamailio.ip.addr.ess
I also have tried the approach that I have peer kamailio, but then all
calls seems to go to to the context defined for kamailio peer. I do not
know how I could in that case handle individual calls - for example
determine if given phone can call to given number or not.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Try allow* allowguest=no *in sip.conf [general] context and create a
peer for kamailio in sip.comf
Regards
Cibin
Post by g***@public.gmane.org
Hello,
There is a message "Possible Security issue with Kamailio - Asterisk
http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
I think the problem I have is somewhat similar.
Should I suppose that there is a security risk in Kamailio - Asterisk
realtime integration, and if this is a case what I can do to eliminate
this risk?
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Has anybody any solution or suggestion?
If I for example launch MicroSIP (no doubt it could be some other SIP
call is established, if there is online user/users. Naturally this
incoming call should be handled by Asterisk in context where I have
defined unauthorized calls are handled, but in stead, the call goes
online user's context.
To get this situation I don't need to define any account information in
MicroSIP.
I have not set passwords for users in Asterisk to avoid double
authorization. May this cause the behavior? I have not set default user
or from user in my peer definitions. I am not registering Kamailio to
Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
I do not know what direction to go to. I would be happy, if I should not
go to the trial and error path so any help is welcome.
Thanks in advance,
Teijo
Post by g***@public.gmane.org
Hello,
If one places call, and tell that "my from domain is your Kamailio's
IP", call is established, because Asterisk accepts requests from
Kamailio. One problem is that it's unpredictable in this case what is
the context where thiskind of call is handled by Asterisk.
This situation requires that I change something in my setup. If I decide
accept calls only from my users, I suppose that it can be quite easily
done by modifying if statement referred below or at least by applying
http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
However, I'm somewhat unsure what should I do, if I decide to accept
calls from any caller - not only from my users.
Best,
Teijo
Post by Muhammad Shahzad
Well, this
*if (from_uri!=myself && uri!=myself)*
Means neither source nor destination is our user. Which implies that
if our
domain is A, then call from domain "B to C" is not possible. However,
calls
from "B or C to A" and "A to B or C" are possible. That is way an
unauthorized user gets passed and reaches asterisk. Asterisk accepts it
since call is coming from kamailio and tries to route it back to
kamailio,
where kamailio finds user online and thus it goes through.
You should really break down this,
*if (from_uri!=myself && uri!=myself)*
into something like this for clarity,
*if (from_uri!=myself) { *
* if (uri!=myself) {*
* # neither source nor destination is our user*
* } else {*
* # source is not our user but destination is our user*
* };*
*} else {*
* if (uri!=myself) {*
* # source is our user but destination is not our user*
* } else {*
* # both source and destination are our users*
* };*
*};*
Hope this helps.
Thank you.
Post by g***@public.gmane.org
Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime
Integration
using Asterisk Database" (http://kb.asipto.com/
asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main
difference in my setup compared to that one is that I continued use of
Kamailio's database.
I decided to put Kamailio and through it Asterisk reachable from
internet.
I have tried to configure Asterisk so that only calls of registered
users
would be possible, and they could only call to other registered
users or
conference rooms and echo test number.
I ensured that there was no online users with kamctl online. Then I
launched MicroSIP (www.microsip.org), but I did not defined account, I
simply set the protocol to tls and media encryption to mandatory,
because
I'm using these.
extension) getting "unauthorized". And that was what I wanted.
But if there is online users, calls go through, and incoming call is
coming from Asterisk (in syslog I can find out that
src_user=asterisk).
Kamailio and Asterisk are listening the same IP address, but different
port. I have refused connections to the Asterisk's port with iptables.
I have defined my public IP address as domain in sip.conf. There is
also
other domain defined which corresponds to users' domain I am using in
Kamailio's database.
In kamailio.cfg there is if statement which prevents Kamailio not to be
if (from_uri!=myself && uri!=myself)
...
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I somewhat
think
that this is not a final solution.
I have not found from log files such information which would have
helped
me. I have not yet investigated this problem so much that I could
tell the
logic behind the selection of online user's identity which is used.
However, if I make a call to conference room I notice that Asterisk is
thinking that one of online users has joined the conference.
If I can recall correctly, I started with Kamailio version 3.2, and
integrated it with Asterisk 11 (currently 11.10.2). Is there something
which has changed in Kamailio, but what I have not changed in my setup
which could explain this.
Best,
Teijo
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Tämä viestin rungon osa siirretään pyydettäessä.
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Cibin Paul
2014-07-19 14:36:44 UTC
Permalink
Hello,

Is this part of your setup to allow anyone to call any extension, but handle this unauthenticated calls in a different context? If so, will the following entry works for you?

Create a peer of kamailio in sip.conf
[kamailio]
Type=peer
Host=kamailio ip
Port= kamailio port
.
.
.
context= some context where all calls should be handled.

In extensions.conf

[context]
exten => _X.,1, GotoIf([condition for checking call authentication]?:auth:unauth)
Same = n(auth),Goto(context of authenticated call)
Same = n(unauth),Goto(context of unauthenticated call)
.
.
.

Cibin
Post by g***@public.gmane.org
Best,
Teijo
Post by g***@public.gmane.org
Hello,
As far as I understand , you have configured this box as a PBX where only registered users can communicate. If that is the case, can you do a lookup in location table wether the originating caller is actually online? By this you can check wether the originating call is from a valid source. If not, Hangup the call.
Regards
Cibin
Post by g***@public.gmane.org
Hello,
# if caller is not local subscriber, then check if it calls
# a local destination, otherwise deny, not an open relay here
if (from_uri!=myself && uri!=myself)
is the place where I should do modification, but what the modified if statement should exactly be, I am not sure.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Can you elaborate on your issue. who is handling registration and how is the call flow?
Regards
Cibin
Post by g***@public.gmane.org
Hello,
Well, this is still problem for me.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
allowguest=no
contactpermit=kamailio.ip.addr.ess
I also have tried the approach that I have peer kamailio, but then all
calls seems to go to to the context defined for kamailio peer. I do not
know how I could in that case handle individual calls - for example
determine if given phone can call to given number or not.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Try allow* allowguest=no *in sip.conf [general] context and create a
peer for kamailio in sip.comf
Regards
Cibin
Post by g***@public.gmane.org
Hello,
There is a message "Possible Security issue with Kamailio - Asterisk
http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
I think the problem I have is somewhat similar.
Should I suppose that there is a security risk in Kamailio - Asterisk
realtime integration, and if this is a case what I can do to eliminate
this risk?
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Has anybody any solution or suggestion?
If I for example launch MicroSIP (no doubt it could be some other SIP
call is established, if there is online user/users. Naturally this
incoming call should be handled by Asterisk in context where I have
defined unauthorized calls are handled, but in stead, the call goes
online user's context.
To get this situation I don't need to define any account information in
MicroSIP.
I have not set passwords for users in Asterisk to avoid double
authorization. May this cause the behavior? I have not set default user
or from user in my peer definitions. I am not registering Kamailio to
Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
I do not know what direction to go to. I would be happy, if I should not
go to the trial and error path so any help is welcome.
Thanks in advance,
Teijo
Post by g***@public.gmane.org
Hello,
If one places call, and tell that "my from domain is your Kamailio's
IP", call is established, because Asterisk accepts requests from
Kamailio. One problem is that it's unpredictable in this case what is
the context where thiskind of call is handled by Asterisk.
This situation requires that I change something in my setup. If I decide
accept calls only from my users, I suppose that it can be quite easily
done by modifying if statement referred below or at least by applying
http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
However, I'm somewhat unsure what should I do, if I decide to accept
calls from any caller - not only from my users.
Best,
Teijo
Post by Muhammad Shahzad
Well, this
*if (from_uri!=myself && uri!=myself)*
Means neither source nor destination is our user. Which implies that
if our
domain is A, then call from domain "B to C" is not possible. However,
calls
from "B or C to A" and "A to B or C" are possible. That is way an
unauthorized user gets passed and reaches asterisk. Asterisk accepts it
since call is coming from kamailio and tries to route it back to
kamailio,
where kamailio finds user online and thus it goes through.
You should really break down this,
*if (from_uri!=myself && uri!=myself)*
into something like this for clarity,
*if (from_uri!=myself) { *
* if (uri!=myself) {*
* # neither source nor destination is our user*
* } else {*
* # source is not our user but destination is our user*
* };*
*} else {*
* if (uri!=myself) {*
* # source is our user but destination is not our user*
* } else {*
* # both source and destination are our users*
* };*
*};*
Hope this helps.
Thank you.
Post by g***@public.gmane.org
Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime
Integration
using Asterisk Database" (http://kb.asipto.com/
asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main
difference in my setup compared to that one is that I continued use of
Kamailio's database.
I decided to put Kamailio and through it Asterisk reachable from
internet.
I have tried to configure Asterisk so that only calls of registered
users
would be possible, and they could only call to other registered
users or
conference rooms and echo test number.
I ensured that there was no online users with kamctl online. Then I
launched MicroSIP (www.microsip.org), but I did not defined account, I
simply set the protocol to tls and media encryption to mandatory,
because
I'm using these.
extension) getting "unauthorized". And that was what I wanted.
But if there is online users, calls go through, and incoming call is
coming from Asterisk (in syslog I can find out that
src_user=asterisk).
Kamailio and Asterisk are listening the same IP address, but different
port. I have refused connections to the Asterisk's port with iptables.
I have defined my public IP address as domain in sip.conf. There is
also
other domain defined which corresponds to users' domain I am using in
Kamailio's database.
In kamailio.cfg there is if statement which prevents Kamailio not
to be
if (from_uri!=myself && uri!=myself)
...
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I somewhat
think
that this is not a final solution.
I have not found from log files such information which would have
helped
me. I have not yet investigated this problem so much that I could
tell the
logic behind the selection of online user's identity which is used.
However, if I make a call to conference room I notice that Asterisk is
thinking that one of online users has joined the conference.
If I can recall correctly, I started with Kamailio version 3.2, and
integrated it with Asterisk 11 (currently 11.10.2). Is there something
which has changed in Kamailio, but what I have not changed in my setup
which could explain this.
Best,
Teijo
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing
list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Tämä viestin rungon osa siirretään pyydettäessä.
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Teijo
2014-07-19 18:12:12 UTC
Permalink
Hello,

I'd like to allow calls to my users from anyone, but I'd like to have
control over those calls so that I could suppose that they go tocontext
I want - let's say that that context would be unauth. But as said, this
is not the case currently.

Sorry, but I cannot figure out what condition for checking call
authentication could be.

As I wrote in my first post, I have followed this tutorial:

http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb

for Kamailio - Asterisk realtime integration. Only exception I have is
that I use Kamailio's database for user authentication, and that I have
no Asterisk database.

Best,

Teijo
Post by g***@public.gmane.org
Hello,
Is this part of your setup to allow anyone to call any extension, but handle this unauthenticated calls in a different context? If so, will the following entry works for you?
Create a peer of kamailio in sip.conf
[kamailio]
Type=peer
Host=kamailio ip
Port= kamailio port
.
.
.
context= some context where all calls should be handled.
In extensions.conf
[context]
exten => _X.,1, GotoIf([condition for checking call authentication]?:auth:unauth)
Same = n(auth),Goto(context of authenticated call)
Same = n(unauth),Goto(context of unauthenticated call)
.
.
.
Cibin
Post by g***@public.gmane.org
Best,
Teijo
Post by g***@public.gmane.org
Hello,
As far as I understand , you have configured this box as a PBX where only registered users can communicate. If that is the case, can you do a lookup in location table wether the originating caller is actually online? By this you can check wether the originating call is from a valid source. If not, Hangup the call.
Regards
Cibin
Post by g***@public.gmane.org
Hello,
e peer's context who has in the first place in its registered peers list.
Post by g***@public.gmane.org
Post by g***@public.gmane.org
Post by g***@public.gmane.org
Post by g***@public.gmane.org
# if caller is not local subscriber, then check if it calls
# a local destination, otherwise deny, not an open relay here
if (from_uri!=myself && uri!=myself)
is the place where I should do modification, but what the modified if statement should exactly be, I am not sure.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Can you elaborate on your issue. who is handling registration and how is the call flow?
Regards
Cibin
Post by g***@public.gmane.org
Hello,
Well, this is still problem for me.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
allowguest=no
contactpermit=kamailio.ip.addr.ess
I also have tried the approach that I have peer kamailio, but then all
calls seems to go to to the context defined for kamailio peer. I do not
know how I could in that case handle individual calls - for example
determine if given phone can call to given number or not.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Try allow* allowguest=no *in sip.conf [general] context and create a
peer for kamailio in sip.comf
Regards
Cibin
Post by g***@public.gmane.org
Hello,
There is a message "Possible Security issue with Kamailio - Asterisk
http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
I think the problem I have is somewhat similar.
Should I suppose that there is a security risk in Kamailio - Asterisk
realtime integration, and if this is a case what I can do to eliminate
this risk?
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Has anybody any solution or suggestion?
If I for example launch MicroSIP (no doubt it could be some other SIP
call is established, if there is online user/users. Naturally this
incoming call should be handled by Asterisk in context where I have
defined unauthorized calls are handled, but in stead, the call goes
online user's context.
To get this situation I don't need to define any account information in
MicroSIP.
I have not set passwords for users in Asterisk to avoid double
authorization. May this cause the behavior? I have not set default user
or from user in my peer definitions. I am not registering Kamailio to
Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
I do not know what direction to go to. I would be happy, if I should not
go to the trial and error path so any help is welcome.
Thanks in advance,
Teijo
Post by g***@public.gmane.org
Hello,
If one places call, and tell that "my from domain is your Kamailio's
IP", call is established, because Asterisk accepts requests from
Kamailio. One problem is that it's unpredictable in this case what is
the context where thiskind of call is handled by Asterisk.
This situation requires that I change something in my setup. If I decide
accept calls only from my users, I suppose that it can be quite easily
done by modifying if statement referred below or at least by applying
http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
However, I'm somewhat unsure what should I do, if I decide to accept
calls from any caller - not only from my users.
Best,
Teijo
Post by Muhammad Shahzad
Well, this
*if (from_uri!=myself && uri!=myself)*
Means neither source nor destination is our user. Which implies that
if our
domain is A, then call from domain "B to C" is not possible. However,
calls
from "B or C to A" and "A to B or C" are possible. That is way an
unauthorized user gets passed and reaches asterisk. Asterisk accepts it
since call is coming from kamailio and tries to route it back to
kamailio,
where kamailio finds user online and thus it goes through.
You should really break down this,
*if (from_uri!=myself && uri!=myself)*
into something like this for clarity,
*if (from_uri!=myself) { *
* if (uri!=myself) {*
* # neither source nor destination is our user*
* } else {*
* # source is not our user but destination is our user*
* };*
*} else {*
* if (uri!=myself) {*
* # source is our user but destination is not our user*
* } else {*
* # both source and destination are our users*
* };*
*};*
Hope this helps.
Thank you.
Post by g***@public.gmane.org
Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime
Integration
using Asterisk Database" (http://kb.asipto.com/
asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main
difference in my setup compared to that one is that I continued use of
Kamailio's database.
I decided to put Kamailio and through it Asterisk reachable from
internet.
I have tried to configure Asterisk so that only calls of registered
users
would be possible, and they could only call to other registered
users or
conference rooms and echo test number.
I ensured that there was no online users with kamctl online. Then I
launched MicroSIP (www.microsip.org), but I did not defined account, I
simply set the protocol to tls and media encryption to mandatory,
because
I'm using these.
extension) getting "unauthorized". And that was what I wanted.
But if there is online users, calls go through, and incoming call is
coming from Asterisk (in syslog I can find out that
src_user=asterisk).
Kamailio and Asterisk are listening the same IP address, but different
port. I have refused connections to the Asterisk's port with iptables.
I have defined my public IP address as domain in sip.conf. There is
also
other domain defined which corresponds to users' domain I am using in
Kamailio's database.
In kamailio.cfg there is if statement which prevents Kamailio not
to be
if (from_uri!=myself && uri!=myself)
...
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I somewhat
think
that this is not a final solution.
I have not found from log files such information which would have
helped
me. I have not yet investigated this problem so much that I could
tell the
logic behind the selection of online user's identity which is used.
However, if I make a call to conference room I notice that Asterisk is
thinking that one of online users has joined the conference.
If I can recall correctly, I started with Kamailio version 3.2, and
integrated it with Asterisk 11 (currently 11.10.2). Is there something
which has changed in Kamailio, but what I have not changed in my setup
which could explain this.
Best,
Teijo
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing
list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Tämä viestin rungon osa siirretään pyydettäessä.
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Teijo
2014-07-20 12:23:40 UTC
Permalink
Hello,

This problem seems not to happen when Kamailio is not in use.

I'd like to handle registrations etc. in Kamailio, but I do not know how
to do it without suffering from this problem.

Best,

Teijo
Post by g***@public.gmane.org
Hello,
I'd like to allow calls to my users from anyone, but I'd like to have
control over those calls so that I could suppose that they go tocontext
I want - let's say that that context would be unauth. But as said, this
is not the case currently.
Sorry, but I cannot figure out what condition for checking call
authentication could be.
http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb
for Kamailio - Asterisk realtime integration. Only exception I have is
that I use Kamailio's database for user authentication, and that I have
no Asterisk database.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Is this part of your setup to allow anyone to call any extension, but
handle this unauthenticated calls in a different context? If so, will
the following entry works for you?
Create a peer of kamailio in sip.conf
[kamailio]
Type=peer
Host=kamailio ip
Port= kamailio port
.
.
.
context= some context where all calls should be handled.
In extensions.conf
[context]
exten => _X.,1, GotoIf([condition for checking call
authentication]?:auth:unauth)
Same = n(auth),Goto(context of authenticated call)
Same = n(unauth),Goto(context of unauthenticated call)
.
.
.
Cibin
Post by Teijo Burman
Yes, you are correct. But let's say that user A is online. Now
happens is as follows: Suppose that 5000 is extension which should
only has limited access, for example users A and B have this
extension in their contexts. Now however, when A is online, any
unauthenticated call is handled in A's context so anybody could get
A's privileges.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Let me understand this. You have an extension 4000 which is online.
If some one which is not even a registered user calls the extension
Correct if I am wrong.
As far as I understand , you have configured this box as a PBX where
only registered users can communicate. If that is the case, can you
do a lookup in location table wether the originating caller is
actually online? By this you can check wether the originating call
is from a valid source. If not, Hangup the call.
Regards
Cibin
Post by g***@public.gmane.org
Hello,
The problem are unauthenticated calls - calls from somebody from
outside to my server. Kamailio accepts these calls, because
destination is my server. This happen if somebody calls to
address both Kamailio and Asterisk are listening to. This is not
problem if there are no online friends/peers in Asterisk, because
then incoming call goes to context I have defined for incoming
calls. But if there are online friends/peers in Asterisk, calls
goes to online friend's/peer's context. I think this happens
because one of the methods Asterisk decides to put incoming calls
to given context is IP address. Now all the calls come from
Kamailio - ie. from the same IP. I think that when Asterisk is
considering what to do with incoming call, it detects that there is
registration(s) from Kamailio's IP, and concludes that this
incoming call belongs to thiskinds of peer's context, and this
causes problem. Likely Asterisk put it to th
e peer's context who has in the first place in its registered peers list.
Post by g***@public.gmane.org
Post by Teijo Burman
Post by g***@public.gmane.org
Post by g***@public.gmane.org
I do not know what to do for this in Asterisk. I think - but I'm
not sure at all - that refusing to forward such calls to Asterisk
whose domain is Kamailio's IP - could solve this. But if this would
be the solution, I do not know what I should do in Kamailio. Well,
# if caller is not local subscriber, then check if it calls
# a local destination, otherwise deny, not an open relay here
if (from_uri!=myself && uri!=myself)
is the place where I should do modification, but what the modified
if statement should exactly be, I am not sure.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Can you elaborate on your issue. who is handling registration and
how is the call flow?
Regards
Cibin
Post by g***@public.gmane.org
Hello,
Well, this is still problem for me.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
allowguest=no
contactpermit=kamailio.ip.addr.ess
I also have tried the approach that I have peer kamailio, but then all
calls seems to go to to the context defined for kamailio peer. I do not
know how I could in that case handle individual calls - for example
determine if given phone can call to given number or not.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Try allow* allowguest=no *in sip.conf [general] context and create a
peer for kamailio in sip.comf
Regards
Cibin
Post by g***@public.gmane.org
Hello,
There is a message "Possible Security issue with Kamailio - Asterisk
http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
I think the problem I have is somewhat similar.
Should I suppose that there is a security risk in Kamailio - Asterisk
realtime integration, and if this is a case what I can do to eliminate
this risk?
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Has anybody any solution or suggestion?
If I for example launch MicroSIP (no doubt it could be some other SIP
call is established, if there is online user/users. Naturally this
incoming call should be handled by Asterisk in context where I have
defined unauthorized calls are handled, but in stead, the call goes
online user's context.
To get this situation I don't need to define any account information in
MicroSIP.
I have not set passwords for users in Asterisk to avoid double
authorization. May this cause the behavior? I have not set default user
or from user in my peer definitions. I am not registering Kamailio to
Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
I do not know what direction to go to. I would be happy, if I
should not
go to the trial and error path so any help is welcome.
Thanks in advance,
Teijo
Post by g***@public.gmane.org
Hello,
If one places call, and tell that "my from domain is your Kamailio's
IP", call is established, because Asterisk accepts requests from
Kamailio. One problem is that it's unpredictable in this case what is
the context where thiskind of call is handled by Asterisk.
This situation requires that I change something in my setup.
If I decide
accept calls only from my users, I suppose that it can be
quite easily
done by modifying if statement referred below or at least by applying
http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
However, I'm somewhat unsure what should I do, if I decide to accept
calls from any caller - not only from my users.
Best,
Teijo
Post by Muhammad Shahzad
Well, this
*if (from_uri!=myself && uri!=myself)*
Means neither source nor destination is our user. Which
implies that
if our
domain is A, then call from domain "B to C" is not
possible. However,
calls
from "B or C to A" and "A to B or C" are possible. That is way an
unauthorized user gets passed and reaches asterisk.
Asterisk accepts it
since call is coming from kamailio and tries to route it back to
kamailio,
where kamailio finds user online and thus it goes through.
You should really break down this,
*if (from_uri!=myself && uri!=myself)*
into something like this for clarity,
*if (from_uri!=myself) { *
* if (uri!=myself) {*
* # neither source nor destination is our user*
* } else {*
* # source is not our user but destination is our user*
* };*
*} else {*
* if (uri!=myself) {*
* # source is our user but destination is not our user*
* } else {*
* # both source and destination are our users*
* };*
*};*
Hope this helps.
Thank you.
Post by g***@public.gmane.org
Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime
Integration
using Asterisk Database" (http://kb.asipto.com/
asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main
difference in my setup compared to that one is that I
continued use of
Kamailio's database.
I decided to put Kamailio and through it Asterisk
reachable from
internet.
I have tried to configure Asterisk so that only calls of
registered
users
would be possible, and they could only call to other registered
users or
conference rooms and echo test number.
I ensured that there was no online users with kamctl
online. Then I
launched MicroSIP (www.microsip.org), but I did not
defined account, I
simply set the protocol to tls and media encryption to mandatory,
because
I'm using these.
extension) getting "unauthorized". And that was what I wanted.
But if there is online users, calls go through, and
incoming call is
coming from Asterisk (in syslog I can find out that
src_user=asterisk).
Kamailio and Asterisk are listening the same IP address,
but different
port. I have refused connections to the Asterisk's port
with iptables.
I have defined my public IP address as domain in sip.conf.
There is
also
other domain defined which corresponds to users' domain I
am using in
Kamailio's database.
In kamailio.cfg there is if statement which prevents Kamailio not
to be
if (from_uri!=myself && uri!=myself)
...
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I
somewhat
think
that this is not a final solution.
I have not found from log files such information which would have
helped
me. I have not yet investigated this problem so much that I could
tell the
logic behind the selection of online user's identity which
is used.
However, if I make a call to conference room I notice that
Asterisk is
thinking that one of online users has joined the conference.
If I can recall correctly, I started with Kamailio version
3.2, and
integrated it with Asterisk 11 (currently 11.10.2). Is
there something
which has changed in Kamailio, but what I have not changed
in my setup
which could explain this.
Best,
Teijo
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
mailing
list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Tämä viestin rungon osa siirretään pyydettäessä.
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Cibin Paul
2014-07-21 15:39:30 UTC
Permalink
Hello,

If you want to check call authentication, you can perform the following.

CASE 1: Outside caller initiating a call to a user with the callerid set to a valid username(callerid) in Kamailio

You will get the IP address from which the call is originated using ${SIPURI}. Basically you have to strip the ip address from ${SIPURI}. You can compare the same with the ip in location table of kamailio. If same, the call is from a registered user, otherwise some one is using the same callerid as of a registered user which you can send to a different context.

CASE 2: CALLERID not set or a different pattern other than your users

In this case you can straight away send the call to a different context.

You can check this condition using an AGI.

Regards
Cibin
Post by g***@public.gmane.org
Hello,
This problem seems not to happen when Kamailio is not in use.
I'd like to handle registrations etc. in Kamailio, but I do not know how to do it without suffering from this problem.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
I'd like to allow calls to my users from anyone, but I'd like to have
control over those calls so that I could suppose that they go tocontext
I want - let's say that that context would be unauth. But as said, this
is not the case currently.
Sorry, but I cannot figure out what condition for checking call
authentication could be.
http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb
for Kamailio - Asterisk realtime integration. Only exception I have is
that I use Kamailio's database for user authentication, and that I have
no Asterisk database.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Is this part of your setup to allow anyone to call any extension, but
handle this unauthenticated calls in a different context? If so, will
the following entry works for you?
Create a peer of kamailio in sip.conf
[kamailio]
Type=peer
Host=kamailio ip
Port= kamailio port
.
.
.
context= some context where all calls should be handled.
In extensions.conf
[context]
exten => _X.,1, GotoIf([condition for checking call
authentication]?:auth:unauth)
Same = n(auth),Goto(context of authenticated call)
Same = n(unauth),Goto(context of unauthenticated call)
.
.
.
Cibin
Post by Teijo Burman
Yes, you are correct. But let's say that user A is online. Now
happens is as follows: Suppose that 5000 is extension which should
only has limited access, for example users A and B have this
extension in their contexts. Now however, when A is online, any
unauthenticated call is handled in A's context so anybody could get
A's privileges.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Let me understand this. You have an extension 4000 which is online.
If some one which is not even a registered user calls the extension
Correct if I am wrong.
As far as I understand , you have configured this box as a PBX where
only registered users can communicate. If that is the case, can you
do a lookup in location table wether the originating caller is
actually online? By this you can check wether the originating call
is from a valid source. If not, Hangup the call.
Regards
Cibin
Post by g***@public.gmane.org
Hello,
The problem are unauthenticated calls - calls from somebody from
outside to my server. Kamailio accepts these calls, because
destination is my server. This happen if somebody calls to
address both Kamailio and Asterisk are listening to. This is not
problem if there are no online friends/peers in Asterisk, because
then incoming call goes to context I have defined for incoming
calls. But if there are online friends/peers in Asterisk, calls
goes to online friend's/peer's context. I think this happens
because one of the methods Asterisk decides to put incoming calls
to given context is IP address. Now all the calls come from
Kamailio - ie. from the same IP. I think that when Asterisk is
considering what to do with incoming call, it detects that there is
registration(s) from Kamailio's IP, and concludes that this
incoming call belongs to thiskinds of peer's context, and this
causes problem. Likely Asterisk put it to th
e peer's context who has in the first place in its registered peers list.
Post by g***@public.gmane.org
Post by Teijo Burman
Post by g***@public.gmane.org
Post by g***@public.gmane.org
I do not know what to do for this in Asterisk. I think - but I'm
not sure at all - that refusing to forward such calls to Asterisk
whose domain is Kamailio's IP - could solve this. But if this would
be the solution, I do not know what I should do in Kamailio. Well,
# if caller is not local subscriber, then check if it calls
# a local destination, otherwise deny, not an open relay here
if (from_uri!=myself && uri!=myself)
is the place where I should do modification, but what the modified
if statement should exactly be, I am not sure.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Can you elaborate on your issue. who is handling registration and
how is the call flow?
Regards
Cibin
Post by g***@public.gmane.org
Hello,
Well, this is still problem for me.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
allowguest=no
contactpermit=kamailio.ip.addr.ess
I also have tried the approach that I have peer kamailio, but then all
calls seems to go to to the context defined for kamailio peer. I do not
know how I could in that case handle individual calls - for example
determine if given phone can call to given number or not.
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Try allow* allowguest=no *in sip.conf [general] context and create a
peer for kamailio in sip.comf
Regards
Cibin
Post by g***@public.gmane.org
Hello,
There is a message "Possible Security issue with Kamailio - Asterisk
http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
I think the problem I have is somewhat similar.
Should I suppose that there is a security risk in Kamailio - Asterisk
realtime integration, and if this is a case what I can do to eliminate
this risk?
Best,
Teijo
Post by g***@public.gmane.org
Hello,
Has anybody any solution or suggestion?
If I for example launch MicroSIP (no doubt it could be some other SIP
call is established, if there is online user/users. Naturally this
incoming call should be handled by Asterisk in context where I have
defined unauthorized calls are handled, but in stead, the call goes
online user's context.
To get this situation I don't need to define any account
information in
MicroSIP.
I have not set passwords for users in Asterisk to avoid double
authorization. May this cause the behavior? I have not set
default user
or from user in my peer definitions. I am not registering Kamailio to
Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
I do not know what direction to go to. I would be happy, if I
should not
go to the trial and error path so any help is welcome.
Thanks in advance,
Teijo
Post by g***@public.gmane.org
Hello,
If one places call, and tell that "my from domain is your
Kamailio's
IP", call is established, because Asterisk accepts requests from
Kamailio. One problem is that it's unpredictable in this
case what is
the context where thiskind of call is handled by Asterisk.
This situation requires that I change something in my setup.
If I decide
accept calls only from my users, I suppose that it can be
quite easily
done by modifying if statement referred below or at least by
applying
http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
However, I'm somewhat unsure what should I do, if I decide
to accept
calls from any caller - not only from my users.
Best,
Teijo
Post by Muhammad Shahzad
Well, this
*if (from_uri!=myself && uri!=myself)*
Means neither source nor destination is our user. Which
implies that
if our
domain is A, then call from domain "B to C" is not
possible. However,
calls
from "B or C to A" and "A to B or C" are possible. That is way an
unauthorized user gets passed and reaches asterisk.
Asterisk accepts it
since call is coming from kamailio and tries to route it back to
kamailio,
where kamailio finds user online and thus it goes through.
You should really break down this,
*if (from_uri!=myself && uri!=myself)*
into something like this for clarity,
*if (from_uri!=myself) { *
* if (uri!=myself) {*
* # neither source nor destination is our user*
* } else {*
* # source is not our user but destination is our user*
* };*
*} else {*
* if (uri!=myself) {*
* # source is our user but destination is not our user*
* } else {*
* # both source and destination are our users*
* };*
*};*
Hope this helps.
Thank you.
Post by g***@public.gmane.org
Hello,
I'm using Kamailio version 4.1.4+precise (amd64).
I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime
Integration
using Asterisk Database" (http://kb.asipto.com/
asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb).
One main
difference in my setup compared to that one is that I
continued use of
Kamailio's database.
I decided to put Kamailio and through it Asterisk
reachable from
internet.
I have tried to configure Asterisk so that only calls of
registered
users
would be possible, and they could only call to other registered
users or
conference rooms and echo test number.
I ensured that there was no online users with kamctl
online. Then I
launched MicroSIP (www.microsip.org), but I did not
defined account, I
simply set the protocol to tls and media encryption to
mandatory,
because
I'm using these.
xxx is
extension) getting "unauthorized". And that was what I wanted.
But if there is online users, calls go through, and
incoming call is
coming from Asterisk (in syslog I can find out that
src_user=asterisk).
Kamailio and Asterisk are listening the same IP address,
but different
port. I have refused connections to the Asterisk's port
with iptables.
I have defined my public IP address as domain in sip.conf.
There is
also
other domain defined which corresponds to users' domain I
am using in
Kamailio's database.
In kamailio.cfg there is if statement which prevents
Kamailio not
to be
if (from_uri!=myself && uri!=myself)
...
if (from_uri!=myself || uri!=myself)
I get what I want this time: no calls from outside, but I
somewhat
think
that this is not a final solution.
I have not found from log files such information which
would have
helped
me. I have not yet investigated this problem so much that
I could
tell the
logic behind the selection of online user's identity which
is used.
However, if I make a call to conference room I notice that
Asterisk is
thinking that one of online users has joined the conference.
If I can recall correctly, I started with Kamailio version
3.2, and
integrated it with Asterisk 11 (currently 11.10.2). Is
there something
which has changed in Kamailio, but what I have not changed
in my setup
which could explain this.
Best,
Teijo
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
mailing
list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Tämä viestin rungon osa siirretään pyydettäessä.
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Daniel Tryba
2014-07-21 17:01:17 UTC
Permalink
Post by Cibin Paul
You will get the IP address from which the call is originated using
${SIPURI}. Basically you have to strip the ip address from ${SIPURI}. You
can compare the same with the ip in location table of kamailio.
OT: SIPURI is parsed/constructed from the INVITE. CHANNEL(recvip) will give
you the ip addr of the remote socket.
Teijo
2014-07-21 18:29:11 UTC
Permalink
Thank you both for your replies which made me to get more familiar with
Asterisk's features/possibilities.

Is there something I could do with Kamailio to manage the problem?

Best,

Teijo
Post by Daniel Tryba
Post by Cibin Paul
You will get the IP address from which the call is originated using
${SIPURI}. Basically you have to strip the ip address from ${SIPURI}. You
can compare the same with the ip in location table of kamailio.
OT: SIPURI is parsed/constructed from the INVITE. CHANNEL(recvip) will give
you the ip addr of the remote socket.
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Loading...