Re: [SR-Users] Unknown caller gets online user's identity

2014-07-19 Thread Teijo

Hello,

Well, this is still a problem for me.

Best,

Teijo

17.7.2014 11:22, g.aloi...@gmail.com wrote:

Hello,

I have:

allowguest=no
contactpermit=kamailio.ip.addr.ess

I also have tried the approach that I have peer kamailio, but then all
calls seem to go to the context defined for kamailio peer. I do not
know how I could in that case handle individual calls - for example
determine if given phone can call to given number or not.

Best,

Teijo

17.7.2014 10:48, Cibin Paul wrote:

Hello,

Try allowguest=no in the sip.conf [general] context and create a
peer for kamailio in sip.conf


Regards
Cibin



17.7.2014 10:22, g.aloi...@gmail.com wrote:

Hello,

There is a message "Possible Security issue with Kamailio - Asterisk
Realtime integration" in Asterisk users mailing list:

http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html

I think the problem I have is somewhat similar.

Should I suppose that there is a security risk in Kamailio - Asterisk
realtime integration, and if this is a case what I can do to eliminate
this risk?

Best,

Teijo

16.7.2014 9:44, g.aloi...@gmail.com wrote:

Hello,

Has anybody any solution or suggestion?

If I for example launch MicroSIP (no doubt it could be some other SIP
client), and simply call:

sip:some_extens...@my.public.ip.address

call is established, if there is online user/users. Naturally this
incoming call should be handled by Asterisk in context where I have
defined unauthorized calls are handled, but instead, the call goes
online user's context.

To get this situation I don't need to define any account information in
MicroSIP.

I have not set passwords for users in Asterisk to avoid double
authorization. May this cause the behavior? I have not set default user
or from user in my peer definitions. I am not registering Kamailio to
Asterisk - I mean I have no peer definition for Kamailio in sip.conf.

I do not know what direction to go to. I would be happy, if I should not
go to the trial and error path so any help is welcome.

Thanks in advance,

Teijo


14.7.2014 9:06, g.aloi...@gmail.com wrote:

Hello,

If one places a call, and tells that my from domain is your Kamailio's
IP, call is established, because Asterisk accepts requests from
Kamailio. One problem is that it's unpredictable in this case what is
the context where this kind of call is handled by Asterisk.

This situation requires that I change something in my setup. If I decide
to accept calls only from my users, I suppose that it can be quite easily
done by modifying if statement referred below or at least by applying
instructions found here:

http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users




However, I'm somewhat unsure what should I do, if I decide to accept
calls from any caller - not only from my users.

Best,

Teijo

12.7.2014 19:36, Muhammad Shahzad wrote:

Well, this

    if (from_uri!=myself && uri!=myself)

means neither source nor destination is our user. Which implies that if
our domain is A, then call from domain B to C is not possible. However,
calls from B or C to A and A to B or C are possible. That is why an
unauthorized user gets passed and reaches asterisk. Asterisk accepts it
since call is coming from kamailio and tries to route it back to
kamailio, where kamailio finds user online and thus it goes through.

You should really break down this,

    if (from_uri!=myself && uri!=myself)

into something like this for clarity,

    if (from_uri!=myself) {
        if (uri!=myself) {
            # neither source nor destination is our user
        } else {
            # source is not our user but destination is our user
        };
    } else {
        if (uri!=myself) {
            # source is our user but destination is not our user
        } else {
            # both source and destination are our users
        };
    };

Hope this helps.

Thank you.




On Fri, Jul 11, 2014 at 5:36 PM, g.aloi...@gmail.com wrote:


Hello,

I'm using Kamailio version 4.1.4+precise (amd64).

I have followed Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration
using Asterisk Database
(http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb).
One main difference in my setup compared to that one is that I continued
use of Kamailio's database.

The problem is as follows:

I decided to put Kamailio and through it Asterisk reachable from
internet. I have tried to configure Asterisk so that only calls of
registered users would be possible, and they could only call to other
registered users or conference rooms and echo test number.

Then I took the following steps:

I ensured that there were no online users with kamctl online. Then I
launched MicroSIP (www.microsip.org), but I did not define an account, I
simply set the protocol to tls and media encryption to mandatory,
because I'm using these.

I called to extension with x...@my.public.ip.address (where xxx is
extension) getting unauthorized. And that was what I wanted.

But if there is online users, 

Re: [SR-Users] Kamailio RtpProxy MHomed

2014-07-19 Thread Moacir Ferreira
I was using an Internet access from Vodafone that has a modem with a SIP ALG
for their phone. Not sure why, this modem would prevent to connect properly.
But Kamailio/rtpproxy was doing what it was supposed to do as it works on a
modem with no ALG.

To fix the posted configuration problem, just flip the internal/external IP
when starting rtpproxy. I think the information on how to start it is
misleading.

Finally, I tested:

Internet - Internet. It works and rtpproxy is not used as supposed to be.
Internet - NATed device arriving at the external interface. It works and here
rtpproxy is used as it is supposed to be.
Internet - NATed device behind Kamailio (internal interface). It works and
here rtpproxy is used as it is supposed to be.

The only remaining test I want to do is between two devices, registered on
internal network, calling each other. Here rtpproxy should not be used as they
are in the same subnet. However, I am afraid it will be used as the check for
NATed devices will always be set as NATed if the call is coming from private
address space (RFC1918). Am I wrong?

Cheers!
Moacir
 
Date: Fri, 18 Jul 2014 00:18:27 +0200
From: mico...@gmail.com
To: sr-users@lists.sip-router.org
Subject: Re: [SR-Users] Kamailio RtpProxy MHomed

On 17/07/14 23:10, Moacir Ferreira wrote:

I have created an environment with the same config and I find the same
problem. While still does not work for video, I have changed (flip) the
public/internal IP addresses on rtpproxy and I can get half call leg
working properly, including video.

However, I am testing video calls. So I got another question on top of
the original post: Can we use rtpproxy also for video or it only
supports voice rtp proxy?

Yes, it works for both audio and video at the same time. As an example,
see my ipv4-ipv6 tutorial where I used it in bridge mode and tested with
video using Jitsi:

- http://kb.asipto.com/kamailio:kamailio-mixed-ipv4-ipv6

Cheers,
Daniel

Cheers,
Mo

Date: Thu, 17 Jul 2014 13:56:53 +0200
From: mico...@gmail.com
To: sr-users@lists.sip-router.org
Subject: Re: [SR-Users] Kamailio RtpProxy MHomed

Hello,

have you looked at sip trace and checked what are the IP addresses in
the SDP? Maybe you need to swap the flags i and e.

You can eventually provide here the incoming invite as well as outgoing
invite, saying what you would expect to be in the outgoing one, so we
can give further hints.

Cheers,
Daniel

On 16/07/14 15:08, Pascal Fautré wrote:

Hi,

I tried to use Kamailio / RTPProxy in mhomed setup without any luck.
I had no problem to configure it with only 1 interface, without mhomed,
everything worked perfectly.

The RTP streams were not established correctly even if I managed to have
the proper IP in the SIP INVITE (C & O).

Versions:

  version: kamailio 4.1.4 (x86_64/linux)
  flags: STATS: Off, USE_TCP, USE_TLS, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, DBG_QM_MALLOC, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
  ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 4MB
  poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
  id: unknown
  compiled on 04:23:19 Jun 13 2014 with gcc 4.7.2

RTPProxy -v:

  Basic version: 20040107
  Extension 20050322: Support for multiple RTP streams and MOH
  Extension 20060704: Support for extra parameter in the V command
  Extension 20071116: Support for RTP re-packetization
  Extension 20071218: Support for forking (copying) RTP stream
  Extension 20080403: Support for RTP statistics querying
  Extension 20081102: Support for setting codecs in the update/lookup command
  Extension

Re: [SR-Users] Unknown caller gets online user's identity

2014-07-19 Thread Cibin Paul
Hello,

Can you elaborate on your issue? Who is handling registration and how is the
call flow?

Regards
Cibin



Re: [SR-Users] Unknown caller gets online user's identity

2014-07-19 Thread Teijo

Hello,

The problem is unauthenticated calls - calls from somebody from
outside to my server. Kamailio accepts these calls, because destination
is my server. This happens if somebody calls to
some_extens...@my.public.ip.address. My public IP refers to the address
both Kamailio and Asterisk are listening to. This is not a problem if
there are no online friends/peers in Asterisk, because then incoming
call goes to context I have defined for incoming calls. But if there are
online friends/peers in Asterisk, calls go to online friend's/peer's
context. I think this happens because one of the methods Asterisk
decides to put incoming calls to given context is IP address. Now all
the calls come from Kamailio - i.e. from the same IP. I think that when
Asterisk is considering what to do with incoming call, it detects that
there is registration(s) from Kamailio's IP, and concludes that this
incoming call belongs to this kind of peer's context, and this causes
problem. Likely Asterisk puts it to the context of the peer who is in the
first place in its registered peers list.

I do not know what to do for this in Asterisk. I think - but I'm not
sure at all - that refusing to forward such calls to Asterisk whose
domain is Kamailio's IP - could solve this. But if this would be the
solution, I do not know what I should do in Kamailio. Well, I suppose
that if statement in kamailio.cfg:

    # if caller is not local subscriber, then check if it calls
    # a local destination, otherwise deny, not an open relay here
    if (from_uri!=myself && uri!=myself)

is the place where I should do modification, but what the modified if
statement should exactly be, I am not sure.


Best,

Teijo


Re: [SR-Users] Unknown caller gets online user's identity

2014-07-19 Thread Cibin Paul
Hello,

Let me understand this. You have an extension 4000 which is online. If someone
who is not even a registered user calls the extension 4000 using
4...@your.public.ip.address, the call will get connected. Correct me if I am
wrong.
As far as I understand, you have configured this box as a PBX where only
registered users can communicate. If that is the case, can you do a lookup in
location table whether the originating caller is actually online? By this you
can check whether the originating call is from a valid source. If not, hang up
the call.

Regards
Cibin



Re: [SR-Users] Unknown caller gets online user's identity

2014-07-19 Thread Teijo Burman
Yes, you are correct. But let's say that user A is online. Now somebody
from somewhere calls sip:5...@my.public.ip.address. What happens is as
follows: Suppose that 5000 is an extension which should only have limited
access, for example users A and B have this extension in their contexts.
Now however, when A is online, any unauthenticated call is handled in
A's context so anybody could get A's privileges.


Best,

Teijo


Re: [SR-Users] Unknown caller gets online user's identity

2014-07-19 Thread Cibin Paul
Hello,

Is this part of your setup to allow anyone to call any extension, but handle
these unauthenticated calls in a different context? If so, will the following
entry work for you?

Create a peer for kamailio in sip.conf:

[kamailio]
type=peer
host=kamailio ip
port=kamailio port
.
.
.
context=some context where all calls should be handled.

In extensions.conf:

[context]
exten = _X.,1,GotoIf($[condition for checking call authentication]?auth:unauth)
same = n(auth),Goto(context of authenticated call)
same = n(unauth),Goto(context of unauthenticated call)
.
.
.

Cibin
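
An added example, not code from any poster in this thread or from the Kamailio project: one way to fill in the four-case breakdown of the if statement discussed above, so that an unauthenticated outside caller is either refused or labelled before the request reaches Asterisk. It assumes the stock kamailio.cfg route[AUTH] layout, the auth, auth_db, sl and textops modules, credentials in Kamailio's "subscriber" table, and two hypothetical names: the header X-Caller-Auth and the define WITH_LOCAL_ONLY.

```kamailio
# Added example. Assumptions: stock kamailio.cfg layout; auth, auth_db, sl
# and textops loaded; digest credentials stored in the "subscriber" table.
# X-Caller-Auth and WITH_LOCAL_ONLY are hypothetical names for this sketch.

route[AUTH] {
	# Never trust a marker supplied by the caller: drop any copy that
	# arrived with the request before making a decision.
	remove_hf("X-Caller-Auth");

	if (is_method("REGISTER") || from_uri==myself) {
		# Source claims to be our user (or wants to register):
		# require digest credentials, whatever the destination is.
		if (!auth_check("$fd", "subscriber", "1")) {
			auth_challenge("$fd", "0");
			exit;
		}
		# credentials verified - do not pass them downstream
		if (!is_method("REGISTER|PUBLISH"))
			consume_credentials();

		# "our user -> our user" and "our user -> elsewhere" both
		# arrive here with a verified identity.
		if (is_method("INVITE"))
			append_hf("X-Caller-Auth: yes\r\n");
		return;
	}

	# From here on the source is NOT our user.
	if (uri!=myself) {
		# neither source nor destination is ours: not an open relay
		sl_send_reply("403", "Not relaying");
		exit;
	}

	# Source is not our user but the destination is. This is the case
	# the combined condition lets through without authentication.
#!ifdef WITH_LOCAL_ONLY
	# Policy A: only authenticated subscribers may place calls.
	sl_send_reply("403", "Forbidden");
	exit;
#!else
	# Policy B: accept outside callers, but label them so the PBX can
	# keep them out of any subscriber's context.
	if (is_method("INVITE"))
		append_hf("X-Caller-Auth: no\r\n");
	return;
#!endif
}
```

With policy B, the context of the kamailio peer in Asterisk can branch on ${SIP_HEADER(X-Caller-Auth)} as the authentication condition. The label is only trustworthy if Asterisk accepts SIP from Kamailio's address alone, since a caller who can reach Asterisk directly can set the header himself.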


 On 19-Jul-2014, at 7:20 pm, Teijo Burman g.aloi...@gmail.com wrote:
 
 Yes, you are correct. But let's say that user A is online. Now somebody from 
 somewhere calls sip:5...@my.public.ip.address. What happens is as follows: 
 Suppose that 5000 is extension which should only has limited access, for 
 example users A and B have this extension in their contexts. Now however, 
 when A is online, any unauthenticated call is handled in A's context so 
 anybody could get A's privileges.
 
 Best,
 
 Teijo
 
 19.7.2014 15:30, Cibin Paul kirjoitti:
 Hello,
 
 Let me understand this. You have an extension 4000 which is online. If some 
 one which is not even a registered user calls the extension 4000 using 
 4...@your.public.ip.address, the call will get connected. Correct if I am 
 wrong.
 As far as I understand , you have configured this box as a PBX where only 
 registered users can communicate. If that is the case, can you do a lookup 
 in location table wether the originating caller is actually online? By this 
 you can check wether  the originating call is from a valid source. If not, 
 Hangup the call.
 
 Regards
 Cibin
 
 
 On 19-Jul-2014, at 5:30 pm, Teijo g.aloi...@gmail.com wrote:
 
 Hello,
 
 The problem is unauthenticated calls - calls from somebody from outside 
 to my server. Kamailio accepts these calls, because the destination is my 
 server. This happens if somebody calls 
 some_extens...@my.public.ip.address. My public IP refers to the address 
 both Kamailio and Asterisk are listening on. This is not a problem if there 
 are no online friends/peers in Asterisk, because then the incoming call goes to 
 the context I have defined for incoming calls. But if there are online 
 friends/peers in Asterisk, calls go to an online friend's/peer's context. I 
 think this happens because one of the methods Asterisk uses to decide to put 
 incoming calls into a given context is the IP address. Now all the calls come from 
 Kamailio - i.e. from the same IP. I think that when Asterisk is considering 
 what to do with an incoming call, it detects that there is registration(s) 
 from Kamailio's IP, and concludes that this incoming call belongs to 
 this kind of peer's context, and this causes the problem. Likely Asterisk puts 
 it into the context of the peer that is in the first place in its registered peers 
 list.
 
 I do not know what to do about this in Asterisk. I think - but I'm not sure 
 at all - that refusing to forward such calls to Asterisk whose domain is 
 Kamailio's IP - could solve this. But if this would be the solution, I do 
 not know what I should do in Kamailio. Well, I suppose that the if statement in 
 kamailio.cfg:
 
# if caller is not local subscriber, then check if it calls
# a local destination, otherwise deny, not an open relay here
if (from_uri!=myself && uri!=myself)
 
 is the place where I should do the modification, but what the modified if 
 statement should exactly be, I am not sure.
 
 Best,
 
 Teijo
 
 19.7.2014 14:16, Cibin Paul wrote:
 Hello,
 
 Can you elaborate on your issue? Who is handling registration and how is 
 the call flow?
 
 Regards
 Cibin
 
 

Re: [SR-Users] Unknown caller gets online user's identity

2014-07-19 Thread Teijo

Hello,

I'd like to allow calls to my users from anyone, but I'd like to have 
control over those calls so that I could suppose that they go to the context 
I want - let's say that that context would be unauth. But as said, this 
is not the case currently.


Sorry, but I cannot figure out what the condition for checking call 
authentication could be.


As I wrote in my first post, I have followed this tutorial:

http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb

for Kamailio - Asterisk realtime integration. The only exception I have is 
that I use Kamailio's database for user authentication, and that I have 
no Asterisk database.


Best,

Teijo

19.7.2014 17:36, Cibin Paul wrote:

Hello,

Is this part of your setup to allow anyone to call any extension, but handle 
these unauthenticated calls in a different context? If so, will the following 
entry work for you?

Create a peer of kamailio in sip.conf
[kamailio]
Type=peer
Host=kamailio ip
Port= kamailio port
.
.
.
context= some context where all calls should be handled.

In extensions.conf

[context]
exten = _X.,1, GotoIf([condition for checking call authentication]?auth:unauth)
Same = n(auth),Goto(context of authenticated call)
Same = n(unauth),Goto(context of unauthenticated call)
.
.
.

Cibin




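The peer-plus-GotoIf approach outlined in the quoted reply above, filled in as an added example that is not part of the thread or of either project's shipped configuration: Kamailio strips and then sets a marker header on INVITEs it has authenticated, and Asterisk branches on that header. The header name X-Auth-User, the route name MARK_AUTH, the address 192.0.2.10 and the context names are assumptions, and the auth, auth_db and textops modules are assumed to be loaded.

```cfg
# ---- kamailio.cfg (fragment): call route(MARK_AUTH) before relaying an INVITE to Asterisk ----
# Assumes auth, auth_db and textops are loaded; X-Auth-User is a hypothetical header name.
route[MARK_AUTH] {
	# Strip any copy of the marker sent by the caller, so only Kamailio can set it.
	remove_hf("X-Auth-User");

	if (is_method("INVITE") && from_uri==myself) {
		# The caller claims a local identity: require digest credentials.
		if (!auth_check("$fd", "subscriber", "1")) {
			auth_challenge("$fd", "0");
			exit;
		}
		# Record who authenticated, then drop the credentials before forwarding.
		append_hf("X-Auth-User: $au\r\n");
		consume_credentials();
	}
	# Callers from foreign domains pass through without the marker.
}

; ---- sip.conf (fragment) ----
[general]
allowguest=no

[kamailio]
type=peer
host=192.0.2.10          ; constructed address standing in for Kamailio's IP
context=from-kamailio    ; every call relayed by Kamailio starts here

; ---- extensions.conf (fragment) ----
[from-kamailio]
; Branch on the marker that only Kamailio can set.
exten => _X.,1,GotoIf($["${SIP_HEADER(X-Auth-User)}" != ""]?auth:unauth)
 same => n(auth),Goto(users,${EXTEN},1)      ; "users": hypothetical context for authenticated callers
 same => n(unauth),Goto(unauth,${EXTEN},1)   ; "unauth": context for everyone else
```

The marker is only meaningful if Asterisk accepts SIP solely from Kamailio's address, since anything that reaches Asterisk directly could set the header itself.
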
Re: [SR-Users] please help with Msilo config

2014-07-19 Thread Miguel Rios
Thanks.
I'll take a look


On Friday, July 18, 2014 8:22 AM, Daniel-Constantin Mierla mico...@gmail.com 
wrote:
 


Hello.

based on discussions so far, I suggest you guide after:

- set the outbound_proxy parameter for msilo module to point to the
proxy address
- do not call m_store(...) if src_ip==myself
- run with debug=3 in kamailio.cfg to see more log messages that can
provide further hints about what is happening

Cheers,
Daniel


On 15/07/14 15:58, Miguel Rios wrote:

Hi list,


I'm a newbie when it comes to kamailio, although I have a fair amount of SIP 
experience.
I'm trying to setup a very basic kamailio install (4.1 on Wheezy) with Msilo 
support.


I just used the default kamailio.cfg file (changing obviously the relevant 
parameters for my setup) and have not touched the routing blocks.
I'm very confused about how routing works, and I don't have a background in C. 
I've read the wiki up and down and have looked at innumerable tutorials spread 
out on the internet (most of which just add to my confusion because they seem 
out of date), but I still don't get it.



I managed to setup a working kamailio server where local users can call each 
other fine. Now when I try to add the msilo module, and especially the routing 
example from MSILO Module is when things get tricky.


I'm sure my error is a fairly basic one and has to do with the routing logic 
and syntax. Could some kind soul please share a copy of the whole ### 
Routing Logic  on downwards for a basic no frills kamailio with msilo 
setup?


Thanks,
Miguel

  
          

 
  




___
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list 
sr-users@lists.sip-router.org 
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users 

-- 
Daniel-Constantin Mierla - http://www.asipto.com http://twitter.com/#!/miconda 
- http://www.linkedin.com/in/miconda


[SR-Users] Outbound registration?

2014-07-19 Thread James Cloos
I don't see anything relevant in the docs, nor grepping the src, but in
case I missed something:

Does the core, or do any of the modules support originating registration
requests to other proxies a/o endpoints?

I'd like to move registration responsibility to kama, and have it add a
header on incoming INVITEs and the like from anything with which it has
REGISTERed indicating which outbound registration is relevant to said
request.

If I'm right that there isn't support for that, do any of the app modules
expose enough sip capability easily to write such?

-JimC
-- 
James Cloos cl...@jhcloos.com OpenPGP: 0x997A9F17ED7DAEA6
