Hello,

Try allowguest=no in sip.conf [general] context and create a peer for kamailio in sip.conf.
Regards
Cibin

On 17-Jul-2014, at 12:52 pm, g.aloi...@gmail.com wrote:

> Hello,
>
> There is a message "Possible Security issue with Kamailio - Asterisk Realtime integration" in the Asterisk users mailing list:
>
> http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
>
> I think the problem I have is somewhat similar.
>
> Should I suppose that there is a security risk in Kamailio - Asterisk realtime integration, and if this is the case, what can I do to eliminate this risk?
>
> Best,
>
> Teijo
>
> 16.7.2014 9:44, g.aloi...@gmail.com wrote:
>> Hello,
>>
>> Does anybody have any solution or suggestion?
>>
>> If I for example launch MicroSIP (no doubt it could be some other SIP client) and simply call:
>>
>> sip:some_extens...@my.public.ip.address
>>
>> the call is established if there are online users. Naturally this incoming call should be handled by Asterisk in the context where I have defined that unauthorized calls are handled, but instead the call goes to the online user's context.
>>
>> To get this situation I don't need to define any account information in MicroSIP.
>>
>> I have not set passwords for users in Asterisk to avoid double authorization. May this cause the behavior? I have not set default user or from user in my peer definitions. I am not registering Kamailio to Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
>>
>> I do not know what direction to go in. I would be happy if I did not have to go down the trial and error path, so any help is welcome.
>>
>> Thanks in advance,
>>
>> Teijo
>>
>>
>> 14.7.2014 9:06, g.aloi...@gmail.com wrote:
>>> Hello,
>>>
>>> If one places a call and says "my from domain is your Kamailio's IP", the call is established, because Asterisk accepts requests from Kamailio. One problem is that in this case it is unpredictable which context this kind of call is handled in by Asterisk.
>>>
>>> This situation requires that I change something in my setup.
>>> If I decide to accept calls only from my users, I suppose that it can be quite easily done by modifying the if statement referred to below, or at least by applying the instructions found here:
>>>
>>> http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
>>>
>>> However, I'm somewhat unsure what I should do if I decide to accept calls from any caller - not only from my users.
>>>
>>> Best,
>>>
>>> Teijo
>>>
>>> 12.7.2014 19:36, Muhammad Shahzad wrote:
>>>> Well, this
>>>>
>>>> if (from_uri!=myself && uri!=myself)
>>>>
>>>> means neither source nor destination is our user. Which implies that if our domain is A, then a call from domain "B to C" is not possible. However, calls from "B or C to A" and "A to B or C" are possible. That is why an unauthorized user gets passed and reaches Asterisk. Asterisk accepts it since the call is coming from Kamailio and tries to route it back to Kamailio, where Kamailio finds the user online and thus it goes through.
>>>>
>>>> You should really break this down,
>>>>
>>>> if (from_uri!=myself && uri!=myself)
>>>>
>>>> into something like this for clarity:
>>>>
>>>> if (from_uri!=myself) {
>>>>     if (uri!=myself) {
>>>>         # neither source nor destination is our user
>>>>     } else {
>>>>         # source is not our user but destination is our user
>>>>     };
>>>> } else {
>>>>     if (uri!=myself) {
>>>>         # source is our user but destination is not our user
>>>>     } else {
>>>>         # both source and destination are our users
>>>>     };
>>>> };
>>>>
>>>> Hope this helps.
>>>>
>>>> Thank you.
>>>>
>>>>
>>>> On Fri, Jul 11, 2014 at 5:36 PM, <g.aloi...@gmail.com> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I'm using Kamailio version 4.1.4+precise (amd64).
>>>>>
>>>>> I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration using Asterisk Database" (http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb). One main difference in my setup compared to that one is that I continued using Kamailio's database.
>>>>>
>>>>> The problem is as follows:
>>>>>
>>>>> I decided to make Kamailio, and through it Asterisk, reachable from the internet. I have tried to configure Asterisk so that only calls from registered users would be possible, and they could only call other registered users or conference rooms and the echo test number.
>>>>>
>>>>> Then I took the following steps:
>>>>>
>>>>> I ensured with kamctl online that there were no online users. Then I launched MicroSIP (www.microsip.org), but I did not define an account; I simply set the protocol to TLS and media encryption to mandatory, because I'm using these.
>>>>>
>>>>> I called an extension with x...@my.public.ip.address (where xxx is the extension), getting "unauthorized". And that was what I wanted.
>>>>>
>>>>> But if there are online users, calls go through, and the incoming call is coming from Asterisk (in syslog I can find out that src_user=asterisk).
>>>>>
>>>>> Kamailio and Asterisk are listening on the same IP address, but on different ports. I have refused connections to Asterisk's port with iptables.
>>>>>
>>>>> I have defined my public IP address as a domain in sip.conf. There is also another domain defined which corresponds to the users' domain I am using in Kamailio's database.
>>>>>
>>>>> In kamailio.cfg there is an if statement which prevents Kamailio from being an open relay:
>>>>>
>>>>> if (from_uri!=myself && uri!=myself)
>>>>> ...
>>>>>
>>>>> If I change this to, for example:
>>>>>
>>>>> if (from_uri!=myself || uri!=myself)
>>>>>
>>>>> I get what I want this time: no calls from outside, but I somewhat think that this is not a final solution.
>>>>>
>>>>> I have not found in the log files any information which would have helped me. I have not yet investigated this problem so much that I could tell the logic behind the selection of the online user's identity which is used. However, if I make a call to a conference room, I notice that Asterisk thinks that one of the online users has joined the conference.
>>>>>
>>>>> If I recall correctly, I started with Kamailio version 3.2 and integrated it with Asterisk 11 (currently 11.10.2). Is there something which has changed in Kamailio, but which I have not changed in my setup, which could explain this?
>>>>>
>>>>> Best,
>>>>>
>>>>> Teijo
>>>>>
>>>>> _______________________________________________
>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>>>> sr-users@lists.sip-router.org
>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
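The four-way split Muhammad Shahzad proposes only closes the hole once each branch actually enforces something. In the setup described in the thread, a caller who simply puts Kamailio's domain (or public IP) into the From header satisfies from_uri == myself without ever authenticating, so the INVITE is relayed to Asterisk, which trusts Kamailio's address and routes it back as if it came from a local user. The following is an added example written for this page, not code from any of the posters or from the Kamailio or Asterisk projects, showing how that split can be written in kamailio.cfg so that the "source claims to be our user" branches require digest authentication unless the request comes from the Asterisk instance itself. It assumes the stock 4.x configuration structure (auth_db, auth, sl, tm, textops, siputils and xlog modules loaded, alias= entries covering both the public IP and the users' domain so that myself matches both); the ASTERISK_IP and ASTERISK_PORT values, the route name RELAYCHECK and the X-Kamailio-Auth marker header are placeholders for this example.

```cfg
# Added example (not from the thread or from Kamailio itself).
# Assumes: auth_db, auth, sl, tm, textops, siputils, xlog loaded; the
# "alias=" lines list both the public IP and the users' domain, so that
# the "myself" keyword matches either one.

#!define ASTERISK_IP "203.0.113.10"   # placeholder: Asterisk shares Kamailio's host here
#!define ASTERISK_PORT 5080           # placeholder: port Asterisk listens on

route[RELAYCHECK] {
    # Only initial INVITEs need this check; in-dialog requests are handled
    # by the loose_route() / has_totag() branch of request_route.
    if (!is_method("INVITE") || has_totag()) return;

    if (from_uri == myself) {
        # The caller *claims* to be one of our users. Calls that Asterisk
        # routes back to us are trusted by source address AND port (the two
        # services share one IP in the thread's setup, so the IP alone is
        # not enough); everyone else must back the claim with credentials.
        if (!($si == ASTERISK_IP && $sp == ASTERISK_PORT)) {
            # flags "1": the From user must equal the authenticated user, so a
            # caller cannot authenticate as alice and send From: bob
            if (!auth_check("$fd", "subscriber", "1")) {
                auth_challenge("$fd", "0");
                exit;
            }
            consume_credentials();
        }
        if (uri == myself) {
            xlog("L_INFO", "our user $fU -> our user $rU\n");
        } else {
            xlog("L_INFO", "our user $fU -> external $ru\n");
        }
        return;
    }

    # From this point on from_uri is NOT ours.
    if (uri == myself) {
        # External caller to one of our users: allowed through, but marked so
        # the Asterisk dialplan can send it to its "unauthenticated" context
        # instead of treating it as a local user (header name is a placeholder).
        xlog("L_INFO", "external $fu -> our user $rU (unauthenticated)\n");
        append_hf("X-Kamailio-Auth: none\r\n");
        return;
    }

    # Neither side is ours: pure third-party relay, refuse it.
    sl_send_reply("403", "Not relaying");
    exit;
}
```

Call route(RELAYCHECK) from request_route after the loose_route()/has_totag() handling and before the request is forwarded to Asterisk. Note that this check is stronger than the original `from_uri!=myself && uri!=myself` only because the from_uri == myself branch now challenges unauthenticated sources; the `||` variant Teijo tried blocks the external caller but also refuses the legitimate "external to our user" and "our user to external" cases. On the Asterisk side, Cibin's allowguest=no plus a [kamailio] peer means Asterisk only accepts INVITEs from Kamailio's address, so a marker like the header above (or a distinct destination) is what is left to distinguish an authenticated user from an external caller in the dialplan.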