Re: [asterisk-users] PJSIP tight loop on auth failure

2020-10-30 Thread Kingsley Tart 
Hi,

I felt that fail2ban in this instance was a bit too much of a blunt
tool, so I have for now built a workaround by creating a Perl daemon
that watches the output of

ngrep -TT -d $net_if -q -W single Proxy-Authorization port 5060

where $net_if is the network interface.

If it sees more than 5 Proxy-Authorization invites with the same Call-
ID then it blocks the network route for a second.

I've also added a line in the dialplan to put the Asterisk channel name
into a custom SIP header, and if this is found in the INVITE then it
first connects to the AMI to do a Hangup(38) on that channel, which
gives the user a more accurate error.

Every 20 seconds it purges any stateful data it holds that's older than
20 seconds, in order to stop it eating RAM.

It seems to work quite well.

Cheers,
Kingsley.

On Thu, 2020-10-29 at 08:39 +0100, Olivier wrote:
> Hi,
> What if some fail2ban magic could keep OpenSIPs response from hitting
> Asterisk after N attempts ?
> 
> Le mer. 28 oct. 2020 à 18:32, Kingsley Tart - Barritel Ltd <
> kingsley.t...@barritel.com> a écrit :
> > Hi,
> > 
> > We're using Asterisk 13.17.0 with PJSIP 2.8 bundled.
> > 
> > I've found an issue when Asterisk tries to make a SIP call out
> > using
> > auth, but has the wrong credentials and keeps getting returned a
> > SIP
> > 407, in this example to an OpenSIPs server requiring user auth.
> > 
> > Basically this happens:
> > 
> >1. Asterisk sends plain INVITE to OpenSIPs
> >2. OpenSIPs responds with SIP 407 auth required with a Proxy-
> >   Authenticate header
> >3. Asterisk re-sends INVITE to OpenSIPs with Proxy-Authorization
> >   header, but has the wrong password
> >4. goto step 2 and repeat forever
[snip]


-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] Multiple IP addresses and using same IP for outbound calls as inbound

2020-10-30 Thread Jeff LaCoursiere 
I didn't want to post this because its kind of ugly, but we *did* 
actually do it a number of years ago to get around this issue with chan_sip.


Our original architecture was based on LXC, and we had large servers 
running hundreds of containers, each running asterisk.  The "host" ran 
asterisk too, as the gateway for all the container instances.


We once used two of those containers to run asterisk on specific host 
interfaces (one instance bridged to one nic, the other to the other).  
The host asterisk would route calls out one container or the other, with 
the effect you are looking for...


Cheers,

Jeff LaCoursiere
StratusTalk, Inc.


On 10/29/20 7:42 PM, David Cunningham wrote:

Hello,

Does anyone know a way with chan_sip to tell Asterisk to use a 
specific IP address for its end of the communication for a specific 
device? Something like:


[device]
type = friend
host = 11.22.11.22
ouraddress = 33.44.33.44

This is for use on a server with multiple IP addresses. There is the 
"extenip" setting, but it's really designed for NAT, and can only 
appear in the [general] section.


Any suggestions would be greatly appreciated.


On Sat, 24 Oct 2020 at 09:43, David Cunningham 
mailto:dcunning...@voisonics.com>> wrote:


OK, thank you George.


On Sat, 24 Oct 2020 at 03:16, George Joseph mailto:gjos...@digium.com>> wrote:



On Thu, Oct 22, 2020 at 4:13 PM David Cunningham
mailto:dcunning...@voisonics.com>>
wrote:

Hi George,

Thank you for the response. I'm a little unclear on what
you mean by a transport. We're using chan_sip, not pjsip.

Do you mean a device in sip.conf, using bindaddr to set
the address to bind for that device? We've only used
bindaddr in the [general] section before, but if it will
work in a device that could be the answer.


Sorry.  I just assume chan_pjsip these days.  Not sure how
you'd do it for chan_sip.



On Fri, 23 Oct 2020 at 00:13, George Joseph
mailto:gjos...@digium.com>> wrote:



On Wed, Oct 21, 2020 at 9:16 PM David Cunningham
mailto:dcunning...@voisonics.com>> wrote:

Hello,

We have an Asterisk server with two public IP
addresses, let's say 1.1.1.1 and 2.2.2.2. Normally
calls come in to 1.1.1.1 and are bridged with a
call dialled from Asterisk to an external
destination. The external destination sees the SIP
packet as coming from 1.1.1.1 and the media
address in the SDP is 1.1.1.1, which is great.

However if we receive a call in to 2.2.2.2 then
the call dialled from Asterisk to an external
destination still comes from 1.1.1.1, whereas we
want it to come from 2.2.2.2. The source of any
dialled call (the IP packet and the SDP media
address) should be the same as the address the
related inbound call was received to.

For example:
INVITE received to 1.1.1.1:5060
 -> Asterisk dials
destinat...@termination.com
 -> INVITE
sent from 1.1.1.1:5060  to
termination.com 
INVITE received to 2.2.2.2:5060
 -> Asterisk dials
destinat...@pstn.com 
-> INVITE sent from 2.2.2.2:5060
 to pstn.com 

Does anyone know how this can be achieved?


If termination.com  is only on
1.1.1.1 and pstn.com  is only on
2.2.2.2, create 2 transports, one specifically bound
to 1.1.1.1, transport-1.1.1.1 for instance, and
another to 2.2.2.2 :
transport-2.2.2.2.  The names aren't important as long
as you can tell the difference.  Then explicitly
configure endpoint termination.com
's "transport" parameter to
"transport-1.1.1.1" and pstn.com 's
"transport" parameter to "transport-2.2.2.2".   In
your dialplan, you can see which endpoint the call
came in on, and route it out the same endpoint.

If both providers are available from both interfaces,
you can create 2 endpoint for each provider:
termination.com-1.1.1.1, pstn.com-1.1.1.1,

Re: [asterisk-users] Multiple IP addresses and using same IP for outbound calls as inbound

2020-10-30 Thread Jeff LaCoursiere 
I didn't want to post this because its kind of ugly, but we *did* 
actually do it a number of years ago to get around this issue with chan_sip.


Our original architecture was based on LXC, and we had large servers 
running hundreds of containers, each running asterisk.  The "host" ran 
asterisk too, as the gateway for all the container instances.


We once used two of those containers to run asterisk on specific host 
interfaces (one instance bridged to one nic, the other to the other).  
The host asterisk would route calls out one container or the other, with 
the effect you are looking for...


Cheers,

Jeff LaCoursiere
StratusTalk, Inc.


On 10/29/20 7:42 PM, David Cunningham wrote:

Hello,

Does anyone know a way with chan_sip to tell Asterisk to use a 
specific IP address for its end of the communication for a specific 
device? Something like:


[device]
type = friend
host = 11.22.11.22
ouraddress = 33.44.33.44

This is for use on a server with multiple IP addresses. There is the 
"extenip" setting, but it's really designed for NAT, and can only 
appear in the [general] section.


Any suggestions would be greatly appreciated.


On Sat, 24 Oct 2020 at 09:43, David Cunningham 
mailto:dcunning...@voisonics.com>> wrote:


OK, thank you George.


On Sat, 24 Oct 2020 at 03:16, George Joseph mailto:gjos...@digium.com>> wrote:



On Thu, Oct 22, 2020 at 4:13 PM David Cunningham
mailto:dcunning...@voisonics.com>>
wrote:

Hi George,

Thank you for the response. I'm a little unclear on what
you mean by a transport. We're using chan_sip, not pjsip.

Do you mean a device in sip.conf, using bindaddr to set
the address to bind for that device? We've only used
bindaddr in the [general] section before, but if it will
work in a device that could be the answer.


Sorry.  I just assume chan_pjsip these days.  Not sure how
you'd do it for chan_sip.



On Fri, 23 Oct 2020 at 00:13, George Joseph
mailto:gjos...@digium.com>> wrote:



On Wed, Oct 21, 2020 at 9:16 PM David Cunningham
mailto:dcunning...@voisonics.com>> wrote:

Hello,

We have an Asterisk server with two public IP
addresses, let's say 1.1.1.1 and 2.2.2.2. Normally
calls come in to 1.1.1.1 and are bridged with a
call dialled from Asterisk to an external
destination. The external destination sees the SIP
packet as coming from 1.1.1.1 and the media
address in the SDP is 1.1.1.1, which is great.

However if we receive a call in to 2.2.2.2 then
the call dialled from Asterisk to an external
destination still comes from 1.1.1.1, whereas we
want it to come from 2.2.2.2. The source of any
dialled call (the IP packet and the SDP media
address) should be the same as the address the
related inbound call was received to.

For example:
INVITE received to 1.1.1.1:5060
 -> Asterisk dials
destinat...@termination.com
 -> INVITE
sent from 1.1.1.1:5060  to
termination.com 
INVITE received to 2.2.2.2:5060
 -> Asterisk dials
destinat...@pstn.com 
-> INVITE sent from 2.2.2.2:5060
 to pstn.com 

Does anyone know how this can be achieved?


If termination.com  is only on
1.1.1.1 and pstn.com  is only on
2.2.2.2, create 2 transports, one specifically bound
to 1.1.1.1, transport-1.1.1.1 for instance, and
another to 2.2.2.2 :
transport-2.2.2.2.  The names aren't important as long
as you can tell the difference.  Then explicitly
configure endpoint termination.com
's "transport" parameter to
"transport-1.1.1.1" and pstn.com 's
"transport" parameter to "transport-2.2.2.2".   In
your dialplan, you can see which endpoint the call
came in on, and route it out the same endpoint.

If both providers are available from both interfaces,
you can create 2 endpoint for each provider:
termination.com-1.1.1.1, pstn.com-1.1.1.1,

Re: [asterisk-users] Multiple IP addresses and using same IP for outbound calls as inbound

2020-10-30 Thread Dovid Bender 
Run rtp proxy on the asterisk box (not sure if it would work since you
can't use the same ports).

On Thu, Oct 29, 2020 at 11:03 PM David Cunningham 
wrote:

> Hi Dovid,
>
> We can change the SDP in Kamailio, but Asterisk will still send its RTP
> from its default address. The remote end is strict about accepting RTP from
> the specified source and won't accept it. Have you any suggestions to solve
> that problem?
>
> Thank you.
>
>
> On Fri, 30 Oct 2020 at 14:49, Dovid Bender  wrote:
>
>> Why not use OpenSips/Kamailoo in between? Where you want 1.1.1.1 you pass
>> it along as is. Where you want 2.2.2.2 change the sdp in opensips/kamailio
>>
>> On Thu, Oct 29, 2020 at 20:44 David Cunningham 
>> wrote:
>>
>>> Hello,
>>>
>>> Does anyone know a way with chan_sip to tell Asterisk to use a specific
>>> IP address for its end of the communication for a specific device?
>>> Something like:
>>>
>>> [device]
>>> type = friend
>>> host = 11.22.11.22
>>> ouraddress = 33.44.33.44
>>>
>>> This is for use on a server with multiple IP addresses. There is the
>>> "extenip" setting, but it's really designed for NAT, and can only appear in
>>> the [general] section.
>>>
>>> Any suggestions would be greatly appreciated.
>>>
>>>
>>> On Sat, 24 Oct 2020 at 09:43, David Cunningham <
>>> dcunning...@voisonics.com> wrote:
>>>
 OK, thank you George.


 On Sat, 24 Oct 2020 at 03:16, George Joseph  wrote:

>
>
> On Thu, Oct 22, 2020 at 4:13 PM David Cunningham <
> dcunning...@voisonics.com> wrote:
>
>> Hi George,
>>
>> Thank you for the response. I'm a little unclear on what you mean by
>> a transport. We're using chan_sip, not pjsip.
>>
>> Do you mean a device in sip.conf, using bindaddr to set the address
>> to bind for that device? We've only used bindaddr in the [general] 
>> section
>> before, but if it will work in a device that could be the answer.
>>
>
> Sorry.  I just assume chan_pjsip these days.  Not sure how you'd do it
> for chan_sip.
>
>
>
>>
>>
>> On Fri, 23 Oct 2020 at 00:13, George Joseph 
>> wrote:
>>
>>>
>>>
>>> On Wed, Oct 21, 2020 at 9:16 PM David Cunningham <
>>> dcunning...@voisonics.com> wrote:
>>>
 Hello,

 We have an Asterisk server with two public IP addresses, let's say
 1.1.1.1 and 2.2.2.2. Normally calls come in to 1.1.1.1 and are bridged 
 with
 a call dialled from Asterisk to an external destination. The external
 destination sees the SIP packet as coming from 1.1.1.1 and the media
 address in the SDP is 1.1.1.1, which is great.

 However if we receive a call in to 2.2.2.2 then the call dialled
 from Asterisk to an external destination still comes from 1.1.1.1, 
 whereas
 we want it to come from 2.2.2.2. The source of any dialled call (the IP
 packet and the SDP media address) should be the same as the address the
 related inbound call was received to.

 For example:
 INVITE received to 1.1.1.1:5060 -> Asterisk dials
 destinat...@termination.com -> INVITE sent from 1.1.1.1:5060 to
 termination.com
 INVITE received to 2.2.2.2:5060 -> Asterisk dials
 destinat...@pstn.com -> INVITE sent from 2.2.2.2:5060 to pstn.com

 Does anyone know how this can be achieved?

>>>
>>> If termination.com is only on 1.1.1.1 and pstn.com is only on
>>> 2.2.2.2, create 2 transports, one specifically bound to 1.1.1.1,
>>> transport-1.1.1.1 for instance, and another to 2.2.2.2:
>>> transport-2.2.2.2.  The names aren't important as long as you can tell 
>>> the
>>> difference.  Then explicitly configure endpoint termination.com's
>>> "transport" parameter to "transport-1.1.1.1" and pstn.com's
>>> "transport" parameter to "transport-2.2.2.2".   In your dialplan, you 
>>> can
>>> see which endpoint the call came in on, and route it out the same 
>>> endpoint.
>>>
>>> If both providers are available from both interfaces, you can create
>>> 2 endpoint for each provider: termination.com-1.1.1.1, pstn.com-1.1.1.1,
>>> termination.com-2.2.2.2 and pstn.com-2.2.2.2;  Then configure each with 
>>> the
>>> same transports as above.
>>>
>>>
>>>
>>>
>>>

 Thanks in advance for your help,

 --
 David Cunningham, Voisonics Limited
 http://voisonics.com/
 USA: +1 213 221 1092
 New Zealand: +64 (0)28 2558 3782
 --

 _
 -- Bandwidth and Colocation Provided by http://www.api-digital.com
 --

 Check out the new Asterisk community forum at:
 https://community.asterisk.org/

 New to Asterisk? Start here: