Hello,

Let me understand this. You have an extension 4000 which is online. If someone
who is not even a registered user calls the extension 4000 using
4...@your.public.ip.address, the call will get connected. Correct me if I am
wrong.
As far as I understand, you have configured this box as a PBX where only
registered users can communicate. If that is the case, can you do a lookup in
the location table whether the originating caller is actually online? By this you
can check whether the originating call is from a valid source. If not, hang up
the call.

Regards
Cibin


On 19-Jul-2014, at 5:30 pm, Teijo <g.aloi...@gmail.com> wrote:

> Hello,
> 
> The problem is unauthenticated calls - calls from somebody from outside to 
> my server. Kamailio accepts these calls, because destination is my server. 
> This happens if somebody calls to some_extens...@my.public.ip.address. My 
> public IP refers to the address both Kamailio and Asterisk are listening to. 
> This is not a problem if there are no online friends/peers in Asterisk, because 
> then incoming call goes to context I have defined for incoming calls. But if 
> there are online friends/peers in Asterisk, calls go to online 
> friend's/peer's context. I think this happens because one of the methods 
> Asterisk decides to put incoming calls to given context is IP address. Now 
> all the calls come from Kamailio - i.e. from the same IP. I think that when 
> Asterisk is considering what to do with incoming call, it detects that there 
> is registration(s) from Kamailio's IP, and concludes that this incoming call 
> belongs to this kind of peer's context, and this causes problem. Likely 
> Asterisk puts it to the context of the peer who is in the first place in its 
> registered peers list.
> 
> I do not know what to do for this in Asterisk. I think - but I'm not sure at 
> all - that refusing to forward such calls to Asterisk whose domain is 
> Kamailio's IP - could solve this. But if this would be the solution, I do not 
> know what I should do in Kamailio. Well, I suppose that the if statement in 
> kamailio.cfg:
> 
>       # if caller is not local subscriber, then check if it calls
>       # a local destination, otherwise deny, not an open relay here
>       if (from_uri!=myself && uri!=myself)
> 
> is the place where I should make the modification, but what the modified if 
> statement should exactly be, I am not sure.
> 
> Best,
> 
> Teijo
> 
> 19.7.2014 14:16, Cibin Paul wrote:
>> Hello,
>> 
>> Can you elaborate on your issue? Who is handling registration and how is the 
>> call flow?
>> 
>> Regards
>> Cibin
>> 
>> 
>> On 19-Jul-2014, at 4:34 pm, Teijo <g.aloi...@gmail.com> wrote:
>> 
>>> Hello,
>>> 
>>> Well, this is still a problem for me.
>>> 
>>> Best,
>>> 
>>> Teijo
>>> 
>>> 17.7.2014 11:22, g.aloi...@gmail.com wrote:
>>>> Hello,
>>>> 
>>>> I have:
>>>> 
>>>> allowguest=no
>>>> contactpermit=kamailio.ip.addr.ess
>>>> 
>>>> I also have tried the approach that I have peer kamailio, but then all
>>>> calls seem to go to the context defined for kamailio peer. I do not
>>>> know how I could in that case handle individual calls - for example
>>>> determine if given phone can call to given number or not.
>>>> 
>>>> Best,
>>>> 
>>>> Teijo
>>>> 
>>>> 17.7.2014 10:48, Cibin Paul wrote:
>>>>> Hello,
>>>>> 
>>>>> Try *allowguest=no* in sip.conf [general] context and create a
>>>>> peer for kamailio in sip.conf
>>>>> 
>>>>> 
>>>>> Regards
>>>>> Cibin
>>>>> 
>>>>> 
>>>>> 
>>>>> 17.7.2014 10:22, g.aloi...@gmail.com wrote:
>>>>>> 
>>>>>> Hello,
>>>>>> 
>>>>>> There is a message "Possible Security issue with Kamailio - Asterisk
>>>>>> Realtime integration" in Asterisk users mailing list:
>>>>>> 
>>>>>> http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
>>>>>> 
>>>>>> I think the problem I have is somewhat similar.
>>>>>> 
>>>>>> Should I suppose that there is a security risk in Kamailio - Asterisk
>>>>>> realtime integration, and if this is a case what I can do to eliminate
>>>>>> this risk?
>>>>>> 
>>>>>> Best,
>>>>>> 
>>>>>> Teijo
>>>>>> 
>>>>>> 16.7.2014 9:44, g.aloi...@gmail.com wrote:
>>>>>>> Hello,
>>>>>>> 
>>>>>>> Has anybody any solution or suggestion?
>>>>>>> 
>>>>>>> If I for example launch MicroSIP (no doubt it could be some other SIP
>>>>>>> client), and simply call:
>>>>>>> 
>>>>>>> sip:some_extens...@my.public.ip.address
>>>>>>> 
>>>>>>> call is established, if there is online user/users. Naturally this
>>>>>>> incoming call should be handled by Asterisk in context where I have
>>>>>>> defined unauthorized calls are handled, but instead, the call goes
>>>>>>> to online user's context.
>>>>>>> 
>>>>>>> To get this situation I don't need to define any account information in
>>>>>>> MicroSIP.
>>>>>>> 
>>>>>>> I have not set passwords for users in Asterisk to avoid double
>>>>>>> authorization. May this cause the behavior? I have not set default user
>>>>>>> or from user in my peer definitions. I am not registering Kamailio to
>>>>>>> Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
>>>>>>> 
>>>>>>> I do not know what direction to go to. I would be happy, if I should not
>>>>>>> go to the trial and error path so any help is welcome.
>>>>>>> 
>>>>>>> Thanks in advance,
>>>>>>> 
>>>>>>> Teijo
>>>>>>> 
>>>>>>> 
>>>>>>> 14.7.2014 9:06, g.aloi...@gmail.com wrote:
>>>>>>>> Hello,
>>>>>>>> 
>>>>>>>> If one places call, and tells that "my from domain is your Kamailio's
>>>>>>>> IP", call is established, because Asterisk accepts requests from
>>>>>>>> Kamailio. One problem is that it's unpredictable in this case what is
>>>>>>>> the context where this kind of call is handled by Asterisk.
>>>>>>>> 
>>>>>>>> This situation requires that I change something in my setup. If I decide
>>>>>>>> to accept calls only from my users, I suppose that it can be quite easily
>>>>>>>> done by modifying if statement referred below or at least by applying
>>>>>>>> instructions found here:
>>>>>>>> 
>>>>>>>> http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> However, I'm somewhat unsure what should I do, if I decide to accept
>>>>>>>> calls from any caller - not only from my users.
>>>>>>>> 
>>>>>>>> Best,
>>>>>>>> 
>>>>>>>> Teijo
>>>>>>>> 
>>>>>>>> 12.7.2014 19:36, Muhammad Shahzad wrote:
>>>>>>>>> Well, this
>>>>>>>>> 
>>>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>>>> 
>>>>>>>>> means neither source nor destination is our user. Which implies that if our
>>>>>>>>> domain is A, then call from domain "B to C" is not possible. However, calls
>>>>>>>>> from "B or C to A" and "A to B or C" are possible. That is why an
>>>>>>>>> unauthorized user gets passed and reaches asterisk. Asterisk accepts it
>>>>>>>>> since call is coming from kamailio and tries to route it back to kamailio,
>>>>>>>>> where kamailio finds user online and thus it goes through.
>>>>>>>>> 
>>>>>>>>> You should really break down this,
>>>>>>>>> 
>>>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>>>> 
>>>>>>>>> into something like this for clarity,
>>>>>>>>> 
>>>>>>>>> if (from_uri!=myself) {
>>>>>>>>>    if (uri!=myself) {
>>>>>>>>>        # neither source nor destination is our user
>>>>>>>>>    } else {
>>>>>>>>>        # source is not our user but destination is our user
>>>>>>>>>    };
>>>>>>>>> } else {
>>>>>>>>>    if (uri!=myself) {
>>>>>>>>>        # source is our user but destination is not our user
>>>>>>>>>    } else {
>>>>>>>>>        # both source and destination are our users
>>>>>>>>>    };
>>>>>>>>> };
>>>>>>>>> 
>>>>>>>>> Hope this helps.
>>>>>>>>> 
>>>>>>>>> Thank you.
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On Fri, Jul 11, 2014 at 5:36 PM, <g.aloi...@gmail.com> wrote:
>>>>>>>>> 
>>>>>>>>>> Hello,
>>>>>>>>>> 
>>>>>>>>>> I'm using Kamailio version 4.1.4+precise (amd64).
>>>>>>>>>> 
>>>>>>>>>> I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration
>>>>>>>>>> using Asterisk Database"
>>>>>>>>>> (http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb).
>>>>>>>>>> One main difference in my setup compared to that one is that I continued
>>>>>>>>>> use of Kamailio's database.
>>>>>>>>>> 
>>>>>>>>>> The problem is as follows:
>>>>>>>>>> 
>>>>>>>>>> I decided to put Kamailio and through it Asterisk reachable from internet.
>>>>>>>>>> I have tried to configure Asterisk so that only calls of registered users
>>>>>>>>>> would be possible, and they could only call to other registered users or
>>>>>>>>>> conference rooms and echo test number.
>>>>>>>>>> 
>>>>>>>>>> Then I took the following steps:
>>>>>>>>>> 
>>>>>>>>>> I ensured that there were no online users with kamctl online. Then I
>>>>>>>>>> launched MicroSIP (www.microsip.org), but I did not define an account, I
>>>>>>>>>> simply set the protocol to tls and media encryption to mandatory, because
>>>>>>>>>> I'm using these.
>>>>>>>>>> 
>>>>>>>>>> I called to extension with x...@my.public.ip.address (where xxx is
>>>>>>>>>> extension) getting "unauthorized". And that was what I wanted.
>>>>>>>>>> 
>>>>>>>>>> But if there are online users, calls go through, and incoming call is
>>>>>>>>>> coming from Asterisk (in syslog I can find out that src_user=asterisk).
>>>>>>>>>> 
>>>>>>>>>> Kamailio and Asterisk are listening on the same IP address, but different
>>>>>>>>>> port. I have refused connections to the Asterisk's port with iptables.
>>>>>>>>>> 
>>>>>>>>>> I have defined my public IP address as domain in sip.conf. There is also
>>>>>>>>>> other domain defined which corresponds to users' domain I am using in
>>>>>>>>>> Kamailio's database.
>>>>>>>>>> 
>>>>>>>>>> In kamailio.cfg there is an if statement which prevents Kamailio from
>>>>>>>>>> being an open relay:
>>>>>>>>>> 
>>>>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>>>>> ...
>>>>>>>>>> 
>>>>>>>>>> If I change this for example:
>>>>>>>>>> 
>>>>>>>>>> if (from_uri!=myself || uri!=myself)
>>>>>>>>>> 
>>>>>>>>>> I get what I want this time: no calls from outside, but I somewhat think
>>>>>>>>>> that this is not a final solution.
>>>>>>>>>> 
>>>>>>>>>> I have not found from log files such information which would have helped
>>>>>>>>>> me. I have not yet investigated this problem so much that I could tell the
>>>>>>>>>> logic behind the selection of online user's identity which is used.
>>>>>>>>>> However, if I make a call to conference room I notice that Asterisk is
>>>>>>>>>> thinking that one of online users has joined the conference.
>>>>>>>>>> 
>>>>>>>>>> If I can recall correctly, I started with Kamailio version 3.2, and
>>>>>>>>>> integrated it with Asterisk 11 (currently 11.10.2). Is there something
>>>>>>>>>> which has changed in Kamailio, but what I have not changed in my setup,
>>>>>>>>>> which could explain this?
>>>>>>>>>> 
>>>>>>>>>> Best,
>>>>>>>>>> 
>>>>>>>>>> Teijo
>>>>>>>>>> 
>>>>>>>>>> _______________________________________________
>>>>>>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing
>>>>>>>>>> list
>>>>>>>>>> sr-users@lists.sip-router.org
>>>>>>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>> 
>>> 
>>> 
>> 
>> 
>> 
> 



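Added example, not taken from the thread or from Kamailio's shipped configuration: one way to write the `if (from_uri!=myself && uri!=myself)` check discussed in this thread for a closed PBX, so that a call from a foreign source to a local extension is refused before it is relayed to Asterisk, combined with the location-table lookup suggested in the latest reply. It assumes a `route[AUTH]` block called from `request_route` for initial requests, the `auth`, `auth_db`, `registrar` and `sl` modules loaded, a `subscriber` table, and that requests arriving from the Asterisk address are accepted by source IP before this route runs; the reply texts are illustrative.

```cfg
# Added example: closed-PBX policy (registered users only).
# Assumptions: called for initial requests only; traffic coming back
# from Asterisk is accepted by source address before this route.
route[AUTH] {
	# Source is not our user (From domain is not local).
	if (from_uri!=myself) {
		if (uri!=myself) {
			# neither source nor destination is our user
			sl_send_reply("403", "Not relaying");
		} else {
			# source is not our user but destination is our user:
			# the case that went through to an online user's context
			sl_send_reply("403", "Calls from registered users only");
		}
		exit;
	}

	# Source claims to be our user. The From header is supplied by the
	# caller, so require digest credentials for that domain. Flag "1"
	# also requires the From user to match the authenticated username.
	if (!auth_check("$fd", "subscriber", "1")) {
		auth_challenge("$fd", "0");
		exit;
	}
	# Do not pass the credentials on to Asterisk.
	if (!is_method("REGISTER|PUBLISH"))
		consume_credentials();

	# Location-table lookup: the authenticated caller must also have
	# a live registration before an INVITE is accepted.
	if (is_method("INVITE") && !registered("location", "$fu")) {
		sl_send_reply("403", "Caller not registered");
		exit;
	}
	return;
}
```

Because every request that reaches Asterisk from Kamailio has then been authenticated against the `subscriber` table, Asterisk's source-IP matching no longer decides which caller a request is attributed to.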