Hello,

Is this part of your setup to allow anyone to call any extension, but handle 
these unauthenticated calls in a different context? If so, will the following 
entry work for you?

Create a peer for kamailio in sip.conf:
[kamailio]
type=peer
host=<kamailio ip>
port=<kamailio port>
.
.
.
context=<some context where all calls should be handled>

In extensions.conf

[context]
exten => _X.,1,GotoIf($[condition for checking call authentication]?auth:unauth)
same => n(auth),Goto(context of authenticated call)
same => n(unauth),Goto(context of unauthenticated call)
.
.
.

Cibin


> On 19-Jul-2014, at 7:20 pm, Teijo Burman <g.aloi...@gmail.com> wrote:
> 
> Yes, you are correct. But let's say that user A is online. Now somebody from 
> somewhere calls sip:5...@my.public.ip.address. What happens is as follows: 
> Suppose that 5000 is an extension which should only have limited access, for 
> example users A and B have this extension in their contexts. Now however, 
> when A is online, any unauthenticated call is handled in A's context so 
> anybody could get A's privileges.
> 
> Best,
> 
> Teijo
> 
> 19.7.2014 15:30, Cibin Paul wrote:
>> Hello,
>> 
>> Let me understand this. You have an extension 4000 which is online. If 
>> someone who is not even a registered user calls the extension 4000 using 
>> 4...@your.public.ip.address, the call will get connected. Correct me if I am 
>> wrong.
>> As far as I understand, you have configured this box as a PBX where only 
>> registered users can communicate. If that is the case, can you do a lookup 
>> in the location table whether the originating caller is actually online? By 
>> this you can check whether the originating call is from a valid source. If 
>> not, Hangup the call.
>> 
>> Regards
>> Cibin
>> 
>> 
>>> On 19-Jul-2014, at 5:30 pm, Teijo <g.aloi...@gmail.com> wrote:
>>> 
>>> Hello,
>>> 
>>> The problem is unauthenticated calls - calls from somebody from outside 
>>> to my server. Kamailio accepts these calls, because the destination is my 
>>> server. This happens if somebody calls 
>>> some_extens...@my.public.ip.address. My public IP refers to the address 
>>> both Kamailio and Asterisk are listening to. This is not a problem if there 
>>> are no online friends/peers in Asterisk, because then the incoming call goes 
>>> to the context I have defined for incoming calls. But if there are online 
>>> friends/peers in Asterisk, calls go to an online friend's/peer's context. I 
>>> think this happens because one of the methods Asterisk uses to decide to put 
>>> incoming calls in a given context is the IP address. Now all the calls come 
>>> from Kamailio - i.e. from the same IP. I think that when Asterisk is 
>>> considering what to do with an incoming call, it detects that there is 
>>> registration(s) from Kamailio's IP, and concludes that this incoming call 
>>> belongs to this kind of peer's context, and this causes the problem. Likely 
>>> Asterisk puts it in the context of the peer who is in the first place in its 
>>> registered peers list.
>>> 
>>> I do not know what to do for this in Asterisk. I think - but I'm not sure 
>>> at all - that refusing to forward such calls to Asterisk whose domain is 
>>> Kamailio's IP - could solve this. But if this would be the solution, I do 
>>> not know what I should do in Kamailio. Well, I suppose that if statement in 
>>> kamailio.cfg:
>>> 
>>>    # if caller is not local subscriber, then check if it calls
>>>    # a local destination, otherwise deny, not an open relay here
>>>    if (from_uri!=myself && uri!=myself)
>>> 
>>> is the place where I should do modification, but what the modified if 
>>> statement should exactly be, I am not sure.
>>> 
>>> Best,
>>> 
>>> Teijo
>>> 
>>> 19.7.2014 14:16, Cibin Paul wrote:
>>>> Hello,
>>>> 
>>>> Can you elaborate on your issue? Who is handling registration and how is 
>>>> the call flow?
>>>> 
>>>> Regards
>>>> Cibin
>>>> 
>>>> 
>>>>> On 19-Jul-2014, at 4:34 pm, Teijo <g.aloi...@gmail.com> wrote:
>>>>> 
>>>>> Hello,
>>>>> 
>>>>> Well, this is still a problem for me.
>>>>> 
>>>>> Best,
>>>>> 
>>>>> Teijo
>>>>> 
>>>>> 17.7.2014 11:22, g.aloi...@gmail.com wrote:
>>>>>> Hello,
>>>>>> 
>>>>>> I have:
>>>>>> 
>>>>>> allowguest=no
>>>>>> contactpermit=kamailio.ip.addr.ess
>>>>>> 
>>>>>> I also have tried the approach that I have peer kamailio, but then all
>>>>>> calls seem to go to the context defined for kamailio peer. I do not
>>>>>> know how I could in that case handle individual calls - for example
>>>>>> determine if a given phone can call a given number or not.
>>>>>> 
>>>>>> Best,
>>>>>> 
>>>>>> Teijo
>>>>>> 
>>>>>> 17.7.2014 10:48, Cibin Paul wrote:
>>>>>>> Hello,
>>>>>>> 
>>>>>>> Try allowguest=no in sip.conf [general] context and create a
>>>>>>> peer for kamailio in sip.conf
>>>>>>> 
>>>>>>> 
>>>>>>> Regards
>>>>>>> Cibin
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 17.7.2014 10:22, g.aloi...@gmail.com wrote:
>>>>>>>> Hello,
>>>>>>>> 
>>>>>>>> There is a message "Possible Security issue with Kamailio - Asterisk
>>>>>>>> Realtime integration" in Asterisk users mailing list:
>>>>>>>> 
>>>>>>>> http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
>>>>>>>> 
>>>>>>>> I think the problem I have is somewhat similar.
>>>>>>>> 
>>>>>>>> Should I suppose that there is a security risk in Kamailio - Asterisk
>>>>>>>> realtime integration, and if this is the case, what can I do to
>>>>>>>> eliminate this risk?
>>>>>>>> 
>>>>>>>> Best,
>>>>>>>> 
>>>>>>>> Teijo
>>>>>>>> 
>>>>>>>> 16.7.2014 9:44, g.aloi...@gmail.com wrote:
>>>>>>>>> Hello,
>>>>>>>>> 
>>>>>>>>> Has anybody any solution or suggestion?
>>>>>>>>> 
>>>>>>>>> If I for example launch MicroSIP (no doubt it could be some other SIP
>>>>>>>>> client), and simply call:
>>>>>>>>> 
>>>>>>>>> sip:some_extens...@my.public.ip.address
>>>>>>>>> 
>>>>>>>>> call is established, if there is online user/users. Naturally this
>>>>>>>>> incoming call should be handled by Asterisk in context where I have
>>>>>>>>> defined unauthorized calls are handled, but instead, the call goes
>>>>>>>>> to the online user's context.
>>>>>>>>> 
>>>>>>>>> To get this situation I don't need to define any account information
>>>>>>>>> in MicroSIP.
>>>>>>>>> 
>>>>>>>>> I have not set passwords for users in Asterisk to avoid double
>>>>>>>>> authorization. May this cause the behavior? I have not set default
>>>>>>>>> user or from user in my peer definitions. I am not registering
>>>>>>>>> Kamailio to Asterisk - I mean I have no peer definition for Kamailio
>>>>>>>>> in sip.conf.
>>>>>>>>> 
>>>>>>>>> I do not know what direction to go to. I would be happy, if I should
>>>>>>>>> not go to the trial and error path so any help is welcome.
>>>>>>>>> 
>>>>>>>>> Thanks in advance,
>>>>>>>>> 
>>>>>>>>> Teijo
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 14.7.2014 9:06, g.aloi...@gmail.com wrote:
>>>>>>>>>> Hello,
>>>>>>>>>> 
>>>>>>>>>> If one places a call, and tells that "my from domain is your
>>>>>>>>>> Kamailio's IP", the call is established, because Asterisk accepts
>>>>>>>>>> requests from Kamailio. One problem is that it's unpredictable in
>>>>>>>>>> this case what is the context where this kind of call is handled by
>>>>>>>>>> Asterisk.
>>>>>>>>>> 
>>>>>>>>>> This situation requires that I change something in my setup. If I
>>>>>>>>>> decide to accept calls only from my users, I suppose that it can be
>>>>>>>>>> quite easily done by modifying the if statement referred to below or
>>>>>>>>>> at least by applying instructions found here:
>>>>>>>>>> 
>>>>>>>>>> http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> However, I'm somewhat unsure what should I do, if I decide to accept
>>>>>>>>>> calls from any caller - not only from my users.
>>>>>>>>>> 
>>>>>>>>>> Best,
>>>>>>>>>> 
>>>>>>>>>> Teijo
>>>>>>>>>> 
>>>>>>>>>> 12.7.2014 19:36, Muhammad Shahzad wrote:
>>>>>>>>>>> Well, this
>>>>>>>>>>> 
>>>>>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>>>>>> 
>>>>>>>>>>> Means neither source nor destination is our user. Which implies that
>>>>>>>>>>> if our domain is A, then call from domain "B to C" is not possible.
>>>>>>>>>>> However, calls from "B or C to A" and "A to B or C" are possible.
>>>>>>>>>>> That is why an unauthorized user gets passed and reaches asterisk.
>>>>>>>>>>> Asterisk accepts it since call is coming from kamailio and tries to
>>>>>>>>>>> route it back to kamailio, where kamailio finds user online and thus
>>>>>>>>>>> it goes through.
>>>>>>>>>>> 
>>>>>>>>>>> You should really break down this,
>>>>>>>>>>> 
>>>>>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>>>>>> 
>>>>>>>>>>> into something like this for clarity,
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> if (from_uri!=myself) {
>>>>>>>>>>>    if (uri!=myself) {
>>>>>>>>>>>        # neither source nor destination is our user
>>>>>>>>>>>    } else {
>>>>>>>>>>>        # source is not our user but destination is our user
>>>>>>>>>>>    };
>>>>>>>>>>> } else {
>>>>>>>>>>>    if (uri!=myself) {
>>>>>>>>>>>        # source is our user but destination is not our user
>>>>>>>>>>>    } else {
>>>>>>>>>>>        # both source and destination are our users
>>>>>>>>>>>    };
>>>>>>>>>>> };
>>>>>>>>>>> 
>>>>>>>>>>> Hope this helps.
>>>>>>>>>>> 
>>>>>>>>>>> Thank you.
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> On Fri, Jul 11, 2014 at 5:36 PM, <g.aloi...@gmail.com> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> Hello,
>>>>>>>>>>>> 
>>>>>>>>>>>> I'm using Kamailio version 4.1.4+precise (amd64).
>>>>>>>>>>>> 
>>>>>>>>>>>> I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime
>>>>>>>>>>>> Integration using Asterisk Database"
>>>>>>>>>>>> (http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb).
>>>>>>>>>>>> One main difference in my setup compared to that one is that I
>>>>>>>>>>>> continued use of Kamailio's database.
>>>>>>>>>>>> 
>>>>>>>>>>>> The problem is as follows:
>>>>>>>>>>>> 
>>>>>>>>>>>> I decided to put Kamailio and through it Asterisk reachable from
>>>>>>>>>>>> internet. I have tried to configure Asterisk so that only calls of
>>>>>>>>>>>> registered users would be possible, and they could only call other
>>>>>>>>>>>> registered users or conference rooms and echo test number.
>>>>>>>>>>>> 
>>>>>>>>>>>> Then I took the following steps:
>>>>>>>>>>>> 
>>>>>>>>>>>> I ensured that there were no online users with kamctl online. Then
>>>>>>>>>>>> I launched MicroSIP (www.microsip.org), but I did not define an
>>>>>>>>>>>> account, I simply set the protocol to tls and media encryption to
>>>>>>>>>>>> mandatory, because I'm using these.
>>>>>>>>>>>> 
>>>>>>>>>>>> I called an extension with x...@my.public.ip.address (where xxx is
>>>>>>>>>>>> extension) getting "unauthorized". And that was what I wanted.
>>>>>>>>>>>> 
>>>>>>>>>>>> But if there are online users, calls go through, and the incoming
>>>>>>>>>>>> call is coming from Asterisk (in syslog I can find out that
>>>>>>>>>>>> src_user=asterisk).
>>>>>>>>>>>> 
>>>>>>>>>>>> Kamailio and Asterisk are listening on the same IP address, but a
>>>>>>>>>>>> different port. I have refused connections to the Asterisk's port
>>>>>>>>>>>> with iptables.
>>>>>>>>>>>> 
>>>>>>>>>>>> I have defined my public IP address as domain in sip.conf. There is
>>>>>>>>>>>> also another domain defined which corresponds to the users' domain
>>>>>>>>>>>> I am using in Kamailio's database.
>>>>>>>>>>>> 
>>>>>>>>>>>> In kamailio.cfg there is an if statement which prevents Kamailio
>>>>>>>>>>>> from being an open relay:
>>>>>>>>>>>> 
>>>>>>>>>>>> if (from_uri!=myself && uri!=myself)
>>>>>>>>>>>> ...
>>>>>>>>>>>> 
>>>>>>>>>>>> If I change this for example:
>>>>>>>>>>>> 
>>>>>>>>>>>> if (from_uri!=myself || uri!=myself)
>>>>>>>>>>>> 
>>>>>>>>>>>> I get what I want this time: no calls from outside, but I somewhat
>>>>>>>>>>>> think that this is not a final solution.
>>>>>>>>>>>> 
>>>>>>>>>>>> I have not found in the log files such information which would have
>>>>>>>>>>>> helped me. I have not yet investigated this problem so much that I
>>>>>>>>>>>> could tell the logic behind the selection of the online user's
>>>>>>>>>>>> identity which is used. However, if I make a call to a conference
>>>>>>>>>>>> room I notice that Asterisk is thinking that one of the online
>>>>>>>>>>>> users has joined the conference.
>>>>>>>>>>>> 
>>>>>>>>>>>> If I can recall correctly, I started with Kamailio version 3.2, and
>>>>>>>>>>>> integrated it with Asterisk 11 (currently 11.10.2). Is there
>>>>>>>>>>>> something which has changed in Kamailio, but which I have not
>>>>>>>>>>>> changed in my setup, which could explain this?
>>>>>>>>>>>> 
>>>>>>>>>>>> Best,
>>>>>>>>>>>> 
>>>>>>>>>>>> Teijo
>>>>>>>>>>>> 
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing
>>>>>>>>>>>> list
>>>>>>>>>>>> sr-users@lists.sip-router.org
>>>>>>>>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> This part of the message body will be transferred on request.

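Added example, not part of the original thread and not the posters' or the Kamailio project's own configuration: one way to expand the four-case breakdown quoted above so that Kamailio itself tells Asterisk whether the caller authenticated, which the single-peer dialplan at the top of this message can then branch on. The route name AUTH_MARK and the header name X-Auth-State are assumptions made for illustration; the "subscriber" table is Kamailio's default.

```kamailio
# Hypothetical route, called from request_route for initial requests only.
# Needs the auth, auth_db, textops and sl modules loaded.
route[AUTH_MARK] {
    # Never trust a marker supplied by the caller: strip it first, so the
    # only X-Auth-State Asterisk ever sees is the one added below.
    remove_hf("X-Auth-State");

    if (from_uri==myself) {
        # Source claims to be our user (this includes "my from domain is
        # your Kamailio's IP"): it must prove it with digest credentials.
        if (!auth_check("$fd", "subscriber", "1")) {
            auth_challenge("$fd", "0");
            exit;
        }
        consume_credentials();
        # Source is our user; destination may or may not be ours.
        append_hf("X-Auth-State: auth\r\n");
        return;
    }

    # From here on the source is not our user.
    if (uri!=myself) {
        # Neither source nor destination is ours: not an open relay.
        sl_send_reply("403", "Not relaying");
        exit;
    }

    # Source is not our user but destination is: let it through, but
    # labelled, so Asterisk does not treat it as a registered user's call.
    append_hf("X-Auth-State: unauth\r\n");
}
```

With all Kamailio traffic landing in one peer context, the placeholder condition in the dialplan at the top of this message could be `$["${SIP_HEADER(X-Auth-State)}" = "auth"]`. The header is only trustworthy while Asterisk accepts SIP from Kamailio alone, as with the iptables rule described in the first post.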