Hello,

Is this part of your setup to allow anyone to call any extension, but handle these unauthenticated calls in a different context? If so, will the following entry work for you?
Create a peer of kamailio in sip.conf:

    ; every request arriving from Kamailio's address matches this peer
    [kamailio]
    type=peer
    host=kamailio ip
    port=kamailio port
    . . .
    context=some context where all calls should be handled

In extensions.conf:

    [context]
    ; branch on the authentication check, then hand off to the matching context
    exten => _X.,1,GotoIf($[condition for checking call authentication]?auth:unauth)
    same => n(auth),Goto(context of authenticated call)
    same => n(unauth),Goto(context of unauthenticated call)
    . . .

Cibin

> On 19-Jul-2014, at 7:20 pm, Teijo Burman <g.aloi...@gmail.com> wrote:
>
> Yes, you are correct. But let's say that user A is online. Now somebody from
> somewhere calls sip:5...@my.public.ip.address. What happens is as follows:
> Suppose that 5000 is extension which should only have limited access, for
> example users A and B have this extension in their contexts. Now however,
> when A is online, any unauthenticated call is handled in A's context so
> anybody could get A's privileges.
>
> Best,
>
> Teijo
>
> 19.7.2014 15:30, Cibin Paul wrote:
>> Hello,
>>
>> Let me understand this. You have an extension 4000 which is online. If
>> someone who is not even a registered user calls the extension 4000 using
>> 4...@your.public.ip.address, the call will get connected. Correct me if I am
>> wrong.
>> As far as I understand, you have configured this box as a PBX where only
>> registered users can communicate. If that is the case, can you do a lookup
>> in location table whether the originating caller is actually online? By this
>> you can check whether the originating call is from a valid source. If not,
>> hang up the call.
>>
>> Regards
>> Cibin
>>
>>> On 19-Jul-2014, at 5:30 pm, Teijo <g.aloi...@gmail.com> wrote:
>>>
>>> Hello,
>>>
>>> The problem is unauthenticated calls - calls from somebody from outside
>>> to my server. Kamailio accepts these calls, because destination is my
>>> server. This happens if somebody calls to
>>> some_extens...@my.public.ip.address. My public IP refers to the address
>>> both Kamailio and Asterisk are listening to.
>>> This is not a problem if there
>>> are no online friends/peers in Asterisk, because then incoming call goes to
>>> context I have defined for incoming calls. But if there are online
>>> friends/peers in Asterisk, calls go to online friend's/peer's context. I
>>> think this happens because one of the methods Asterisk decides to put
>>> incoming calls to given context is IP address. Now all the calls come from
>>> Kamailio - i.e. from the same IP. I think that when Asterisk is considering
>>> what to do with incoming call, it detects that there is registration(s)
>>> from Kamailio's IP, and concludes that this incoming call belongs to
>>> this kind of peer's context, and this causes problem. Likely Asterisk puts
>>> it to the peer's context who has in the first place in its registered peers
>>> list.
>>>
>>> I do not know what to do for this in Asterisk. I think - but I'm not sure
>>> at all - that refusing to forward such calls to Asterisk whose domain is
>>> Kamailio's IP - could solve this. But if this would be the solution, I do
>>> not know what I should do in Kamailio. Well, I suppose that if statement in
>>> kamailio.cfg:
>>>
>>>     # if caller is not local subscriber, then check if it calls
>>>     # a local destination, otherwise deny, not an open relay here
>>>     if (from_uri!=myself && uri!=myself)
>>>
>>> is the place where I should do modification, but what the modified if
>>> statement should exactly be, I am not sure.
>>>
>>> Best,
>>>
>>> Teijo
>>>
>>> 19.7.2014 14:16, Cibin Paul wrote:
>>>> Hello,
>>>>
>>>> Can you elaborate on your issue? Who is handling registration and how is
>>>> the call flow?
>>>>
>>>> Regards
>>>> Cibin
>>>>
>>>>> On 19-Jul-2014, at 4:34 pm, Teijo <g.aloi...@gmail.com> wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> Well, this is still problem for me.
>>>>>
>>>>> Best,
>>>>>
>>>>> Teijo
>>>>>
>>>>> 17.7.2014 11:22, g.aloi...@gmail.com wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have:
>>>>>>
>>>>>>     allowguest=no
>>>>>>     contactpermit=kamailio.ip.addr.ess
>>>>>>
>>>>>> I also have tried the approach that I have peer kamailio, but then all
>>>>>> calls seem to go to the context defined for kamailio peer. I do not
>>>>>> know how I could in that case handle individual calls - for example
>>>>>> determine if given phone can call to given number or not.
>>>>>>
>>>>>> Best,
>>>>>>
>>>>>> Teijo
>>>>>>
>>>>>> 17.7.2014 10:48, Cibin Paul wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> Try allow *allowguest=no* in sip.conf [general] context and create a
>>>>>>> peer for kamailio in sip.conf
>>>>>>>
>>>>>>> Regards
>>>>>>> Cibin
>>>>>>>
>>>>>>> 17.7.2014 10:22, g.aloi...@gmail.com wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> There is a message "Possible Security issue with Kamailio - Asterisk
>>>>>>>> Realtime integration" in Asterisk users mailing list:
>>>>>>>>
>>>>>>>> http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
>>>>>>>>
>>>>>>>> I think the problem I have is somewhat similar.
>>>>>>>>
>>>>>>>> Should I suppose that there is a security risk in Kamailio - Asterisk
>>>>>>>> realtime integration, and if this is a case what I can do to eliminate
>>>>>>>> this risk?
>>>>>>>>
>>>>>>>> Best,
>>>>>>>>
>>>>>>>> Teijo
>>>>>>>>
>>>>>>>> 16.7.2014 9:44, g.aloi...@gmail.com wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> Has anybody any solution or suggestion?
>>>>>>>>>
>>>>>>>>> If I for example launch MicroSIP (no doubt it could be some other SIP
>>>>>>>>> client), and simply call:
>>>>>>>>>
>>>>>>>>> sip:some_extens...@my.public.ip.address
>>>>>>>>>
>>>>>>>>> call is established, if there is online user/users.
>>>>>>>>> Naturally this
>>>>>>>>> incoming call should be handled by Asterisk in context where I have
>>>>>>>>> defined unauthorized calls are handled, but instead, the call goes
>>>>>>>>> online user's context.
>>>>>>>>>
>>>>>>>>> To get this situation I don't need to define any account information in
>>>>>>>>> MicroSIP.
>>>>>>>>>
>>>>>>>>> I have not set passwords for users in Asterisk to avoid double
>>>>>>>>> authorization. May this cause the behavior? I have not set default user
>>>>>>>>> or from user in my peer definitions. I am not registering Kamailio to
>>>>>>>>> Asterisk - I mean I have no peer definition for Kamailio in sip.conf.
>>>>>>>>>
>>>>>>>>> I do not know what direction to go to. I would be happy, if I should not
>>>>>>>>> go to the trial and error path so any help is welcome.
>>>>>>>>>
>>>>>>>>> Thanks in advance,
>>>>>>>>>
>>>>>>>>> Teijo
>>>>>>>>>
>>>>>>>>> 14.7.2014 9:06, g.aloi...@gmail.com wrote:
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> If one places call, and tell that "my from domain is your Kamailio's
>>>>>>>>>> IP", call is established, because Asterisk accepts requests from
>>>>>>>>>> Kamailio. One problem is that it's unpredictable in this case what is
>>>>>>>>>> the context where this kind of call is handled by Asterisk.
>>>>>>>>>>
>>>>>>>>>> This situation requires that I change something in my setup. If I decide
>>>>>>>>>> accept calls only from my users, I suppose that it can be quite easily
>>>>>>>>>> done by modifying if statement referred below or at least by applying
>>>>>>>>>> instructions found here:
>>>>>>>>>>
>>>>>>>>>> http://www.kamailio.org/dokuwiki/doku.php/examples:restrict-calls-to-registered-users
>>>>>>>>>>
>>>>>>>>>> However, I'm somewhat unsure what should I do, if I decide to accept
>>>>>>>>>> calls from any caller - not only from my users.
>>>>>>>>>>
>>>>>>>>>> Best,
>>>>>>>>>>
>>>>>>>>>> Teijo
>>>>>>>>>>
>>>>>>>>>> 12.7.2014 19:36, Muhammad Shahzad wrote:
>>>>>>>>>>> Well, this
>>>>>>>>>>>
>>>>>>>>>>>     if (from_uri!=myself && uri!=myself)
>>>>>>>>>>>
>>>>>>>>>>> Means neither source nor destination is our user. Which implies that
>>>>>>>>>>> if our domain is A, then call from domain "B to C" is not possible.
>>>>>>>>>>> However, calls from "B or C to A" and "A to B or C" are possible.
>>>>>>>>>>> That is why an unauthorized user gets passed and reaches asterisk.
>>>>>>>>>>> Asterisk accepts it since call is coming from kamailio and tries to
>>>>>>>>>>> route it back to kamailio, where kamailio finds user online and thus
>>>>>>>>>>> it goes through.
>>>>>>>>>>>
>>>>>>>>>>> You should really break down this,
>>>>>>>>>>>
>>>>>>>>>>>     if (from_uri!=myself && uri!=myself)
>>>>>>>>>>>
>>>>>>>>>>> into something like this for clarity,
>>>>>>>>>>>
>>>>>>>>>>>     if (from_uri!=myself) {
>>>>>>>>>>>         if (uri!=myself) {
>>>>>>>>>>>             # neither source nor destination is our user
>>>>>>>>>>>         } else {
>>>>>>>>>>>             # source is not our user but destination is our user
>>>>>>>>>>>         };
>>>>>>>>>>>     } else {
>>>>>>>>>>>         if (uri!=myself) {
>>>>>>>>>>>             # source is our user but destination is not our user
>>>>>>>>>>>         } else {
>>>>>>>>>>>             # both source and destination are our users
>>>>>>>>>>>         };
>>>>>>>>>>>     };
>>>>>>>>>>>
>>>>>>>>>>> Hope this helps.
>>>>>>>>>>>
>>>>>>>>>>> Thank you.
>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Jul 11, 2014 at 5:36 PM, <g.aloi...@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm using Kamailio version 4.1.4+precise (amd64).
>>>>>>>>>>>>
>>>>>>>>>>>> I have followed "Kamailio 4.0.x and Asterisk 11.3.0 Realtime Integration
>>>>>>>>>>>> using Asterisk Database"
>>>>>>>>>>>> (http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb).
>>>>>>>>>>>> One main difference in my setup compared to that one is that I continued
>>>>>>>>>>>> use of Kamailio's database.
>>>>>>>>>>>>
>>>>>>>>>>>> The problem is as follows:
>>>>>>>>>>>>
>>>>>>>>>>>> I decided to put Kamailio and through it Asterisk reachable from internet.
>>>>>>>>>>>> I have tried to configure Asterisk so that only calls of registered users
>>>>>>>>>>>> would be possible, and they could only call to other registered users or
>>>>>>>>>>>> conference rooms and echo test number.
>>>>>>>>>>>>
>>>>>>>>>>>> Then I took the following steps:
>>>>>>>>>>>>
>>>>>>>>>>>> I ensured that there was no online users with kamctl online. Then I
>>>>>>>>>>>> launched MicroSIP (www.microsip.org), but I did not define account, I
>>>>>>>>>>>> simply set the protocol to tls and media encryption to mandatory, because
>>>>>>>>>>>> I'm using these.
>>>>>>>>>>>>
>>>>>>>>>>>> I called to extension with x...@my.public.ip.address (where xxx is
>>>>>>>>>>>> extension) getting "unauthorized". And that was what I wanted.
>>>>>>>>>>>>
>>>>>>>>>>>> But if there is online users, calls go through, and incoming call is
>>>>>>>>>>>> coming from Asterisk (in syslog I can find out that src_user=asterisk).
>>>>>>>>>>>>
>>>>>>>>>>>> Kamailio and Asterisk are listening the same IP address, but different
>>>>>>>>>>>> port. I have refused connections to the Asterisk's port with iptables.
>>>>>>>>>>>>
>>>>>>>>>>>> I have defined my public IP address as domain in sip.conf.
>>>>>>>>>>>> There is also
>>>>>>>>>>>> other domain defined which corresponds to users' domain I am using in
>>>>>>>>>>>> Kamailio's database.
>>>>>>>>>>>>
>>>>>>>>>>>> In kamailio.cfg there is if statement which prevents Kamailio not to be
>>>>>>>>>>>> open relay:
>>>>>>>>>>>>
>>>>>>>>>>>>     if (from_uri!=myself && uri!=myself)
>>>>>>>>>>>>     ...
>>>>>>>>>>>>
>>>>>>>>>>>> If I change this for example:
>>>>>>>>>>>>
>>>>>>>>>>>>     if (from_uri!=myself || uri!=myself)
>>>>>>>>>>>>
>>>>>>>>>>>> I get what I want this time: no calls from outside, but I somewhat think
>>>>>>>>>>>> that this is not a final solution.
>>>>>>>>>>>>
>>>>>>>>>>>> I have not found from log files such information which would have helped
>>>>>>>>>>>> me. I have not yet investigated this problem so much that I could tell the
>>>>>>>>>>>> logic behind the selection of online user's identity which is used.
>>>>>>>>>>>> However, if I make a call to conference room I notice that Asterisk is
>>>>>>>>>>>> thinking that one of online users has joined the conference.
>>>>>>>>>>>>
>>>>>>>>>>>> If I can recall correctly, I started with Kamailio version 3.2, and
>>>>>>>>>>>> integrated it with Asterisk 11 (currently 11.10.2). Is there something
>>>>>>>>>>>> which has changed in Kamailio, but what I have not changed in my setup
>>>>>>>>>>>> which could explain this.
>>>>>>>>>>>>
>>>>>>>>>>>> Best,
>>>>>>>>>>>>
>>>>>>>>>>>> Teijo
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>>>>>>>>>>> sr-users@lists.sip-router.org
>>>>>>>>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>>>>>>>>>
>>>>>>>>>>>> This part of the message body will be transferred on request.

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
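
Added example, not part of the mailing-list thread and not any poster's configuration: the four-way split of from_uri/uri described in the quoted replies, written out as a kamailio.cfg authentication route with an explicit policy for each branch. It assumes the stock "subscriber" table, the auth, auth_db, textops and sl modules, and that requests coming back from Asterisk are recognised before this route runs; the header name X-Caller-Auth and the define WITH_CLOSED_PBX are hypothetical names chosen for this example.

```cfg
# Added example (not from the thread). Enable the closed policy with:
#   #!define WITH_CLOSED_PBX        (hypothetical define)
# X-Caller-Auth is a hypothetical marker header for the PBX behind Kamailio.

route[AUTH] {
	# Never trust a marker header supplied by the caller.
	remove_hf("X-Caller-Auth");

	if (is_method("REGISTER") || from_uri==myself) {
		# Source claims to be our user: demand digest credentials.
		if (!auth_check("$fd", "subscriber", "1")) {
			auth_challenge("$fd", "0");
			exit;
		}
		# Authenticated: do not pass the credentials downstream.
		if (!is_method("REGISTER|PUBLISH"))
			consume_credentials();
		if (is_method("INVITE"))
			append_hf("X-Caller-Auth: yes\r\n");
		return;
	}

	# From here on the source is not our user (from_uri!=myself).
	if (uri!=myself) {
		# Neither source nor destination is ours: not an open relay.
		sl_send_reply("403", "Not relaying");
		exit;
	}

	# Source is not our user, destination is ours.
#!ifdef WITH_CLOSED_PBX
	# Closed policy: only authenticated subscribers may call in.
	sl_send_reply("403", "Forbidden");
	exit;
#!else
	# Open policy: accept the call, but mark it so the PBX can send it
	# to the context reserved for unauthenticated callers.
	if (is_method("INVITE"))
		append_hf("X-Caller-Auth: no\r\n");
	return;
#!endif
}
```

With the open policy, the condition in the GotoIf suggested at the top of this message could test the marker through chan_sip's ${SIP_HEADER(X-Caller-Auth)}, provided all traffic from Kamailio lands in the kamailio peer's context.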