
[asterisk-users] How to configure asterisk to only accept SIP from kamailio@localhost but exchange RTP on all interfaces


 
a_villacis at palosant...
Posted: Thu Feb 20, 2014 1:48 pm

I have a setup with asterisk-11.7.0 and kamailio-4.1.1. I am following the setup guide at http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb . I want to run asterisk and kamailio on the same server, with SIP realtime configuration
(MySQL database) so that kamailio authenticates and then forwards the registration to asterisk on localhost. The setup calls for asterisk to be configured to listen for SIP traffic on all interfaces, on a nonstandard port (I chose 5080). It also calls for
blanking of the password for the SIP peer (in my case, a softphone), so that it will not request for authentication again. I have managed to make a call with working audio from the softphone to an extension on asterisk through kamailio.

My concern is that asterisk is left listening for SIP through all interfaces and with no SIP passwords. I want to secure the setup against directed traffic to the asterisk UDP port (5080), that bypasses the kamailio process. I tried setting
bindaddr=127.0.0.1 so asterisk will only listen for SIP traffic on localhost, but this has the side effect of also removing audio - the call appears to be successful on the softphone and on the asterisk logs, but no audio is actually heard. My theory is
that the RTP traffic is being sent to kamailio instead of the softphone.

How can I set up asterisk so that it can send RTP anywhere but reject any SIP traffic that does not come from the kamailio process on localhost?

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
universe at truemetal.org
Posted: Thu Feb 20, 2014 3:07 pm

On 20.02.2014 19:48, Alex Villacís Lasso wrote:
Quote:
My concern is that asterisk is left listening for SIP through all
interfaces and with no SIP passwords. I want to secure the setup against
directed traffic to the asterisk UDP port (5080), that bypasses the
kamailio process. I tried setting bindaddr=127.0.0.1 so asterisk will
only listen for SIP traffic on localhost, but this has the side effect
of also removing audio - the call appears to be successful on the
softphone and on the asterisk logs, but no audio is actually heard. My
theory is that the RTP traffic is being sent to kamailio instead of the
softphone.

Theories are nice, but you should check whether they are true using,
e.g., tcpdump :)

I would check with, for example:

tcpdump -nnnqt -s 0 -A -i eth0 port 5060

or instead of "port 5060" (or 5080) try "udp" to see what is going on
with RTP. Change from eth0 to lo to see if there is really RTP going to
nowhere. When looking at port 5060/5080, check the SDP header to see
what kamailio/Asterisk/your softphone announce in terms of RTP.

I thought kamailio is a SIP server/proxy only and is not involved in RTP
at all.

In any case, if you want to allow only certain connections from
somewhere to somewhere (including from/to certain ports), iptables is
your friend if you are using Linux.
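
To confirm that nothing reaches the Asterisk SIP port except through the proxy, header lines from a capture like the tcpdump one above can be screened for packets to port 5080 from a non-loopback source. This is an added example, not part of the original post; the function name and the sample lines are constructed, and it assumes the one-line IPv4 UDP format tcpdump prints with -nn -q -t.

```python
import ipaddress
import re

# Header line printed by tcpdump -nn -q -t for IPv4 UDP, e.g.
# "IP 198.51.100.23.5060 > 192.0.2.10.5080: UDP, length 412"
_LINE = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

def find_proxy_bypass(lines, asterisk_port=5080):
    """Return (src_ip, src_port, length) for each UDP packet addressed to the
    Asterisk SIP port by a non-loopback source, i.e. not relayed by the proxy."""
    hits = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m or int(m["dport"]) != asterisk_port:
            continue  # payload lines from -A, RTP, and unrelated traffic
        src = ipaddress.ip_address(m["src"])
        if not src.is_loopback:
            hits.append((str(src), int(m["sport"]), int(m["len"])))
    return hits

# Constructed sample: header lines merged from captures on lo and eth0.
# 127.0.0.1:5060 stands for kamailio, 192.0.2.10 for the server's LAN address.
SAMPLE_CAPTURE = """\
IP 127.0.0.1.5060 > 127.0.0.1.5080: UDP, length 611
IP 198.51.100.23.5060 > 192.0.2.10.5080: UDP, length 412
IP 192.0.2.77.40012 > 192.0.2.10.14570: UDP, length 172
IP 192.0.2.77.5062 > 192.0.2.10.5060: UDP, length 590
IP 203.0.113.9.33871 > 192.0.2.10.5080: UDP, length 380
""".splitlines()

if __name__ == "__main__":
    for src, sport, length in find_proxy_bypass(SAMPLE_CAPTURE):
        print(f"direct SIP to Asterisk from {src}:{sport} ({length} bytes)")
```

An empty result on a capture taken while the firewall rule is active shows the rule is doing its job; any hit is traffic that never passed kamailio's authentication.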


a_villacis at palosant...
Posted: Thu Feb 20, 2014 4:52 pm

On 20/02/14 15:07, Markus wrote:
Quote:
On 20.02.2014 19:48, Alex Villacís Lasso wrote:
Quote:
My concern is that asterisk is left listening for SIP through all
interfaces and with no SIP passwords. I want to secure the setup against
directed traffic to the asterisk UDP port (5080), that bypasses the
kamailio process. I tried setting bindaddr=127.0.0.1 so asterisk will
only listen for SIP traffic on localhost, but this has the side effect
of also removing audio - the call appears to be successful on the
softphone and on the asterisk logs, but no audio is actually heard. My
theory is that the RTP traffic is being sent to kamailio instead of the
softphone.

Theories are nice, but you should check whether they are true using, e.g., tcpdump :)

I would check with, for example:

tcpdump -nnnqt -s 0 -A -i eth0 port 5060

or instead of "port 5060" (or 5080) try "udp" to see what is going on with RTP. Change from eth0 to lo to see if there is really RTP going to nowhere. When looking at port 5060/5080, check the SDP header to see what kamailio/Asterisk/your softphone
announce in terms of RTP.

I thought kamailio is a SIP server/proxy only and is not involved in RTP at all.


From a wireshark capture, what the softphone sees when contacting kamailio (in the bindaddr=127.0.0.1 configuration) is that the media negotiation in the OK package contains a random UDP port (as expected) but indicates that the IP for RTP is 127.0.0.1.

I have also tried deny=0.0.0.0/0.0.0.0 permit=127.0.0.1/255.0.0.0, but the softphone then gets denied through the kamailio too. It seems deny/permit restricts the IP of the original contact, not the IP the SIP traffic was received through.

Quote:
In any case, if you want to allow only certain connections from somewhere to somewhere (including from/to certain ports), iptables is your friend if you are using Linux.


I know iptables would solve my issue, and I will certainly use it, but I do not want to rely on iptables as the *only* thing that prevents the sip proxy bypass. I want an asterisk configuration that will only accept SIP signaling traffic coming from a
specific IP (in my case, 127.0.0.1), but will then negotiate RTP across any interface that will contact the softphone. I want this to work with the IP of the original contact.
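
The SDP check suggested earlier in the thread and the capture result described in this post (a 200 OK advertising 127.0.0.1 for RTP) can be automated. The following is an added example, not part of the original post; the function names and the sample message are constructed, and only IP literals in c= lines are judged.

```python
import ipaddress

def sdp_media_targets(sip_message):
    """Return [(media, port, addr)] for every m= line in the SDP body.
    A media-level c= line overrides the session-level one."""
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    session_addr, targets = None, []
    for line in body.splitlines():
        kind, _, value = line.partition("=")
        if kind == "c":                      # c=IN IP4 <addr>[/ttl]
            addr = value.split()[2].split("/")[0]
            if targets:                      # c= after an m= line: media level
                targets[-1] = targets[-1][:2] + (addr,)
            else:
                session_addr = addr
        elif kind == "m":                    # m=<media> <port>[/n] <proto> <fmt>...
            fields = value.split()
            port = int(fields[1].split("/")[0])
            targets.append((fields[0], port, session_addr))
    return targets

def unreachable_media(sip_message):
    """Return the streams whose advertised RTP address a remote phone cannot
    reach because it is loopback or link-local."""
    bad = []
    for media, port, addr in sdp_media_targets(sip_message):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:                   # hostname or missing c=: not judged
            continue
        if ip.is_loopback or ip.is_link_local:
            bad.append((media, port, addr))
    return bad

# Constructed 200 OK resembling what a phone would receive when the SIP
# listener is bound to 127.0.0.1 (headers trimmed to what the parser needs).
BROKEN_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=root 1000 1000 IN IP4 127.0.0.1\r\ns=Asterisk\r\n"
    "c=IN IP4 127.0.0.1\r\nt=0 0\r\n"
    "m=audio 14570 RTP/AVP 0 101\r\na=rtpmap:0 PCMU/8000\r\n"
)

if __name__ == "__main__":
    for media, port, addr in unreachable_media(BROKEN_200_OK):
        print(f"{media}: RTP advertised at {addr}:{port} is not reachable remotely")
```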

kwem at gmx.de
Posted: Tue Feb 25, 2014 8:32 am

Hi Alex,

On Thursday, 20.02.2014, 13:48 -0500, Alex Villacís Lasso wrote:
Quote:
I have a setup with asterisk-11.7.0 and kamailio-4.1.1. I am following
the setup guide at
http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb . I want to run asterisk and kamailio on the same server, with SIP realtime configuration
(MySQL database) so that kamailio authenticates and then forwards the
registration to asterisk on localhost. The setup calls for asterisk to
be configured to listen for SIP traffic on all interfaces, on a
nonstandard port (I chose 5080). It also calls for
blanking of the password for the SIP peer (in my case, a softphone),
so that it will not request for authentication again. I have managed
to make a call with working audio from the softphone to an extension
on asterisk through kamailio.

My concern is that asterisk is left listening for SIP through all
interfaces and with no SIP passwords. I want to secure the setup
against directed traffic to the asterisk UDP port (5080), that
bypasses the kamailio process. I tried setting
bindaddr=127.0.0.1 so asterisk will only listen for SIP traffic on
localhost, but this has the side effect of also removing audio - the
call appears to be successful on the softphone and on the asterisk
logs, but no audio is actually heard. My theory is
that the RTP traffic is being sent to kamailio instead of the
softphone.

How can I set up asterisk so that it can send RTP anywhere but reject
any SIP traffic that does not come from the kamailio process on
localhost?


If You bind asterisk to 127.0.0.1 I think the media connection is set
for this IP. Your Softphone can not reach the correct 127.0.0.1
(localhost is everywhere).

I would suggest You set up asterisk on eth0 address or 0.0.0.0. In the
sip.conf You could secure Your setup with
deny = 0.0.0.0/0.0.0.0
permit = Your-LAN-Address
This way asterisk accepts SIP from Your box only.

HTH,

Karsten


a_villacis at palosant...
Posted: Tue Feb 25, 2014 1:06 pm

On 25/02/14 08:30, Karsten Wemheuer wrote:
Quote:
Hi Alex,

On Thursday, 20.02.2014, 13:48 -0500, Alex Villacís Lasso wrote:
Quote:
I have a setup with asterisk-11.7.0 and kamailio-4.1.1. I am following
the setup guide at
http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb . I want to run asterisk and kamailio on the same server, with SIP realtime configuration
(MySQL database) so that kamailio authenticates and then forwards the
registration to asterisk on localhost. The setup calls for asterisk to
be configured to listen for SIP traffic on all interfaces, on a
nonstandard port (I chose 5080). It also calls for
blanking of the password for the SIP peer (in my case, a softphone),
so that it will not request for authentication again. I have managed
to make a call with working audio from the softphone to an extension
on asterisk through kamailio.

My concern is that asterisk is left listening for SIP through all
interfaces and with no SIP passwords. I want to secure the setup
against directed traffic to the asterisk UDP port (5080), that
bypasses the kamailio process. I tried setting
bindaddr=127.0.0.1 so asterisk will only listen for SIP traffic on
localhost, but this has the side effect of also removing audio - the
call appears to be successful on the softphone and on the asterisk
logs, but no audio is actually heard. My theory is
that the RTP traffic is being sent to kamailio instead of the
softphone.

How can I set up asterisk so that it can send RTP anywhere but reject
any SIP traffic that does not come from the kamailio process on
localhost?

If You bind asterisk to 127.0.0.1 I think the media connection is set
for this IP. Your Softphone can not reach the correct 127.0.0.1
(localhost is everywhere).

I would suggest You set up asterisk on eth0 address or 0.0.0.0. In the
sip.conf You could secure Your setup with
deny = 0.0.0.0/0.0.0.0
permit = Your-LAN-Address
This way asterisk accepts SIP from Your box only.

This might work, but would need to touch sip.conf every time the IP address changes. It would be nice to have a configuration that can be set up once and not modified again. That is why I wanted to set up localhost.

kwem at gmx.de
Posted: Wed Feb 26, 2014 4:20 am

Hi Alex,

On Tuesday, 25.02.2014, 13:04 -0500, Alex Villacís Lasso wrote:
Quote:
On 25/02/14 08:30, Karsten Wemheuer wrote:
Quote:
Hi Alex,

On Thursday, 20.02.2014, 13:48 -0500, Alex Villacís Lasso wrote:
Quote:
I have a setup with asterisk-11.7.0 and kamailio-4.1.1. I am following
the setup guide at
http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb . I want to run asterisk and kamailio on the same server, with SIP realtime configuration
(MySQL database) so that kamailio authenticates and then forwards the
registration to asterisk on localhost. The setup calls for asterisk to
be configured to listen for SIP traffic on all interfaces, on a
nonstandard port (I chose 5080). It also calls for
blanking of the password for the SIP peer (in my case, a softphone),
so that it will not request for authentication again. I have managed
to make a call with working audio from the softphone to an extension
on asterisk through kamailio.

My concern is that asterisk is left listening for SIP through all
interfaces and with no SIP passwords. I want to secure the setup
against directed traffic to the asterisk UDP port (5080), that
bypasses the kamailio process. I tried setting
bindaddr=127.0.0.1 so asterisk will only listen for SIP traffic on
localhost, but this has the side effect of also removing audio - the
call appears to be successful on the softphone and on the asterisk
logs, but no audio is actually heard. My theory is
that the RTP traffic is being sent to kamailio instead of the
softphone.

How can I set up asterisk so that it can send RTP anywhere but reject
any SIP traffic that does not come from the kamailio process on
localhost?

If You bind asterisk to 127.0.0.1 I think the media connection is set
for this IP. Your Softphone can not reach the correct 127.0.0.1
(localhost is everywhere).

I would suggest You set up asterisk on eth0 address or 0.0.0.0. In the
sip.conf You could secure Your setup with
deny = 0.0.0.0/0.0.0.0
permit = Your-LAN-Address
This way asterisk accepts SIP from Your box only.

This might work, but would need to touch sip.conf every time the IP
address changes. It would be nice to have a configuration that can be
set up once and not modified again. That is why I wanted to set up
localhost.

It is the LAN address of Your Server, where asterisk and kamailio are
running. The permit entry allows communication between kamailio and
asterisk. Why would You change this address? Maybe I don't understand
Your setup.

Karsten




All times are GMT - 5 Hours