VoIP Mailing List Archives
Mailing list archives for the VoIP community |
|
| View previous topic :: View next topic |
| Author |
Message |
lucabert at lucabert.de
Guest
|
 Posted: Thu Jun 11, 2015 1:36 am Post subject: [asterisk-users] Allowing calls - maybe I'm just stupid... |
 |
|
Hi again!
About my previous E-Mail...
I though about it and I think, that maybe I'm just very stupid...
Since I called an INTERNAL number, Asterisk tried to call it.
I tried right now to call an EXTERNAL number (using my context
[myproxy]) and the behavior is NOT the same...
Not 100% correct, but it tries the right way...
Now my problem is to check in my dialplan if the peer, that originate
the call, is reachable, and if not, to give an error...
Is there any function to know if the peer is reachable?
Thanks
Luca Bertoncello
(lucabert@lucabert.de)
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users |
|
| Back to top |
|
 |
asterisk_list at earth...
Guest
|
| Posted: Thu Jun 11, 2015 2:53 am Post subject: [asterisk-users] Allowing calls - maybe I'm just stupid... |
|
|
On Thursday 11 Jun 2015, Luca Bertoncello wrote:
| Quote: | Now my problem is to check in my dialplan if the peer, that originate
the call, is reachable, and if not, to give an error...
Is there any function to know if the peer is reachable?
|
The peer that *originated* the call *must* be reachable, by definition .....
--
AJS
Note: Originating address only accepts e-mail from list! If replying off-
list, change address to asterisk1list at earthshod dot co dot uk .
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users |
|
| Back to top |
|
|
lucabert at lucabert.de
Guest
|
| Posted: Thu Jun 11, 2015 2:56 am Post subject: [asterisk-users] Allowing calls - maybe I'm just stupid... |
|
|
Zitat von A J Stiles <asterisk_list@earthshod.co.uk>:
| Quote: | On Thursday 11 Jun 2015, Luca Bertoncello wrote:
| Quote: | Now my problem is to check in my dialplan if the peer, that originate
the call, is reachable, and if not, to give an error...
Is there any function to know if the peer is reachable?
|
The peer that *originated* the call *must* be reachable, by definition .....
|
I can originate a call even if my peer is "UNREACHABLE" (sip show
peers say UNREACHABLE)...
But I solved using the function EXTENDED_STATE...
Regards
Luca Bertoncello
(lucabert@lucabert.de)
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users |
|
| Back to top |
|
|
mad at madpilot.net
Guest
|
| Posted: Thu Jun 11, 2015 3:16 am Post subject: [asterisk-users] Allowing calls - maybe I'm just stupid... |
|
|
On 06/11/15 09:56, Luca Bertoncello wrote:
| Quote: | Zitat von A J Stiles <asterisk_list@earthshod.co.uk>:
| Quote: | On Thursday 11 Jun 2015, Luca Bertoncello wrote:
| Quote: | Now my problem is to check in my dialplan if the peer, that originate
the call, is reachable, and if not, to give an error...
Is there any function to know if the peer is reachable?
|
The peer that *originated* the call *must* be reachable, by definition
.....
|
I can originate a call even if my peer is "UNREACHABLE" (sip show peers
say UNREACHABLE)...
But I solved using the function EXTENDED_STATE...
|
I think the confusion here stands in the fact that registrations are for
receiving calls, a peer registers to tell asterisk "Hey, here is where
to find me in case you need to ring me".
When the same peer wants to make a call it will send an invite to
asterisk with the details for that call AND the authentication, it's
completely decoupled from registration, it just uses the same credential
but authenticates each time.
Registration then isn't like logging in to a service, or at least, it's
like that but just for getting calls, to make a call your phone has to
authenticate each time he sends an invite. That's why it works without
being registered.
So, trying to bind authentication to originate calls to registrations is
conceptually wrong in the SIP world. Maybe you can do that but that's
not the way the protocols have been engineered to work.
--
Guido Falsi <mad@madpilot.net>
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users |
|
| Back to top |
|
|
lucabert at lucabert.de
Guest
|
| Posted: Thu Jun 11, 2015 3:44 am Post subject: [asterisk-users] Allowing calls - maybe I'm just stupid... |
|
|
Zitat von Guido Falsi <mad@madpilot.net>:
| Quote: | So, trying to bind authentication to originate calls to registrations is
conceptually wrong in the SIP world. Maybe you can do that but that's
not the way the protocols have been engineered to work.
|
Hi Guido,
thanks for your answer.
Well, I decided to do that, since I have my Asterisk reachable from
Internet just for my cellphone and I want to avoid that someone guess
my password (random and long, but it's of course possible to guess
with a brute force attack) and call using my Asterisk...
Since I'll use rarely my Asterisk from Internet (maybe just if I'm in
holiday), I find this limitation meaningful.
Thanks
Luca Bertoncello
(lucabert@lucabert.de)
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users |
|
| Back to top |
|
|
mad at madpilot.net
Guest
|
| Posted: Thu Jun 11, 2015 4:12 am Post subject: [asterisk-users] Allowing calls - maybe I'm just stupid... |
|
|
On 06/11/15 10:43, Luca Bertoncello wrote:
| Quote: | Zitat von Guido Falsi <mad@madpilot.net>:
| Quote: | So, trying to bind authentication to originate calls to registrations is
conceptually wrong in the SIP world. Maybe you can do that but that's
not the way the protocols have been engineered to work.
|
Hi Guido,
thanks for your answer.
Well, I decided to do that, since I have my Asterisk reachable from
Internet just for my cellphone and I want to avoid that someone guess my
password (random and long, but it's of course possible to guess with a
brute force attack) and call using my Asterisk...
Since I'll use rarely my Asterisk from Internet (maybe just if I'm in
holiday), I find this limitation meaningful.
|
I see, but note that if they do guess your password you're screwed anyway 
--
Guido Falsi <mad@madpilot.net>
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users |
|
| Back to top |
|
|
asterisk_list at earth...
Guest
|
| Posted: Thu Jun 11, 2015 5:42 am Post subject: [asterisk-users] Allowing calls - maybe I'm just stupid... |
|
|
On Thursday 11 Jun 2015, Luca Bertoncello wrote:
| Quote: | Well, I decided to do that, since I have my Asterisk reachable from
Internet just for my cellphone and I want to avoid that someone guess
my password (random and long, but it's of course possible to guess
with a brute force attack) and call using my Asterisk...
|
Really? How weak are your passwords, for you to be worried about brute-force attacks?
If you configure fail2ban so as to block IP addresses after a set number of false attempts and then unblock after (say) 15 minutes, you can drastically limit the rate at which such attempts can be made without running the risk of locking *yourself* out.
| Quote: | Since I'll use rarely my Asterisk from Internet (maybe just if I'm in
holiday), I find this limitation meaningful.
|
Well, Asterisk doesn't!
Did your mother ever tell you when you were younger and just beginning to expand your horizons, "Always tell a grown-up where you are going, before you go out" ? Well, that is essentially the purpose of SIP peer registration -- so your mother Asterisk knows where to find you, if an emergency arises a phone call comes in.
You always need a username and password to make a call anyway. Introducing a restriction, for you to have to be registered (using the *same* username and password) before you can even make a call, will *not* make that any more secure. Because an attacker who is guessing passwords still needs some way to check them; and it's a fair bet that they will use the guessed passwords in registration attempts. Which means that by the time they come to try to make a call using those credentials, they will already be registered anyway!
If you are going to need occasionally to make possibly expensive phone calls from random IP addresses, then you might consider using some form of out-of-band authentication. For instance, have a web page on your Asterisk server, protected by a *different* password, that must be visited to allow that IP address a window of 15 minutes to connect to port 5060. (This in itself can be problematic, if you are not extremely careful -- you absolutely do *not* want to create a situation which can lead to arbitary remote command execution as root. Anytime I have had to do root stuff from within a CGI script, I have written to a file, not the actual commands but enough information to construct them; meanwhile a root cron job run every minute reads the file, does a regexp match on the content, maybe performs the relevant commands and then wipes out the file. The downside of this is a delay before anything happens; but you can use a bit of AJAX in the script output to check every ten seconds whether anything has happened yet. No doubt others will have their own suggestions.)
It's good that you are thinking deeply about security, but beware not to get drawn down blind alleys. For instance, if you have a door with a large, single-glazed pane of 6 mm. glass, then there is little point fitting it with an expensive, hard-to-pick lock.
--
AJS
Note: Originating address only accepts e-mail from list! If replying off-list, change address to asterisk1list at earthshod dot co dot uk . |
|
| Back to top |
|
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|
Search
