SipToSis-Skype Gateway Tips

Ktool

New Member
Joined
Feb 5, 2009
Messages
11
Reaction score
0
I am trying out the new Skype gateway that was featured in nerdvittles yesterday. I have set up everything as per instructions (only for outgoing calls - don't need Skype incoming so have not done any SIP URI).

Everything is running as instructed in x - skype in background and SipToSis_linux. I have java 1.6 installed. I did allow siptosis access to skype when prompted and checked the box for skype to remember this setting.

Now when I make a call from my softphones, I can see the call is passed to siptosis on the console but it fails with "handlesipcall - rejected call".

I have attached PDF file with siptosis status and messages. What am I doing wrong?
 

Attachments

  • siptosis.pdf
    15.6 KB · Views: 55

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
There seems to be a bug in the Skype option to "remember" the authorized connection to siptosis. You can deauthorize it in the Skype setup. Then manually authorize the connection after you restart Skype and then run siptosis.
 

Ktool

New Member
Joined
Feb 5, 2009
Messages
11
Reaction score
0
It looked like that from the error and I tried to start Skype again but it starts minimized now and I can't seem to figure out how to get it on the screen - sorry, am a Windows user...
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
The easiest way...

Reboot your machine. Then...

cd /root
rm -r .Skype
xinit
skype

Then log in and set it up again for autologin and to run minimized. Stop Skype. Then...

skype &
cd /siptosis
./SipToSis_linux

Answer Yes when prompted whether to allow external use of Skype but don't check the remember option.
 

Ktool

New Member
Joined
Feb 5, 2009
Messages
11
Reaction score
0
Tried that with several combinations - same error. I even ran Skype in the background but not minimized and then siptosis and checked Skype options for allowed API. Skypeforjava was listed there in the allowed box.
 

drsatch

New Member
Joined
Feb 25, 2008
Messages
41
Reaction score
0
I had this problem, too. A google search led me to this:

This has two possible causes.
The first would be the SIP caller is not authorized in SipToSkypeAuth.props.
The second would be no destination was able to be extracted from the sip callee url - which can be caused by an incorrect dial plan.
Look for incoming sip call from ????? callee=?????

In SipToSkypeAuth.props try this:
*,*,*,calleeid
This will allow access from any IP address.
Found here:
http://www.mhspot.com/stsblog/blog....eSkype-SIP-Skype-Gateway-Update-20081101.html


Now...if I can just figure out how to get this to run at boot, I'd be all set.
 

Ktool

New Member
Joined
Feb 5, 2009
Messages
11
Reaction score
0
It works!

In SipToSkypeAuth.props try this:
*,*,*,calleeid
This will allow access from any IP address.

Thanks drsatch. Yup that was it. My incoming sip call was using my public IP address and my SipToSkypeAuth.props has my loopback IP in place of the third *. I replaced it with a * and it worked. I will try and change that value to my actual public IP only in hopes to make it secure by restricting only to my pub IP - Is it a security threat in any way? (I am behind a router without port forwarding).

Ward. I noticed that skype does remember the allowed application setting for siptosis.

I think everything works as expected - now the only error I get is from Skype about my audio device not being set up right - but that's because I am running PIAF in a VM and will have to fiddle to see what's the issue with the sound devices.

Thanks both of you guys for your help.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
In SipToSkypeAuth.props try this:
*,*,*,calleeid
This will allow access from any IP address.

This setup would be EXTREMELY DANGEROUS. There was a reason we restricted access to just localhost. :cryin:
 

Ktool

New Member
Joined
Feb 5, 2009
Messages
11
Reaction score
0
Yes, I have read how many posts we have here about people's open PBX taken for a ride... and that's why I am looking to restrict it either by using my actual public IP address or making some config changes in siptosis so that it does not pick up my public IP instead of my localhost when placing calls from my softphones...

siptosis log looks like:
incoming sip call from "my CID" <sip:myCID@my_pub_IP> callee=<sip:[email protected]:5070

How to change that first part from my actual public IP to localhost - both the PBX and skype/siptosis are on the same machine.
 

drsatch

New Member
Joined
Feb 25, 2008
Messages
41
Reaction score
0
This setup would be EXTREMELY DANGEROUS. There was a reason we restricted access to just localhost. :cryin:

I meant it for testing purposes only. But, now that I'm thinking about it...would it be dangerous if it's firewalled?

Seems the problem is that it doesn't allow if it sees a connection from the external IP. Looks like it reads it from the externip= in sip_nat.conf or sip_nat_custom.conf. This poses a problem for people with dynamic IPs.

Any idea how to get all this to start at boot without having physically connected monitor, keyboard and mouse? Maybe I'm just brain-dead today. :eek:
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Kinda depends on who designed and tested the firewall and whether anyone down the road "improves" it. ;)
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
My rule of thumb goes like this... The more layers of protection you have, the better off you are particularly when some of the layers are not in your immediate control.

In a former life, we had hundreds of Cisco routers that were maintained by a telecommunications company that professed to be an expert in all things Cisco.

A few years later when we hired a Cisco engineer locally, it took him under 5 minutes to guess the password... and it turned out the network wizards had used the same password on every single router in the organization... nationwide. That made us all sleep well. :eek:opsb:
 

drsatch

New Member
Joined
Feb 25, 2008
Messages
41
Reaction score
0
UNCLE! UNCLE! (Ward that is)

I was just trying to be funny. Don't want to hijack a thread either.

Maybe you have some insight to the externip issue and the starting at boot? I have it working correctly...even sounds good. But at this point I don't have a monitor hooked up to it and when I close an ssh connection, all stops.

I've tried:
skype &
nohup skype &
xterm skype &
 

Ktool

New Member
Joined
Feb 5, 2009
Messages
11
Reaction score
0
works with pub ip entry too

Seems the problem is that it doesn't allow if it sees a connection from the external IP. Looks like it reads it from the externip= in sip_nat.conf or sip_nat_custom.conf. This poses a problem for people with dynamic IPs.

I put my public IP in SipToSkypeAuth.props:
*,*,xx.xxx.xxx.xxx,calleeid

and it works. As I understand it, this will only allow connections from my public IP address. So really how can someone outside my network with a different pub IP address be granted? I don't know if an IP address can be spoofed.
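
An added example, not part of any post in this thread and not SipToSis code: a small audit that classifies SipToSkypeAuth.props-style rules by their third field, which the thread describes as the caller's IP address. The labels, the treatment of "#" lines as comments and the sample rules are assumptions made for illustration; the meaning of the other fields is not given in the thread.

```shell
#!/bin/sh
# Added example: audit SipToSkypeAuth.props-style rules for open source addresses.
# Assumptions: rules are comma-separated with the caller IP in field 3 (as
# described in the thread); "#" comment lines and the labels are illustrative.

audit_auth_rules() {
    # Reads rules on stdin; prints "<label> <line number> <rule>" per rule:
    #   OPEN   field 3 is "*", so a caller from any address is accepted
    #   LOCAL  field 3 is a loopback address
    #   PINNED field 3 names one other address
    #   BAD    fewer than four fields, cannot be classified
    awk -F',' '
        { gsub(/[ \t\r]/, "") }                 # tolerate stray spaces and CRs
        /^(#|$)/       { next }                 # skip comments and blank lines
        NF < 4         { print "BAD", NR, $0; next }
        $3 == "*"      { print "OPEN", NR, $0; next }
        $3 ~ /^127\./ || $3 == "localhost" { print "LOCAL", NR, $0; next }
        { print "PINNED", NR, $0 }
    '
}

# Constructed sample rules (203.0.113.10 is a documentation address).
SAMPLE_RULES='# constructed sample
*,*,127.0.0.1,calleeid
*,*,*,calleeid
*,*,203.0.113.10,calleeid
*,*'

printf '%s\n' "$SAMPLE_RULES" | audit_auth_rules
```

Any OPEN line means the gateway itself no longer filters callers by address, so only the firewall layers stand between it and outside callers.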
 

drsatch

New Member
Joined
Feb 25, 2008
Messages
41
Reaction score
0
Ya I get that, but how does this affect someone with a Dynamic IP? Can a hostname be used instead?
 

drsatch

New Member
Joined
Feb 25, 2008
Messages
41
Reaction score
0
Ok, I have no idea how to have this start at boot.

Here's what I did:

Installed tightvnc-server and connected from my desktop. (Used a non root account on both desktop and pbx)

terminal came up

typed skype &
ran the siptosis script

closed vnc window

This works for me as I very rarely have to reboot.

Hope that gives some insight.
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
In respect of dynamic IP addresses, there is a script available which will update your externip every few minutes. Have a search round and you will find something.

Starting something in an SSH screen, then closing the SSH screen stops whatever you started (unless it's a service).

Investigate the command "screen" if you want to start something and leave it running when you disconnect the putty session.

Alternatively, put the commands to start whatever you want to start in /etc/rc.d/rc.local, then it will start on boot.


In respect of security, there are a number of layers to consider.

The first one is at the application itself. If an application is set only to listen to "localhost" then provided that there are no security holes in the application, then whether there is a firewall present or not, it should not be possible to get into the system via that route, because it's not listening.

e.g. we can leave the MySQL database with the default root password of passw0rd, because to get in, you need to have the password, and be connecting from 127.0.0.1. The same would apply to the asterisk Manager, with its password of amp109, and the asteriskuser MySQL password amp111. The security is that those usernames are only listening to connections on the local box. Indeed you could argue that the presence of a password on those accounts is surplus to requirements, as everyone knows them anyway.

This is a powerful way of locking down extensions, make them listen to a range of ip addresses determined by you using deny and permit, which stops the application (asterisk in this case) listening, and therefore responding.

If something is listening to the outside world, then we need to use a form of security which is very secure - e.g. a password.

The next layer is the firewall or IP tables. If you have done the job properly, then nothing should be listening. But there are a whole load of applications on a CentOS box, and any one of them may have a security flaw yet to be discovered. So the firewall ensures that packets destined for ports where nothing should be listening are dropped, and then we don't have to worry about them.

Finally, there is your external firewall, which should stop stuff getting to the PBX in the first place, unless you want it there.

So when you add or configure something new, it's good practice to :-

1. Make sure it's only listening and responding to addresses you want it to listen to, set IP tables to only allow connections from that address as well as a belt and braces approach.

2. If you need it to listen to everyone and anyone, - e.g. your webserver, then make sure that it has a good password, and the application itself is suited to being exposed to the outside world.

3. If a port does not need access, then close it down with IPTables to prevent anyone having a go, and exploiting a yet undiscovered security flaw.

Joe
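
An added example, not part of the post above: one way to check the first and third points of that list is to read the listening sockets and report every one that is not bound to loopback and is not on a list of ports you mean to expose. The function name, the sample `ss` output and the choice of port 22 as deliberately public are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list listening sockets that are reachable from off-box.
# Input is the output of `ss -H -lntu` (Netid State Recv-Q Send-Q Local Peer).

exposed_listeners() {
    # $1: space-separated ports that are meant to be public (may be empty).
    # Prints "<proto> <address> <port>" for every other non-loopback listener.
    awk -v allow=" $1 " '
        {
            port = $5; sub(/.*:/, "", port)        # text after the last colon
            addr = $5; sub(/:[^:]*$/, "", addr)    # text before the last colon
            if (addr ~ /^127\./ || addr == "[::1]") next   # local only
            if (index(allow, " " port " ") > 0) next       # intended exposure
            print $1, addr, port
        }
    '
}

# Constructed sample (not captured from a real host). 5070 is the port in the
# SipToSis log line quoted in the thread; 3306 and 5038 are the MySQL and
# Asterisk Manager defaults.
SAMPLE_SS='udp   UNCONN 0      0            0.0.0.0:5070      0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      50         127.0.0.1:5038      0.0.0.0:*
tcp   LISTEN 0      128            [::1]:631          [::]:*'

# Port 22 is treated as deliberately public in this run (an assumption).
printf '%s\n' "$SAMPLE_SS" | exposed_listeners "22"
# On a live system: ss -H -lntu | exposed_listeners "22"
```

Each line it prints is a service that either needs rebinding to 127.0.0.1 or an explicit iptables rule limiting who can reach it.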
 

bbhenry

New Member
Joined
Sep 25, 2008
Messages
19
Reaction score
0
SipToSis_Linux keeps looping with error messages

Hi people
Do I “have to” launch the SipToSis_Linux under the siptosis directory? I tried launching it from / with the following command:
/siptosis/SipToSis_Linux
But it keeps looping and gives me errors, and forces me to reboot the machine to stop it from looping. By the way, launching the program under the siptosis directory works just fine. But now since I would like to make it work on boot, I really don't want to put 2 lines of script into my rc.local.

Did anyone run into the same issue here? I am suspecting that it might be that I did not specify where java home is. But since I am not familiar with java apps on linux, I can't be sure if that's the issue.
 

drsatch

New Member
Joined
Feb 25, 2008
Messages
41
Reaction score
0
Yes I ran into the same problem. I had to run it from the /siptosis directory.

I couldn't get anything to work at boot time and even tried some rc.local entries, so I decided to do it through VNC server. It worked just like if I had a monitor plugged into the server itself.

I connected through VNC and was given a simple x-window and followed the directions Ward posted. I was then able to close the window and everything stayed running.

It would be nice to be able to have everything start at boot, but it just doesn't look like an option.
 
