SIP URIs

nojstevens

Member
Joined
Jun 5, 2009
Messages
101
Reaction score
0
Hello,

I am just starting to understand the SIP URI stuff, but I must admit it's taking some getting my head around.

A few weeks ago I set up a free DID with ipkall, which seems to forward the call to [email protected]

When I call my ipkall number from my cellphone, my system receives the call and all my extensions ring.

But I have two questions:

If I type sip:[email protected] into the Gizmo call box I don't receive a call on my PBX system. How come?

Also, I haven't created an inbound route for this kind of call, so how does the system know how to handle calls coming in routed to [email protected]?

I am using the orgasmatron build.

Any pointers to help me understand how it works would be appreciated

Jon
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Hi

To allow your PBX to be addressed as [email protected], you will have to allow SIP messages to arrive at your PBX anonymously, so you need to make sure the SIP ports are open, and pointed at the PBX. Make sure you have good alphanumeric passwords for your sip extensions.

To route the inbound calls - simply type mothership into the DID field of inbound routes, and set the destination. It'll complain about non-numeric destinations, but do not worry about it.

Joe
 
Joined
Apr 22, 2009
Messages
230
Reaction score
0
Allowing anonymous SIP has no relation with letting people hack your extensions.

You should protect your extensions with a good password no matter what, and add permit/deny policy to make sure that you will exclude registration from internet for LAN only extensions.

The only problem I see by opening anonymous SIP, is that someone can ring specifically one extension, even if you put some time condition or other inbound policy. To avoid that, I've put in extensions_override_freepbx.conf

[from-pstn]
include => from-pstn-custom ; create this context in extensions_custom.conf to include customizations
include => ext-did
include => ext-did-post-custom
;include => from-did-direct ; MODIFICATION (PL) for findmefollow if enabled, should be before ext-local
include => ext-did-catchall ; THIS MUST COME AFTER ext-did
exten => fax,1,Goto(ext-fax,in_fax,1)

to comment out the from-did-direct.
Then only my inbound routes will be considered. If someone dials sip:[email protected] it will go to the any/any inbound route instead.

I can still allow some specific extension bypass by just adding them in the inbound route.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,202
Reaction score
5,224
Hi

To allow your PBX to be addressed as [email protected], you will have to allow SIP messages to arrive at your PBX anonymously...

Joe

Actually, the way the Orgasmatron has been designed, YOU DO NOT (AND SHOULD NOT) ALLOW SIP ANONYMOUSLY! That was the whole reason for adding the entries in extensions_override_freepbx.conf. Read this NV article for the design details.

If you're receiving SIP calls from IPkall, then your SIP URI is working properly. Don't fix it! Something is apparently wrong at the Gizmo5 end. Open a ticket and tell them what you said above about IPkall working fine... and give them the phone number.
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
If you want someone to ring you, using a SIP URI, you are going to have to allow people to reach your SIP server.

Given that you are giving this facility to anyone and everyone, does it not follow that most of the people calling will in fact be anonymous people? At least until they introduce themselves.


In the same way that when some one rings you on your Ma Bell phone, you don't know who is going to ring, or when they are going to ring - hence the caller is anonymous until they tell you who they are.


I can only assume that Ward thought I was referring to the tick box in general settings that says "Allow Anonymous Inbound SIP Calls" : I was not. I was referring to the fact that you must have your SIP ports open and pointed to the PBX if you want any anonymous person from anywhere at any time to call you.

Whether that is desirable is another matter.

So reading Ward's Link - he writes.

Second, if you have a default incoming route, do NOT change the No setting for Allow Anonymous Inbound SIP Calls in the General Setting section of FreePBX. Otherwise, anyone can access your PBX from anywhere.


This is only a small part of the story and can bear some clarification.

It may have been better to write:-

Second, if you have a default incoming route, do NOT change the No setting for Allow Anonymous Inbound SIP Calls in the General Setting section of FreePBX. Otherwise, anyone can ring your PBX from anywhere using any SIP URI formed with your hostname or IP.

All SIP calls which are not authenticated, e.g. do not come in to a registered SIP trunk, come to the context from-sip-external - you can see this line in /etc/asterisk/sip_general_additional.conf

This then sends them to this context in extensions.conf:-

Code:
[from-sip-external]
;give external sip users congestion and hangup
; Yes. This is _really_ meant to be _. - I know asterisk whinges about it, but 
; I do know what I'm doing. This is correct.
exten => _.,1,NoOp(Received incoming SIP connection from unknown peer to ${EXTEN})
exten => _.,n,Set(DID=${IF($["${EXTEN:1:2}"=""]?s:${EXTEN})})
exten => _.,n,Goto(s,1)
exten => s,1,GotoIf($["${ALLOW_SIP_ANON}"="yes"]?from-trunk,${DID},1)
exten => s,n,Set(TIMEOUT(absolute)=15)
exten => s,n,Answer
exten => s,n,Wait(2)
exten => s,n,Playback(ss-noservice)
exten => s,n,Playtones(congestion)
exten => s,n,Congestion(5)
exten => h,1,NoOp(Hangup)
exten => i,1,NoOp(Invalid)
exten => t,1,NoOp(Timeout)

With Allow Anonymous Inbound SIP Calls set to no, the call comes in, is answered, "Sorry, not in service" is played, congestion tones are played for 5 seconds, and then the call is hung up.

When set to yes, the call is controlled by inbound routes. If the DID or CLI matches, the call is sent to the destination you select.

I would argue that it is more secure to have a catchall or default route with "Hangup" selected for the destination and anon set to yes, and all your DIDs listed with proper destinations, than to have "anon" set to no.

The reason for this is that when someone calls you with anon set to no, a message is played. With the method described above, people can only call you if they know your number or they are a person you recognise on the basis of the caller ID.

Using SIPP, a person could bring a PBX to its knees in fairly short order simply by sending 5000 calls a second to any SIP URI formed with your hostname or IP, and the "Sorry Not In Service" message plays 5000 times concurrently. If you simply hang up the call, that is far less load on the system, and the DOS attack is going to have to work harder to stop your PBX working.

Looking at Ward's additions to this context, he bypasses the Allow Anon with the addition of these two lines in two cases:-

Code:
exten => 3366,1,Goto(from-trunk,${DID},1)
exten => demo,1,Goto(from-trunk,3366,1)

This basically says that if you ring sip/[email protected] or sip/[email protected] from anywhere on the internet, any anonymous person can get at least as far as inbound routes.

To lock down your PBX you need to look further than dial plans. As Patrick suggests, there are a number of techniques to lock down SIP access - mostly mentioned here:-

http://nerdvittles.com/index.php?p=580

The main ones are:-

  • Use a firewall and IP tables to block access to all but your carriers and remote phones.
  • Permit and Deny in your sip settings to only have SIP listening to authorised endpoints and carriers
  • Secure passwords so that SIP dictionary attacks are likely to fail
  • Fail2Ban or similar to block IP addresses that try to hack the PBX or discover passwords.

Jon, I trust that this helps to clarify SIP URIs, the purpose of the Allow Anonymous SIP calls, and how they can work with inbound routes.

Joe
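
The permit/deny and password points in the list above can be checked mechanically. The following is an added example, not code from this thread or from FreePBX: it audits chan_sip peer sections for weak `secret` values and missing or wide-open ACLs. The sample config, the 12-character threshold and the finding names are assumptions.

```python
import re
# Constructed sample in chan_sip peer syntax (not taken from the thread).
SAMPLE_CONF = """\
[general]
context=from-sip-external
[201]
secret=1234
[202]
secret=hT7qLm2xVb9rKd4w
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
[203]
secret=Zp4nW8cYt6Rg2sQj
deny=0.0.0.0/0.0.0.0
permit=0.0.0.0/0.0.0.0
"""

MIN_SECRET_LEN = 12  # assumed policy threshold, not a FreePBX default

def parse_peers(text):
    """Return {peer: {option: [values]}} for every section except [general]."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            name = header.group(1)
            current = None if name == "general" else peers.setdefault(name, {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key.lower(), []).append(value)
    return peers

def audit(text):
    findings = {}
    for name, opts in parse_peers(text).items():
        issues = []
        secret = opts.get("secret", [""])[-1]
        if len(secret) < MIN_SECRET_LEN or secret.isdigit() or secret.isalpha():
            issues.append("weak-secret")
        permits = opts.get("permit", [])
        if "deny" not in opts or not permits:
            issues.append("no-acl")          # peer may register from any address
        elif any(p.startswith("0.0.0.0/0") for p in permits):
            issues.append("acl-allows-any")  # permit-all cancels the deny
        if issues:
            findings[name] = issues
    return findings
```

Calling `audit()` on the text of the generated SIP peer file returns only the peers that need attention; peer 202 in the sample, with a long mixed secret and a LAN-only permit, is not reported.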
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,202
Reaction score
5,224
Once you open any SIP URI on your server, obviously anyone can call it as often as they like unless you block their IP address. Same goes for publishing your phone number in the phone book. However, making harassing phone calls is a crime most places. That and $4 will get you a cup of coffee at Starbuck's. :crazy:
 

sirdotcom

Member
Joined
Mar 20, 2010
Messages
150
Reaction score
25
I have been scratching my head on this issue for weeks, and I just can't seem to get it going.

I have used the technique of adding SIP URI 'pinholes' to specific DIDs in extensions_override_freepbx (as shown in Ward's article.) I have tried this on two different boxes, each on their own public IPs and full DMZ to them (just for testing purposes of course!) I have tried allowing anonymous SIP calls, and much more, but I still get no response (unreachable) when dialing my own ISN number 1240*1240. However, I have IPKall DID's on BOTH servers that dial into the box to their own SIP URI's and these work fine. No other SIP URI works, unless I dial it on the same machine, i.e. dialing 1240*1240 or [email protected] on the 'myhost.com' box (essentially a loopback I guess!) I have tried everything I can imagine, and the CLI never shows any activity, suggesting that the calls never even reach the boxes. But IPKall always works! When I dial my IPKall numbers I get:

-- Executing [713@from-sip-external:1] NoOp("SIP/66.54.140.46-00000000", "Received incoming SIP connection from unknown peer to 713") in new stack

All other inbound SIP calls don't even show up.

Thanks for any wise thoughts!

Steve
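
The CLI line quoted in the post above is what the NoOp in [from-sip-external] writes for every unauthenticated call, which makes it a usable signal for the Fail2Ban-style blocking mentioned earlier in the thread. The following is an added example, not part of any post here: it flags source IPs that probe many extensions or flood one URI. The timestamp prefix (a log file using `dateformat=%F %T`), the thresholds and all sample lines other than the IP and extension quoted above are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the NoOp line that [from-sip-external] logs for each unauthenticated call.
LINE_RE = re.compile(
    r'^\[(?P<ts>[\d-]+ [\d:]+)\].*Executing \[(?P<exten>[^@\]]+)@from-sip-external:1\] '
    r'NoOp\("SIP/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-[0-9a-f]+"'
)

def find_offenders(lines, window=timedelta(seconds=60), max_calls=5, max_targets=3):
    """Return {ip: reason} for sources exceeding either threshold inside one window."""
    recent = defaultdict(deque)  # ip -> (timestamp, exten) events still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events = recent[m["ip"]]
        events.append((ts, m["exten"]))
        while ts - events[0][0] > window:  # drop events older than the window
            events.popleft()
        if len({exten for _, exten in events}) > max_targets:
            offenders.setdefault(m["ip"], "extension scan")
        elif len(events) > max_calls:
            offenders.setdefault(m["ip"], "call flood")
    return offenders

def _line(ts, ip, exten):
    """Build a constructed log line in the format quoted in the thread."""
    return (f'[{ts}] VERBOSE[2101] logger.c:     -- Executing [{exten}@from-sip-external:1] '
            f'NoOp("SIP/{ip}-0000000a", "Received incoming SIP connection '
            f'from unknown peer to {exten}") in new stack')

# Constructed sample: one normal DID call, one source walking extensions, one hammering a URI.
SAMPLE = (
    [_line("2010-04-01 12:00:05", "66.54.140.46", "713")]
    + [_line(f"2010-04-01 12:01:{s:02d}", "203.0.113.9", str(100 + s)) for s in range(6)]
    + [_line(f"2010-04-01 12:02:{s:02d}", "198.51.100.7", "demo") for s in range(8)]
)
```

`find_offenders(SAMPLE)` reports the two constructed noisy sources and leaves the single IPkall call alone; the returned IPs are what a firewall or Fail2Ban action would then block.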
 

w1ve

Guru
Joined
Nov 15, 2007
Messages
819
Reaction score
218
SIP URI's

- My PIAF is hosted, on a public IP.
- I DO NOT enable Anonymous SIP.
- I DO HAVE long alphanumeric passwords.
- I DO use extensions_override_freepbx.conf to enable SPECIFIC URIs.
Example:
[from-sip-external]
exten => callanoutboundnumber,1,Dial(local/1413XXXXXX@from-internal)

//this would dial the outbound number 1413XXXXXXX when you call the SIP URI callanoutboundnumber@mypiaf.

- I DO use Country-IP filtering to prevent specific countries (like China) from connecting to my system.

- I DO use SRV records on multiple domains so that I can dial SIP URIs for my domain addresses.

- I HAVE NEVER had a security breach that I know of (and I have logs emailed to me every day)

Take the appropriate precautions and SIP URI dialing can be great.

Please note that many people have trouble dialing SIP URIs from clients. Your PIAF has to be set up to dial SIP URIs.
X-lite registered with a PIAF will not be able to dial a SIP URI directly.

Many softphones are pretty useless at dialing URIs directly, including the gizmo5 client.

It's unfortunate that peer-to-peer SIP URI dialing seems to get a bad rap. It's fantastic for making free calls. I have a short code with SIPBroker (www.sipBroker.com); when I have friends/family/business associates who are travelling around the world, I simply give them the SipBroker local PSTN number, and have them call me via SIP. Cool stuff.

BTW, if you have a DID with voip.ms, you automatically get a SIP URI without any security hassle. The URI is [email protected]. Your PBX will see the call just like any standard incoming call.


Gerry
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,202
Reaction score
5,224
FYI: $.001 per minute for SIP URI calls through voip.ms. ;)
 
