
SipToSis-Skype Gateway Tips

Discussion in 'Add-On Install Instructions' started by Ktool, Feb 18, 2009.

  1. Ktool New Member

    I am trying out the new Skype gateway that was featured in Nerd Vittles yesterday. I have set up everything as per instructions (only for outgoing calls - don't need Skype incoming so have not done any SIP URI).

    Everything is running as instructed in x - skype in background and SipToSis_linux. I have java 1.6 installed. I did allow siptosis access to skype when prompted and checked the box for skype to remember this setting.

    Now when I make a call from my softphones, I can see the call is passed to siptosis on the console but it fails with "handlesipcall - rejected call".

    I have attached PDF file with siptosis status and messages. What am I doing wrong?


  2. wardmundy Nerd Uno

    There seems to be a bug in the Skype option to "remember" the authorized connection to siptosis. You can deauthorize it in the Skype setup. Then manually authorize the connection after you restart Skype and then run siptosis.
  3. Ktool New Member

    It looked like that from the error and I tried to start Skype again but it starts minimized now and I can't seem to figure out how to get it on the screen - sorry, I am a Windows user...
  4. wardmundy Nerd Uno

    The easiest way...

    Reboot your machine. Then...

    cd /root
    rm -r .Skype
    xinit
    skype

    Then log in and set it up again for autologin and to run minimized. Stop Skype. Then...

    skype &
    cd /siptosis
    ./SipToSis_linux

    Answer Yes when prompted whether to allow external use of Skype but don't check the remember option.
  5. Ktool New Member

    Tried that with several combinations - same error. I even ran Skype in the background but not minimized and then siptosis and checked Skype options for allowed API. Skypeforjava was listed there in the allowed box.
  6. drsatch New Member

    I had this problem, too. A google search led me to this:

    Found here:
    http://www.mhspot.com/stsblog/blog....eSkype-SIP-Skype-Gateway-Update-20081101.html


    Now...if I can just figure out how to get this to run at boot, I'd be all set.
  7. Ktool New Member

    It works!

    Thanks drsatch. Yup that was it. My incoming sip call was using my public IP address and my SipToSkypeAuth.props has my loopback IP in place of the third *. I replaced it with a * and it worked. I will try and change that value to my actual public IP only in hopes to make it secure by restricting only to my pub IP - Is it a security threat in any way? (I am behind a router without port forwarding).

    Ward. I noticed that skype does remember the allowed application setting for siptosis.

    I think everything works as expected - now the only error I get is from Skype about my audio device not being set up right - but that's because I am running PIAF in a VM and will have to fiddle to see what the issue is with the sound devices.

    Thanks both of you guys for your help.
  8. wardmundy Nerd Uno

    This setup would be EXTREMELY DANGEROUS. There was a reason we restricted access to just localhost. :cryin:
  9. Ktool New Member

    Yes, I have read how many posts we have here about people's open PBX taken for a ride... and that's why I am looking to restrict it either by using my actual public IP address or making some config changes in siptosis so that it does not pick up my public IP instead of my localhost when placing calls from my softphones...

    siptosis log looks like:
    incoming sip call from "my CID" <sip:myCID@my_pub_IP> callee=<sip:dialed_no.@127.0.0.1:5070

    How to change that first part from my actual public IP to localhost - both the PBX and skype/siptosis are on the same machine.
  10. drsatch New Member

    I meant it for testing purposes only. But, now that I'm thinking about it...would it be dangerous if it's firewalled?

    Seems the problem is that it doesn't allow if it sees a connection from the external IP. Looks like it reads it from the externip= in sip_nat.conf or sip_nat_custom.conf. This poses a problem for people with dynamic IPs.

    Any idea how to get all this to start at boot without having physically connected monitor, keyboard and mouse? Maybe I'm just brain-dead today. :eek:
  11. wardmundy Nerd Uno

    Kinda depends on who designed and tested the firewall and whether anyone down the road "improves" it. ;)
  12. drsatch New Member

    Cisco did mine..haha
  13. wardmundy Nerd Uno

    My rule of thumb goes like this... The more layers of protection you have, the better off you are particularly when some of the layers are not in your immediate control.

    In a former life, we had hundreds of Cisco routers that were maintained by a telecommunications company that professed to be an expert in all things Cisco.

    A few years later when we hired a Cisco engineer locally, it took him under 5 minutes to guess the password... and it turned out the network wizards had used the same password on every single router in the organization... nationwide. That made us all sleep well. :eek:
  14. drsatch New Member

    UNCLE! UNCLE! (Ward that is)

    I was just trying to be funny. Don't want to hijack a thread either.

    Maybe you have some insight to the externip issue and the starting at boot? I have it working correctly...even sounds good. But at this point I don't have a monitor hooked up to it and when I close an ssh connection, all stops.

    I've tried:
    skype &
    nohup skype &
    xterm skype &
  15. Ktool New Member

    works with pub ip entry too

    I put my public IP in SipToSkypeAuth.props:
    *,*,xx.xxx.xxx.xxx,calleeid

    and it works. As I understand it, this will only allow connections from my public IP address. So really how can someone outside my network with a different public IP address be granted? I don't know if an IP address can be spoofed.
  16. drsatch New Member

    Ya I get that, but how does this affect someone with a Dynamic IP? Can a hostname be used instead?
  17. drsatch New Member

    Ok, I have no idea how to have this start at boot.

    Here's what I did:

    Installed tightvnc-server and connected from my desktop. (Used a non root account on both desktop and pbx)

    terminal came up

    typed skype &
    ran the siptosis script

    closed vnc window

    This works for me as I very rarely have to reboot.

    Hope that gives some insight.
  18. jroper Guru

    In respect of dynamic IP addresses, there is a script available which will update your externip every few minutes. Have a search round and you will find something.

    Starting something in an SSH screen, then closing the SSH screen stops whatever you started (unless it's a service).

    Investigate the command "screen" if you want to start something and leave it running when you disconnect the putty session.

    Alternatively, put the commands to start whatever you want to start in /etc/rc.d/rc.local, then it will start on boot.


    In respect of security, there are a number of layers to consider.

    The first one is at the application itself. If an application is set only to listen to "localhost" then provided that there are no security holes in the application, then whether there is a firewall present or not, it should not be possible to get into the system via that route, because it's not listening.

    e.g. we can leave the MySQL database with the default root password of passw0rd, because to get in, you need to have the password, and be connecting from 127.0.0.1. The same would apply to the asterisk Manager, with its password of amp109, and the asteriskuser MySQL password amp111. The security is that those usernames are only listening to connections on the local box. Indeed you could argue that the presence of a password on those accounts is surplus to requirements, as everyone knows them anyway.

    This is a powerful way of locking down extensions, make them listen to a range of ip addresses determined by you using deny and permit, which stops the application (asterisk in this case) listening, and therefore responding.

    If something is listening to the outside world, then we need to use a form of security which is very secure - e.g. a password.

    The next layer is the firewall or IP tables. If you have done the job properly, then nothing should be listening. But there are a whole load of applications on a CentOS box, and any one of them may have a security flaw yet to be discovered. So the firewall ensures that packets destined for ports where nothing should be listening are dropped, and then we don't have to worry about them.

    Finally, there is your external firewall, which should stop stuff getting to the PBX in the first place, unless you want it there.

    So when you add or configure something new, it's good practice to :-

    1. Make sure it's only listening and responding to addresses you want it to listen to, set IP tables to only allow connections from that address as well as a belt and braces approach.

    2. If you need it to listen to everyone and anyone, - e.g. your webserver, then make sure that it has a good password, and the application itself is suited to being exposed to the outside world.

    3. If a port does not need access, then close it down with IPTables to prevent anyone having a go, and exploiting a yet undiscovered security flaw.

    Joe
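
Added example, not part of the thread or of SipToSis: a Python check for the first layer described in the post above, listing sockets bound to anything other than loopback by parsing the `/proc/net/tcp` and `/proc/net/udp` layout. The sample tables are constructed, the function names are hypothetical, and a little-endian (x86) host is assumed.

```python
import ipaddress
import socket
import struct

# Constructed sample tables in /proc/net/{tcp,udp} layout (not taken from the thread).
# Ports in hex: 0CEA=3306 (MySQL), 0016=22, 13CE=5070 (port in the thread's log), 13C4=5060.
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
TAIL = " 00000000:00000000 00:00000000 00000000     0        0 0 1\n"
SAMPLE_TCP = (HEADER
    + "   0: 0100007F:0CEA 00000000:0000 0A" + TAIL   # listening on 127.0.0.1
    + "   1: 00000000:0016 00000000:0000 0A" + TAIL   # listening on 0.0.0.0
    + "   2: 0100007F:0CEA 0100007F:9C40 01" + TAIL)  # established, not a listener
SAMPLE_UDP = (HEADER
    + "   0: 00000000:13CE 00000000:0000 07" + TAIL   # bound to 0.0.0.0
    + "   1: 0100007F:13C4 00000000:0000 07" + TAIL)  # bound to 127.0.0.1

LISTEN_STATE = {"tcp": "0A", "udp": "07"}  # TCP LISTEN; unconnected UDP socket


def parse_listeners(table, proto):
    """Yield (proto, ip, port) for every listening socket in one /proc/net table."""
    for line in table.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN_STATE[proto]:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The kernel prints the raw 32-bit address, so on x86 the bytes are reversed.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        yield proto, ip, int(hex_port, 16)


def audit(tcp_table, udp_table, allowed=()):
    """Return listeners bound to a non-loopback address and not in `allowed`."""
    found = list(parse_listeners(tcp_table, "tcp"))
    found += list(parse_listeners(udp_table, "udp"))
    return [(proto, ip, port) for proto, ip, port in found
            if not ipaddress.ip_address(ip).is_loopback
            and (proto, port) not in allowed]


if __name__ == "__main__":
    # On a live box, pass open("/proc/net/tcp").read() and open("/proc/net/udp").read().
    for proto, ip, port in audit(SAMPLE_TCP, SAMPLE_UDP, allowed={("tcp", 22)}):
        print(f"{proto}/{port} is bound to {ip}: exposed unless a firewall drops it")
```

Anything the audit reports is answering on every interface, so it relies on iptables and the external firewall alone; only IPv4 tables are parsed here.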
  19. bbhenry New Member

    SipToSis_Linux keeps looping with error messages

    Hi people
    Do I “have to” launch SipToSis_Linux under the siptosis directory? I tried launching it from / with the following command:
    /siptosis/SipToSis_Linux
    But it keeps looping and gives me errors, and forces me to reboot the machine to stop it from looping. By the way, launching the program under the siptosis directory works just fine. But now I would like to make it work on boot, and I really don't want to put 2 lines of script into my rc.local.

    Did anyone run into the same issue here? I am suspecting that it might be that I did not specify where java home is. But since I am not familiar with java apps on linux, I can't be sure if that's the issue.
  20. drsatch New Member

    Yes I ran into the same problem. I had to run it from the /siptosis directory.

    I couldn't get anything to work at boot time and even tried some rc.local entries, so I decided to do it through VNC server. It worked just like if I had a monitor plugged into the server itself.

    I connected through VNC and was given a simple x-window and followed the directions Ward posted. I was then able to close the window and everything stayed running.

    It would be nice to be able to have everything start at boot, but it just doesn't look like an option.
