Hi all,
we all enjoy our FAIL2BAN and snippets of our Kamailio config when we see it successfully fight off the "friendly-scanner", and multiple futile attempts to fool our systems. But it got me thinking…
What is a sufficient level of security on our Kamailio machinery…? Are we all just doing whatever, or is it the nature of the beast that every setup is different?
Eventually, while having a beer, we will end up in the discussion that Kamailio is as good as (and even much better than) most of the commercially available SBCs. But, imho, that all depends on the configuration.
There are a few good reads available, and on the security front I personally love Pike, Topoh, Dnssec, Htable, and recently I think I'm doing rather clever stuff with CNXCC… And I do feel comfortable with my setups; they won't be hacked…
But do we have a sort-of stake-in-the-ground example configuration which we can consider as being more than sufficiently secure? Some config where we can tick off all the known security risks for SIP (as chapter 26 of RFC 3261 gives the state of the art back in 2002)? Or would that be a nice idea for a micro project?
Grtz,
Davy
Dear List,
I have some strange error when using the sipML5 client (over WebSockets)
with a Kamailio 4.0 server when sending a SUBSCRIBE request.
Here is my log print:
Apr 18 02:55:21 oren-ubuntu /usr/sbin/kamailio[26476]: WARNING: <core>
[msg_translator.c:2499]: TCP/TLS connection (id: 0) for WebSocket could not
be found (tcp:10.0.0.4:8080)
Apr 18 02:55:21 oren-ubuntu /usr/sbin/kamailio[26476]: ERROR: tm
[t_msgbuilder.c:1367]: assemble_via: via building failed
Apr 18 02:55:21 oren-ubuntu /usr/sbin/kamailio[26476]: ERROR: tm
[t_msgbuilder.c:1540]: build_uac_req(): Error while assembling Via
Apr 18 02:55:21 oren-ubuntu /usr/sbin/kamailio[26476]: ERROR: tm
[uac.c:338]: t_uac: Error while building message
Apr 18 02:55:21 oren-ubuntu /usr/sbin/kamailio[26476]: ERROR: presence
[notify.c:1591]: in function tmb.t_request_within
Apr 18 02:55:21 oren-ubuntu /usr/sbin/kamailio[26476]: ERROR: presence
[notify.c:1678]: sending Notify not successful
Apr 18 02:55:21 oren-ubuntu /usr/sbin/kamailio[26476]: ERROR: presence
[subscribe.c:678]: Could not send notify
Apr 18 02:55:21 oren-ubuntu /usr/sbin/kamailio[26476]: ERROR: presence
[subscribe.c:713]: occured
Apr 18 02:55:21 oren-ubuntu /usr/sbin/kamailio[26476]: ERROR: presence
[subscribe.c:994]: in update_subscription
Could anyone help here?
I think it is only some configuration problem, but I'm not sure how to
solve it.
Hi,
when I use t_reply("505", "Error"); in my failure route, the response is
not forwarded and the following is written into the log:
kamailio[26216]: WARNING: tm [t_lookup.c:1559]: t_unref(): WARNING: script
writer didn't release transaction
plus the next line is written exactly 416000 times into the log afterwards:
kamailio[32685]: CRITICAL: dialog [dlg_hash.c:794]: log_next_state_dlg():
bogus event 4 in state 5 for dlg 0xb4af6588 [2575:7017] with clid
'121d44f0-6555f4c8' and tags 'd12546d053aadc68o2' ''
My point is to change the incoming code from users and append a Q.850
reason code.
Is there any other way to do this, or a way to fix this?
I'm using Kamailio 4.0.4 on Debian 7.1.
The code is as follows:
failure_route[MANAGE_FAILURE]
{
    if (t_is_canceled()) {
        exit;
    }
    if ($T_reply_code == 408 && isflagset(10))
    {
        xlog("Ringing timeout");
        append_to_reply("Reason: Q.850;cause=28\r\n");
        t_reply("505", "Error");
    }
}
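The two posts above quote Kamailio log output in the same shape: process id, level, module, source file and line, then the message. As an added example (Python written for this page, not code from the posts or from the Kamailio project), here is a small triage script for that format. It masks the variable parts of a message (pointers, quoted call-ids and tags, numbers) into a template, so that a flood such as the dialog line written 416000 times collapses to one counted template, and for an error cascade like the WebSocket one it reports the last WARNING that preceded the first ERROR from the same process, which is usually the line that explains the rest. The sample lines are constructed from the ones quoted above: wrapped lines are re-joined, and the CRITICAL dialog line is repeated three times with made-up pointers and tags to stand in for the flood.

```python
import re
from collections import Counter

# Shape of the Kamailio syslog lines quoted in the posts. The "<date> <host> /usr/sbin/"
# prefix is present in one post and absent in the other, so it is optional here:
#   [Apr 18 02:55:21 host /usr/sbin/]kamailio[PID]: LEVEL: module [file.c:line]: message
LOG_RE = re.compile(
    r"^(?:\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+)?(?:\S*/)?kamailio\[(?P<pid>\d+)\]:\s+"
    r"(?P<level>[A-Z]+):\s+(?P<module><?[\w-]+>?)\s+\[(?P<file>[\w.-]+):(?P<line>\d+)\]:\s*"
    r"(?P<msg>.*)$")

# Variable parts to mask so that repeats of one message share a template.
_VARIABLE = [
    (re.compile(r"0x[0-9a-fA-F]+"), "0xADDR"),   # pointers such as "dlg 0xb4af6588"
    (re.compile(r"'[^']*'"), "'<str>'"),         # call-ids and tags in quotes
    (re.compile(r"\b\d+\b"), "N"),               # ids, ports, states, event numbers
]


def parse_line(line):
    """Return the fields of one Kamailio log line, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["line"] = int(rec["line"])
    return rec


def normalize(msg):
    """Reduce a message to a template by masking pointers, quoted ids and numbers."""
    for rx, repl in _VARIABLE:
        msg = rx.sub(repl, msg)
    return msg


def template_counts(lines):
    """Count how often each (level, module, template) occurs; floods stand out here."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        counts[(rec["level"], rec["module"], normalize(rec["msg"]))] += 1
    return counts


def floods(lines, threshold):
    """Templates repeated at least `threshold` times (the 416000x dialog line case)."""
    return {key: n for key, n in template_counts(lines).items() if n >= threshold}


def first_warning_before_errors(lines):
    """The last WARNING logged by a process before its first ERROR.

    In the WebSocket cascade this is the <core> line about the missing TCP/TLS
    connection, which the tm and presence errors that follow are consequences of."""
    last_warning = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["level"] == "WARNING":
            last_warning[rec["pid"]] = rec
        elif rec["level"] == "ERROR" and rec["pid"] in last_warning:
            return last_warning[rec["pid"]]
    return None


# Constructed sample, assembled from the lines quoted in the two posts above.
SAMPLE = [
    "Apr 18 02:55:21 oren-ubuntu /usr/sbin/kamailio[26476]: WARNING: <core> [msg_translator.c:2499]: TCP/TLS connection (id: 0) for WebSocket could not be found (tcp:10.0.0.4:8080)",
    "Apr 18 02:55:21 oren-ubuntu /usr/sbin/kamailio[26476]: ERROR: tm [t_msgbuilder.c:1367]: assemble_via: via building failed",
    "Apr 18 02:55:21 oren-ubuntu /usr/sbin/kamailio[26476]: ERROR: tm [t_msgbuilder.c:1540]: build_uac_req(): Error while assembling Via",
    "Apr 18 02:55:21 oren-ubuntu /usr/sbin/kamailio[26476]: ERROR: tm [uac.c:338]: t_uac: Error while building message",
    "Apr 18 02:55:21 oren-ubuntu /usr/sbin/kamailio[26476]: ERROR: presence [notify.c:1678]: sending Notify not successful",
    "kamailio[26216]: WARNING: tm [t_lookup.c:1559]: t_unref(): WARNING: script writer didn't release transaction",
    # The flood: same template, different dialog pointer, call-id and tag on every repeat.
    "kamailio[32685]: CRITICAL: dialog [dlg_hash.c:794]: log_next_state_dlg(): bogus event 4 in state 5 for dlg 0xb4af6588 [2575:7017] with clid '121d44f0-6555f4c8' and tags 'd12546d053aadc68o2' ''",
    "kamailio[32685]: CRITICAL: dialog [dlg_hash.c:794]: log_next_state_dlg(): bogus event 4 in state 5 for dlg 0xb4af7a10 [2576:7018] with clid 'constructed-clid-1' and tags 'constructed-tag-1' ''",
    "kamailio[32685]: CRITICAL: dialog [dlg_hash.c:794]: log_next_state_dlg(): bogus event 4 in state 5 for dlg 0xb4af8b22 [2577:7019] with clid 'constructed-clid-2' and tags 'constructed-tag-2' ''",
]

if __name__ == "__main__":
    root = first_warning_before_errors(SAMPLE)
    print("root warning:", root["module"], root["file"], root["msg"])
    for (level, module, tpl), n in floods(SAMPLE, 3).items():
        print(f"flood x{n}: {level} {module}: {tpl}")
```

Feeding a real log through `floods()` with a threshold in the thousands is a quick way to find the line that fills the disk, while `first_warning_before_errors()` points at where to start reading a cascade instead of at its last line.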
Hi,
I locally generate a BYE using dlg_end_dlg. When I want to end a call that is
"transport layer" bridged, the BYE is not sent to the first hop in the route set
but directly to the endpoint. In such a BYE there are no Route headers. In
non-bridging calls the Routes are correctly placed and the message is routed to
the first "hop".
When the error happens, this is written to a log:
WARNING: rr [loose.c:821]: after_loose(): no socket found for match second
RR
Here ([SR-Users] no socket found for match second RR) I have read this is
only a warning, but in my configuration it seriously influences the message
routing.
My setup is
phone1(192.168.10.3) <--TCP--> kamailio1(192.168.10.2) <--UDP-->
kamailio2(192.168.5.3) <--UDP--> phone2
On kamailio1 I generate dlg_end_dlg and the BYE is sent to phone1 and
phone2 directly.
I'm using Kamailio 4.0.4 on Debian machines.
How can I make kamailio1 send the BYE to kamailio2 in the transport
layer bridging scenario? Do I have some misconfiguration, or is this not
correct behaviour?
Thanks for your answer
Efelin
Hi there,
I'm trying to use tmrec_match in order to create routing rules based on time,
but without success. Please have a look at my code and the errors that I got:
Code block:
if(tmrec_match("20130101T080500|24H|weekly|||MO,TU,WE,TH,FR"))
{
    xlog("L_INFO", "time match R=$ru ID=$ci\n");
}
Error:
ERROR: <core> [tmrec.c:1320]: tr_parse_recurrence_string(): failed to parse
time recurrence [20130101T080500|24H]
My server has the following date/hour
Seg Dez 30 18:35:57 WET 2013
Thanks for your help
--
Regards
José Seabra
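The recurrence string tmrec_match() takes has the field order dtstart|duration|freq|until|interval|byday, with the duration written as an ISO 8601 duration (PT8H, P1D, PT24H); that field order and duration format are taken from the tmrec module documentation, and the parse error quoted above is raised by that parsing stage. As an added example, written in Python for this page and not the module's own C code, here is a parser and matcher for that format, deliberately limited to the daily and weekly frequencies and to the first six fields. It rejects a duration without the P/PT prefix, exposes a validity check that a config linter could run before a restart, and evaluates a wall-clock time against the window, including windows that cross midnight and the interval field. The matching logic is a simplified reimplementation of the documented semantics, not Kamailio's.

```python
import re
from datetime import datetime, timedelta

# byday codes map onto datetime.weekday() (Monday == 0).
DAY_CODES = {"MO": 0, "TU": 1, "WE": 2, "TH": 3, "FR": 4, "SA": 5, "SU": 6}

# ISO 8601 duration subset P[nD][T[nH][nM][nS]], e.g. PT8H or P1D. Assumption: this subset
# covers what a routing rule needs; it is not the full ISO 8601 grammar.
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
STAMP_FMT = "%Y%m%dT%H%M%S"  # dtstart / until, e.g. 20130101T080500


class TmrecError(ValueError):
    """Raised when the recurrence string cannot be parsed."""


def parse_duration(text):
    """'PT8H' -> 8 hours, 'P1D' -> 1 day; a bare '24H' (no P/PT prefix) is rejected."""
    m = DURATION_RE.match(text)
    if not m or text in ("P", "PT"):
        raise TmrecError(f"failed to parse time recurrence duration [{text}]")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_tmrec(spec):
    """Split 'dtstart|duration|freq|until|interval|byday' and validate each field."""
    fields = spec.split("|")
    if len(fields) < 3:
        raise TmrecError(f"failed to parse time recurrence [{spec}]")
    fields += [""] * (6 - len(fields))          # missing trailing fields mean "unset"
    dtstart, duration, freq, until, interval, byday = fields[:6]
    try:
        start = datetime.strptime(dtstart, STAMP_FMT)
        until_dt = datetime.strptime(until, STAMP_FMT) if until else None
        ivl = int(interval) if interval else 1
    except ValueError:
        raise TmrecError(f"bad timestamp or interval in [{spec}]") from None
    if freq not in ("daily", "weekly"):          # this example only models these two
        raise TmrecError(f"unsupported freq [{freq}]")
    days = set()
    for code in filter(None, byday.split(",")):
        if code not in DAY_CODES:
            raise TmrecError(f"bad byday code [{code}]")
        days.add(DAY_CODES[code])
    return {"start": start, "duration": parse_duration(duration), "freq": freq,
            "until": until_dt, "interval": ivl, "byday": days}


def tmrec_is_valid(spec):
    """Preflight check a config linter could run over kamailio.cfg before a restart."""
    try:
        parse_tmrec(spec)
        return True
    except TmrecError:
        return False


def _week_start(d):
    """Monday of the week containing d, as a date."""
    return d.date() - timedelta(days=d.weekday())


def tmrec_match(spec, now):
    """True if `now` lies inside an occurrence window [occurrence, occurrence + duration)."""
    rec = parse_tmrec(spec)
    start = rec["start"]
    if now < start or (rec["until"] and now > rec["until"]):
        return False
    # Occurrences begin at dtstart's time of day. Test today's and yesterday's candidate so
    # a window that crosses midnight (PT24H starting at 08:05) still matches next morning.
    for back in (0, 1):
        cand = (now - timedelta(days=back)).replace(
            hour=start.hour, minute=start.minute, second=start.second, microsecond=0)
        if cand < start or not (cand <= now < cand + rec["duration"]):
            continue
        if rec["freq"] == "weekly":
            if rec["byday"] and cand.weekday() not in rec["byday"]:
                continue
            weeks = (_week_start(cand) - _week_start(start)).days // 7
            if weeks % rec["interval"]:
                continue
        elif (cand.date() - start.date()).days % rec["interval"]:   # daily
            continue
        return True
    return False


def tmrec_match_at(spec, stamp):
    """Convenience wrapper taking the timestamp in dtstart notation, e.g. '20131230T183557'."""
    return tmrec_match(spec, datetime.strptime(stamp, STAMP_FMT))


if __name__ == "__main__":
    rule = "20130101T080500|PT8H|weekly|||MO,TU,WE,TH,FR"
    print(tmrec_is_valid("20130101T080500|24H|weekly|||MO,TU,WE,TH,FR"))  # False: no PT prefix
    print(tmrec_match_at(rule, "20131230T183557"))                       # Monday 18:35, after 16:05
```

The server time quoted above, Monday 30 December 2013 at 18:35:57, falls outside an eight-hour window that opens at 08:05, so even a correctly parsed business-hours rule would not match at that moment; a PT24H duration starting on a weekday morning does.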
Another year packed in the archive, thanks everyone for filling it with
excellent achievements and, along them, keeping Kamailio project moving
forward!
I expect another wonderful year ahead for the project and I am looking
forward to collaborating further within this brilliant community as well
as meeting many of you at Kamailio World and other events worldwide.
I wish everyone a prosperous and successful 2014!
Happy new year!
Daniel
--
Daniel-Constantin Mierla - http://www.asipto.com - http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
>
> Hello,
>
> you should enable core dumping - that should be via running 'ulimit -c
> unlimited' before you start rtpproxy.
>
> If you get the coredump, then grab the backtrace with gdb, it should
> show where rtpproxy crashed. With that info, maybe we can spot a fix for it.
>
> Hopefully the rtpproxy package is with debug symbols; if not, then look for a
> rtpproxy-dbg package and install it if found.
>
> Cheers,
> Daniel
>
> On 20/12/13 18:59, Jr Richardson wrote:
>> Hi All,
>> root@sip-router3-ve206:/etc/kamailio# kamailio -V
>> version: kamailio 4.1.0 (x86_64/linux) 350d2e
>> Doing some testing, can't seem to get rtpproxy to not segfault. I've
>> loaded version from deb-squeeze pkg, from source
>> http://b2bua.org/chrome/site/rtpproxy-1.2.1.tar.gz and from
>> git://sippy.git.sourceforge.net/gitroot/sippy/rtpproxy (which
>> should be the latest) but all versions segfault as soon as a call sets up.
>> I've configured each version's control socket for both udp or unix,
>> kamailio starts and sees the rtpproxy fine with no errors, but when a
>> call hits, rtpproxy segfaults.
>> I've run rtpproxy in the foreground with debug and get this response
>> (IPs washed x.x.x):
>> ------------------
>> DBUG:handle_command: received command "7505_12 USIEc0,101
>> 0adb2f8449b8c9026f993a0a7db9ab5d(a)x.x.x.76 x.x.x.76 23388 as33dd7c98;1"
>> INFO:handle_command: new session
>> 0adb2f8449b8c9026f993a0a7db9ab5d(a)x.x.x.76, tag as33dd7c98;1 requested,
>> type strong
>> Segmentation fault
>> ------------------
>> root@sip-router3-ve206:/etc/kamailio# more /etc/default/rtpproxy
>> # Defaults for rtpproxy
>> # The control socket.
>> CONTROL_SOCK="unix:/var/run/rtpproxy/rtpproxy.sock"
>> # To listen on an UDP socket, uncomment this line:
>> #CONTROL_SOCK="udp:127.0.0.1:7722"
>> # Additional options that are passed to the daemon.
>> EXTRA_OPTS="-l x.x.x.20"
>> kamailio.cfg:
>> loadmodule "rtpproxy.so"
>> modparam("rtpproxy", "rtpproxy_sock", "udp:127.0.0.1:7722")
>> inside route[]
>>
>> add_path_received();
>> rtpproxy_manage("cwei");
>> record_route();
>> Any guidance on further identifying the issue?
>> Thanks.
>> JR
I'm not very familiar with gdb, but did manage to get a core dump and
here are the results:
-------------------------------------------
root@rtpproxy:/usr/src/rtpproxy-git# gdb
/usr/src/rtpproxy-git/rtpproxy -c /usr/src/rtpproxy-git/core
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/src/rtpproxy-git/rtpproxy...done.
[New Thread 11256]
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging
symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/libnss_compat.so.2...(no debugging symbols
found)...done.
Loaded symbols for /lib/libnss_compat.so.2
Reading symbols from /lib/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libnss_nis.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_nis.so.2
Reading symbols from /lib/libnss_files.so.2...(no debugging symbols
found)...done.
Loaded symbols for /lib/libnss_files.so.2
Core was generated by `./rtpproxy -f -l x.x.x.x -s udp:x.x.x.x 7722 -p
/var/run/rtpproxy/rtp'.
Program terminated with signal 11, Segmentation fault.
#0 create_twinlistener (cf=0x7fff957ec2d0, ia=0x0, port=<value
optimized out>, fds=<value optimized out>)
at rtpp_command.c:97
97 fds[i] = socket(ia->sa_family, SOCK_DGRAM, 0);
(gdb) bt
#0 create_twinlistener (cf=0x7fff957ec2d0, ia=0x0, port=<value
optimized out>, fds=<value optimized out>)
at rtpp_command.c:97
#1 create_listener (cf=0x7fff957ec2d0, ia=0x0, port=<value optimized
out>, fds=<value optimized out>)
at rtpp_command.c:143
#2 0x000000000040967d in handle_command (cf=0x7fff957ec2d0,
controlfd=<value optimized out>,
cmd=0x7f73bf148d00, dtime=<value optimized out>) at rtpp_command.c:837
#3 0x000000000040bc9d in process_commands (cf=0x7fff957ec2d0,
controlfd_in=3, dtime=<value optimized out>)
at rtpp_command_async.c:63
#4 0x000000000040bd75 in rtpp_cmd_queue_run (arg=<value optimized
out>) at rtpp_command_async.c:92
#5 0x00007f73bff6e8ca in start_thread () from /lib/libpthread.so.0
#6 0x00007f73bfa53b6d in clone () from /lib/libc.so.6
#7 0x0000000000000000 in ?? ()
(gdb)
---------------------------------------------------------------------------------
I could not find an rtpproxy debug package and the install notes do
not tell how to compile with debugging symbols.
Thanks.
JR
--
JR Richardson
Engineering for the Masses
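The backtrace above already contains the answer to "where did it crash": frame #0 shows `ia=0x0` being passed into create_twinlistener, and the faulting source line dereferences that pointer (`ia->sa_family`), so this is a NULL-pointer dereference handed down from handle_command rather than memory corruption, and frames #5 to #7 resolve only to libpthread/libc or `??` because no debug symbols are installed for them. As an added example, not code from rtpproxy or from this thread, here is a Python script that extracts exactly those facts from `bt` output: it re-joins frames that the mail client wrapped, lists arguments that arrived as 0x0, derives a stable crash signature for deduplicating reports, and flags unsymbolized frames. The sample is the backtrace quoted above, kept with the mail's line wrapping.

```python
import hashlib
import re

# One gdb frame after re-joining wrapped lines, e.g.
#   #2 0x000000000040967d in handle_command (cf=0x7fff957ec2d0, ...) at rtpp_command.c:837
#   #5 0x00007f73bff6e8ca in start_thread () from /lib/libpthread.so.0
FRAME_RE = re.compile(
    r"^#(?P<no>\d+)\s+(?:(?P<pc>0x[0-9a-fA-F]+)\s+in\s+)?(?P<func>\S+)\s+\((?P<args>.*)\)"
    r"(?:\s+at\s+(?P<file>\S+):(?P<line>\d+)|\s+from\s+(?P<lib>\S+))?\s*$")


def join_wrapped(text):
    """Mail clients wrap long frames: a line not starting with '#' continues the previous one."""
    frames = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(gdb)"):
            continue
        if line.startswith("#") or not frames:
            frames.append(line)
        else:
            frames[-1] += " " + line
    return frames


def parse_backtrace(text):
    """Parse 'bt' output into frames: no, pc, func, args (name -> value), file, line, lib."""
    frames = []
    for line in join_wrapped(text):
        m = FRAME_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        f["no"] = int(f["no"])
        f["line"] = int(f["line"]) if f["line"] else None
        f["args"] = dict(a.strip().split("=", 1) for a in f["args"].split(",") if "=" in a)
        frames.append(f)
    return frames


def null_pointer_args(frames):
    """(frame, function, argument) triples whose value is 0x0: the NULL that frame #0 dereferences."""
    return [(f["no"], f["func"], name)
            for f in frames for name, value in f["args"].items() if value == "0x0"]


def crash_signature(frames, depth=3):
    """Dedup key for bug reports: the top `depth` frames with source info, plus a short hash."""
    funcs = [f["func"] for f in frames if f["file"]][:depth]
    key = "|".join(funcs)
    return key, hashlib.sha256(key.encode()).hexdigest()[:12]


def frames_without_symbols(frames):
    """Frames resolved only to a library or '??': what a -dbg package would fill in."""
    return [f["no"] for f in frames if not f["file"]]


def triage(text):
    """One-shot summary suitable for pasting into a bug report."""
    frames = parse_backtrace(text)
    top = frames[0] if frames else None
    return {
        "faulting_frame": f"{top['func']} at {top['file']}:{top['line']}" if top else None,
        "null_args": null_pointer_args(frames),
        "signature": crash_signature(frames),
        "unsymbolized_frames": frames_without_symbols(frames),
    }


# Constructed sample: the backtrace quoted above, with the mail's line wrapping left in.
SAMPLE_BT = """\
(gdb) bt
#0 create_twinlistener (cf=0x7fff957ec2d0, ia=0x0, port=<value
optimized out>, fds=<value optimized out>)
at rtpp_command.c:97
#1 create_listener (cf=0x7fff957ec2d0, ia=0x0, port=<value optimized
out>, fds=<value optimized out>)
at rtpp_command.c:143
#2 0x000000000040967d in handle_command (cf=0x7fff957ec2d0,
controlfd=<value optimized out>,
cmd=0x7f73bf148d00, dtime=<value optimized out>) at rtpp_command.c:837
#3 0x000000000040bc9d in process_commands (cf=0x7fff957ec2d0,
controlfd_in=3, dtime=<value optimized out>)
at rtpp_command_async.c:63
#4 0x000000000040bd75 in rtpp_cmd_queue_run (arg=<value optimized
out>) at rtpp_command_async.c:92
#5 0x00007f73bff6e8ca in start_thread () from /lib/libpthread.so.0
#6 0x00007f73bfa53b6d in clone () from /lib/libc.so.6
#7 0x0000000000000000 in ?? ()
(gdb)
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BT).items():
        print(f"{key}: {value}")
```

The signature (top source-level frames, hashed) is what you would compare across the deb-squeeze, 1.2.1 and git builds mentioned in the thread: if all three produce the same key, it is one bug reached three times, and the NULL `ia` argument tells the maintainers which call path to look at.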
Dear All,
I am working on Kamailio (v4.0), installed and configured on an Ubuntu
(12.04) system, and it runs on a private IP address. I have also configured
Media proxy with the server.
I have two kinds of SIP clients: one is SIP hard phones and the other is
IMSDroid clients.
But the problem is its strange behaviour, which I didn't get:
--> When I call between two SIP hardphones, calls are OK. But when I tried
to call between two soft clients (IMSDroid), the very first time is fine
without any problems. After that first session ends, if I call again
between two soft clients, there is NO AUDIO on both sides.
--> Through SIP hardphones audio would be OK, but once the first call between
soft clients (IMSDroid) ends, thereafter no calls will stream RTP packets
through these SIP hardphones either.
But the SIP session is successfully established between all the clients,
and ends with no audio.
I know that the Kamailio server will not negotiate any RTP streams; it is only a
proxy server. But something somewhere is going wrong; can anybody guess what may be
the reason for no audio?
Any help will be greatly appreciated.
Regards,
Nandini
I added the following rules on iptables, but it does not work.
iptables -A INPUT -j BLACKLIST
iptables -A BLACKLIST -p udp -m udp --dport 5060 -m string --string
'friendly-scanner' --algo bm -m comment --comment 'friendly-scanner' -j DROP
Any suggestions will be appreciated.