Hi,
Problem Description:
Customer security scan returned unconfined services on Kamailio.
Unconfined processes run in unconfined domains
Rationale:
For unconfined processes, SELinux policy rules are applied, but policy
rules exist that allow processes running
in unconfined domains almost all access. Processes running in unconfined
domains fall back to using DAC
rules exclusively. If an unconfined process is compromised, SELinux does
not prevent an attacker from
gaining access to system resources and data, but of course, DAC rules are
still used. SELinux is a security
enhancement on top of DAC rules - it does not replace them.
Solution
Investigate any unconfined processes found during the audit action. They
may need to have an existing security
context assigned to them or a policy built for them.
Notes:
Occasionally certain daemons such as backup or centralized management
software may require running
unconfined. Any such software should be carefully analyzed and documented
before such an exception is made.
See Also
https://workbench.cisecurity.org/files/2485
For Kamailio
======
The command returned :
00 kamailio
00 kamailio
00 kamailio
00 kamailio
00 kamailio
10 kamailio
10 kamailio
10 kamailio
10 kamailio
00 kamailio
00 kamailio
00 kamailio
00 kamailio
33 kamailio
33 kamailio
33 kamailio
32 kamailio
17 kamailio
16 kamailio
33 kamailio
00 kamailio
00 kamailio
03 kamailio
05 kamailio
18 kamailio
17 kamailio
18 kamailio
18 kamailio
07 kamailio
00 sleep
Is any security context available to assign to the kamailio processes?
Can these services be run as confined services?
Please suggest a resolution, thanks in advance.
Thanks & Regards,
Hima Bindu.
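An added example, not from the post or from the CIS benchmark, that recovers the SELinux domain behind the audit output above. It assumes the scan ran the benchmark's "ps -eZ" pipeline, whose tr/awk post-processing keeps only the last two columns (the "NN kamailio" lines would then be the seconds of the TIME column plus the command name); the sample "ps -eZ" lines below are constructed.

```python
import re
from typing import Dict, List

# Domains the CIS check treats as unconfined. initrc_t is included because a
# service started without a domain transition lands there on older policies.
UNCONFINED_TYPES = {"unconfined_t", "unconfined_service_t", "initrc_t"}

# Constructed sample of `ps -eZ` output (not from the original post): one
# confined daemon and the kind of Kamailio workers the scan complained about.
SAMPLE_PS_EZ = """\
LABEL                               PID TTY          TIME CMD
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 ?        00:00:00 sshd
system_u:system_r:unconfined_service_t:s0 1620 ?     00:00:33 kamailio
system_u:system_r:unconfined_service_t:s0 1621 ?     00:00:00 kamailio
system_u:system_r:unconfined_service_t:s0 1650 ?     00:00:00 sleep
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d{2}:\d{2}:\d{2})\s+(.+)$")


def parse_ps_ez(text: str) -> List[Dict[str, str]]:
    """Split each `ps -eZ` line into its SELinux context fields plus pid/cmd."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:            # header line or something we cannot parse
            continue
        user, role, typ, level = m.group(1).split(":", 3)
        rows.append({"user": user, "role": role, "type": typ, "level": level,
                     "pid": m.group(2), "cmd": m.group(5)})
    return rows


def unconfined_processes(text: str) -> List[Dict[str, str]]:
    """Return the processes whose SELinux type is an unconfined domain."""
    return [r for r in parse_ps_ez(text) if r["type"] in UNCONFINED_TYPES]


def summarize(text: str) -> Dict[str, Dict[str, int]]:
    """Per command, how many processes run in which unconfined domain; this is
    the information the scan's `NN kamailio` lines no longer carry."""
    out: Dict[str, Dict[str, int]] = {}
    for r in unconfined_processes(text):
        out.setdefault(r["cmd"], {}).setdefault(r["type"], 0)
        out[r["cmd"]][r["type"]] += 1
    return out
```

Run it against real `ps -eZ` output to see the exact domain (unconfined_t, unconfined_service_t or initrc_t) each flagged process is in; that is what decides whether an existing context can be assigned or a policy has to be written.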
For the 3rd year, we are planning an online version of Kamailio World
Conference!
At the beginning of 2022, the situation was not clear in terms of
whether the pandemic would decrease enough in intensity and we would be
allowed to organize an on-site event in late spring/beginning of summer,
when the usual Kamailio Conference took place in Berlin, therefore we
chose the safe path. But we hope that next year we will return
in person to the beautiful Berlin city center!
The event this year, to happen in 4 weeks from now (Sep 7-8, 2022),
follows the structure of the previous edition, being two afternoons with
presentations about Kamailio, sharing technical solutions and open
discussions, allowing the community to interact and reconnect.
The website of the event:
- https://kamailioworld.com/k10-online/
There is no registration required; the event will happen on live video
conferencing, also streamed to YouTube. A text chatting channel will be
made available as well.
If you want to present, just send me the title and a short description
-- we encourage community members to step forward and share their
knowledge. It has to be related to Kamailio and fit within a 30min slot
(including the questions). The agenda will be released in the near future.
The event will be used also to celebrate 21 years of Kamailio project
development, first commit being done on Sep 3, 2001.
Two other major celebrations for 2022 to make the party bigger:
- 20 years of open source for the project -- after one year of
internal development, GPL was added on Sep 19, 2002 and source code was
released to public
- the 10th edition of Kamailio World Conference
Book the dates in your agenda! I am looking forward to a very
interesting event and (re-)connecting with many of you!
Daniel
--
Daniel-Constantin Mierla -- www.asipto.com -- www.twitter.com/miconda -- www.linkedin.com/in/miconda
Hello
I want to set the correct source port in an outgoing message over TCP. Is it possible? I can't find a pseudo-variable for this.
Currently we have no port number in the contact header, and the other party is sending their BYE to port 5060 instead of to the source port from which the outgoing TCP connection was made.
Regards
Maarten
Hi Experts,
We have been using Kamailio in an Active/Standby Pair (with Keepalived under
the rugs moving the single Virtual IP to access the Active Kamailio) for
some time now. Kamailio also acts as a Registrar for our webrtc endpoints.
It has been serving the purpose pretty well and now we have a requirement
where we need to be syncing the Registration DB between Two Pairs of
Kamailios.
Kamailio-Active(*Pair 1*) -------- Kamailio-Standby(*Pair 1*)
||
Kamailio-Active(*Pair 2*) -------- Kamailio-Standby(*Pair 2*)
We generally keep the counterpart in the same Pair as a notifier
(modparam("dmq", "notification_address", "sip:PEER1_IP:5060")) so as to sync
the dialogs and the userloc data too (modparam("dmq_usrloc", "enable", 1)).
In order to achieve the said requirement with the other Pair, we added
another "notification_address" in the kamailio cfg. At this point, we ran
into weird issues.
1. With Kamailio ver 5.3.2, the subsequent notification_address line in the
cfg file seemed to be overriding the previous one. Hence we see only the
latter peer in the dmq list nodes.
Example:
modparam("dmq", "notification_address", "sip:172.27.45.77:5090")
modparam("dmq", "notification_address", "sip:172.27.45.200:5090")
In this case, "kamcmd dmq.list_nodes" would show the local machine and
172.27.45.200 as the only nodes in the output, i.e. 172.27.45.77 is not
showing up at all, which is problematic, since the local machine
(172.27.45.243 in our case) would not be able to send any dmq sync info to
its peer (172.27.45.77) in the same Pair.
To see if the above issue might have been addressed in a later release, we
upgraded to the latest Kamailio ver 5.6.0.
To our respite, the above issue no longer exists in the new version (though
not sure in which immediate release after v 5.3.2 it would have been initially
fixed).
This is where we have a new issue explained below:
2. The registration data does get synced to the peer Kamailio in the same
Pair, and also to the Kamailio instances in the other Pair. However, the
Socket parameter in the "kamctl ul show" output shows [not set] even on the
side where the websocket connection actually exists.
[root@localhost ~]# kamctl ul show
{
  "jsonrpc": "2.0",
  "result": {
    "Domains": [{
      "Domain": {
        "Domain": "location",
        "Size": 1024,
        "AoRs": [{
          "Info": {
            "AoR": "9008077221",
            "HashID": 1952082106,
            "Contacts": [{
              "Contact": {
                "Address": "sip:Harneet_qifir@172.24.58.210",
                "Expires": 159,
                "Q": -1,
                "Call-ID": "vfli2uv8du3ppda73q5ppe",
                "CSeq": 106,
                "User-Agent": "EngageDigital",
                "Received": "sip:172.27.44.252:60070;transport=ws",
                "Path": "[not set]",
                "State": "CS_NEW",
                "Flags": 0,
                "CFlags": 0,
                "Socket": "[not set]",          <<<<<<<<<<<<<<<<<<<<<<
                "Methods": 7071,
                "Ruid": "uloc-62f26e3b-2677-1",
                "Instance": "<urn:uuid:4fbd3e96-b4de-497b-886d-1ca8ffa016a4>",
                "Reg-Id": 1,
                "Server-Id": 0,
                "Tcpconn-Id": -1,
                "Keepalive": 0,
                "Last-Keepalive": 1660063892,
                "KA-Roundtrip": 0,
                "Last-Modified": 1660063892
              }
            }]
          }
        }
      ],
In order to confirm that the socket actually exists on this Kamailio
instance, I am pasting the below outputs from the same machine, where ws.dump
and even the native netstat confirm that.
[root@localhost ~]# netstat -tunelap | grep 60070
tcp 0 0 172.27.45.199:8080 172.27.44.252:60070 ESTABLISHED 994 17322355 16230/kamailio
[root@localhost ~]# kamcmd ws.dump
{
  connections: {
    1: ws:172.27.44.252:60070 -> ws:172.27.45.199:8080 (state: OPEN, last used 24s ago, sub-protocol: sip)
  }
  info: {
    wscounter: 1
    truncated: no
  }
}
We do need to distinguish the actual Kamailio instance where the websocket
connection actually exists, so as to route the call ahead from the same
instance, or if it does not exist(and it's merely a sync'ed registration
data received over DMQ Channel), then the Kamailio should route the call
ahead to the Kamailio instance in the other Pair, which can then route it
ahead to the Registered webrtc endpoint. We were hoping to use the Socket
Parameter output, but for the said problem, unable to use the same as an
indicator.
So what would be the best way to identify which Kamailio has the websocket
connection with the actual endpoint? Should we rely on the output of
netstat or ws.dump to infer that? I mean this needs to be done in
kamailio.cfg for each call, so I want to know the best way, or if there is a
completely different approach that can be suggested?
Apologies for the long email, but any pointers will be very helpful.
Thanks & Regards,
Harneet Singh
--
"Once you eliminate the impossible, whatever remains, no matter how
improbable, must be the truth" - Sir Arthur Conan Doyle
Hello guys,
Is it possible to have dispatcher recompute the distribution list? i.e.
one server goes down, all traffic for that server goes to the next one,
doubling traffic on that one. Is there a way of, when a host becomes
unreachable, recompute the whole list?
Regards,
David Villasmil
email: david.villasmil.work(a)gmail.com
phone: +34669448337
Hello Team,
I need to modify the contact header in Kamailio before sending an
INVITE request to the SIP trunk provider. Basically it is the IP address in
the contact header that I need to modify. Please suggest a better way to do this.
Below is an example.
OLD (Existing):
Contact: <sip:009169240xxx@45.118.162.x:5080;alias=10.52.26.102~5080~1>
NEW (Needed):
Contact: <sip:00912269240xxx@10.52.26.98:5060>
I tried various functions from the textops module but no hope.
I am looking for a function that can replace the contact header's value.
Please help me with this.
--
Thanks & Regards,
Ankit Jayswal | Specialist - Software Development
Hello.
I have a question about support of ECDHE cipher suites in kamailio-5.6.0 in
centos7 with installed OpenSSL 1.0.2k-fips. We received kamailio with its
modules from https://rpm.kamailio.org/.
Our client can use only cipher suites:
TLS_AES_256_GCM_SHA384 (0x1302)
TLS_CHACHA20_POLY1305_SHA256 (0x1303)
TLS_AES_128_GCM_SHA256 (0x1301)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
And some of them are supported by our openssl:
$ openssl cipher -V
...
0xC0,0x14 - ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
0xC0,0x0A - ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
...
0xC0,0x13 - ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
0xC0,0x09 - ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
...
But when trying to connect with, for example, cipher suite
ECDHE-RSA-AES256-SHA (the same with the other 3 cipher suites), we receive
that it is not allowed:
$ openssl s_client -connect ${kamailio-serper-ip}:${kamailio-server-port} -cipher ECDHE-RSA-AES256-SHA
...
SSL handshake has read 7 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
...
To exclude the influence of other factors, I installed nginx on the same
machine with usage of the same tls certificate and it can use cipher suites
ECDHE-RSA-AES256-SHA and ECDHE-RSA-AES128-SHA.
$ openssl s_client -connect ${nginx-serper-ip}:${nginx-server-port} -cipher ECDHE-RSA-AES256-SHA
...
SSL handshake has read 3271 bytes and written 406 bytes
Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA
...
So, the reason for the failed handshake is probably kamailio.
Tried to add cipher_list modparam:
modparam("tls", "cipher_list", "ECDHE-RSA-AES256-SHA")
but result is the same:
$ openssl s_client -connect ${kamailio-serper-ip}:${kamailio-server-port} -cipher ECDHE-RSA-AES256-SHA
...
SSL handshake has read 7 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
...
Can you, please, help me to add support of cipher suites
ECDHE-RSA-AES256-SHA and ECDHE-RSA-AES128-SHA to kamailio?
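An added example (not from the post or from Kamailio) that reconciles the client's suite list above with the "openssl ciphers -V" output by IANA code point rather than by name, and renders the suites both sides share as the tls module's cipher_list modparam. The sample "ciphers -V" lines are constructed from the ones quoted above; cert_auth="RSA" is an assumption about the server certificate.

```python
import re
from typing import Dict, List, Tuple

# The suites the client in the post offers, keyed by IANA code point.
CLIENT_SUITES: Dict[int, str] = {
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

# Constructed excerpt in the `openssl ciphers -V` line format (not a full capture).
SAMPLE_CIPHERS_V = """\
0xC0,0x14 - ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
0xC0,0x0A - ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
0xC0,0x13 - ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
0xC0,0x09 - ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
"""

# "0xHH,0xHH - NAME ... Au=TYPE ..."
LINE_RE = re.compile(r"^\s*0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})\s+-\s+(\S+)\s.*\bAu=(\S+)")

def parse_ciphers_v(text: str) -> Dict[int, Tuple[str, str]]:
    """Map code point -> (OpenSSL name, authentication type)."""
    out: Dict[int, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            code = (int(m.group(1), 16) << 8) | int(m.group(2), 16)
            out[code] = (m.group(3), m.group(4))
    return out

def negotiable(text: str, cert_auth: str = "RSA") -> Tuple[List[str], List[str]]:
    """Split the client's suites into OpenSSL names both sides share and IANA
    names that cannot work here: absent from the library (the TLS 1.3 suites on
    OpenSSL 1.0.2) or needing a certificate type the server lacks (ECDSA suites
    with an RSA certificate; cert_auth="RSA" is an assumption)."""
    available = parse_ciphers_v(text)
    usable, unusable = [], []
    for code, iana in CLIENT_SUITES.items():
        entry = available.get(code)
        if entry is None or entry[1] not in (cert_auth, "any"):
            unusable.append(iana)
        else:
            usable.append(entry[0])
    return usable, unusable

def cipher_list_modparam(text: str, cert_auth: str = "RSA") -> str:
    """Render the shared suites as the tls module's cipher_list parameter."""
    return 'modparam("tls", "cipher_list", "%s")' % ":".join(negotiable(text, cert_auth)[0])
```

A handshake that has read only 7 bytes received a single TLS alert record, so the server rejected the ClientHello outright; when the suite is already present in cipher_list, as in the last test above, the tls module's own log output is the next thing to check rather than the cipher string.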
I suspect this must have been addressed before but I couldn't find a way of
searching Archives.
I'm using Alpine Linux.
Used "apk add kamailio" to install Kamailio 5.5.4-r1
Following the Instructions on
https://kamailio.org/docs/tutorials/5.5.x/kamailio-install-guide-git/
At the section for "Creating MySQL database" I modify the file and then run
kamdbctl create
ERROR: could not load the script in /usr/lib/kamailio//kamctl/kamdbctl.mysql
for database engine MYSQL
ERROR: database engine not loaded - tried 'MYSQL'
I checked the /usr/lib/kamailio//kamctl/ directory and the file wasn't
there
I suspect I'm missing a module but there aren't any other packages listed
for Kamailio at pkgs.alpinelinux.org
Thanks for your help
P Crossley
Hi
I'm thinking of having a cps preference for each pstn gw that I can check.
I've started thinking of the pike module but it won't allow me to set custom
cps per peer; it seems that the threshold is global.
The ratelimit module needs the queues to be set as modparam, not dynamic AFAICS.
Any hints?
cheers,
Jon
--
PekePBX, the multitenant PBX solution
https://pekepbx.com
I have three Kamailios on three different servers which are dispatching
calls to 9 Asterisks on three different servers using load balancing. All
these Kamailios are using databases installed on those servers. As the
entries of the dispatcher table are the same for all the Kamailios, I want
these Kamailios to use a single database installed on one of the servers.
All these Kamailio instances should use the same database, which is common
between them. And I also want these Kamailios to write into the database by
creating a table that stores all the active calls on the three Kamailios.
Is it possible? How can I do it? Please guide me with some explanation, as
I am not that much of an expert in Kamailio.
Waiting for a quick response.
Regards
VoIP Engineer Vicky