Connecting Peer If The Peer Is Already Connected


Hi list!

I’m working hard on securing my Asterisk… Now I deleted all possibility to access the node as “anonymous” and every call through the proxy will be checked (just known peers are allowed to use it). Furthermore, I restricted the registration of my home phones to the network I reserved for them and I changed the port on my firewall, so that I don’t use 5060 anymore.

Now I have the problem for my cellphone… I need to register from almost any IP (at least in Europe), so I can’t restrict it. Well, the password is NOT simple and random.

Now, I tried to register the user of my cellphone using a PC, as my cellphone was already registered. And Asterisk accepted this registration… 🙁

Unfortunately, I didn’t find any option to restrict this try… How can I do it? And, very important, how can I trigger an event (shell script) if someone tries to register as a peer that is already registered, or if the login was NOT successful, or even if my cellphone successfully registered (for example, to send me an e-mail)?

Thanks Luca Bertoncello
(lucabert@lucabert.de)

4 thoughts on - Connecting Peer If The Peer Is Already Connected

  • Quote from A J Stiles:

    Well, I’m not sure… But I can’t remember having configured something for “accept more registration”… Reading an answer on this list a couple of days ago, I thought it is not allowed by default…

    This will not work, since the firewall is NOT on the server running Asterisk…

    Thanks Luca Bertoncello
    (lucabert@lucabert.de)

  • Did you actually reboot the server, as opposed to simply reloading your firewall configuration and stopping and restarting asterisk? I’ve known some moderate to severe weirdnesses that seemed to be caused by the kernel remembering out-of-date routing details.

    (I’m sure there is a simple command that will flush and rebuild the kernel’s routing information without needing the big red switch, but that was nearer
    …..)

    Take a look at fail2ban. It monitors log files for error messages, and can add firewall rules to disconnect IP addresses involved in suspicious activity.

  • Were you trying to register the PC using the *correct* credentials used by your phone (the right username and password), or *incorrect* credentials (wrong password)?

    If your PC offered up the correct credentials, then I believe it’s entirely normal behavior for Asterisk to accept this registration, and “bump off” the previous registration which used these same credentials.

    Asterisk (and most SIP servers) will treat this situation as an “Oh, this is a valid user of mine who has moved to a different IP address.”

    The same thing would happen if your cellphone were (for example) to switch from cellular IP to WiFi, or vice versa, or (in many cases) moved from one service area to another.

    The way you avoid confusion between multiple devices is to use different (unique) credentials for each SIP client… and, of course, use strong, difficult-to-guess passwords.

    Any time you try to share credentials between two or more distinct devices, confusion *will* occur if both devices are on-line at the same time. You can never tell which of the two will succeed in establishing and holding a registration… although it will typically be the one which forces through a registration packet the most frequently.

    If you were to somehow tell Asterisk “Don’t accept a different registration for my cellphone user XXXX, if user XXXX is already registered”, you could quite easily find yourself unable to register the cellphone with Asterisk for a prolonged period of time… the PC could lock you out, and the cellphone could lock *itself* out every time it moved from one IP network to another.

  • Dave Platt wrote:

    Of course, with the CORRECT credentials… 🙂

    Right! This is what happens… And what I’d like to correct…

    Well, if I’m on WiFi I surely don’t need my cellphone in Asterisk, since I use it only to receive calls if I’m not at home (holiday).

    All clients have different credentials and the passwords are random (32 chars).

    Well, as I said, this is not a problem for me… How can I do that? And how can I, for example, send an e-mail if the client connects?

    Thanks Luca Bertoncello
    (lucabert@lucabert.de)
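
One way to get the events asked about in this thread (a successful registration, a registration from a new address, a failed login) out of the Asterisk log, as an added example that is not code from any poster or from the Asterisk project. The names `classify_registrations` and `sample_log`, the sample lines and the chan_sip message wording they match are assumptions to check against your own log.

```shell
#!/bin/sh
# Added example: classify chan_sip registration log lines read from stdin.
# Assumed message formats (verify against your own log before relying on them):
#   ... Registered SIP 'PEER' at IP:PORT
#   ... Registration from 'FROM-HEADER' failed for 'IP:PORT' - REASON
# Output, one event per line:
#   REGISTERED peer ip | MOVED peer old_ip new_ip | FAILED peer ip reason
classify_registrations() {
  awk '
    BEGIN { q = "\047" }                 # a single quote, used to split fields
    / Registered SIP / {
      n = split($0, part, q)
      if (n < 3) next
      peer = part[2]; addr = part[3]
      sub(/^ at /, "", addr); sub(/:[0-9]+$/, "", addr)
      if (!(peer in last))         print "REGISTERED", peer, addr
      else if (last[peer] != addr) print "MOVED", peer, last[peer], addr
      last[peer] = addr            # same address again is only a refresh
      fflush(); next
    }
    / Registration from .* failed for / {
      n = split($0, part, q)
      if (n < 5) next
      # Address and reason are counted from the end of the line, because the
      # From header is sender-controlled and may itself contain quotes.
      addr = part[n-1]; sub(/:[0-9]+$/, "", addr)
      reason = part[n]; sub(/^ - /, "", reason)
      peer = "unknown"
      if (match($0, /sip:[^@>]+/)) peer = substr($0, RSTART + 4, RLENGTH - 4)
      print "FAILED", peer, addr, reason
      fflush()
    }
  '
}

# Constructed sample log (documentation addresses, hypothetical peer "cell").
sample_log() {
  cat <<'EOF'
[2024-05-01 10:00:00] VERBOSE[1201] chan_sip.c: -- Registered SIP 'cell' at 198.51.100.7:5071
[2024-05-01 10:01:00] VERBOSE[1201] chan_sip.c: -- Registered SIP 'cell' at 198.51.100.7:5071
[2024-05-01 10:05:00] NOTICE[1201] chan_sip.c: Registration from '"cell" <sip:cell@203.0.113.1>' failed for '192.0.2.44:5060' - Wrong password
[2024-05-01 10:06:00] VERBOSE[1201] chan_sip.c: -- Registered SIP 'cell' at 192.0.2.44:5060
EOF
}
```

Each output line can be handed to `mail` or any other script. A MOVED line also appears when the phone legitimately changes network, as described in the reply above, so it is a notification rather than proof of misuse.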