Using CSipSimple With OBi
ianobi:
Security is always an issue worth considering. Looking at InboundCallRoutes we have three parts that we can use:
Caller>callee:terminal
If we look at the “Direct Calling” method of using CSipSimple described here, then we can see a typical InboundCallRoute:
http://www.obitalk.com/forum/index.php?topic=6211.msg39466#msg39466
Voice Services > SP1 Service > X_InboundCallRoute (typical example):
{(Mcot)>(Msp1),(Mcot)>(<**1:>(Msp1)):sp1},{(Mcot)>(<**2:>(Msp2)):sp2},{(Mcot)>(<**8:>(Mli)):li},{(Mcot)>(<**9:>(Mpp)):pp},{(Mcot)>**0:aa},{(Mcot)>0:ph},{>1787856:ph}
Mcot contains the list of allowed CallerIDs. These can be quite complex, made up of numbers, lower and upper case letters (beware of “reserved characters”). The OBi is case sensitive when it deals with CallerIDs. For example you might have a CallerID of 62Hf17nN4kd3. Hackers and scanners are not easily going to break that sort of CallerID. I’m not sure how many characters long a CallerID can be, but long enough for our purposes!
Callee is used differently. The last rule above {>1787856:ph} is a typical use of the “Oleg Method”. An incoming service or DID is allowed to call the target (phone in this case) if they are using the correct callee. The callee in this case might be your phone number or SIP identity. In this case callers only get access to ring your phone, no through dialling is allowed.
Callee in a more complex rule above such as {(Mcot)>(<**2:>(Msp2)):sp2} is (<**2:>(Msp2)). In this case the number dialled has to begin with **2 and match the DigitMap Msp2. We use **2 to make it the same as dialling from the phone attached to the OBi. However, if you wished to make things more difficult for hackers, you could use any combination such as (<**2*8:>(Msp2)). The problem here is that you are making things difficult for yourself! You could be extra clever and use CSipSimple’s filters to add these odd codes for you.
Next we have terminal. Not much you can do here, although a blank terminal can be used to send unwanted callers to the “bit bucket” as in this rule:
{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):}
This will ban calls with no Peer Number, any Peer Number less than seven digits, Peer Number "unknown" and Peer Number "anonymous".
Finally we have the SIP “listening ports”. The OBi knows them as UserAgentPorts. I recommend always changing them to something obscure well away from 5060, 5061 etc. It’s not a sure way to stop scanners, but it’s another level of security to add to the others.
I’ve been using CSipSimple for direct calling into my OBi for quite a while and have had no hacker / scanner problems. I do use most of the methods described above.
May the OBi force be with you :)
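Added example (not part of the original posts, and not Obihai code): a structural audit of the X_InboundCallRoute shown above. It splits each rule into caller, callee and terminal, then flags any rule that reaches a trunk with no caller restriction. The `TRUNKS` set and the function names are assumptions made for this illustration; digit-map contents are not evaluated.

```python
# Added example: structural audit of an OBi X_InboundCallRoute string.
# Assumption: sp1, sp2, li and pp are the through-dial trunks, as in the post above.
TRUNKS = {"sp1", "sp2", "li", "pp"}

# Route copied from the post above.
PAGE_ROUTE = ("{(Mcot)>(Msp1),(Mcot)>(<**1:>(Msp1)):sp1},"
              "{(Mcot)>(<**2:>(Msp2)):sp2},{(Mcot)>(<**8:>(Mli)):li},"
              "{(Mcot)>(<**9:>(Mpp)):pp},{(Mcot)>**0:aa},{(Mcot)>0:ph},{>1787856:ph}")

def split_top(text, sep):
    """Split on sep, ignoring separators nested inside () or {}."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        depth += ch in "({"
        depth -= ch in ")}"
        if ch == sep and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur]

def parse_route(route):
    """Return one (caller, callee, terminal) tuple per caller>callee pair."""
    rules = []
    for rule in split_top(route, ","):
        body = rule.strip()
        if body.startswith("{") and body.endswith("}"):
            body = body[1:-1]
        # The terminal follows the last top-level ':'.
        *left, terminal = split_top(body, ":")
        # One rule may list several caller>callee pairs sharing a terminal.
        for peer in split_top(":".join(left), ","):
            caller, *callee = split_top(peer, ">")
            rules.append((caller, ">".join(callee), terminal))
    return rules

def audit(route):
    """Rules that hand a call to a trunk without restricting the caller."""
    return [r for r in parse_route(route)
            if r[0] == "" and r[2].split("(")[0] in TRUNKS]

if __name__ == "__main__":
    for caller, callee, terminal in parse_route(PAGE_ROUTE):
        print(f"caller={caller or '(any)'} callee={callee} -> {terminal or '(dropped)'}")
    print("unrestricted trunk rules:", audit(PAGE_ROUTE))
```

On the route from the post, the only rule with an empty caller is `{>1787856:ph}`, which ends at the phone, so the audit reports nothing.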
Usetheforceobiwan:
May the force be with you too ianobi :o And thanks for your reply.
OK, so if I am reading this correctly, the security is provided by four factors - IP address, UserAgentPort, Caller ID and the dialing instructions.
That is, for a SIP connection / call to be made to and through your OBi box, the only way the connection can result in a call being made through one of your trunks is if all of the following conditions are met:
1) The connection attempt goes to the correct IP address whether it's a public IP or DNS / NAT.
2) The connection uses the proper UserAgentPort corresponding to the Spx you are using for the relay. Your router has to have this port open.
3) The CallerID matches a string in the COT (circle of trust) you create.
4) The dialing instructions included in this connection's call setup have the proper prefix that matches the routing instructions in your InboundCallRoute.
Looking at these conditions for call placement, I see where it would be fairly difficult to get all four factors correct at the same time. I mean IP and port are more easily obtained but also having the correct CallerID and dialing instructions are not.
ianobi:
Yes, you are correct about the four factors with regard to single-stage through dialling.
I keep my prefixes (**1, **2 etc) as standard because I use the same InboundCallRoute for CSipSimple, softphones and another OBi. If you only use the InboundCallRoute for CSipSimple, then you could use its filters to add quite complex prefixes and have OBi remove them before dialling.
"cot" is simply a User Defined Digit Map. You can put the CallerIDs directly in the InboundCallRoute rules, but that makes the rules long and complex. Also using "cot" means that you only have one place to make any changes.
medscy:
Hello,
I have tried the direct method posted here. It worked like a charm on my home network... but failed the moment I go on 4G network or from other wifi network.
I realise that the ACK messages from CSipSimple never reach my router on the Internet... As a result, I can only hear audio from my CSipSimple client to my home phone via OBi... but there is no return audio from OBi back onto CSipSimple...
Below is the SIP trace on my CSipSimple client. Note that the "Contact" field contains the private address of my OBi... my guess is that the ACK message got sent to the private address which got lost on the Internet... that explains why it works for my wifi but not on 4G... Does anyone have any suggestion on how to alter that field?
8.8.8.100:1234:
SIP/2.0 200 OK
Call-ID: TtDF7xJN7uvUo-1c3X88BrYVHVJRCbZR
CSeq: 7423 INVITE
Content-Length: 359
From: "test" <sip:test@127.0.0.1>;tag=0nt0zDKLhbNrMH8k0i8mkuQAIP3wFzfa
To: <sip:**0@me.dyndns.org>;tag=SP1243eb3644ac3da40
Via: SIP/2.0/UDP 118.61.22.18:33639;branch=z9hG4bKPjKjIQPqxT0.U2ZobtCY.yz71ZkexApIEY;received=118.61.22.18;rport=33639
Server: OBIHAI/OBi110-1.3.0.2824
Contact: <sip:obi110@192.168.1.100:5060>
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Content-Type: application/sdp
v=0
o=- 544003 1 IN IP4 8.8.8.100
s=-
c=IN IP4 8.8.8.100
t=0 0
m=audio 16602 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
a=ptime:20
a=xg726bitorder:big-endian
a=candidate:1 1 UDP 2113929216 192.168.1.100 16602 typ host
a=candidate:2 1 UDP 2097152000 8.8.8.100 16602 typ srflx
ianobi:
medscy,
This is a common problem using an OBi with peer to peer type configurations. The problem is to get the OBi to declare its external ip address rather than its internal ip address. Did you try this method:
http://www.obitalk.com/forum/index.php?topic=6211.msg39466#msg39466
It piggy-backs on an existing registered SIP account. This forces the OBi to use its external ip address.
The other way if you have a fixed external ip address is to change these settings:
Service Providers -> ITSP Profile X -> SIP -> X_DiscoverPublicAddress: Unchecked
Service Providers -> ITSP Profile X -> SIP -> X_PublicIPAddress: Insert your public IP address
There are quite a few posts regarding this problem. Look for posts by hwittenb and azrobert.
My setup just now has two accounts. I use the direct method to effectively use my cell phone as a wifi phone around the home. I use the indirect method via sip2sip to call into my obi from anywhere in the world. If using 3g, then it's well worth buying the G729 codec for CSipSimple.
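Added example (not part of the original posts): a check for the symptom discussed above, run over a constructed sample trimmed from the posted 200 OK. It extracts the Contact host and the SDP connection address and reports whether either is an address a remote client cannot route to; the function names are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed sample: headers trimmed from the 200 OK trace posted above.
RESPONSE = """SIP/2.0 200 OK
CSeq: 7423 INVITE
Via: SIP/2.0/UDP 118.61.22.18:33639;received=118.61.22.18;rport=33639
Contact: <sip:obi110@192.168.1.100:5060>
Content-Type: application/sdp

v=0
c=IN IP4 8.8.8.100
m=audio 16602 RTP/AVP 0 101
"""

def contact_host(message):
    """Host part of the Contact URI (IPv4 address or hostname), or None."""
    m = re.search(r"^Contact:\s*<?sips?:(?:[^@>\s]+@)?([^:;>\s]+)",
                  message, re.M | re.I)
    return m.group(1) if m else None

def sdp_connection(message):
    """Address from the SDP c= line, where the client sends its RTP."""
    m = re.search(r"^c=IN IP4 (\S+)", message, re.M)
    return m.group(1) if m else None

def is_unroutable(host):
    """True for private, loopback or link-local literals; hostnames are not judged."""
    try:
        ip = ipaddress.ip_address(host)
    except (ValueError, TypeError):
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local

def diagnose(message):
    contact, media = contact_host(message), sdp_connection(message)
    return {
        "contact": contact,
        # In-dialog requests such as ACK and BYE are addressed to the Contact URI.
        "signalling_unroutable": is_unroutable(contact),
        "media": media,
        "media_unroutable": is_unroutable(media),
    }

if __name__ == "__main__":
    print(diagnose(RESPONSE))
```

For the posted trace the SDP address is the public one while the Contact is 192.168.1.100, so only the signalling side is flagged.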