[asterisk-dev] Asterisk / pjsip: Request and example: increase security of a running asterisk instance
m1278468 at mailbox.org
Fri May 14 02:35:56 CDT 2021
If you're currently running an Asterisk instance, you are always forced to create a listener - even if you don't need it at all. Therefore you are forced to "secure" this unnecessary listener port afterwards by other means. This shouldn't be the way to handle it.
A much better way to do it is: just don't open listeners you don't need at all. PJSIP supports such behavior.
What's the use case (one example):
You have a multihomed (or not - that doesn't matter) Asterisk system, which on the one hand accepts registrations from devices on an internal network on tcp/5060 (-> listener transport needed) and on the other hand acts as a TLS trunk for outbound registration (client transport needed - but no listener).
Attached is a working patch example (based on Asterisk 18.4), which shows the different parts necessary to achieve the desired behavior (tested).
A few words on the different patches:
This patch allows using port 0 in the transport bind configuration.
This patch enables Asterisk to use a new transport option "nolistener", which prevents creating a listener when starting the transport. Asterisk must be built using the compile-time switch
- res_pjsip_nat.c.diff, res_pjsip_session.c.diff
Those two patches are NAT-related, for use with the external_media_address= and external_signaling_address= parameters. They fix the problem that the correct IP address is not always added to the SIP header or SDP.
This patch reverts ASTERISK-29354 (came with 18.4), because it just doesn't work (for me): after a "core reload", the defined values for external_*_address aren't applied to any outgoing packet any more.
How to use it? Here is an example of how it should be used in the transport configuration:
or an example for a traditional transport including listener:
How to prove it's working? Take a look at pjsip.log. If you see entries like these, it's working:
[2021-05-14 07:28:05] DEBUG pjproject: tlstp:0 SIP TLS is ready (client only)
[2021-05-14 07:28:05] DEBUG pjproject: tcptp:5060 SIP TCP is ready (client only)
[2021-05-14 07:28:05] DEBUG pjproject: tcptp:5060 SIP TCP listener ready for incoming connections at 192.168.27.28:5060
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3257 bytes
Desc: not available
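As an added example (not part of the original post or the attached patches), here is a small POSIX shell script that performs the pjsip.log check described in the post: it reads pjproject DEBUG lines and lists the transports that came up "ready" but never reported a listener, which is the condition the post wants to see for the client-only TLS transport. The sample log lines are constructed after the ones quoted above; the function names and the log format assumptions (the "pjproject:" prefix, the "<type>:<port>" transport tag, and the exact "is ready (client only)" / "listener ready for incoming connections at" wording) are taken from the quoted lines and are assumptions, not something verified against the patched Asterisk build.

```shell
#!/bin/sh
# Added example, not code from the original post or from Asterisk/pjproject.
# Classifies pjsip transports from pjproject DEBUG lines in pjsip.log:
#   - every transport logs "<tag> SIP <TYPE> is ready (client only)"
#   - transports that also opened a socket log "<tag> SIP <TYPE> listener ready ..."
# A transport that appears in the first set but not the second has no listener.
# Assumes pjsip.conf routes pjproject debug output to pjsip.log (as in the post).

# Constructed sample, modelled on the three lines quoted in the post.
SAMPLE_LOG='[2021-05-14 07:28:05] DEBUG pjproject: tlstp:0 SIP TLS is ready (client only)
[2021-05-14 07:28:05] DEBUG pjproject: tcptp:5060 SIP TCP is ready (client only)
[2021-05-14 07:28:05] DEBUG pjproject: tcptp:5060 SIP TCP listener ready for incoming connections at 192.168.27.28:5060'

# ready_transports: print the tag (e.g. "tlstp:0") of every transport that
# reported "is ready (client only)". Reads log text from stdin.
ready_transports() {
    grep 'is ready (client only)' \
        | sed -n 's/.*pjproject: \([a-z]*:[0-9]*\) SIP.*/\1/p' \
        | sort -u
}

# listening_transports: print "<tag> <addr:port>" for every listener that was
# actually opened. IPv6 listeners would appear with whatever pjproject prints
# after "at "; the address is taken verbatim up to end of line.
listening_transports() {
    grep 'listener ready for incoming connections at' \
        | sed -n 's/.*pjproject: \([a-z]*:[0-9]*\) SIP .* at \([^ ]*\)$/\1 \2/p' \
        | sort -u
}

# count_listeners: number of listener sockets reported in the log.
count_listeners() {
    listening_transports | wc -l | tr -d ' '
}

# transports_without_listener: tags that became ready but opened no listener.
# This is the set that should contain the client-only TLS trunk transport and
# should NOT contain the internal tcp/5060 transport.
transports_without_listener() {
    log="$(cat)"
    ready="$(printf '%s\n' "$log" | ready_transports)"
    # space-delimited so the case pattern below can match whole tags only
    listening=" $(printf '%s\n' "$log" | listening_transports | cut -d' ' -f1 | tr '\n' ' ')"
    for t in $ready; do
        case "$listening" in
            *" $t "*) ;;                 # has a listener, skip
            *) printf '%s\n' "$t" ;;     # ready but no listener
        esac
    done
}

# Stand-alone demonstration on the constructed sample.
printf 'listeners opened: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_listeners)"
printf 'client-only transports: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | transports_without_listener | tr '\n' ' ')"
```

On a real host run it as `transports_without_listener < /var/log/asterisk/pjsip.log` (path assumed; use whatever your logger.conf writes pjproject debug to). The log check tells you what pjproject thinks it did; the check a practitioner should pair it with is `ss -ltnp` (or `netstat -ltnp`) on the box itself, which confirms that no socket is bound on the port the client-only transport was configured with.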