[asterisk-dev] Asterisk / pjsip: Request and example: increase security of a running asterisk instance

Michael Maier m1278468 at mailbox.org
Fri May 14 02:35:56 CDT 2021


Hello!

If you're currently running an asterisk instance, you are always forced to create a listener - even if you don't need it at all. Therefore you are forced to "secure" this unnecessary listener port afterwards by other means. This shouldn't be the way to handle it.

A much better way to do it is: just don't open listeners you don't need at all. Pjsip supports such a behavior.


What's the use case (one example):
You have a multihomed (or not - that doesn't matter) asterisk system, which on the one hand accepts registrations from devices on an internal network on tcp/5060 (-> listener transport needed) and acts as tls trunk for outbound registration (client transport needed - but no listener) on the other hand.

Attached is a working patch example (based on Asterisk 18.4), which shows the necessary different parts to achieve the desired behavior (tested).


A few words about the different patches:
- 73433a5-add-correct-port-to-sip-header.diff
   see https://issues.asterisk.org/jira/browse/ASTERISK-29241

- allow-port-0.diff
   This patch allows using port 0 in the transport bind configuration

- nolistener.diff
   This patch enables Asterisk to use a new transport option "nolistener", which prevents creating a listener on starting the transport. Asterisk must be built using the compile time switch PJSIP_TCP_TRANSPORT_DONT_CREATE_LISTENER

- res_pjsip_nat.c.diff, res_pjsip_session.c.diff
   Those two patches are NAT related when using the external_media_address= and external_signaling_address= parameters. They fix the problem that the correct IP address is not always added to the SIP header or SDP.

- f213833-rev-partial-transport-reload.diff
   This patch reverts ASTERISK-29354 (came with 18.4), because it just doesn't work (for me): After a "core reload", the defined values for external_*_address aren't applied to any outgoing packet any more.


How to use it? Here's an example of how it should be used in the transport configuration:

[example-nat-tls-transport]
type=transport
protocol=tls
bind=192.168.13.24:0
ca_list_file=/etc/pki/tls/certs/ca-bundle.crt
method=tlsv1_2
verify_server=yes
allow_reload=no
external_media_address=external.host.com
external_signaling_address=external.host.com
local_net=192.168.0.0/16
nolistener=1
^^^^^^^^^^^^

or an example for a traditional transport including listener:

[192.168.27.28-internal-tcp]
type=transport
protocol=tcp
bind=192.168.27.28
allow_reload=no


How to check whether it's working? Take a look at the pjsip.log. If you see entries like these, it's working:

Example example-nat-tls-transport
[2021-05-14 07:28:05] DEBUG[12836] pjproject:                  tlstp:0 SIP TLS is ready (client only)

Example 192.168.27.28-internal-tcp
[2021-05-14 07:28:05] DEBUG[12836] pjproject:               tcptp:5060 SIP TCP is ready (client only)
[2021-05-14 07:28:05] DEBUG[12836] pjproject:               tcptp:5060 SIP TCP listener ready for incoming connections at 192.168.27.28:5060


Thanks
Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nolistener.tar.gz
Type: application/gzip
Size: 3257 bytes
Desc: not available
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20210514/3eca51e8/attachment.gz>
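As an added check that is not part of Michael's post or of Asterisk itself: the script below cross-references transport sections like the ones above against pjsip.log lines of the kind quoted, and flags any tcp/tls listener that came up without a transport configured for it, or a transport that should listen but never did. It assumes IPv4 `bind=` values, the pjsip default ports 5060 (tcp) and 5061 (tls) when `bind=` carries no port, and that only tcp/tls transports emit the "listener ready" line; the config and log text are constructed from the post.

```python
import re
from configparser import ConfigParser
# Constructed sample input, modelled on the transports and pjsip.log lines in the post.
PJSIP_CONF = """
[example-nat-tls-transport]
type=transport
protocol=tls
bind=192.168.13.24:0
nolistener=1
[192.168.27.28-internal-tcp]
type=transport
protocol=tcp
bind=192.168.27.28
"""
PJSIP_LOG = """
[2021-05-14 07:28:05] DEBUG[12836] pjproject: tlstp:0 SIP TLS is ready (client only)
[2021-05-14 07:28:05] DEBUG[12836] pjproject: tcptp:5060 SIP TCP is ready (client only)
[2021-05-14 07:28:05] DEBUG[12836] pjproject: tcptp:5060 SIP TCP listener ready for incoming connections at 192.168.27.28:5060
"""

DEFAULT_PORT = {"tcp": 5060, "tls": 5061}  # assumed pjsip defaults when bind= has no port
LISTENER_RE = re.compile(r"listener (?:is )?ready for incoming connections at (\S+):(\d+)")

def expected_listeners(conf_text):
    """(host, port) of every tcp/tls transport configured to open a listener (IPv4 only)."""
    cp = ConfigParser(interpolation=None, strict=False)  # pjsip.conf may repeat keys
    cp.read_string(conf_text)
    want = set()
    for name in cp.sections():
        sec = cp[name]
        if sec.get("type") != "transport" or sec.get("protocol") not in DEFAULT_PORT:
            continue  # udp/ws transports never log a "listener ready" line
        if sec.get("nolistener", "0").lower() in ("1", "yes", "true"):
            continue  # the patch's option: client-only transport, no listener expected
        bind = sec.get("bind", "")
        host, sep, port = bind.rpartition(":")
        if not sep:
            host, port = bind, DEFAULT_PORT[sec["protocol"]]
        want.add((host, int(port)))
    return want

def observed_listeners(log_text):
    """(host, port) of every listener pjproject reports as ready in pjsip.log."""
    return {(m.group(1), int(m.group(2))) for m in LISTENER_RE.finditer(log_text)}

def audit(conf_text, log_text):
    """Listeners that are open but not configured, and configured but never came up."""
    want, have = expected_listeners(conf_text), observed_listeners(log_text)
    return {"unexpected": sorted(have - want), "missing": sorted(want - have)}
```

Run `audit(PJSIP_CONF, PJSIP_LOG)` on the sample: both lists come back empty, which is the state the post's log excerpt shows.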

