Unpair the extension number from the registration username. One account for many extensions

Hello to all,
I am not an expert on Asterisk; some concepts are not completely clear to me.
Both for simplicity but also for security reasons, I would like to have the following configuration:

  • Accounts for SIP REGISTER
  • Extensions to define phones.

An account could authenticate itself from multiple phones.

In addition, the username of the account that is sent in the SIP REGISTER could also be complex, which would increase the difficulty of an unauthorized REGISTER. The attacker would then have to guess both the username (alphanumeric, instead of a banal internal number) and the password.

Is it possible to do that?

I miss the username parameter in pjsip; I thought it might help decouple the extension number from the authentication username.

Here is a sample:
[2001]
type=endpoint
context=phones
disallow=all
allow=ulaw
auth=2001-auth
aors=2001

[2001-auth]
type=auth
auth_type=userpass
password=mysecret
username=myusername

[2001]
type=aor
max_contacts=10

But this does not work. For it to work, username must be 2001.

Thanks for your help.

There is no username parameter in chan_sip. What used to be called username is now called defaultuser, and it is only used for outbound calls when registrations are incoming, and before any registration, so is rarely useful.

The official advice, although rarely obeyed, is that the user field in incoming SIP requests should not be the extension number, and that is how to get the improvement in security that you suggest.

The weakness of authorisation user (which can be used as a match criterion in pjsip, as well) is that it is not sent in the initial INVITE.

Thank you for your reply.
But can I use defaultuser in pjsip.conf? And does it have to match the extension number?
Could you explain better what you mean when you say:
"The official advice, although rarely obeyed, is that the user field in incoming SIP requests should not be the extension number, and that is how to get the improvement in security that you suggest."

So there is no way to have an account decoupled from the internal concept.

Thanks again.

Your terminology seems confused here. I think you are referring to having multiple endpoints having the same authentication parameters. This doesn’t sound very sensible, as compromising one phone will compromise all those with the same parameters.

chan_pjsip allows multiple phones to share an address of record, and multiple address of records to share an endpoint, which is where authentication is done.

The Asterisk core allows a many to many relationship between extensions and endpoints (and extensions are only meaningful for outbound calls, as they are dialplan constructs). With more work this can extend down to AORs and even individual registrants.

From a SIP protocol level and PJSIP configuration level it is supported, however each endpoint has to support the difference - and many don’t because it simplifies configuration. Many assume that the username you put in is used EVERYWHERE.

Using the same name is what many people do and is easiest, and provided your password is reasonably complex it’s generally fine. Other people also use things like fail2ban to firewall after failed authentication attempts.

Please explain what you think the parameter does, because I’m pretty sure that you misunderstand it; it is very frequently misunderstood.

I’m not sure if chan_pjsip supports the chan_sip concept, but if it does, I imagine it is done by having both literal contacts and max contacts settings in the type=aor section (generally there are some details of matching and authentication that are under documented, at least under Asterisk; I’m not sure if the pjproject documentation describes a clearer model of how REGISTER and REGISTER are matched, etc.).

Hi @david551,
my lack of experience is probably confusing me.
I am trying to configure only two extensions. At the moment, the two extensions only need to communicate with each other.
The following questions came to me thinking about the security level.

Let me go in order. My pjsip.conf is defined as follows:

[transport-udp]
type = transport
protocol = udp; udp, tcp, tls, ws, wss
bind = 0.0.0.0: 15061

And then for the part of the two interiors:

[2000]
type = endpoint
context = phoneintcall
disallow = all
allow = ulaw
auth = 2000-auth
aors = 2000

[2000-auth]
type = auth
auth_type = userpass
password = mysecret
username = 2000

[2000]
type = aor
max_contacts = 10

[2001]
type = endpoint
context = phoneintcall
disallow = all
allow = ulaw
auth = 2001-auth
aors = 2001

[2001-auth]
type = auth
auth_type = userpass
password = mysecret
username = 2001

[2001]
type = aor
max_contacts = 10

In my file extensions.conf:
[phoneintcall]
exten => 2XXX, 1, Dial (SIP / $ {EXTEN}, 20)
exten => 2XXX, 2, Hangup ()

I thought that username determined an account to register for associated extensions. This would be a great safety advantage but also great flexibility. With one account, I could register a desk phone and a mobile phone with different extensions simultaneously. I understand that with asterisk, it is not possible.

However, when the extensions I mentioned above try to connect, they get a Wrong password error.

So how should I think correctly of the username parameter with regard to the definition of the section [xxxx]?
Will the registration be username@IP_ASTERISK and not XXXX@IP_ASTERISK?

How can I decline an INVITE from an extension not previously registered?

I apologize, but I have little experience.

Thank you very much!

Definitely not the case in chan_sip. I’m not entirely sure how it is handled for inbound authentication in chan_pjsip.

2001 in pjsip.conf is not an extension. It is an endpoint. The security guidance document, which no-one seems to read, advises making this different from any associated extension number.

Look for the “Proper Device Naming” section (unfortunately not a named anchor, so I can’t directly link it).

This does complicate the dialplan, although you only need to use the explicit extension number on one line, and I think there is a function to get the hint dialstring, so that it can double as the hint.


You are using SIP, which is for chan_sip. You need to use PJSIP/2000.

https://wiki.asterisk.org/wiki/display/AST/Dialing+PJSIP+Channels

I’d also add that there are spaces in a number of places which should not have them, although I’m not sure to what extent the parser tolerates them.

Thank you @david551 ,
conceptually, it seems to me that this is what I would like, but my limited knowledge did not allow me to realize it. I’m still trying to understand. Is it possible to achieve this with the formalism provided by pjsip_wizard.conf?
I guess I have to use hints in both pjsip_wizard.conf and extensions.conf as well.
But the very useful link you gave me doesn’t specifically mention pjsip_wizard.
Thank you so much!

Thank you!
It’s right!!

Most of the documentation is for the standard configuration files.

Hello @david551 ,
thanks for your feedback.
Using pjsip.conf I failed; I get an error. The problem is that in extensions.conf you have to somehow create a link between, for example, the MAC address and the extension number.
I will try to deepen.
Thank you very much.

Following is untested.

[phoneintcall]
exten => 2000,hint,PJSIP/xxxxxxxx
exten => 2001,hint,PJSIP/yyyyyyyy
exten => _2XXX,1,Dial(${HINT(${EXTEN}@phoneintcall)}, 20)
exten => _2XXX,2,Hangup()

or

[phoneintcall]
exten => 2000,1,Dial(PJSIP/xxxxxxx,20)
exten => 2001,1,Dial(PJSIP/yyyyyyy,20)
exten => _2XXX,1,Set(DIALSTATUS=UNAVAILABLE)
exten => _2XXX,n,Hangup()

Fixed it, since you can’t pattern match without the _ in front.

Thanks. Also fixed a comma that I lost.

Thank you @david551 @BlazeStudios ,
You have both been very helpful. Before I start putting your teachings into practice in my pjsip.conf, I have a doubt.
Where do I declare the hint and how?
An endpoint will have to declare a hint to allow calling with the usual extension numbers. Am I wrong?

One last thing, but maybe I should open a new topic: after years of not using Asterisk, I managed to make it work in a very minimal way, and I’m happy. But there is something strange: I have my Asterisk installed on a Cloud server, and in the office, I have a software phone on my PC (connected via wifi) and a softphone on my mobile phone. If my mobile phone is connected via wifi, everything is OK, but if I connect to the 4G / 5G network, the phone on my PC hears correctly, but the mobile phone does not hear the audio transmitted by the desk phone. NAT problem? I don’t understand well. Taking a capture from my PC, I only see the RTP packets of my PC and not those of the phone. Sorry for this supplement.

Thank you very much!

It doesn’t have to. The suggestion about hints was that you may well want them, anyway, in order to support busy lamp fields on the phones, so you might as well use them to encode the lookup table. The second variant didn’t use any hints.

Hi @david551,
I’m sorry, I don’t think I understand.
For the second solution you refer to:

[phoneintcall]
exten => 2000,1,Dial(PJSIP/xxxxxxx,20)
exten => 2001,1,Dial(PJSIP/yyyyyyy,20)
exten => _2XXX,1,Set(DIALSTATUS=UNAVAILABLE)
exten => _2XXX,n,Hangup()

What do xxxx and yyyyyy mean? How do they tie in with pjsip configurations?

I would not like to declare all the interiors. I would like to use the notation
exten => _2XXX,1,Dial(PJSIP/???,20)

Assuming that pjsip.conf has:
[LOGICNAME]
type = endpoint
context = internal
disallow = all
allow = ulaw
aors = LOGICNAME
auth = authLOGICNAME
direct_media = no

[LOGICNAME]
type = aor
max_contacts = 3

[authLOGICNAME]
type = auth
auth_type = userpass
password = 270870
username = LOGICNAME

How do I configure extensions.conf?
How can I indicate that LOGICNAME is an extension (for example 2000) and wants to call the extension 2001?

I apologize very much and thank you so much.
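The following is an added, worked configuration pair that ties together the hint-based dialplan posted earlier in the thread and the last question above (how LOGICNAME becomes extension 2000 and reaches 2001). It is not the original poster's or any replier's code, and nothing here comes from the Asterisk project's sample files. The device names dev-a1b2c3 and dev-9f8e7d, the auth usernames u-7f3e9c12 and u-2b4d6f81, and the passwords are constructed placeholders; the auth_username entry in endpoint_identifier_order assumes an Asterisk release that supports that identifier.

```ini
; ---------- pjsip.conf (added example) ----------
[global]
type=global
; Lets Asterisk find the endpoint from the digest auth username, so the
; name a phone authenticates with need not equal the endpoint name.
; Assumption: this Asterisk version supports the auth_username identifier.
endpoint_identifier_order=username,auth_username,ip,anonymous

[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060

; Desk phone. The endpoint/aor name (dev-a1b2c3, constructed) is neither
; the extension number nor the auth username, following the "Proper
; Device Naming" advice referenced in the thread.
[dev-a1b2c3]
type=endpoint
context=phoneintcall
disallow=all
allow=ulaw
auth=dev-a1b2c3-auth
aors=dev-a1b2c3
; What the called party sees: the logical extension number 2000.
callerid="Desk 2000" <2000>
direct_media=no

[dev-a1b2c3-auth]
type=auth
auth_type=userpass
username=u-7f3e9c12
password=CHANGE-ME-to-a-long-random-secret

[dev-a1b2c3]
type=aor
max_contacts=3

; Mobile softphone, logical extension 2001, same pattern.
[dev-9f8e7d]
type=endpoint
context=phoneintcall
disallow=all
allow=ulaw
auth=dev-9f8e7d-auth
aors=dev-9f8e7d
callerid="Mobile 2001" <2001>
direct_media=no

[dev-9f8e7d-auth]
type=auth
auth_type=userpass
username=u-2b4d6f81
password=CHANGE-ME-to-another-long-random-secret

[dev-9f8e7d]
type=aor
max_contacts=3

; ---------- extensions.conf (added example) ----------
[phoneintcall]
; The hints are the lookup table from dialled number to device.
; They also give the phones' busy lamp fields something to subscribe to.
exten => 2000,hint,PJSIP/dev-a1b2c3
exten => 2001,hint,PJSIP/dev-9f8e7d

; One pattern serves every 2XXX number: resolve the device through the
; hint, refuse numbers that have no hint, otherwise ring it for 20 s.
exten => _2XXX,1,NoOp(Internal call from ${CALLERID(num)} to ${EXTEN})
 same => n,Set(DEVICE=${HINT(${EXTEN}@phoneintcall)})
 same => n,GotoIf($["${DEVICE}" = ""]?nodevice)
 same => n,Dial(${DEVICE},20)
 same => n,Hangup()
 same => n(nodevice),Set(DIALSTATUS=UNAVAILABLE)
 same => n,Hangup()
```

Each phone is configured with u-7f3e9c12 (or u-2b4d6f81) as both its SIP user and its auth ID, plus the password; it never sees or sends the number 2000 itself. When the desk phone dials 2001, the INVITE is authenticated against dev-a1b2c3-auth, lands in phoneintcall, matches _2XXX, and HINT() returns PJSIP/dev-9f8e7d, so the Dial reaches whatever contacts have registered to that AOR; a number with no hint ends in the nodevice branch. Because the AORs have no static contact, a device that has not registered simply cannot be reached, and any REGISTER or INVITE must still present valid digest credentials for one of the auth sections.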