FILE DESCRIPTORS

FILE DESCRIPTORS

Depending on the size of your system and your configuration, Asterisk can consume a large number of file descriptors. In UNIX, file descriptors are used for more than just files on disk. File descriptors are also used for handling network communication (e.g. SIP, IAX2, or H.323 calls) and hardware access (e.g. analog and digital trunk hardware). Asterisk accesses many on-disk files for everything from configuration information to voicemail storage.

Most systems limit the number of file descriptors that Asterisk can have open at one time. This can limit the number of simultaneous calls that your system can handle. For example, if the limit is set at 1024 (a common default value) Asterisk can handle approximately 150 SIP calls simultaneously. To change the number of file descriptors follow the instructions for your system below:

PAM-BASED LINUX SYSTEM

If your system uses PAM (Pluggable Authentication Modules) edit /etc/security/limits.conf. Add these lines to the bottom of the file:

root            soft    nofile          4096
root            hard    nofile          8196
asterisk        soft    nofile          4096
asterisk        hard    nofile          8196

(adjust the numbers to taste). You may need to reboot the system for these changes to take effect.

GENERIC UNIX SYSTEM

If there are no instructions specifically adapted to your system above you can try adding the command ulimit -n 8192 to the script that starts Asterisk.

MORE INFORMATION

See the doc directory for more documentation on various features. Again, please read all the configuration samples that include documentation on the configuration options.

Finally, you may wish to visit the support site and join the mailing list if you're interested in getting more information.

Welcome to the growing worldwide community of Asterisk users!

        Mark Spencer, and the Asterisk.org development community

The WWW-Authenticate header

The WWW-Authenticate header consists of at least one challenge that indicates the authentication scheme(s) and parameters applicable to the Request-URI. More...

http://sofia-sip.sourceforge.net/refdocs/sip/group__sip__www__authenticate.html

https://allenluker.wordpress.com/2014/07/16/sip-digest-authentication-part-1-sip-registration-method/

An analysis of SIP Digest Authentication used in the SIP Registration Method

July 16, 2014 by allenluker

SIP authentication model based on the HTTP digest authentication described in the RFC 2617

This post is intended to be a neutral in its analysis of the vendors SIP registration process and the various vendors registration responses as analyzed in wire shark using the Conterpath free X lite soft phone. I have to admit that I am not very neutral about Counter path products I think there SIP soft phones are the best to benchmark other SIP phones.

I registered the X lite phone to a Cisco ISR gateway that is enabled as sip registrar, an Avaya Session Manager and for more comparisons a lab Cisco Call Manager and a version 5 Nortel NRS. The IP addresses used in these labs have been changed so that there is no possibility if revealing any proprietary information. You may also noticed paste overs on some of the screenshots, this also to avoid revealing any proprietary information.

You will see how Digest Access Authentication is used the SIP account password will be sent encrypted (normally as md5 hash of the password and some other values) and not sent in clear text.

Two types of SIP authentication that uses Digest authorization with MD5

• Registration method

When a SIP User Agent sends Registration Request to SIP Registrar Server it will respond with a 401 Unauthorized with a challenge to provide credentials.

• Proxy Authentication of outbound calls (which I will cover in another post)

When a SIP User Agent sends an Invite to a SIP server that will proxy the invite to a SIP Gateway, the SIP server will send back 407 Proxy Authentication Required

A RFC compliant SIP User-Agent will either: 1) Send ACK response to the server response to close the transaction. Or 2) Repeat the initial request and provide additional Authorization (for 401) or Proxy-Authorization (for 407) header in this message. This request must be sent with the same Call-ID and To, From headers as the original one and the CSeq (Command Seq) value must be incremented as seen in the wire shark trace below: 

 SIP Authentication Headers

The “WWW-Authenticate” header

• Used by SIP Registrar Server this header is in the 401 unauthorized challenge for credentials from the User-Agent when the User Agent has made a request for registration

The “Proxy-Authenticate” header( will talk about this in another post)

• Used typically when Proxy server is sending request to a gateway that has access to the PSTN network. But it is any call that goes over a SIP trunk to another PBX, Registrar Server that an endpoint exists.

SIP Server (User Agent Server) Challenge Strings

Here is a challenge string taken from a wire shark trace of a Xlite phone registering to a Cisco Gateway:     Server: Cisco-SIPGateway/IOS-15.2.4.M4 WWW-Authenticate: Digest realm=””,nonce=”1ADF55F80288CBA4″,algorithm=MD5,qop=”auth”

Here is the analysis of the string which is color coded to match color of text in string:

Challenge type used by the SIP Registrar server is: “WWW-Authenticate” Indicator of Authentication Scheme which is “Digest” Realm is the Protection Domain/or what I call the Dialing Domain ( in this string that I captured from a phone registered to a Cisco gateway no realm was configured) Nonce(Number Once) that can only be used one time. Every 401/407 challenge will contain a unique Nonce which means any data encrypted with it as only good for a single transaction.  Those encrypted credentials become completely worthless after a single use. Hash algorithm (which is MD5) qopIndicates what “quality of protection” the client has applied to the message. Typically it is always”auth” or “auth-int”

Challenge from Avaya Session Manager Server: AVAYA-SM-6.3.4.0.634014

Now the Avaya Session Manager string has a few more items in its Challenge string

WWW-Authenticate: Digestrealm=”sip.test.com”,qop=”auth”,opaque=”1234567890abcedef”,nonce=”145f5ca9aac6f0b9f93433188d446ae0d9f91a6ff80“,algorithm=MD5,stale=true

As with the Cisco Gateway challenge string type is “WWW-Authenticate”  This time the realm is defined as it is required in Avaya Session Manager and the realm is “sip.test.com” A new option in the string is opaque=”1234567890abcedef” I find that neither the Cisco Gateway (ISR router) or Cisco Call Manager use the opaque option.

A second new option is “stale” notice in the Avaya SM capture that it is set to true. Typically if the “stale” element is in the string the value will be false. Hold the thought on this will explain why it is set to true in the next section “User Agent Client Response to challenge” opaque A string of data, specified by the server, which should be returned by the client unchanged.( This an extra mechanism that rogue phone would not know when it tried hack the call in progress). The opaque actually makes no sense to me as all Avaya Session Manager captures I have looked at it is always “1234567890abcedef” Stale is either True or false This used to for Server to track when client tries to re-use a Nonce which happens when endpoint Re-registers.

When I tested an old Nortel NRS version 5 it also has an opaque and stale WWW-Authenticate: Digest realm=”sip.lab.com”, nonce=”3f3b346de1b216b59b05daaec5b4b603″, opaque=”62bf8eaf6c0d967565423c4e47a39a8f”, stale=false, algorithm=MD5, qop=”auth”

User Agent Client Response to challenge

Xlite phone response to the challenge from the Cisco SIP gateway

Digest username=”4427″,realm=””,nonce=”63110EC902893319″,uri=”sip:192.168.15.101″,response=”c50963fa128e8db5069e262f176292fe”, cnonce=”a36f404a118bce981fe948ff26be22d4″,nc=00000001, qop=auth,algorithm=MD5 In second Registration request from the User Agent Client (Xlite SIP phone) is the response to the SIP server challenge the: the realm and Nonce are repeated back, then the following new values are added:

• username is provided
• The SIP URI is supplied
• Response contains the encrypted password
• CNONCE (Client NONCE) UAC supplied Nonce to effect final hash algorithm

Xlite phone response to Challenge from Avaya Session Manager User-Agent: X-Lite release 4.5.5  stamp 71236   The

Xlite response to the Avaya SM challenge has additional component in the string: NC this is the NONCE count of requests sent by the client and supposedly must be present if qop is present. The nonce-count is used to avoid reply-attacks.

Now to my earlier observation looking at the wireshark snippets below “A second new option is “stale” notice in the Avaya SM capture that it is set to true. ”

WWW-Authenticate: Digest realm=”sip.test.com”,qop=”auth”,opaque=”1234567890abcedef”,nonce=”145f5ca9aac6f0b9f93433188d446ae0d9f91a6ff80″,algorithm=MD5,stale=trueIn this snippet from the wire shark trace we see the Xlite phone (line number 25 and source is 192.168.200.167) initiating a registration attempt with nonce that had been used in a previous registration attempt to Session Manager 192.168.148.164 (destination), notice it is also sending a  nc=00000002. This indicates that nonce is being more than one time. Now on line 26 Session Manager responds with a new challenge, notice the nonce value and the stale flag being “true” On line 27 we see that Xlite phone responds to the WWW-authenticate challenge by providing the credentials with the new nonce

Wire Shark Summary of SIP registration

Advertisements

REPORT THIS AD

REPORT THIS AD

Share this:

• Twitter
• Facebook
• Google

This entry was tagged SIP, SIP Registrar, SIP server, WWW-Authenticate. Bookmark the permalink.

rtp audio video profile

https://en.wikipedia.org/wiki/RTP_audio_video_profile

option request log

<--- Transmitting SIP request (462 bytes) to UDP:54.172.60.3:5060 --->
OPTIONS sip:asteriskpjsip.pstn.us1.twilio.com:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.101.99:5066;rport;branch=z9hG4bKPj6280c4e9-e1e3-4231-9690-757d3902a9d3
From: <sip:twilio@192.168.101.99>;tag=7d6268d8-ac8c-44e4-aa9c-83a30558c19c
To: <sip:asteriskpjsip.pstn.us1.twilio.com>
Contact: <sip:twilio@192.168.101.99:5066>
Call-ID: 70d477f6-c823-4293-8b95-91deff2c7030
CSeq: 48289 OPTIONS
Max-Forwards: 70
User-Agent: Asterisk PBX 16.1.0
Content-Length:  0


<--- Received SIP response (417 bytes) from UDP:54.172.60.3:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.101.99:5066;received=217.15.39.46;rport=35921;branch=z9hG4bKPj6280c4e9-e1e3-4231-9690-757d3902a9d3
From: <sip:twilio@192.168.101.99>;tag=7d6268d8-ac8c-44e4-aa9c-83a30558c19c
To: <sip:asteriskpjsip.pstn.us1.twilio.com>;tag=51026399c684defae5dc2ecd5fc38069.b474
Call-ID: 70d477f6-c823-4293-8b95-91deff2c7030
CSeq: 48289 OPTIONS
Server: Twilio Gateway
Content-Length: 0

sip BYE

BYE sip:172.18.15.132:5060 SIP/2.0
Via: SIP/2.0/UDP 45.77.203.6:5066;rport;branch=z9hG4bKPja4d691b6-4605-459d-bc88-ca811b33084a
From: "Ambiorix" <sip:18095608344@45.77.203.6>;tag=f14b225b-58b4-48de-8254-78d939e6141b
To: <sip:+13052362323@asteriskpjsip.pstn.us1.twilio.com>;tag=18426641_6772d868_e74bb600-520d-46de-ad77-822985dec5dc
Call-ID: 9834c53d-54a3-497f-92d5-f9ae0f94bf2d
CSeq: 15065 BYE
Route: <sip:54.172.60.3:5060;lr;ftag=f14b225b-58b4-48de-8254-78d939e6141b>
Reason: Q.850;cause=16
Max-Forwards: 70
User-Agent: Asterisk PBX 16.0.0
Content-Length:  0


  == Spawn extension (internal, 913052362323, 3) exited non-zero on 'PJSIP/6005-00000034'
  == MixMonitor close filestream (mixed)
  == End MixMonitor Recording PJSIP/6005-00000034
<--- Received SIP response (497 bytes) from UDP:54.172.60.3:5060 --->
SIP/2.0 200 OK
CSeq: 15065 BYE
Call-ID: 9834c53d-54a3-497f-92d5-f9ae0f94bf2d
From: "Ambiorix" <sip:18095608344@45.77.203.6>;tag=f14b225b-58b4-48de-8254-78d939e6141b
To: <sip:+13052362323@asteriskpjsip.pstn.us1.twilio.com>;tag=18426641_6772d868_e74bb600-520d-46de-ad77-822985dec5dc
Via: SIP/2.0/UDP 45.77.203.6:5066;received=45.77.203.6;rport=5066;branch=z9hG4bKPja4d691b6-4605-459d-bc88-ca811b33084a
Server: Twilio
X-Twilio-CallSid: CA877bfb05ce4cdc1ed4f3a0a75b3bc88e
Content-Length: 0
-----------------

---------------------------------------------------------------------------------
BYE sip:400@186.149.22.50:61001 SIP/2.0
Via: SIP/2.0/UDP 45.77.203.6:5065;rport;branch=z9hG4bKPj1a4a1ccf-23d4-4f99-9ffb-d5fc361702b7
From: "Ambiorix" <sip:6005@45.77.203.6>;tag=d3dc3eff-b697-4896-aff6-6be9217181e1
To: <sip:8095445555@186.149.22.50>;tag=2ea088a078906330
Call-ID: 38005182-8b9d-469d-8703-0ec651cf0b30
CSeq: 26006 BYE
Reason: Q.850;cause=16
Max-Forwards: 70
User-Agent: Asterisk PBX 16.0.0
Content-Length:  0


  == Spawn extension (internal, 8095445555, 2) exited non-zero on 'PJSIP/6005-00000036'
  == MixMonitor close filestream (mixed)
  == End MixMonitor Recording PJSIP/6005-00000036
<--- Received SIP response (702 bytes) from UDP:186.149.22.50:61001 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 45.77.203.6:5065;rport;branch=z9hG4bKPj1a4a1ccf-23d4-4f99-9ffb-d5fc361702b7
From: "Ambiorix" <sip:6005@45.77.203.6>;tag=d3dc3eff-b697-4896-aff6-6be9217181e1
To: <sip:8095445555@186.149.22.50>;tag=2ea088a078906330
Call-ID: 38005182-8b9d-469d-8703-0ec651cf0b30
CSeq: 26006 BYE
User-Agent: Grandstream GXW4104 (HW 1.0, Ch:1) 1.4.1.5
Session-Expires: 180;refresher=uac
Min-SE: 180
Require: timer
Warning: 399 186.149.22.50 "detected NAT type is port restricted cone"
Contact: <sip:400@186.149.22.50:61001;transport=udp>
Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE,UPDATE,PRACK
Supported: replaces, timer, 100rel, pat

Asterisk realtime centos 7

sudo yum install epel-release
Install dependencies
yum install unixODBC-devel
yum install unixODBC
yum install python-devel
yum install python-pip
yum install MySQL-python


yum install unixODBC unixODBC-devel libtool-ltdl libtool-ltdl-devel
yum install mysql-connector-odbc

LAMP

https://hostadvice.com/how-to/how-to-install-lamp-stack-on-centos-7/

ODBC

http://asteriskdocs.org/en/3rd_Edition/asterisk-book-html-chunk/installing_configuring_odbc.html


Install php 7.2

https://www.tecmint.com/install-php-7-in-centos-7/



Real time

https://wiki.asterisk.org/wiki/display/AST/Setting+up+PJSIP+Realtime#SettingupPJSIPRealtime-InstallingDependencies

Asterisk 16 installation on Centos 7

   1 MAKE SURE SELINUX IS DISABLED
   2  sestatus
   3   yum -y update

    4   yum -y groupinstall core base "Development Tools"

    5  yum install -y make wget openssl-devel ncurses-devel  newt-devel libxml2-devel kernel-devel gcc gcc-c++ sqlite-devel

    6  cd /usr/src/
    7  wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-16-current.tar.gz
   8  tar zxvf asterisk*
   9   cd /usr/src/asterisk*

   contrib/scripts/install_prereq install

   10  ./configure --libdir=/usr/lib64 --with-pjproject-bundled --with-jansson-bundled && make menuselect && make && make install

   11  make samples
   12  make config
   13  ldconfig
   14  service asterisk start
   15  asterisk -rvvvvvvvvvvvvv

SIP INVITE header fields

   

Understanding common header fields in a SIP INVITE

The SIP INVITE is the foundation for every SIP phone call. It is simple and flexible, but often poorly understood by users. The purpose of this article is to provide a quick and easy reference to the critical headers in a SIP INVITE.

The SIP INVITE request is the message sent by the calling party, inviting the recipient for a session. The SIP headers included in this SIP INVITE request provide information about the message.

Consider the following SIP message, with the common SIP headers highlighted:

INVITE sip:bob@biloxi.example.com SIP/2.0
Via: SIP/2.0/TCP client.atlanta.example.com:5060;branch=z9hG4bK74bf9
Max-Forwards: 70
From: Alice <sip:alice@atlanta.example.com>;tag=9fxced76sl
To: Bob <sip:bob@biloxi.example.com>
Call-ID: 3848276298220188511@atlanta.example.com
CSeq: 2 INVITE
Contact: <sip:alice@client.atlanta.example.com;transport=tcp>
Diversion: Carol <sip:carol@atlanta.example.com>;privacy=off;reason=no-answer;counter=1;screen=no
Remote-Party-ID: Alice <sip:alice@atlanta.example.com>
P-Asserted-Identity: Alice <sip:alice@atlanta.example.com>
P-Charge-Info: <sip:eve@atlanta.example.com>
P-Source-Device: 216.3.128.12
Content-Type: application/sdp
Content-Length: 151
X-BroadWorks-DNC: network-address=sip:+9876543210@127.0.0.101;user=phone
User-Agent: X-Lite release 1104o stamp 56125 v=0 o=alice 2890844526 2890844526 IN IP4 client.atlanta.example.com s=- c=IN IP4 192.0.2.101 t=0 0 m=audio 49172 RTP/AVP 0 a=rtpmap:0 PCMU/8000

The following sections explain these header fields.

Request URI

INVITE sip:bob@biloxi.example.com SIP/2.0

The Request URI is the contact information of the next hop in the call route. In the above example, the username of the next hop is bob, who is hosted by biloxi.example.com.

Via

Via: SIP/2.0/TCP client.atlanta.example.com:5060;branch=z9hG4bK74bf9
Max-Forwards: 70

The Via header field indicates the path taken by the request so far and helps in routing the responses back along the same path. If the SIP INVITE passed through multiple SIP proxies, there will be multiple VIA headers. In the given example, the responses will be sent back to client.atlanta.example.com at the port 5060.

From

From: Alice <sip:alice@atlanta.example.com>;tag=9fxced76sl

The From header field indicates contact information of the initiator of the SIP INVITE request, Alice in this case.

To

To: Bob <sip:bob@biloxi.example.com>

The To header field contains the information about the called party or the recipient of the request, Bob in this example.

Call-ID

Call-ID: 3848276298220188511@atlanta.example.com

The Call-ID header field is a unique ID identifying the SIP call. All messages containing this call-id will be assigned to the same SIP call.

Contact

Contact: <sip:alice@client.atlanta.example.com;transport=tcp>

The Contact header field provides a SIP or SIPS URI that should be used to contact the sender of the INVITE, Alice.

Diversion

Diversion: Carol <sip:carol@atlanta.example.com>;privacy=off;reason=no-answer;counter=1;screen=no

The diversion header contains the redirection information of the call. It includes the contact information of the device that forwards the INVITE, and also the reason for diversion.

Remote Party ID

Remote-Party-ID: Alice <sip:alice@atlanta.example.com>

This SIP header is considered obsolete, but is still used to convey the calling telephone number and source IP address.

P-Asserted-Identity

P-Asserted-Identity: Alice <sip:alice@atlanta.example.com>

The P-Asserted-Identity header field is an important SIP header used among trusted SIP entities (typically intermediaries) to carry the identity of the user sending a SIP message as it was verified by authentication. This header is commonly used in call centers who need to present the calling number of its customer, rather than it actual telephone number.

P-Charge-Info

P-Charge-Info: <sip:eve@atlanta.example.com>

The P-Charge-Info header is used to convey billing information about the party to be charged.

P-Source-Device

>P-Source-Device: 216.3.128.12
Content-Type: application/sdp
Content-Length: 151

This is a special header and includes the IP address of the source device through a Back to Back User Agent

X-Header

X-BroadWorks-DNC: network-address=sip:+9876543210@127.0.0.101;user=phone

A SIP header that begins with X can be used to convey any information. For example, An X-Header in a SIP INVITE is often used to convey a subscriber account number for billing.

User-Agent

User-Agent: X-Lite release 1104o stamp 56125

The User-Agent header field contains information about the UAC originating the request. It describes the source device that generated the SIP INVITE.

Connection Information

c= IN IP4 192.0.2.101

This is the source IP address and connection type for the audio stream.

This was one of the simpler SIP INVITE requests, and it could be more complex depending on the call flow.

The SIP INVITE is an important request method, and the information it contains could be used not just for session initiation, but also for such crucial applications as fraud detection. A SIP Analytics-driven Fraud Detection allows for real-time call blocking or call diversion.

pjsip realtime

https://wiki.asterisk.org/wiki/display/AST/Setting+up+PJSIP+Realtime#SettingupPJSIPRealtime-InstallingDependencies


https://wiki.asterisk.org/wiki/display/AST/Setting+up+PJSIP+Realtime

https://wiki.asterisk.org/wiki/display/AST/Sorcery

sudo apt-get install python-setuptools

For Python 3.x

sudo apt-get install python3-setuptools

Admin GUI Dashboard Error after module update today

fwconsole ma upgrade dashboard --edge

https://community.freepbx.org/t/admin-gui-dashboard-error-after-module-update-today/53703

Ubuntu 18 Asterisk CDR ODBC

https://community.asterisk.org/t/call-detail-records-are-not-saving-in-cdr/76743/6

Install packages
apt-get install unixodbc-dev unixodbc-bin unixodbc

/etc/odbc.ini
[asterisk-mysql]
Description = MySQL connection to ‘asterisk’ database
Driver = MySQL
Database = asterisk
Server = localhost
UserName = root
Password = ‘’
Port = 3306
Socket = /var/run/mysqld/mysqld.sock

This lib need to be downloaded from MYSQL SITE

/etc/odbcinst.ini
[MySQL]
Description = ODBC for MySQL
Driver = /usr/lib/x86_64-linux-gnu/odbc/libmyodbc8a.so
Setup = /usr/lib/x86_64-linux-gnu/odbc/libmyodbc8S.so
FileUsage = 1

/etc/asterisk/cdr_adaptive_odbc.conf

[asterisk-mysql]
connection=asterisk-mysql
table=cdr
alias start => calldate

/etc/asterisk/res_odbc.conf
[asterisk-mysql]
enabled => yes
dsn => asterisk-mysql
username => root
password => ‘’
pre-connect => yes

assuming asterisk db exist create the table

CREATE TABLE cdr (
calldate datetime NULL ,
clid varchar(80) NOT NULL default ‘’,
src varchar(80) NOT NULL default ‘’,
dst varchar(80) NOT NULL default ‘’,
dcontext varchar(80) NOT NULL default ‘’,
channel varchar(80) NOT NULL default ‘’,
dstchannel varchar(80) NOT NULL default ‘’,
lastapp varchar(80) NOT NULL default ‘’,
lastdata varchar(80) NOT NULL default ‘’,
duration int(11) NOT NULL default ‘0’,
billsec int(11) NOT NULL default ‘0’,
disposition varchar(45) NOT NULL default ‘’,
amaflags int(11) NOT NULL default ‘0’,
accountcode varchar(20) NOT NULL default ‘’,
uniqueid varchar(32) NOT NULL default ‘’,
userfield varchar(255) NOT NULL default ‘’
);
restart asterisk

service asterisk restart

image.png1366x768 87.2 KB

image.png1366x768 148 KB