Categories
Asterisk Support Blog Elastix Support FreePBX Knowledge Base Security

Keeping the Bots out and allowing your friends in

Since this post was originally written things have advanced: FreePBX now has an integrated firewall with intrusion detection using Fail2Ban, and this should always be enabled even if the system is on premise.

Another major step forward in protection is APIBAN, a client program that helps prevent unwanted SIP traffic by identifying addresses of known bad actors before they attack your system. Bad bots are collected through globally deployed honeypots. To use APIBAN you will need a key; these are obtained from here . More details on APIBAN are here if you are interested in using it in different situations.

To simplify installation on FreePBX-based systems I have a simple script that downloads and installs it. This can be downloaded here or from the command line of the server as follows:

wget https://freeaccesspublic.s3.eu-west-2.amazonaws.com/apiban.sh
Make it an executable : chmod +x  apiban.sh
then run the script : ./apiban.sh your_api_key

If you don't add your API key on the command line, vi will open and you can add it manually. The script will then run the client, which will take a few seconds to download the initial set of bots, then it will add a line to the crontab file and restart the cron daemon. The timing of the cron job is randomised to be between every 4 and 22 minutes.

We have seen many bots attacking Asterisk servers. Interestingly, it's not always good old sipvicious anymore but a Windows program called sipcli, originating mainly from the US and Germany.

Normally our iptables firewalls are updated, but for some reason these keep getting through, so we have now based rules on the User-Agent in iptables as well.

Here are a few examples to get rid of many of the favourites:

-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: friendly-scanner" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: sipcli" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: sipvicious" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: VaxSIPUserAgent" --algo bm --to 65535 -j DROP

For the FreePBX format, add the following to the firewall's custom rules:


-A fpbxreject -p udp --dport 5060:5261 -m string --string "REGISTER sip:server.domain.co.uk" --algo bm -j ACCEPT
-A fpbxreject -p udp --dport 5060:5261 -m string --string "REGISTER sip:" --algo bm -j DROP
-A fpbxreject -p tcp --dport 5060:5261 -m string --string "REGISTER sip:server.domain.co.uk" --algo bm -j ACCEPT
-A fpbxreject -p tcp --dport 5060:5261 -m string --string "REGISTER sip:" --algo bm -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "sip:a'or'3=3--@" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: PolycomSoundPointIP SPIP_550 UA 3.3.2.0413" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: Avaya IP Phone 1120E" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: Cisco-SIPGateway/IOS-15.2.4.M5" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: PolycomVVX-VVX_401-UA5.4.1.18405" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: eyeBeam release 3006o stamp 17551" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: owenee" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: owenee" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: Custom" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: Custom" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: SIP" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: SIP" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: gazllove" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: gazllove" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: pplsip" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: pplsip" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: sipcli" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: sipcli" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: sipvicious" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: sipvicious" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: sip-scan" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: sip-scan" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: sipsak" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: sipsak" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: sundayddr" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: sundayddr" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: friendly-scanner" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: friendly-scanner" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: iWar" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: iWar" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: CSipSimple" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: CSipSimple" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: SIVuS" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: SIVuS" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: Gulp" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: Gulp" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: sipv" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: sipv" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: smap" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: smap" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: friendly-request" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: friendly-request" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: VaxIPUserAgent" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: VaxIPUserAgent" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: VaxSIPUserAgent" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: VaxSIPUserAgent" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: siparmyknife" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: siparmyknife" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: Test" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: Test" --algo bm --to 65535 -j DROP
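
Before loading a list like this, it helps to see which rule a given packet would hit, because the string match is a plain case-sensitive substring test and the first matching rule ends evaluation. The script below is an added example, not part of the original post: it replays a subset of the rules above against constructed SIP requests (the Yealink, SIPPhone and sipcli User-Agent values and the RFC 5737 addresses are made up for illustration).

```shell
#!/bin/sh
# Added example: offline first-match simulation of a subset of the fpbxreject
# rules. iptables "-m string" is a case-sensitive substring match on the
# packet payload; the shell "case" statement reproduces that here.

# ACTION|pattern, in the same order as the rules on the page (subset).
RULES='ACCEPT|REGISTER sip:server.domain.co.uk
DROP|REGISTER sip:
DROP|User-Agent: SIP
DROP|User-Agent: Test
DROP|User-Agent: sipcli
DROP|User-Agent: friendly-scanner'

# verdict PAYLOAD: print "ACTION|pattern" for the first rule that matches, or
# "NOMATCH|" when the packet would fall through to whatever follows the chain.
verdict() (
    payload=$1
    while IFS='|' read -r action pattern; do
        case $payload in
            *"$pattern"*) printf '%s|%s\n' "$action" "$pattern"; exit 0 ;;
        esac
    done <<EOF
$RULES
EOF
    printf 'NOMATCH|\n'
)

# sip_msg REQUEST_LINE USER_AGENT: build a minimal, constructed SIP request.
sip_msg() {
    printf '%s\r\nVia: SIP/2.0/UDP 198.51.100.7:5060\r\nUser-Agent: %s\r\nContent-Length: 0\r\n\r\n' "$1" "$2"
}

# show LABEL REQUEST_LINE USER_AGENT: print one result line for the reader.
show() {
    printf '%-28s %s\n' "$1" "$(verdict "$(sip_msg "$2" "$3")")"
}

show 'scanner probe'           'OPTIONS sip:100@203.0.113.10 SIP/2.0'       'friendly-scanner'
show 'phone registers by name' 'REGISTER sip:server.domain.co.uk SIP/2.0'   'Yealink SIP-T23G 44.80.0.20'
show 'phone registers by IP'   'REGISTER sip:203.0.113.10 SIP/2.0'          'Yealink SIP-T23G 44.80.0.20'
show 'UA that starts with SIP' 'INVITE sip:200@server.domain.co.uk SIP/2.0' 'SIPPhone/1.0'
show 'sipcli UA, named domain' 'REGISTER sip:server.domain.co.uk SIP/2.0'   'sipcli/v1.8'
show 'ordinary INVITE'         'INVITE sip:200@server.domain.co.uk SIP/2.0' 'Yealink SIP-T23G 44.80.0.20'
```

Two things show up: short patterns such as "User-Agent: SIP" or "User-Agent: Test" also drop any genuine client whose User-Agent merely begins with those letters, and a REGISTER that names the server domain is accepted by the first rule before any User-Agent rule is consulted. Put your own handsets' User-Agent strings through it before deploying the list.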

It's also worth adding these ranges, as little good will ever come from them:

# Ponytelecom ranges
-A INPUT -s 62.210.0.0/16 -j DROP
-A INPUT -s 195.154.0.0/16 -j DROP
-A INPUT -s 212.129.0.0/18 -j DROP
-A INPUT -s 62.4.0.0/19 -j DROP
-A INPUT -s 212.83.128.0/19 -j DROP
-A INPUT -s 212.83.160.0/19 -j DROP
-A INPUT -s 212.47.224.0/19 -j DROP
-A INPUT -s 163.172.0.0/16 -j DROP
-A INPUT -s 51.15.0.0/16 -j DROP
-A INPUT -s 151.115.0.0/16 -j DROP

# VITOX TELECOM
-A INPUT -s 77.247.109.0/255.255.255.0 -p udp -j DROP 
-A INPUT -s 185.53.88.0/24 -p udp -j DROP 
-A INPUT -s 185.53.89.0/24 -p udp -j DROP 
-A INPUT -s 37.49.224.0/24 -p udp -j DROP 
-A INPUT -s 37.49.230.0/24 -p udp -j DROP 
-A INPUT -s 37.49.231.0/24 -p udp -j DROP 
-A INPUT -s 77.247.110.0/255.255.255.0 -p udp -j DROP
Categories
Blog Elastix Support

Elastix changes and what it means

This week, significant changes at Elastix were announced, including the involvement of 3CX and the removal of key Elastix versions for download. Since those announcements, many things have been written by many people, and this has left some folks wondering what happened. Sangoma would like to reinforce its commitment to open source, and this open letter from Sangoma will provide its own clarity about how these events affect or involve Sangoma. Sangoma is a professional, global, growing, profitable, engineering-focused, publicly traded company, and this is the only reliable source of information to understand how those recent events affect or involve Sangoma. Other commentary released by third parties about Sangoma is not to be relied upon.

Everyone comes to open source software for their own reasons: software developers to do what they love; some to earn a livelihood; manufacturers to augment the project and sell their wares; and most importantly community members to find flexible/cost effective/well-supported solutions to their ‘business problem’ (in our case, for UC/Telecom/PBX needs). In the end, the good projects build something bigger than themselves… a community, a solution, and an opportunity for end users to utilize the project to build their own businesses. Over the course of a project many people will enter and exit those communities as their needs change.

As the primary investor in and developers of FreePBX, Sangoma actively works with many different members of the Open Source Telephony (OST) community, including Asterisk Developers, other FreePBX-based distros (including Elastix!), and many third-party hardware/software developers and manufacturers. As just one example, we have a great relationship with Digium and talk with them on an almost weekly basis, even though many consider us competitors. This may seem surprising to some, as many folks would think we might be bitter enemies. In fact, the opposite is true…we encourage and help those products to compete in the marketplace on their own merits. And this is entirely consistent with the commitment Sangoma has demonstrated to open source for many, many years over the time when we worked hard to also make Asterisk better. When Sangoma took over stewardship of FreePBX, we reiterated this statement clearly and unequivocally.

So Sangoma continues to work very hard every day, and invests many millions of dollars each year, in order to build strong relationships and to benefit the entire open source telephony community. There is a saying that ‘a rising tide lifts all boats.’ Thus, it is usually counter-productive for open source contributors to battle with each other. In other words, there is no reason for them to fight over the same slice of pie, when there is an entire cake that no one is touching.

Their approach was no different with Elastix. For over a decade, Sangoma has been a direct supporter of Elastix in many, many different ways, visiting them in Ecuador many times. They supported the project financially, they attended/exhibited/supported/spoke at multiple ElastixWorld events over many years, they cooperated with their distribution partners who also supported Elastix, they invested in R&D to ensure their products (software and hardware) were compatible with Elastix, etc. The list goes on and on. They had (and hope, still have) excellent relationships between the companies, in all parts of the organizations right up to the CEO level of both companies.

With recent changes at Elastix, some people/blogs/websites have made comments which claim that the removal of Elastix downloads of version 4 or MT was in some way caused by Sangoma/FreePBX, due to concerns about compliance with GPL conditions. That is not true and they wish to set the story straight. Sangoma holds itself to high ethical standards, and as a publicly traded company as well, setting the record straight with facts and not rumours is both important and required.

While it is indeed true that Sangoma pointed out to Elastix some time ago that there was a copyright issue, they did so in a very friendly manner, with words carefully chosen to be respectful of the long term relationship between the companies, and critically, to ensure that this important relationship continued. It was a 2015 letter from CEO to CEO, and certainly did not suggest any legal action, since it was not that kind of letter at all…it was a positive, complimentary letter seeking to deepen the relationship, not harm it. That letter was sent shortly after Sangoma acquired FreePBX, when they made it a priority to reach out to PaloSanto to reinforce that the Elastix Project was a valuable strategic partner to Sangoma. It was in no way threatening, did not ask for, was not intended to, and given it was 2015, did not cause any versions of Elastix to be withdrawn. Elastix's decision this week to shut down these versions is a business decision, not a response to Sangoma. While it seems that these days the number of open source projects that remain truly open source is definitely on the decline, Sangoma’s commitment to open source remains as true today as always.

And while it is admittedly a little unusual for companies to do so, in this case, for full transparency to the open source communities that they respect so very much (and to dispel any untrue rumours or claims), the entire letter is available. They share it for those who need confirmation of the above statements, and to reassure the Elastix community that Sangoma continues to be committed to you as well as to the entire Latin America region (and would be honored to have you consider joining the family).

This page is a shortened and edited version of Sangoma’s announcement at https://www.freepbx.org/what-happened-to-elastix/ ; follow the link for the full version.

Categories
Asterisk Support Elastix Support Knowledge Base Support Technical

One way audio with Yealink T23 and Gamma Sip trunks on Freepbx

We recently had a very puzzling issue with a customer to whom we supplied some Yealink T23 handsets. When making outgoing calls over Gamma SIP trunks on their Elastix server we were getting one-way audio. This was not an issue with their existing Snom handsets, nor a problem for internal or incoming calls over the same trunks. It also wasn’t an issue when using IAX2 trunks.

It seems that there is some interoperability issue when using SIP trunks and these handsets, and it seems to be a little-known issue as it only affects a few operators.

It seems to be addressed in the 44.80.0.20 version of the software, which isn’t on the Yealink UK site yet but is available here, and it should be loaded on all T23 handsets as they are being delivered with 44.80.0.5 firmware at the moment.

Categories
Elastix Support Knowledge Base Support

Converting recordings to MP3 in FreePBX and updating mysql CDR records

In FreePBX, users can listen to wav file recordings via the “Call Recordings” tab. This uses a field in the MySQL cdr table to say where the recording is and what it is called. Recordings are now stored in a year/month/day directory structure under /var/spool/asterisk/monitor, so if the end user wants the recordings in mp3 format, as many do, it's not just a case of converting them; the database has to be updated as well.

Luckily this is fairly straightforward: it's just a case of doing a quick query, converting the file and then updating the database. First you have to install lame, which can be done simply with yum, then write a script.

In FreePBX advanced settings, you need to enable the “Display” and “Override” readonly settings and then add

/usr/local/sbin/postrecord.sh ^{CDR(linkedid)} to “

The script I use is simple with a bit of basic logging.

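#!/bin/bash
# Load $user, $secret and $path (bash looks the file up in $PATH)
. postrecconfig.sh
date >> /var/log/asterisk/mp3.log
# $1 is the call's linkedid and goes straight into SQL: refuse anything outside [A-Za-z0-9._-]
case "$1" in ''|*[!A-Za-z0-9._-]*) echo "rejected linkedid" >> /var/log/asterisk/mp3.log; exit 1 ;; esac
# Recording filename of the most recent answered leg of this call
pcmwav=$(mysql -u"$user" -p"$secret" -s -N -D asteriskcdrdb<<<"select recordingfile from cdr where linkedid LIKE '$1' AND disposition = 'ANSWERED'  ORDER by calldate DESC LIMIT 1");
# No recording for this call: nothing to convert
[ -n "$pcmwav" ] || exit 0
# Replace only the trailing .wav with .mp3
mp3="${pcmwav%.wav}.mp3"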
nice lame -b 16 -m m -q 9-resample  "$path$pcmwav" "$path$mp3" >> /var/log/asterisk/mp3.log
touch -r "$path$pcmwav" "$path$mp3" >> /var/log/asterisk/mp3.log
mysql -u$user -p$secret -s -N -D asteriskcdrdb<<<"UPDATE cdr SET recordingfile='$mp3'  WHERE recordingfile = '$pcmwav'" >> /var/log/asterisk/mp3.log
echo $pcmwav >> /var/log/asterisk/mp3.log
echo "--------||-------" >> /var/log/asterisk/mp3.log
date >> /var/log/asterisk/mp3.log
echo "Done" >> /var/log/asterisk/mp3.log
echo "--------||-------" >> /var/log/asterisk/mp3.log
exit 0

The postrecconfig.sh file looks like

user=freepbxuser
secret=secret
receptemail=info@youremailaddress.com
file_age=35
dy=$(date '+%Y')
dm=$(date '+%m')
dd=$(date '+%d')
path=/var/spool/asterisk/monitor/$dy/$dm/$dd/



As can be seen, it steps through entry by entry, converting and updating the DB. This example is cron'd to run hourly but does not delete the original wav file; this would be done in a separate script run weekly to remove old files. The reason to keep them is so that a backup of the original is held for a period in case of errors.

Hope this is of help to you and your users

Categories
Asterisk Support Elastix Support Knowledge Base Support

Multiple Dynamic features with Asterisk Applicationmaps

Dynamic features are very useful for allowing users access to custom features during calls. These can be loaded individually via the dialplan, but in FreePBX-based solutions this will mean a bit of hacking of the dialplan using overrides and making sure all still works afterwards, or they can be loaded as a global variable.

The easiest way is to load them as a global, as is done with apprecord. But if you want to add lots of features then you will have to use an application map group. This is done by editing the features_applicationmap_custom.conf file so it looks like the example below: at the top are your application maps, then your group.

testfeature => #9,callee,Playback,tt-monkeys 
calleehangup => #8,callee,Hangup()
callerhangup => #7,caller,Hangup()
[mymapgroup]
testfeature => #9
calleehangup => #8
callerhangup => #7
apprecord => *1

DO NOT FORGET to add the apprecord to your group.

You then need to edit the globals_custom.conf file and add a line like below

DYNAMIC_FEATURES => mymapgroup

Then reload asterisk and issue the command “features show”

Dynamic Feature           Default Current
---------------           ------- -------
callerhangup              no def  #7     
calleehangup              no def  #8     
testfeature               no def  #9     
apprecord                 no def  *1     
Feature Groups:
---------------
===> Group: mymapgroup
===> --> apprecord (*1,caller,Macro,one-touch-record)
===> --> callerhangup (#7)
===> --> calleehangup (#8)

To check that they are loaded as a global variable, do “dialplan show globals” and near or at the top you will see:

 DYNAMIC_FEATURES=mymapgroup

And that's all there is to it.

Categories
Elastix Support Knowledge Base Technical

Setting the server domain in elastix correct for scripted email

We run many scripts on customer servers to email CDRs, backups etc. One problem with some mail servers is that the mail gets rejected because it comes from root@elastixserver.yourdomain.com by default. The fix is simple and only takes a few lines.

The Postfix MTA offers the smtp_generic_maps parameter. You can specify lookup tables that replace local mail addresses with valid Internet addresses when mail leaves the machine via SMTP.

Open your main.cf file

# vi /etc/postfix/main.cf

Append the following parameter:

smtp_generic_maps = hash:/etc/postfix/generic

Save and close the file. Open /etc/postfix/generic file:

# vi /etc/postfix/generic

To change root@elastixserver.yourdomain.com to elastixserver@yourdomain.com, add:

root@elastixserver.yourdomain.com  elastixserver@yourdomain.com

Save and close the file. Create or update generic postfix table:

# postmap /etc/postfix/generic

Restart postfix:

# /etc/init.d/postfix restart

When mail is sent to a remote host via SMTP, this replaces the root@elastixserver.yourdomain.com address with elastixserver@yourdomain.com. You can use this trick to replace the address with your ISP address if you are connected via local SMTP.

To set up Gmail for delivery, look at this.

Categories
Asterisk Support Elastix Support Knowledge Base

Sip Config for Aretta CBeyond and Voiceflex with Asterisk

Since Version 1.8 in Asterisk we have seen some issues with DID calls from some suppliers.

The telltale sign is that even though you have an inbound route that matches the DID, the verbose screen will still say that nothing matched it in the inbound context. For example:

Call from 'USERNAME' (XXX.XX.XXX.XX:5060) to extension '01234123412' rejected because extension not found in context 'from‐trunk'

If you do “dialplan show 01234123412@from-trunk”, sure enough there is one.

After much searching and experimentation, below is a working FreePBX config that has been tested with 1.8 and 11 and proves to be working with the suppliers above.

OUTBOUND

[peername]
username=USERNAME
type=peer
trustrpid=yes
sendrpid=yes
secret=PASSWORD
qualify=no
outboundproxy=sip.hostname.com
nat=yes
insecure=very
host=sip.hostname.com
fromdomain=sip.hostname.com
dtmfmode=auto
disallow=all
context=from-trunk
canreinvite=no
allow=ulaw
allow=alaw

INBOUND

[username]
type=peer
host=sip.hostname.com
dtmfmode=auto
disallow=all
context=from-trunk
canreinvite=no
allow=ulaw
allow=alaw

;registration string
USERNAME:PASSWORD@peername/USERNAME
Categories
Asterisk Support Elastix Support Knowledge Base

IAX2 Cause code

Here is a table of the IAX2 cause codes to assist with debugging IAX2 call issues.

More IAX2 information can be found here and the RFC is here.

CSV download is here
Number Cause Reference
1 Unassigned/unallocated number [RFC5457]
2 No route to specified transit network [RFC5457]
3 No route to specified transit network [RFC5457]
4-5 Unassigned
6 Channel unacceptable [RFC5457]
7 Call awarded and delivered [RFC5457]
8-15 Unassigned
16 Normal call clearing [RFC5457]
17 User busy [RFC5457]
18 No user response [RFC5457]
19 No answer [RFC5457]
20 Unassigned
21 Call rejected [RFC5457]
22 Number changed [RFC5457]
23-26 Unassigned
27 Destination out of order [RFC5457]
28 Invalid number format/incomplete number [RFC5457]
29 Facility rejected [RFC5457]
30 Response to status enquiry [RFC5457]
31 Normal, unspecified [RFC5457]
32-33 Unassigned
34 No circuit/channel available [RFC5457]
35-37 Unassigned
38 Network out of order [RFC5457]
39-40 Unassigned
41 Temporary failure [RFC5457]
42 Switch congestion [RFC5457]
43 Access information discarded [RFC5457]
44 Requested channel not available [RFC5457]
45 Pre-empted (causes.h only) [RFC5457]
46 Unassigned
47 Resource unavailable, unspecified (Q.931 only) [RFC5457]
48-49 Unassigned
50 Facility not subscribed (causes.h only) [RFC5457]
51 Unassigned
52 Outgoing call barred (causes.h only) [RFC5457]
53 Unassigned
54 Incoming call barred (causes.h only) [RFC5457]
55-56 Unassigned
57 Bearer capability not authorized [RFC5457]
58 Bearer capability not available [RFC5457]
59-62 Unassigned
63 Service or option not available (Q.931 only) [RFC5457]
64 Unassigned
65 Bearer capability not implemented [RFC5457]
66 Channel type not implemented [RFC5457]
67-68 Unassigned
69 Facility not implemented [RFC5457]
70 Only restricted digital information bearer capability is available (Q.931 only) [RFC5457]
71-78 Unassigned
79 Service or option not available (Q.931 only) [RFC5457]
80 Unassigned
81 Invalid call reference [RFC5457]
82 Identified channel does not exist (Q.931 only) [RFC5457]
83 A suspended call exists, but this call identity does not (Q.931 only) [RFC5457]
84 Call identity in use (Q.931 only) [RFC5457]
85 No call suspended (Q.931 only) [RFC5457]
86 Call has been cleared (Q.931 only) [RFC5457]
87 Unassigned
88 Incompatible destination [RFC5457]
89-90 Unassigned
91 Invalid transit network selection (Q.931 only) [RFC5457]
92-94 Unassigned
95 Invalid message, unspecified [RFC5457]
96 Mandatory information element missing (Q.931 only) [RFC5457]
97 Message type nonexistent/not implemented [RFC5457]
98 Message not compatible with call state [RFC5457]
99 Information element nonexistent [RFC5457]
100 Invalid information element contents [RFC5457]
101 Message not compatible with call state [RFC5457]
102 Recovery on timer expiration [RFC5457]
103 Mandatory information element length error (causes.h only) [RFC5457]
104-110 Unassigned
111 Protocol error, unspecified [RFC5457]
112-126 Unassigned
127 Internetworking, unspecified [RFC5457]
128-255 Unassigned

 

Categories
Elastix Support Security

SSLv3 Poodle and Elastix

Google has just disclosed the SSL POODLE vulnerability, which is a design flaw in SSLv3. SSLv3 is enabled by default in Elastix and many other servers. Since it is a design flaw in the protocol itself and not an implementation bug, there will be no patches. The only way to mitigate this is to disable SSLv3 in your web server or any application using SSL.

How to test for SSL POODLE vulnerability?

The following simple script will test for it. It is a rewrite of Red Hat's, which would give a false negative if the script failed in any way, giving a false sense of security.

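#!/bin/bash
# timeout helper shipped with the bash-3.2 docs; make sure it is executable
chmod 755 /usr/share/doc/bash-3.2/scripts/timeout
# Attempt an SSLv3-only handshake with the local web server (port = second argument, default 443)
ret=$(echo Q | /usr/share/doc/bash-3.2/scripts/timeout 5 openssl s_client -connect "127.0.0.1:${2-443}" -ssl3)
if echo "${ret}" | grep -q 'Protocol.*SSLv3'; then
    # A session summary was printed; cipher 0000 means no SSLv3 cipher was negotiated
    if echo "${ret}" | grep -q 'Cipher.*0000'; then
        echo "SSL 3.0 disabled"
    else
        echo "SSL 3.0 enabled"
    fi
else
    # No SSLv3 session summary at all: the handshake was refused or the command failed
    echo "SSL disabled or other error"
fi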

The outputs will be similar to below on Elastix

[root@elastix24 ~]# ./sslv3.sh 
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=10:certificate has expired
notAfter=Jun 15 18:30:20 2014 GMT
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
notAfter=Jun 15 18:30:20 2014 GMT
verify return:1
DONE
SSL 3.0 enabled

As we can see, it's enabled.

Now edit the file /etc/httpd/conf.d/ssl.conf

and change line 100 (in Elastix 2.4)

from SSLProtocol all -SSLv2 to SSLProtocol all -SSLv2 -SSLv3

Then restart the httpd service.

Then test again and you should get:

13033:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40
13033:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
SSL disabled or other error

If you want to read the background here is the relevant document

Click to access ssl-poodle.pdf

Categories
Asterisk Support Elastix Support Knowledge Base Security

Elastix 2.4 ARI vulnerability Patch

The recent vulnerability in the Asterisk and FreePBX ARI login.php file is not addressed in an update to ARI in the unembedded FreePBX on Elastix 2.4.

This means that your systems will still be vulnerable.

We have produced a patch that you can apply to address this. The patch can be downloaded from https://s3.amazonaws.com/filesandpatches/ari.patch and applied as detailed below.

Log on to the server console:

cd /var/www/html/recordings/includes
cp login.php /root/login.php.ari
wget https://s3.amazonaws.com/filesandpatches/ari.patch
patch < ari.patch 

Then, to check, either log in to the server's ARI interface or run

cat login.php |grep json

and you should get the following output

$buf = json_decode($_COOKIE['ari_auth'],true);
$data = json_decode($crypt->decrypt($data,$ARI_CRYPT_PASSWORD),true);
$data = $crypt->encrypt(json_encode($data),$ARI_CRYPT_PASSWORD);
$buf = json_encode(array($data,$chksum));


Also check to see if you have the file in the fw_ari directory.

ls -l /var/www/html/admin/modules/fw_ari/htdocs_ari/includes

If there is a login.php there, then copy over the patched version.

cp /var/www/html/recordings/includes/login.php  /var/www/html/admin/modules/fw_ari/htdocs_ari/includes/login.php

After these actions, check that the file ownership is still correct. If not:

chown asterisk:asterisk /var/www/html/recordings/includes/login.php 

This patch also applies to any older version of ARI out there.

Also be on the lookout for two suspicious files, named “c.sh” and “c2.pl”. If you see these files, remove them immediately!

More details here. http://community.freepbx.org/t/critical-freepbx-rce-vulnerability-all-versions-cve-2014-7235/24536 or here http://support.freepbx.org/node/92822
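
The checks above (both login.php copies patched, ownership intact, no c.sh or c2.pl present) can be run in one pass. The script below is an added example, not part of the original post or the patch. It assumes GNU stat, and because the post does not say where the two suspicious files appear, the directory to sweep is given as an argument.

```shell
#!/bin/sh
# Added example: post-patch check for the two ARI login.php copies named above.
RECORDINGS=/var/www/html/recordings/includes/login.php
FW_ARI=/var/www/html/admin/modules/fw_ari/htdocs_ari/includes/login.php

# is_patched FILE: succeed only if FILE contains all four json lines that the
# post lists as the expected grep output after patching.
is_patched() {
    [ -f "$1" ] || return 1
    grep -qF "json_decode(\$_COOKIE['ari_auth'],true)" "$1" &&
    grep -qF 'json_decode($crypt->decrypt($data,$ARI_CRYPT_PASSWORD),true)' "$1" &&
    grep -qF 'encrypt(json_encode($data),$ARI_CRYPT_PASSWORD)' "$1" &&
    grep -qF 'json_encode(array($data,$chksum))' "$1"
}

# owner_of FILE: print "user:group" (GNU stat syntax).
owner_of() { stat -c '%U:%G' "$1"; }

# suspicious_files DIR: list regular files named c.sh or c2.pl below DIR.
suspicious_files() {
    find "$1" -type f \( -name 'c.sh' -o -name 'c2.pl' \) 2>/dev/null
}

# ari_report DIR: check both copies, then sweep DIR; returns 1 on any finding.
ari_report() {
    status=0
    for f in "$RECORDINGS" "$FW_ARI"; do
        if [ ! -f "$f" ]; then echo "absent      $f"; continue; fi
        if is_patched "$f"; then
            echo "patched     $f"
        else
            echo "UNPATCHED   $f"; status=1
        fi
        o=$(owner_of "$f")
        [ "$o" = asterisk:asterisk ] || { echo "owner $o  $f"; status=1; }
    done
    hits=$(suspicious_files "$1")
    if [ -n "$hits" ]; then echo "suspicious files:"; echo "$hits"; status=1; fi
    return "$status"
}

# Run the report only when a directory to sweep is given, for example:
#   sh ari_check.sh /var/www/html
if [ "$#" -gt 0 ]; then ari_report "$1"; fi
```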