Categories
Asterisk Support Blog Elastix Support FreePBX Knowledge Base Security

Keeping the Bots out and allowing your friends in

Since this post was originally written, things have advanced: FreePBX now has an integrated firewall with intrusion detection using Fail2Ban, and this should always be enabled, even if the system is on premise.

Another major step forward in protection is APIBAN. This is a client program that helps prevent unwanted SIP traffic by identifying the addresses of known bad actors before they attack your system. Bad bots are collected through globally deployed honeypots. To use APIBAN you will need a key; these are obtained from here. More details on APIBAN are here if you are interested in using it in different situations.

To simplify installation on FreePBX-based systems I have a simple script that downloads and installs it. This can be downloaded here or from the command line of the server as follows:

wget https://freeaccesspublic.s3.eu-west-2.amazonaws.com/apiban.sh
Make it executable: chmod +x apiban.sh
Then run the script: ./apiban.sh your_api_key

If you don't add your API key on the command line, vi will open and you can add it manually. The script will then run the client for the first time, which takes a few seconds to download the initial set of bots; it then adds a line to the crontab file and restarts the cron daemon. The timing of the cron job is randomised to be between every 4 and 22 minutes.

We have seen many bots attacking Asterisk servers. Interestingly, it's not always good old sipvicious anymore but a Windows program called sipcli, originating mainly from the US and Germany.

Normally our iptables firewalls are updated, but for some reason these keep getting through, so we have now based rules on the User-Agent in iptables as well.

Here are a few examples to get rid of many of the favourites:

-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: friendly-scanner" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: sipcli" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: sipvicious" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: VaxSIPUserAgent" --algo bm --to 65535 -j DROP

For FreePBX format, add the following to the firewall's custom rules:

-A fpbxreject -p udp --dport 5060:5261 -m string --string "REGISTER sip:server.domain.co.uk" --algo bm -j ACCEPT
-A fpbxreject -p udp --dport 5060:5261 -m string --string "REGISTER sip:" --algo bm -j DROP
-A fpbxreject -p tcp --dport 5060:5261 -m string --string "REGISTER sip:server.domain.co.uk" --algo bm -j ACCEPT
-A fpbxreject -p tcp --dport 5060:5261 -m string --string "REGISTER sip:" --algo bm -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "sip:a'or'3=3--@" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: PolycomSoundPointIP SPIP_550 UA 3.3.2.0413" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: Avaya IP Phone 1120E" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: Cisco-SIPGateway/IOS-15.2.4.M5" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: PolycomVVX-VVX_401-UA5.4.1.18405" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: eyeBeam release 3006o stamp 17551" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: owenee" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: owenee" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: Custom" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: Custom" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: SIP" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: SIP" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: gazllove" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: gazllove" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: pplsip" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: pplsip" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: sipcli" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: sipcli" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: sipvicious" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: sipvicious" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: sip-scan" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: sip-scan" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: sipsak" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: sipsak" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: sundayddr" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: sundayddr" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: friendly-scanner" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: friendly-scanner" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: iWar" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: iWar" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: CSipSimple" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: CSipSimple" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: SIVuS" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: SIVuS" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: Gulp" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: Gulp" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: sipv" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: sipv" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: smap" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: smap" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: friendly-request" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: friendly-request" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: VaxIPUserAgent" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: VaxIPUserAgent" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: VaxSIPUserAgent" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: VaxSIPUserAgent" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: siparmyknife" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: siparmyknife" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: Test" --algo bm --to 65535 -j DROP
-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string "User-Agent: Test" --algo bm --to 65535 -j DROP
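
Because these rules are plain substring matches evaluated in order, it is worth checking which of your own handsets they would catch before loading them. The following is an added example, not part of the original post: it models only protocol, port and --string matching, and the handset User-Agent strings are hypothetical.

```python
import shlex

# Excerpt of the FreePBX custom rules listed above; server.domain.co.uk is the
# page's placeholder for your own SIP domain.
RULES = """\
-A fpbxreject -p udp --dport 5060:5261 -m string --string "REGISTER sip:server.domain.co.uk" --algo bm -j ACCEPT
-A fpbxreject -p udp --dport 5060:5261 -m string --string "REGISTER sip:" --algo bm -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: SIP" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: Test" --algo bm --to 65535 -j DROP
-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string "User-Agent: friendly-scanner" --algo bm --to 65535 -j DROP
"""

# Options whose following token is a value this model cares about.
VALUE_OPTS = {"-p": "proto", "--dport": "ports", "--string": "string", "-j": "target"}


def parse_rules(text):
    """Parse iptables-restore style lines into dicts (proto, ports, string, target)."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens or tokens[0] != "-A":
            continue
        rule = {"proto": None, "ports": "0:65535", "string": None,
                "target": None, "icase": "--icase" in tokens}
        for opt, value in zip(tokens, tokens[1:]):
            if opt in VALUE_OPTS:
                rule[VALUE_OPTS[opt]] = value
        low, _, high = rule["ports"].partition(":")
        rule["ports"] = (int(low), int(high or low))
        rules.append(rule)
    return rules


def verdict(rules, proto, dport, payload):
    """First-match evaluation: return (target, matched string) or None."""
    for rule in rules:
        if rule["proto"] not in (None, proto):
            continue
        low, high = rule["ports"]
        if not low <= dport <= high:
            continue
        needle, haystack = rule["string"], payload
        if needle is not None:
            # -m string is a case-sensitive substring search unless --icase is given.
            if rule["icase"]:
                needle, haystack = needle.lower(), haystack.lower()
            if needle not in haystack:
                continue
        return rule["target"], rule["string"]
    return None  # no rule matched: the packet carries on down the chain


def sip_request(method, request_uri, user_agent):
    """Constructed minimal SIP request: just the parts these rules look at."""
    return (f"{method} {request_uri} SIP/2.0\r\n"
            f"To: <{request_uri}>\r\n"
            f"User-Agent: {user_agent}\r\n\r\n")


def blocked_handsets(rules, user_agents, domain="server.domain.co.uk"):
    """Return (user_agent, matching string) for each of your phones a rule would DROP."""
    blocked = []
    for agent in user_agents:
        packet = sip_request("INVITE", f"sip:200@{domain}", agent)
        hit = verdict(rules, "udp", 5060, packet)
        if hit and hit[0] == "DROP":
            blocked.append((agent, hit[1]))
    return blocked


# Hypothetical User-Agent strings standing in for the phones on your own network.
MY_PHONES = ["ExamplePhone 1.0", "SIPDesk-Example 2.1", "TestBench-Example 3"]

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for agent, needle in blocked_handsets(rules, MY_PHONES):
        print(f"would be dropped: {agent!r} (matches {needle!r})")
    own = sip_request("REGISTER", "sip:server.domain.co.uk", "ExamplePhone 1.0")
    other = sip_request("REGISTER", "sip:192.0.2.10", "ExamplePhone 1.0")
    print(verdict(rules, "udp", 5060, own), verdict(rules, "udp", 5060, other))
```

Short patterns such as "User-Agent: SIP" and "User-Agent: Test" match any agent string that merely starts with those letters, so run your real handset strings through the check first.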

Also, it's worth adding these ranges, as little good will ever come from them:

# Ponytelecom ranges
-A INPUT -s 62.210.0.0/16 -j DROP
-A INPUT -s 195.154.0.0/16 -j DROP
-A INPUT -s 212.129.0.0/18 -j DROP
-A INPUT -s 62.4.0.0/19 -j DROP
-A INPUT -s 212.83.128.0/19 -j DROP
-A INPUT -s 212.83.160.0/19 -j DROP
-A INPUT -s 212.47.224.0/19 -j DROP
-A INPUT -s 163.172.0.0/16 -j DROP
-A INPUT -s 51.15.0.0/16 -j DROP
-A INPUT -s 151.115.0.0/16 -j DROP

# VITOX TELECOM
-A INPUT -s 77.247.109.0/255.255.255.0 -p udp -j DROP 
-A INPUT -s 185.53.88.0/24 -p udp -j DROP 
-A INPUT -s 185.53.89.0/24 -p udp -j DROP 
-A INPUT -s 37.49.224.0/24 -p udp -j DROP 
-A INPUT -s 37.49.230.0/24 -p udp -j DROP 
-A INPUT -s 37.49.231.0/24 -p udp -j DROP 
-A INPUT -s 77.247.110.0/255.255.255.0 -p udp -j DROP
Categories
Asterisk Support Knowledge Base Products and services Technical

Gradwell IP Address ranges

At Gradwell, they send internet traffic from different addresses (known as IP addresses) to allow their telephony systems to work smoothly. Below is the list of IP addresses where their VoIP (Voice over IP) traffic will come from. It's important that your firewall allows traffic from these addresses; however, they recommend you don't set it to allow only from these, just that they are included.

The reason they say don't allow only these addresses is that their network is dynamic and may shift or have new items added, and we don't want this to affect your service.

There are a couple of things you should do to ensure you get the most from the Gradwell Voice services:

  • Check your firewall filtering – is there anything being excluded?
    • If yes – Allow the IP range traffic – this will most likely be in your firewall settings or tools (they all differ so they can’t exactly point you there)
    • If no – you’re good to go
  • If you use UDP traffic then you’ll need to allow Media ports (known as RTP) with the numbers 1024 to 65535

Current ranges as of summer 2021

109.224.232.0/22 109.224.232.0 to 109.224.235.255
109.224.240.0/22 109.224.240.0 to 109.224.243.255
109.239.96.132/31 109.239.96.132 to 109.239.96.133
141.170.24.21/31 141.170.24.21 to 141.170.24.22
141.170.24.5/31 141.170.24.5 to 141.170.24.6
141.170.50.16/28 141.170.50.16 to 141.170.50.31
185.47.148.0/24 185.47.148.0 to 185.47.148.255
194.145.188.224/27 194.145.188.224 to 194.145.188.255
194.145.189.52/31 194.145.189.52 to 194.145.189.53
194.145.190.128/26 194.145.190.128 to 194.145.190.191
194.145.191.128/27 194.145.191.128 to 194.145.191.159
195.74.60.0/23 195.74.60.0 to 195.74.61.255
213.166.3.128/26 213.166.3.129 - 213.166.3.190
213.166.4.128/26 213.166.4.129 - 213.166.4.190
213.166.5.0/24 213.166.5.0 to 213.166.5.255
78.40.243.192/27 78.40.243.192 to 78.40.243.223
87.238.72.128/26 87.238.72.128 to 87.238.72.191
87.238.73.128/26 87.238.73.128 to 87.238.73.191
87.238.74.128/26 87.238.74.128 to 87.238.74.191
87.238.77.128/26 87.238.77.128 to 87.238.77.191

To simplify things a bit, listed below are the ranges in common formats.

Rules for the FreePBX custom file “firewall-4.rules”

-A fpbxreject -s 109.224.232.0/22 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 109.224.240.0/22 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 109.224.222.16/28 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 109.239.96.132/31 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 141.170.24.20/30 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 141.170.24.5/31 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 141.170.50.16/28 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 185.47.148.0/24 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 194.145.188.224/27 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 194.145.189.52/31 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 194.145.190.128/26 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 194.145.191.128/27 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 195.74.60.0/23 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 212.11.68.144/28 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 213.166.2.128/26 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 213.166.3.128/26 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 213.166.4.128/26 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 213.166.5.0/24 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 78.40.243.192/27 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 87.238.72.128/26 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 87.238.73.128/26 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 87.238.74.128/26 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A fpbxreject -s 87.238.77.128/26 -p udp -m udp --dport 4569:5270 -j ACCEPT

Rules for IPtables file

-A INPUT -s 109.224.232.0/22 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 109.224.240.0/22 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 109.224.222.16/28 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 109.239.96.132/31 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 141.170.24.20/30 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 141.170.24.5/31 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 141.170.50.16/28 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 185.47.148.0/24 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 194.145.188.224/27 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 194.145.189.52/31 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 194.145.190.128/26 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 194.145.191.128/27 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 195.74.60.0/23 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 212.11.68.144/28 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 213.166.2.128/26 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 213.166.3.128/26 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 213.166.4.128/26 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 213.166.5.0/24 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 78.40.243.192/27 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 87.238.72.128/26 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 87.238.73.128/26 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 87.238.74.128/26 -p udp -m udp --dport 4569:5270 -j ACCEPT
-A INPUT -s 87.238.77.128/26 -p udp -m udp --dport 4569:5270 -j ACCEPT
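
The listing above pairs each CIDR with the address range it is meant to cover, so the two can be cross-checked before rules are generated from them. This is an added example, not from the original post or from Gradwell; it uses four lines copied from the listing and relies on iptables masking off the host bits of a -s address.

```python
import ipaddress
import re

# Four entries copied from the "Current ranges" listing above.
LISTING = """\
109.224.232.0/22 109.224.232.0 to 109.224.235.255
141.170.24.21/31 141.170.24.21 to 141.170.24.22
141.170.24.5/31 141.170.24.5 to 141.170.24.6
213.166.3.128/26 213.166.3.129 - 213.166.3.190
"""

# "CIDR first to last" or "CIDR first - last"
ENTRY_RE = re.compile(r"^(\S+/\d+)\s+(\S+)\s+(?:to|-)\s+(\S+)$")


def check_entry(line):
    """Return (networks_to_allow, warning_or_None) for one listing line."""
    match = ENTRY_RE.match(line.strip())
    if not match:
        raise ValueError(f"unrecognised listing line: {line!r}")
    cidr, first, last = match.groups()
    first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    # strict=False masks off host bits, which is what iptables does with -s.
    effective = ipaddress.ip_network(cidr, strict=False)
    if first in effective and last in effective:
        return [effective], None
    # The CIDR does not cover the stated range: cover the range exactly instead.
    exact = list(ipaddress.summarize_address_range(first, last))
    warning = (f"{cidr} is matched as {effective}, "
               f"which misses part of {first}-{last}")
    return exact, warning


def accept_rules(listing, chain="fpbxreject"):
    """Build ACCEPT lines in the page's format plus any consistency warnings."""
    rules, warnings = [], []
    for line in listing.splitlines():
        if not line.strip():
            continue
        networks, warning = check_entry(line)
        if warning:
            warnings.append(warning)
        rules += [f"-A {chain} -s {net} -p udp -m udp --dport 4569:5270 -j ACCEPT"
                  for net in networks]
    return rules, warnings


if __name__ == "__main__":
    rules, warnings = accept_rules(LISTING)
    print("\n".join(rules))
    for warning in warnings:
        print("WARNING:", warning)
```

Entries whose CIDR is not aligned to its prefix length are reported and replaced with networks that cover exactly the stated first and last address.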
Categories
Asterisk Support Covid-19 FreePBX Knowledge Base Remote Working

Disabling Router SIP ALG

With many companies asking their employees to work from home, a common problem when trying to use a SIP phone on a home network is the SIP ‘helper’ or ALG. Here is some advice on how to disable it on the more common routers that you may encounter.

SIP ALG (Application Layer Gateway) modifies VoIP traffic with the aim of solving NAT and firewall related problems. SIP ALG does this by inspecting SIP packets and modifying SIP Header and SDP data.

Unfortunately, SIP ALG was poorly implemented in a lot of cases, which has led to it causing more issues than it corrects; because of this, we believe that, in general, it is best disabled.

Note – Many routers will re-enable SIP ALG after being powered off and on, or sometimes after a firmware update, therefore if it has been disabled in the past, and you know that the router was recently updated and powered off and on again, then it is always a good idea to log in to the router and double check the setting.

Virgin SuperHub: SIP ALG cannot be disabled in the settings of SuperHubs. Please click here for advice troubleshooting issues with SuperHubs. 

BT: SIP ALG cannot be disabled in the settings of BT HomeHubs, but can be disabled with BT Business Hub versions 3 and higher:

Disabling a BT Business Hub 5’s SIP ALG

Fritz!Box: SIP ALG can’t be disabled.

DrayTek routers: Log in to your DrayTek via Telnet using an SSH client such as Putty: http://www.putty.org/

Check if SIP ALG is Enabled or Disabled:

To check if SIP ALG is Enabled or Disabled enter this command: sys sip_alg ?

If SIP ALG is disabled a “0” result will be returned. If SIP ALG is enabled the result will be “1”.

Disabling SIP ALG:

To Disable SIP ALG enter the following:

sys sip_alg 0
sys commit
sys reboot

The router will restart and save your changes.

Click here for additional general information about DrayTek Firewall setup. 

TP-Link routers: How to Disable SIP ALG on TP-Link ADSL modem router

Linksys: Check for a ‘SIP ALG’ option, in the ‘Administration’ tab under ‘Advanced’. 

May also need to disable SPI Firewall. 

MikroTik: Disable ‘SIP Helper’.

Netgear: Look for a ‘SIP ALG’ checkbox in the ‘WAN’ settings.

Port Scan and DoS Protection should also be disabled.

Disable STUN in VoIP phone’s settings. 

D-Link: In your router’s ‘Advanced’ settings –> ‘Application Level Gateway (ALG) Configuration’ uncheck the ‘SIP’ option. 

Huawei: Many routers support SIP ALG (usually found in the ‘Security’ menu). 

SonicWALL Firewall: Under the VoIP tab, the option ‘Enable Consistent NAT’ should be enabled and ‘Enable SIP Transformations’ unchecked.  

Thomson: How to Disable SIP ALG on a Thomson Router HERE

Test with STUN disabled in your VoIP phone’s settings.

Adtran Netvanta: Disable SIP ALG under ‘Firewall/ACLs’ –> ‘ALG Settings’.

For Technicolor TG588V routers see this document for step by step details

Even if there isn’t a SIP ALG option in your router’s settings, it may still be implemented. Telnet commands must be used to disable SIP ALG with Technicolor/Thomson/SpeedTouch, some DrayTek and some ZyXEL routers.

Categories
Asterisk Support FreePBX Knowledge Base Support Technical

Backing up files in FreePBX 15

The first time you come to restore your FreePBX 15 system you may find that not everything that you expected is there!

The new backup module backs up on a module-by-module basis, and not like before, where it was DBs and files.

Linked here is a repository that has the files to create a module that can be edited to backup directories.

https://bitbucket.org/cybercottage/filebackup

The file you need to edit is Backup.php

<?php

namespace FreePBX\modules\Filebackup;
use FreePBX\modules\Backup as Base;

class Backup extends Base\BackupBase
{
    public function runBackup($id, $transaction)
    {
        $this->addDirectories([
            '/etc/asterisk','/tftpboot',
        ]);
        $files = glob("/etc/asterisk/*conf");
        foreach ($files as $file) {
            $path = pathinfo($file, PATHINFO_DIRNAME);
            $this->addFile(basename($file), $path, '', "conf");
        }
        $files = glob("/tftpboot/*xml");
        foreach ($files as $file) {
            $path = pathinfo($file, PATHINFO_DIRNAME);
            $this->addFile(basename($file), $path, '', "conf");
        }
        return $this;
    }
}

As you can see, we are backing up /etc/asterisk and /tftpboot, but only *.conf files in /etc/asterisk and only *.xml files in /tftpboot.

Details on the new backup system are here https://wiki.freepbx.org/display/FOP/Implementing+Backup

Thanks to James Finstrom for the original version of this. This version is not to replace his work but only to give an example of working with multiple directories.

The downloaded zip file needs to be added as a local module via Module Admin and enabled. It will obviously give a signing error, but this can be disabled in Advanced Settings or ignored ;-)

Enjoy, but don’t blame me if it doesn’t work. I’ve tested it on my systems and all seems good, but your experience may be different.

Categories
Asterisk Support FreePBX Knowledge Base Support Technical

Resetting root password on FreePBX 14 and other Centos 7 servers

Boot your system and wait until the GRUB menu appears. On some systems you may need to press the “Escape” key to access the GRUB menu. FreePBX should show this for a few seconds on Boot

Highlight your operating system and then press “e” to edit. You have to be quick here; it is simpler to just press “e” when the menu appears, and you will see something similar to below.

Find the line beginning with linux. In this example the line begins linux16.

Manually delete the entries quiet and rhgb from the line, then append the following statement to the end of the line: init=/bin/sh. Don’t worry if your command is spread across more than one line. A continuation character “\” will be inserted automatically.

Now reboot your system using the options specified by pressing the keys Ctrl+X.

Once the system has re-booted, you will be presented with a shell prompt without having to enter any user name or password.

At this command prompt you will need to enter the following commands:

Remount the “/” root filesystem in Read/Write mode: mount -o remount,rw /

Issue the passwd command to reset the root account password: passwd

Then enter the new password twice as prompted.

Then remount the “/” root filesystem in Read Only mode: mount -o remount,ro /

You can now restart the system and login with your new password.

Categories
Asterisk Support Blog Design FreePBX Knowledge Base Software

G.729 Goes Royalty Free

G.729 – IMPORTANT INFORMATION

As of January 1, 2017 the patent terms of most Licensed Patents under the G.729 Consortium have expired.

With regard to the unexpired Licensed Copyrights and Licensed Patents of the G.729 Consortium Patent License Agreement, the Licensors of the G.729 Consortium, namely Orange SA, Nippon Telegraph and Telephone Corporation and Université de Sherbrooke (“Licensors”) have agreed to license the same under the existing terms on a royalty-free basis starting January 1, 2017.

For current Licensees of the G.729 Consortium Patent License Agreement, no reports and no payments will be due for Licensed Products Sold or otherwise distributed as of January 1, 2017.

For other companies selling G.729 compliant products and that are not current Licensees of the G.729 Consortium, there is no need to execute a G.729 Consortium Patent License Agreement since Licensors have agreed to license the unexpired Licensed Copyrights and Licensed Patents of the G.729 Consortium Patent License Agreement under the existing terms on a royalty-free basis starting January 1, 2017.

As soon as we hear how this is going to affect Digium Asterisk we will update here.

 

Categories
Asterisk Support Knowledge Base Security

Catching the IP of anonymous callers on Asterisk servers

Hi, just sharing a simple bit of dialplan to catch anonymous callers' IP addresses when using FreePBX with Anonymous callers set to yes, which is needed for some suppliers.

Normally I would say lock your firewall to only known IPs, but in some cases this isn’t possible.

I'm sure if you have an Asterisk server with a public IP you will have seen calls on the console screen where the call is to a destination but the callers are exten@yourserver. Well, this little bit of dialplan at the end of your default SIP context should catch them and log them with the IP of the originating server.

In extensions_custom.conf add the dialplan below:

[catchall]
exten => s,1,Noop(Dead calls rising)
; These values are supplied by the caller, so filter them before System() passes the line to a shell
exten => s,n,Set(uri=${FILTER(a-zA-Z0-9:@.,${SIPCHANINFO(uri)})})
exten => s,n,Verbose(3,Unknown call from ${uri} to ${EXTEN})
exten => s,n,System(echo "[${STRFTIME(${EPOCH},,%b %d %H:%M:%S)}] SECURITY[] Unknown Call from ${FILTER(0-9+,${CALLERIDNUM})} to ${FILTER(0-9+,${FROM_DID})} IPdetails ${uri}" >> /var/log/asterisk/sipsec.log)
exten => s,n,Hangup()

Then in Custom Destinations add a destination as catchall,s,1

You now get entries like this in your logs:

[May 1 00:11:06] SECURITY[] Unknown Call from  to 900441516014742 IPdetails sip:101@37.75.209.113:21896

I hope this is some help to you. It allows other scripts to pick up this address and add it to your firewall.
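
One way a follow-up script can turn these log entries into firewall rules, as an added example that is not part of the original post. The sample log lines, the allowlist and the threshold of three calls are constructed; the logged URI comes from the caller's signalling, so it is validated and allowlisted networks are never blocked.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format the [catchall] context writes to sipsec.log.
SAMPLE_LOG = """\
[May 1 00:11:06] SECURITY[] Unknown Call from  to 900441632960123 IPdetails sip:101@203.0.113.45:21896
[May 1 00:11:09] SECURITY[] Unknown Call from  to 900441632960123 IPdetails sip:101@203.0.113.45:21896
[May 1 00:11:15] SECURITY[] Unknown Call from 1001 to 000441632960123 IPdetails sip:1001@203.0.113.45:5071
[May 1 00:12:40] SECURITY[] Unknown Call from  to 100 IPdetails sip:trunk@198.51.100.20:5060
[May 1 00:12:41] SECURITY[] Unknown Call from  to 100 IPdetails sip:trunk@198.51.100.20:5060
[May 1 00:12:42] SECURITY[] Unknown Call from  to 100 IPdetails sip:trunk@198.51.100.20:5060
[May 1 00:13:02] SECURITY[] Unknown Call from  to 100 IPdetails sip:100@pbx.example.net:5060
[May 1 00:13:30] SECURITY[] Unknown Call from  to 100 IPdetails sip:100@192.0.2.77
[May 1 00:14:00] NOTICE[] some unrelated line
"""

# Hypothetical allowlist: networks that must never be blocked (trunk provider, LAN).
ALLOW = ("198.51.100.0/24", "10.0.0.0/8")

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] SECURITY\[\] Unknown Call from (?P<cid>.*?) "
    r"to (?P<did>\S*) IPdetails (?P<uri>\S+)\s*$"
)
# sip:user@host:port, sip:host, sips:..., optional ;params, bracketed IPv6.
URI_RE = re.compile(
    r"^sips?:(?:[^@\s]*@)?(?P<host>\[[0-9A-Fa-f:.]+\]|[^:;\s\[\]]+)"
    r"(?::\d+)?(?:;.*)?$"
)


def source_ip(uri):
    """Return the IP literal in a SIP URI, or None for hostnames and garbage."""
    match = URI_RE.match(uri)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group("host").strip("[]"))
    except ValueError:
        return None


def offenders(lines, allow=(), threshold=3):
    """Count unknown calls per source IP; return (ip, count) at or over threshold."""
    allowed = [ipaddress.ip_network(net) for net in allow]
    hits = Counter()
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue
        ip = source_ip(match.group("uri"))
        if ip is None or ip.is_loopback or ip.is_unspecified or ip.is_multicast:
            continue
        if any(ip.version == net.version and ip in net for net in allowed):
            continue
        hits[ip] += 1
    found = [(ip, count) for ip, count in hits.items() if count >= threshold]
    return sorted(found, key=lambda item: (item[0].version, int(item[0])))


def drop_rules(found):
    """Render IPv4 offenders as iptables lines in the style used on this page."""
    return [f"-A INPUT -s {ip}/32 -j DROP" for ip, _ in found if ip.version == 4]


if __name__ == "__main__":
    for rule in drop_rules(offenders(SAMPLE_LOG.splitlines(), ALLOW)):
        print(rule)
```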
Categories
Asterisk Support Knowledge Base

Nagios check_asterisk change for Asterisk 13

We noticed today, after an Asterisk server upgrade, that the Nagios check_asterisk plugin we use was reporting “unknown”.

It seems there is a minor change in response to the status request.

It was:

[root@elastix24 ~]# ./check_asterisk -h 127.0.0.1 -m mgr -u user -p secret  -vvvv
Running in Manager mode
Connecting to 127.0.0.1:5038
Connected to 127.0.0.1:5038
Asterisk Call Manager/1.1
Action: Login
Username: user
Secret: secret

Response: Success
Message: Authentication accepted
Action: Status

Response: Success
Message: Channel status will follow

Event: StatusComplete
OK  (idle) 

It's now, with AMI 2.7:

[root@aubpbx1 ~]# ./check_asterisk -h 127.0.0.1 -m mgr -u user -p secret -vvvv
Running in Manager mode
Connecting to 127.0.0.1:5038
Connected to 127.0.0.1:5038
Asterisk Call Manager/2.7.0
Action: Login
Username: user
Secret: secret

Response: Success
Message: Authentication accepted

Action: Status
Response: Success

EventList: start
Message: Channel status will follow

Event: StatusComplete
OK  (idle)

So the plugin code needs a small change to reflect this:

diff check_asterisk check_asterisk_old 
162,163c162,163
< &unknown("Unknown answer $response (wanted Message: something)") unless ($message =~ m/^EventList:\s+(.*)$/i);
< &unknown("didn't understand message $message") unless ($1 =~ m/start/i);
---
> &unknown("Unknown answer $response (wanted Message: something)") unless ($message =~ m/^Message:\s+(.*)$/i);
> &unknown("didn't understand message $message") unless ($1 =~ m/Channel status will follow/i);
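
Review bot: The replacement match on line 162 accepts only "EventList: start", so the plugin will now report UNKNOWN against managers that still answer "Message: Channel status will follow", such as the Asterisk Call Manager/1.1 session shown earlier. If both generations need monitoring, accept either header, for example m/^(?:EventList|Message):\s+(.*)$/i on line 162 and m/start|Channel status will follow/i on line 163. The error text on line 162 still says "wanted Message: something" and should name the header now expected. The arguments are also given as "diff check_asterisk check_asterisk_old", so the "<" lines are the new code; generating it old-then-new would give a patch that applies directly.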

Once this change is made, it seems to be reporting OK.

Categories
Asterisk Support Elastix Support Knowledge Base Support Technical

One way audio with Yealink T23 and Gamma Sip trunks on Freepbx

We recently had a very puzzling issue with a customer to whom we supplied some T23 Yealink handsets. When making outgoing calls over Gamma SIP trunks on their Elastix server we were getting one-way audio. This was not an issue with their existing Snom handsets, or a problem for internal or incoming calls over the same trunks. It also wasn’t an issue when using IAX2 trunks.

It seems that there is some interoperability issue when using SIP trunks with these handsets, and it seems to be a little-known issue as it only affects a few operators.

It seems to be addressed in the 44.80.0.20 version of the software, which isn’t on the Yealink UK site yet but is available here, and should be loaded on all T23 handsets, as they are being delivered with 44.80.0.5 firmware at the moment.

Categories
Asterisk Support Elastix Support Knowledge Base Support

Multiple Dynamic features with Asterisk Applicationmaps

Dynamic features are very useful for allowing users access to custom features during calls. These can be loaded individually via the dialplan, but in FreePBX-based solutions this will mean a bit of hacking of the dialplan using overrides and making sure all still works afterwards, or as a global variable.

The easiest way is to load them as a global, as is done with apprecord. But if you want to add lots of features then you will have to use an Application Map group. This is done by editing the features_applicationmap_custom.conf file so it looks like the example below: at the top are your application maps, then your group.

testfeature => #9,callee,Playback,tt-monkeys 
calleehangup => #8,callee,Hangup()
callerhangup => #7,caller,Hangup()
[mymapgroup]
testfeature => #9
calleehangup => #8
callerhangup => #7
apprecord => *1

DO NOT FORGET to add the apprecord to your group.

You then need to edit the globals_custom.conf file and add a line like the one below:

DYNAMIC_FEATURES => mymapgroup

Then reload asterisk and issue the command “features show”

Dynamic Feature           Default Current
---------------           ------- -------
callerhangup              no def  #7     
calleehangup              no def  #8     
testfeature               no def  #9     
apprecord                 no def  *1     
Feature Groups:
---------------
===> Group: mymapgroup
===> --> apprecord (*1,caller,Macro,one-touch-record)
===> --> callerhangup (#7)
===> --> calleehangup (#8)

To check that they are loaded as a global variable, run “dialplan show globals”, and near or at the top you will see:

 DYNAMIC_FEATURES=mymapgroup

And that's all there is to it.