Categories
Asterisk Support Elastix Support Knowledge Base

Sip Config for Aretta CBeyond and Voiceflex with Asterisk

Since Version 1.8 in Asterisk we have seen some issues with DID calls from some suppliers.

The telltale sign is that even though you have an inbound route that matches the DID, the verbose screen will still say that nothing matched it in the inbound context. For example:

Call from 'USERNAME' (XXX.XX.XXX.XX:5060) to extension '01234123412' rejected because extension not found in context 'from-trunk'

And if you do "dialplan show 01234123412@from-trunk", sure enough there is one.

After much searching and experimentation, below is a working FreePBX config that has been tested with 1.8 and 11 and proves to be working with the suppliers above.

OUTBOUND

[peername]
username=USERNAME
type=peer
trustrpid=yes
sendrpid=yes
secret=PASSWORD
qualify=no
outboundproxy=sip.hostname.com
nat=yes
insecure=very
host=sip.hostname.com
fromdomain=sip.hostname.com
dtmfmode=auto
disallow=all
context=from-trunk
canreinvite=no
allow=ulaw
allow=alaw

INBOUND

[username]
type=peer
host=sip.hostname.com
dtmfmode=auto
disallow=all
context=from-trunk
canreinvite=no
allow=ulaw
allow=alaw

;registration string
USERNAME:PASSWORD@peername/USERNAME

IAX2 Cause code

Here is a table of the IAX2 cause codes to assist with debugging IAX2 call issues.

More IAX2 information can be found here and the RFC is here


CSV download is here
Number Cause Reference
1 Unassigned/unallocated number [RFC5457]
2 No route to specified transit network [RFC5457]
3 No route to specified transit network [RFC5457]
4-5 Unassigned
6 Channel unacceptable [RFC5457]
7 Call awarded and delivered [RFC5457]
8-15 Unassigned
16 Normal call clearing [RFC5457]
17 User busy [RFC5457]
18 No user response [RFC5457]
19 No answer [RFC5457]
20 Unassigned
21 Call rejected [RFC5457]
22 Number changed [RFC5457]
23-26 Unassigned
27 Destination out of order [RFC5457]
28 Invalid number format/incomplete number [RFC5457]
29 Facility rejected [RFC5457]
30 Response to status enquiry [RFC5457]
31 Normal, unspecified [RFC5457]
32-33 Unassigned
34 No circuit/channel available [RFC5457]
35-37 Unassigned
38 Network out of order [RFC5457]
39-40 Unassigned
41 Temporary failure [RFC5457]
42 Switch congestion [RFC5457]
43 Access information discarded [RFC5457]
44 Requested channel not available [RFC5457]
45 Pre-empted (causes.h only) [RFC5457]
46 Unassigned
47 Resource unavailable, unspecified (Q.931 only) [RFC5457]
48-49 Unassigned
50 Facility not subscribed (causes.h only) [RFC5457]
51 Unassigned
52 Outgoing call barred (causes.h only) [RFC5457]
53 Unassigned
54 Incoming call barred (causes.h only) [RFC5457]
55-56 Unassigned
57 Bearer capability not authorized [RFC5457]
58 Bearer capability not available [RFC5457]
59-62 Unassigned
63 Service or option not available (Q.931 only) [RFC5457]
64 Unassigned
65 Bearer capability not implemented [RFC5457]
66 Channel type not implemented [RFC5457]
67-68 Unassigned
69 Facility not implemented [RFC5457]
70 Only restricted digital information bearer capability is available (Q.931 only) [RFC5457]
71-78 Unassigned
79 Service or option not available (Q.931 only) [RFC5457]
80 Unassigned
81 Invalid call reference [RFC5457]
82 Identified channel does not exist (Q.931 only) [RFC5457]
83 A suspended call exists, but this call identity does not (Q.931 only) [RFC5457]
84 Call identity in use (Q.931 only) [RFC5457]
85 No call suspended (Q.931 only) [RFC5457]
86 Call has been cleared (Q.931 only) [RFC5457]
87 Unassigned
88 Incompatible destination [RFC5457]
89-90 Unassigned
91 Invalid transit network selection (Q.931 only) [RFC5457]
92-94 Unassigned
95 Invalid message, unspecified [RFC5457]
96 Mandatory information element missing (Q.931 only) [RFC5457]
97 Message type nonexistent/not implemented [RFC5457]
98 Message not compatible with call state [RFC5457]
99 Information element nonexistent [RFC5457]
100 Invalid information element contents [RFC5457]
101 Message not compatible with call state [RFC5457]
102 Recovery on timer expiration [RFC5457]
103 Mandatory information element length error (causes.h only) [RFC5457]
104-110 Unassigned
111 Protocol error, unspecified [RFC5457]
112-126 Unassigned
127 Internetworking, unspecified [RFC5457]
128-255 Unassigned

 


Elastix 2.4 ARI vulnerability Patch

The recent vulnerability in the Asterisk and FreePBX ARI login.php file is not addressed by an update to ARI in the unembedded FreePBX on Elastix 2.4.

This means that your systems will still be vulnerable.

We have produced a patch that you can apply to address this. The patch can be downloaded from https://s3.amazonaws.com/filesandpatches/ari.patch and applied as detailed below.

Log on to the server console:

cd /var/www/html/recordings/includes
cp login.php /root/login.php.ari
wget https://s3.amazonaws.com/filesandpatches/ari.patch
patch < ari.patch 

Then, to check, either log in to the server's ARI interface or run

grep json login.php

and you should get the following output:

$buf = json_decode($_COOKIE['ari_auth'],true);
$data = json_decode($crypt->decrypt($data,$ARI_CRYPT_PASSWORD),true);
$data = $crypt->encrypt(json_encode($data),$ARI_CRYPT_PASSWORD);
$buf = json_encode(array($data,$chksum));


Also check to see if you have the file in the fw_ari directory.

ls -l /var/www/html/admin/modules/fw_ari/htdocs_ari/includes

If there is a login.php there, then copy over the patched version.

cp /var/www/html/recordings/includes/login.php  /var/www/html/admin/modules/fw_ari/htdocs_ari/includes/login.php

After these actions check that the file ownership is still correct. If not:

chown asterisk:asterisk /var/www/html/recordings/includes/login.php 

This patch also applies to any older version of ARI out there.

Also be on the lookout for two suspicious files, named "c.sh" and "c2.pl" respectively. If you see these two files remove them immediately!

More details here. http://community.freepbx.org/t/critical-freepbx-rce-vulnerability-all-versions-cve-2014-7235/24536 or here http://support.freepbx.org/node/92822
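A scripted version of the checks above, as an added example that is not part of the original post or of the patch. It confirms that every login.php found carries the four json lines shown earlier and looks for files named c.sh or c2.pl. The function names are hypothetical, and searching the web root for those two files is an assumption, since the post names the files but not their location.

```shell
#!/bin/sh
# Added example (not from the original post): verify the ARI patch steps.
# Usage: check_ari ROOT      ROOT is "/" on a live server.
# Returns 0 only when every login.php found carries the four json lines
# listed in the post and no file named c.sh or c2.pl is under the web root.

ARI_FILES="var/www/html/recordings/includes/login.php
var/www/html/admin/modules/fw_ari/htdocs_ari/includes/login.php"

check_ari() {
    root=${1%/}
    rc=0
    for rel in $ARI_FILES; do
        f="$root/$rel"
        [ -f "$f" ] || continue          # the fw_ari copy may not exist
        for marker in \
            "json_decode(\$_COOKIE['ari_auth'],true)" \
            "json_decode(\$crypt->decrypt(" \
            "\$crypt->encrypt(json_encode(" \
            "json_encode(array(\$data,\$chksum))"
        do
            if ! grep -qF -- "$marker" "$f"; then
                echo "NOT PATCHED: $f lacks $marker"
                rc=1
            fi
        done
    done
    # Assumption: look under the web root; the post gives no location.
    hits=$(find "$root/var/www/html" \( -name c.sh -o -name c2.pl \) 2>/dev/null)
    if [ -n "$hits" ]; then
        echo "SUSPICIOUS FILES:"
        echo "$hits"
        rc=1
    fi
    return $rc
}

# make_tree DIR patched|unpatched: constructed sample tree for a dry run
make_tree() {
    d="$1/var/www/html/recordings/includes"
    mkdir -p "$d"
    if [ "$2" = patched ]; then
        cat > "$d/login.php" <<'EOF'
$buf = json_decode($_COOKIE['ari_auth'],true);
$data = json_decode($crypt->decrypt($data,$ARI_CRYPT_PASSWORD),true);
$data = $crypt->encrypt(json_encode($data),$ARI_CRYPT_PASSWORD);
$buf = json_encode(array($data,$chksum));
EOF
    else
        echo '<?php /* constructed stand-in for an unpatched login.php */' > "$d/login.php"
    fi
}

# Dry run against the constructed sample tree
demo=$(mktemp -d)
make_tree "$demo" patched
if check_ari "$demo"; then echo "sample tree: patched and clean"; fi
rm -rf "$demo"
```

On a server, run `check_ari /` after applying the patch and copying the file to the fw_ari directory.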

 

 

 


Installing DynDns update script on Centos

The following is a simple run-through on installing the dyndns client for updating the ip address on your hosts.

cd /usr/src

wget  http://cdn.dyndns.com/ddclient.tar.gz
tar -xzvf ddclient.tar.gz

cd ddclient-3.7.3/

mkdir /etc/ddclient

mkdir /var/cache/ddclient
cp ddclient /usr/local/sbin

cp sample-etc_ddclient.conf /etc/ddclient/ddclient.conf

cp sample-etc_rc.d_init.d_ddclient /etc/rc.d/init.d/ddclient
chkconfig --add ddclient

cd ..

vi  /etc/ddclient/ddclient.conf

add at the bottom of file

#
use=web
login=USERNAME
password=PASSWORD
server=members.dyndns.org  
protocol=dyndns2
# add your DNS name here as below 
DNSNAME.dyndns.biz
#

Then start the client:

/etc/init.d/ddclient start

You will then need to check that your host address has updated on the dyndns site.

If you get perl io ssl errors in the logfile then:

yum install perl-IO-Socket-SSL

Shellshocked by Bash !

Well, anyone in IT, and many people who never have anything to do with the dirty workings of *nix operating systems including Apple's OSX, can't have missed the news about the latest vulnerability. This is hot on the heels of the OpenSSL one and the NTP one before that.

All these have different levels of risk. The NTP one was just a pain, easily fixed and could cause little damage. The OpenSSL one, nicknamed Heartbleed, was more of a risk as it allowed hackers to read the memory of systems using certain versions of OpenSSL. Now the Bash one is fairly simple to exploit and has now been seen in the wild, whereas Heartbleed wasn't really exploited in the wild.

So how do you test? Simple, just type

env x='() { :;}; echo vulnerable' bash -c "test"

and if it comes back saying vulnerable, update bash.

Great, easy, you say. Well it was: spent half a day checking 40-odd servers and updating bash. But then the update they rolled out wasn't enough, so today went back round updating again.

It has to be noted that some repositories were running slow and in the case of one (SCHMOOZE) they hadn't got the latest patch live by midday.

It was pleasing how most suppliers were open and concise on what to check and how to fix. I was rather disappointed with another Asterisk-based PBX distro who, instead of publishing how to check and what to do, told users to download a script and run that. I don't think it's a good idea to hide security measures. If people deploy systems they need to know how to secure them.

I wonder what's next? After spending 2 days on this, now looking at setting up a Puppet server. This has cost me a day of my time and I'm meant to be installing a queuemetrics call center for a customer…


Using Gmail to send Voicemail emails

We have seen more and more ISPs blocking Port 25.  This means that sending emails natively from FreePBX or any Asterisk based IPBX for things such as voicemail notification can time out or be rejected.

To get round this you can send your email notifications via Gmail.

Firstly you need a Gmail account. Once you have this, jot down the user and password; you will need these later.

You now need to connect to your server via ssh as you have a couple of files to edit.

Firstly you need to enter the account details in sasl_passwd

vi /etc/postfix/sasl_passwd

and add

smtp.gmail.com:587 yourmailaddress@gmail.com:password

Save it, then edit main.cf

vi  /etc/postfix/main.cf

Then add at the end:

masquerade_domains = yourdomain.com
# The servers hostname below
myhostname = Asterisk.yourdomain.com
mydomain = Asterisk.yourdomain.com
# The email account its being sent from below
myorigin = voicemail@yourdomain.com

relayhost = smtp.gmail.com:587
mynetworks = 127.0.0.0/8
inet_interfaces = loopback-only
smtp_use_tls = yes
smtp_always_send_ehlo = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_generic_maps = hash:/etc/postfix/generic
# "secure" requires encryption and a verified server certificate
smtp_tls_security_level = secure
# TLSv1 on its own restricts the client to TLS 1.0
smtp_tls_mandatory_protocols = TLSv1
smtp_tls_mandatory_ciphers = high
smtp_tls_secure_cert_match = nexthop
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

Then enter the following commands at the command line:

postmap hash:/etc/postfix/sasl_passwd
/etc/init.d/postfix restart

Finally you need to make a change to your Gmail account: enable "Allow users to manage their access to less secure apps", which is in the security section of the Gmail 'Domain' account settings. If it's a GSuite account, make sure "Less secure app access" is set to yes in the account's 'security section'. If you don't do this you will see:

535-5.7.8 Username and Password not accepted. Learn more at
535 5.7.8 https://support.google.com/mail/?p=BadCredentials

or

530-5.7.0 Authentication Required. Learn more at
530 5.7.0 https://support.google.com/mail/?p=WantAuthError

It will most likely be the 535 error if 'Less secure app access' is not enabled.

You should now be able to send email via the gmail account.

It's worth making a couple of changes to the Gmail account: firstly set an out-of-office reply saying it's only a sending mailbox, and secondly have messages in the inbox deleted.
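Two things are worth checking after following the steps above: the settings are appended to an existing main.cf, so a parameter can end up defined twice (Postfix uses the last definition), and sasl_passwd holds the Gmail password in clear text. The script below is an added example, not part of the original article; it lists parameters defined more than once with the value that takes effect and flags a credentials file that group or others can access. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article.

# effective_params FILE: one "name<TAB>definitions<TAB>value" line per
# parameter; the value is the last definition, the one Postfix uses.
effective_params() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*#/ { next }                  # comment line
        /^[ \t]*$/ { next }                  # blank line
        /^[ \t]/ {                           # continuation of previous line
            if (name != "") val[name] = val[name] " " trim($0)
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = trim(substr($0, 1, eq - 1))
            val[name] = trim(substr($0, eq + 1))
            count[name]++
        }
        END { for (n in count) printf "%s\t%d\t%s\n", n, count[n], val[n] }
    ' "$1"
}

# postfix_param FILE NAME: print the value that takes effect
postfix_param() {
    effective_params "$1" | awk -F'\t' -v n="$2" '$1 == n { print $3 }'
}

# duplicated_params FILE: names defined more than once
duplicated_params() {
    effective_params "$1" | awk -F'\t' '$2 > 1 { print $1 }' | sort
}

# secret_exposed FILE: true (0) when group or others have any access
secret_exposed() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" != "------" ]
}

# Dry run on constructed sample files
demo=$(mktemp -d)
cat > "$demo/main.cf" <<'EOF'
# constructed sample: an existing setting, then lines appended at the end
inet_interfaces = localhost
relayhost = smtp.gmail.com:587
inet_interfaces = loopback-only
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
EOF
: > "$demo/sasl_passwd"
chmod 644 "$demo/sasl_passwd"
for p in $(duplicated_params "$demo/main.cf"); do
    echo "$p is defined more than once; effective value: $(postfix_param "$demo/main.cf" "$p")"
done
if secret_exposed "$demo/sasl_passwd"; then
    echo "sasl_passwd is accessible to group or others; chmod 600 it"
fi
rm -rf "$demo"
```

On a server, point the functions at /etc/postfix/main.cf, /etc/postfix/sasl_passwd and the sasl_passwd.db that postmap creates.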


IAX2 Peers going unreachable.

In the past we have found that IAX2 peers have been reliable and solid.

But lately with the advent of bonded ADSL lines and other forms of aggregated lines we have seen issues where the IAX2 trunk will go down and a simple reload of Asterisk or even a restart doesn’t fix it.

Taken from Voip-info

A report of the problem by another user :

This is something I've run into myself and my VOIP IAX2 provider has this issue with many clients running Asterisk on TrixBox or other custom made systems behind a NAT (Linux) router.

If our PPPoE goes down, we have to reboot our Asterisk server to get our IAX2 trunk to re-register, otherwise it will try and just keep timing out. I have the 4569 forwarded internal (Pierre Belanger adds: in many cases, the 4569 port forwarding is useless unless your Asterisk server provides service to IAX2 phones from the Internet, i.e. not on your local LAN).

I have a dirty script that avoids having to reboot the TrixBox and restores our service within 2 minutes of a blip automatically, and logs the 'blips' so I can see how 'reliable' our service is.

We have taken the original script posted and made some changes. Notably, it checks a defined peer name, as we have seen that the problem doesn't always affect all peers on a system.

======Code follows ======

#!/bin/sh
# Watchdog for one IAX2 peer: if the peer is not reporting OK, reload
# chan_iax2 and check again (two attempts, waiting 90 s and then 120 s).
cd /root/ || exit 1 # I have the script live in root
# Set the peer name to monitor here
# ******
peername="YOURIAX2PEERNAME"
# ******

# Record the status of the IAX2 trunk, then scan it to see if we're online
peer_ok() {
    /usr/sbin/asterisk -rx 'iax2 show peers' | grep -i "$peername" > reg_status
    cat reg_status >> slap.log
    sleep 1
    grep -q "OK" reg_status
}

# Restart the IAX2 trunk. Delay (seconds, first argument) required for some reason.
restart_iax2() {
    echo "we have a problem with $peername, Restarting it" >> slap.log
    /usr/sbin/asterisk -rx 'module unload chan_iax2.so' >> slap.log
    sleep "$1"
    /usr/sbin/asterisk -rx 'module load chan_iax2.so' > /dev/null
    echo "Restarted it Now lets check status" >> slap.log
    sleep 5
}

date >> slap.log
echo "Testing $peername peer" >> slap.log
for delay in 90 120
do
    if peer_ok
    then
        echo "All OK Here" >> slap.log
        exit 0 # Abort, we are online, all is well...
    fi
    # If we're this far down, we've lost IAX. Log the incident and restart.
    restart_iax2 "$delay"
done
# Log the status after the second restart
/usr/sbin/asterisk -rx 'iax2 show peers' | grep -i "$peername" >> slap.log

======Code ends======

This seems to do the trick and it's cronned to run every night, or every hour in some cases.

UPDATE

After testing and speaking to suppliers, we would advise adding the following settings to your IAX2 peers:

 

qualifysmoothing=yes
qualifyfreqnotok=30000
qualifyfreqok=120000
qualify=yes

With this added we have not seen any unexpected unreachables.

 


Running a Macro on answer for Asterisk queues.

The Asterisk Queue application has an option that will run a macro on answer. This can be very useful when integrating with a CRM such as Capsule or with call centre applications.

This option isn't included in FreePBX. Though this can be hand coded, it isn't best to do this when using Elastix, AsteriskNOW or any other FreePBX-based system.

To add this option we have written a couple of patched versions of the relevant FreePBX pages that can be downloaded here. You will also need to add an extra field to the MySQL database as follows:

  1. Log in to mysql:   mysql -u root -p
  2. Enter password
  3. mysql> use asterisk
  4. mysql> ALTER TABLE `queues_config` ADD `qmacro` VARCHAR( 255 ) NULL;
  5. mysql> describe queues_config;

You should now have something like this as the last line of the table:

| qmacro | varchar(255) | YES | | NULL | |

Now download the tar file and unpack it, then copy the two files to the /var/www/html/admin/modules/queues directory.

On loading the queue page in FreePBX you will now have the "Queue macro on answer" box.

In this box you put the macro name you wish to run when a member answers a call.

For example:-

[macro-logit]
exten => s,1,Noop( capsule crm integration ${crminfo} ${CALLERID(all)})
; URIENCODE stops characters in ${crminfo} from changing the request URL
exten => s,n,Set(foo=${CURL(http://127.0.0.1/directory/capsual.php?strCallid=${URIENCODE(${crminfo})})})
exten => s,n,Noop(${foo})
exten => s,n,Hangup()

This is a simple dialplan that runs a PHP script to log calls to the Capsule CRM.

capsual.php

<?php
$today = date("F j, Y, g:i a");
$duedate1 = date("Y-m-d");
$duedate2 = date("H:i:s");
$Token = 'YOUR CAPSUAL API CODE';
// The number is supplied by the caller, so escape it before it goes into the XML or is echoed
$number = htmlspecialchars(isset($_GET['strCallid']) ? $_GET['strCallid'] : '', ENT_QUOTES, 'UTF-8');
$datetime = $today;
$duedate = "$duedate1"."T"."$duedate2"."Z";
echo $duedate;
$myxml="<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n
<task>\n
<description>Call received from $number at $datetime. Please update and assign this task if required</description>\n
<dueDateTime>$duedate</dueDateTime>\n
<category>incoming call</category>\n
</task>";
// The URL to connect with (note the /api/ that's needed and note it's person rather than party)
// SEE: http://capsulecrm.com/help/page/api_gettingstarted/
$capsulepage = "https://youraccount.capsulecrm.com/api/task";
echo $capsulepage;
echo $number;
// Initialise the session and return a cURL handle to pass to other cURL functions.
$ch = curl_init($capsulepage);
// set appropriate options NB these are the minimum necessary to achieve a post with a useful response
// ...can and should add more in a real application such as
// timeout CURLOPT_CONNECTTIMEOUT
// and useragent CURLOPT_USERAGENT
$options = array(CURLOPT_USERPWD => "$Token:x",
CURLOPT_HTTPHEADER => array('Content-Type: application/xml'),
CURLOPT_HEADER => true,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $myxml
);
curl_setopt_array($ch, $options);
// Do the POST and collect the response for future printing etc then close the session
$response = curl_exec($ch);
$responseInfo = curl_getinfo($ch);
curl_close($ch);
// curl_getinfo() returns an array, so print it with print_r rather than echo
print_r($responseInfo);
echo $response;
?>

Have fun

 


Backing up to Amazon s3 from Elastix

We decided to do this as we have recently installed a new elastix server in the office which had limited disk space and wanted to keep offsite backups of recordings

s3cmd is a command line client for copying files to/from Amazon S3 (Simple Storage Service) and performing other related tasks, for instance creating and removing buckets, listing objects, etc.

Install s3cmd

wget http://sourceforge.net/projects/s3tools/files/s3cmd/1.5.2/s3cmd-1.5.2.tar.gz
tar -xzvf s3cmd-1.5.2.tar.gz
mkdir /usr/local/s3cmd/
cd s3cmd-1.5.2
cp -Rf * /usr/local/s3cmd/
cd /usr/local/s3cmd/
./s3cmd --configure

Follow the prompts and enter your keys.

Test the installation
./s3cmd ls s3://yourbucket/

If the test works, the script below is a simple backup script to back up the Elastix monitor files and backups daily.

vi /etc/cron.daily/rec2s3c.sh

#!/bin/sh
# Delete the local recordings only when the sync to S3 has succeeded
if /usr/local/s3cmd/s3cmd --config=/some/where/.s3cfg sync /var/spool/asterisk/monitor s3://yourbucket
then
    /bin/rm -f /var/spool/asterisk/monitor/*.gsm
    /bin/rm -f /var/spool/asterisk/monitor/*.wav
fi
/usr/local/s3cmd/s3cmd --config=/some/where/.s3cfg ls s3://yourbucket/monitor/ > /var/log/s3dirlist.log
/usr/local/s3cmd/s3cmd --config=/some/where/.s3cfg sync /var/www/backup s3://yourbucket
/usr/local/s3cmd/s3cmd --config=/some/where/.s3cfg ls s3://yourbucket/backup/ >> /var/log/s3dirlist.log

 

enjoy :-)

For more details of what can be done with s3cmd see http://linux.die.net/man/1/s3cmd and http://aws.amazon.com/s3/

 


Asterisk pickup groups

The aim here is to explain the relationship between the callgroup and pickup group settings in extension conf files of an Asterisk server and named pickup in freepbx, we will use numbers but not names (see explanation below).

Call Pickup is the ability to pick up a ringing phone from another phone.

The ability to do this is defined in the extensions conf file.

In many systems there is only one setting to do this, normally "pickup group": you add extensions to this group and they can pick up calls ringing at members of the group. Obvious really.

Now Asterisk goes one better. You can define the callgroup and the pickup group. This way you define who you can pick up and who can pick up you. This is very useful for operators, who for example don't want calls picked up off them but do want to pick up calls from all other users.

So how do you define it.

In our example we will have 4 phones defined as follows

Phone  Callgroup  Pickupgroup
201    2          1-2
202    1-4        1-4
203    2,4        2,4
204    1          1

And who can do what when trying to pick up is as follows:

Ringing phone  Phones attempting pickup
Call to 201    204 PU failed   203 PU passed
Call to 202    201 PU passed   203 PU passed
Call to 203    201 PU passed   204 PU failed
Call to 204    201 PU passed   203 PU failed

So from this we can see that it's the pickupgroup that defines what callgroup can be picked up.

Because 201 has a callgroup of 2, only sets whose pickupgroup includes 2 can pick up the call, whereas because 201 has a pickupgroup of 1-2 it can pick up calls from callgroups 1-2.

For example, you may have 6 pickup groups defined, with users only allowed to pick up their own group members, except an operator who wishes to be able to pick everyone up and a PA who has a colleague whose calls she wants to be able to pick up.

So all normal users would have their pickupgroup and callgroup the same. The PA would have the pickupgroup defined with both the group numbers but only its own callgroup. And finally the operator would have a callgroup of 0 and a pickupgroup of 1-6.
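The rule above can be checked mechanically: a pickup succeeds when the picking phone's pickupgroup and the ringing phone's callgroup share at least one group number. The script below is an added example, not part of the original article; it parses group specs such as 1-4 and 2,4 and reproduces the pickup table for the four phones. The function names are hypothetical, and dropping numbers outside 0 to 63 is an assumption based on the range of numeric groups.

```shell
#!/bin/sh
# Added example, not part of the original article.

# expand_groups SPEC: print one group number per line for a spec such as
# "1-4" or "2,4". Numeric groups run from 0 to 63; anything outside that
# range or non-numeric is dropped (assumption, see the lead-in).
expand_groups() {
    echo "$1" | tr -d ' ' | tr ',' '\n' | while IFS=- read -r lo hi; do
        [ -n "$lo" ] || continue
        hi=${hi:-$lo}
        case "$lo$hi" in *[!0-9]*) continue ;; esac
        if [ "$hi" -gt 63 ]; then hi=63; fi
        i=$lo
        while [ "$i" -le "$hi" ]; do
            echo "$i"
            i=$((i + 1))
        done
    done
}

# can_pickup PICKUPGROUP CALLGROUP: true (0) when the picker's pickupgroup
# shares at least one number with the ringing phone's callgroup.
can_pickup() {
    pg=$(expand_groups "$1")
    for g in $(expand_groups "$2"); do
        for p in $pg; do
            if [ "$g" = "$p" ]; then return 0; fi
        done
    done
    return 1
}

# The four phones from the table: extension callgroup pickupgroup
PHONES="201 2 1-2
202 1-4 1-4
203 2,4 2,4
204 1 1"

# field EXTENSION COLUMN: look up column 2 (callgroup) or 3 (pickupgroup)
field() {
    echo "$PHONES" | awk -v e="$1" -v c="$2" '$1 == e { print $c }'
}

# pickup_result PICKER RINGING: print "passed" or "failed"
pickup_result() {
    if can_pickup "$(field "$1" 3)" "$(field "$2" 2)"; then
        echo passed
    else
        echo failed
    fi
}

# Full matrix: every phone trying to pick up a call ringing on every other
for ringing in 201 202 203 204; do
    for picker in 201 202 203 204; do
        if [ "$picker" != "$ringing" ]; then
            echo "call to $ringing, $picker attempts pickup: $(pickup_result "$picker" "$ringing")"
        fi
    done
done
```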

Named call pickup groups

Named pickup groups are new with Asterisk 11 and are now supported in FreePBX. But be careful: even though the 'hint' says they can be numeric or names, they just use the named variable.

namedcallgroup=office,home,1
namedpickupgroup=office,home

As above we have a namedcallgroup as 1 but this is not the same as callgroup 1

A named callgroup and pickupgroup can be set to a comma separated list of case sensitive name strings. The number of named groups is unlimited. The number of named groups you can specify at once is limited by the line length supported.

SYNTAX
namedcallgroup=[name[,name[,...]]]
namedpickupgroup=[name[,name[,...]]]
  • namedcallgroup – specifies which named pickup groups this channel is a member of.
  • namedpickupgroup – specifies which named pickup groups this channel can pick up.

Configuration Example
namedcallgroup=engineering,sales,netgroup,protgroup
namedpickupgroup=sales

Configuration should be supported in several channel drivers, including:

  • chan_dahdi.conf
  • misdn.conf
  • sip.conf
  • pjsip.conf

pjsip.conf uses snake case:

named_call_group=engineering,sales,netgroup,protgroup
named_pickup_group=sales

You can use named pickup groups in parallel with numeric pickup groups. For example, the named pickup group ‘4’ is not the same as the numeric pickup group ‘4’.

Numeric call pickup groups

(obsolete; use named groups)

A numeric callgroup and pickupgroup can be set to a comma separated list of ranges (e.g., 1-4) or numbers that can have a value of 0 to 63. There can be a maximum of 64 numeric groups. This is important to note as FreePBX does not sanity check what you put in there, so you can put 70 in the GUI and it will show 70, but do a sip show peer or a pjsip show endpoint and you will see it's not set.