Categories
Elastix Support Knowledge Base Technical

Setting the server domain in Elastix correctly for scripted email

We run many scripts on customer servers to email CDRs, backups, etc. One problem with some mail servers is that the mail gets rejected because by default it comes from root@elastixserver.yourdomain.com. Fixing this is simple and only takes a few lines.

The Postfix MTA offers the smtp_generic_maps parameter. With it you can specify lookup tables that replace local mail addresses with valid Internet addresses when mail leaves the machine via SMTP.

Open your main.cf file:

# vi /etc/postfix/main.cf

Append the following parameter:

smtp_generic_maps = hash:/etc/postfix/generic

Save and close the file. Open the /etc/postfix/generic file:

# vi /etc/postfix/generic

To rewrite root@elastixserver.yourdomain.com to elastixserver@yourdomain.com, add:

root@elastixserver.yourdomain.com  elastixserver@yourdomain.com

Save and close the file. Create or update the generic Postfix table:

# postmap /etc/postfix/generic

Restart Postfix:

# /etc/init.d/postfix restart

When mail is sent to a remote host via SMTP, this replaces root@elastixserver.yourdomain.com with the elastixserver@yourdomain.com mail address. You can use the same trick to replace the address with your ISP address if you are connected via a local SMTP relay.

To set up Gmail for delivery, see the Gmail article on this page.

Categories
Asterisk Support Elastix Support Knowledge Base

Installing DynDns update script on Centos

The following is a simple run-through of installing the DynDNS client (ddclient) for updating the IP address of your hosts.

cd /usr/src
wget http://cdn.dyndns.com/ddclient.tar.gz
tar -xzvf ddclient.tar.gz
cd ddclient-3.7.3/
mkdir /etc/ddclient
mkdir /var/cache/ddclient
cp ddclient /usr/local/sbin
cp sample-etc_ddclient.conf /etc/ddclient/ddclient.conf
cp sample-etc_rc.d_init.d_ddclient /etc/rc.d/init.d/ddclient
chkconfig --add ddclient
cd ..
vi /etc/ddclient/ddclient.conf

Add the following at the bottom of the file:

#
use=web
login=USERNAME
password=PASSWORD
server=members.dyndns.org
protocol=dyndns2
# add your DNS name here as below
DNSNAME.dyndns.biz
#

Then start the client:

/etc/init.d/ddclient start

You will then need to check that your host address has updated on the dyndns site.

If you get Perl IO::Socket::SSL errors in the logfile, then install the module:

yum install perl-IO-Socket-SSL

Categories
Asterisk Support Elastix Support FreePBX Knowledge Base

Using Gmail to send Voicemail emails

We have seen more and more ISPs blocking port 25. This means that sending emails natively from FreePBX or any Asterisk-based IP PBX, for things such as voicemail notification, can time out or be rejected.

To get round this you can send your email notifications via Gmail.

Firstly you need a Gmail account; once you have this, jot down the username and password, as you will need them later.

You now need to connect to your server via SSH, as you have a couple of files to edit.

Firstly, enter the account details in sasl_passwd:

vi /etc/postfix/sasl_passwd

and add:

smtp.gmail.com:587 yourmailaddress@gmail.com:password

Save it, then edit main.cf:

vi /etc/postfix/main.cf

Then add at the end:

masquerade_domains = yourdomain.com
# The server's hostname below
myhostname = Asterisk.yourdomain.com
mydomain = Asterisk.yourdomain.com
# The email account it is being sent from below
myorigin = voicemail@yourdomain.com

relayhost = smtp.gmail.com:587
mynetworks = 127.0.0.0/8
inet_interfaces = loopback-only
smtp_use_tls = yes
smtp_always_send_ehlo = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
# From the generic maps article; remove this line if /etc/postfix/generic does not exist on this server
smtp_generic_maps = hash:/etc/postfix/generic
# Set this once only: "secure" makes TLS mandatory and checks the Gmail certificate against the relayhost name
smtp_tls_security_level = secure
smtp_tls_mandatory_protocols = TLSv1
smtp_tls_mandatory_ciphers = high
smtp_tls_secure_cert_match = nexthop
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

Then enter the following commands at the command line:

postmap hash:/etc/postfix/sasl_passwd
/etc/init.d/postfix restart

Finally you need to make a change to your Gmail account: “Allow users to manage their access to less secure apps”, which is in the security section of the Gmail ‘Domain’ account settings. If it is a GSuite account, make sure “Less secure app access” is set to yes in the account’s ‘security section’. If you don’t do this you will see:

535-5.7.8 Username and Password not accepted. Learn more at
535 5.7.8  https://support.google.com/mail/?p=BadCredentials

or

530-5.7.0 Authentication Required. Learn more at
530 5.7.0  https://support.google.com/mail/?p=WantAuthError

You will most likely see the 535 error if ‘Less secure app access’ is not enabled.

You should now be able to send email via the gmail account.

It’s worth making a couple of changes to the Gmail account: firstly, set an out-of-office reply saying it’s only a sending mailbox, and secondly, another that deletes messages arriving in the inbox.
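Added example, not the article's own code: a small Python checker for the main.cf and sasl_passwd pair above, run on constructed copies of the fragments. It flags a parameter defined twice (Postfix uses the last definition, so a second smtp_tls_security_level line silently wins), a missing SASL or mandatory-TLS setting, and a sasl_passwd key that does not match relayhost.

```python
# Added example (not from the article): check that a main.cf relay fragment and
# its sasl_passwd file agree, and flag parameters defined more than once,
# because Postfix silently uses the LAST definition of a repeated parameter.

# Constructed sample: the article's fragment with smtp_tls_security_level
# deliberately left duplicated (encrypt, then secure).
SAMPLE_MAIN_CF = """\
relayhost = smtp.gmail.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_security_level = secure
"""
SAMPLE_SASL_PASSWD = "smtp.gmail.com:587 yourmailaddress@gmail.com:password\n"


def parse_main_cf(text):
    """Return (effective, seen): effective maps each parameter to the value
    Postfix will use; seen keeps every value in file order."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        # Skip blanks and indented continuation lines (not needed for this fragment)
        if not line or line[0].isspace() or "=" not in line:
            continue
        key, _, value = line.partition("=")
        seen.setdefault(key.strip(), []).append(value.strip())
    return {k: v[-1] for k, v in seen.items()}, seen


def check_relay(main_cf, sasl_passwd):
    """Return a list of findings; an empty list means the pair looks consistent."""
    effective, seen = parse_main_cf(main_cf)
    findings = [f"{k} is set {len(v)} times; Postfix uses the last one: {v[-1]}"
                for k, v in seen.items() if len(v) > 1]
    relay = effective.get("relayhost")
    if not relay:
        return findings + ["relayhost is not set, mail will not go via Gmail"]
    if effective.get("smtp_sasl_auth_enable") != "yes":
        findings.append("smtp_sasl_auth_enable is not yes, Gmail will answer 530 5.7.0")
    # Credentials must only travel inside TLS, so require a mandatory TLS level.
    if effective.get("smtp_tls_security_level") not in ("encrypt", "verify", "secure"):
        findings.append("smtp_tls_security_level does not make TLS mandatory")
    # Postfix looks the password up by the relayhost as written (brackets and
    # port included) and then by the bare server hostname; anything else misses.
    keys = [ln.split()[0] for ln in sasl_passwd.splitlines()
            if ln.strip() and not ln.startswith("#")]
    host = relay.rsplit(":", 1)[0].strip("[]")
    if relay not in keys and host not in keys:
        findings.append(f"no sasl_passwd entry for relayhost {relay!r} (keys: {keys})")
    return findings


if __name__ == "__main__":
    for finding in check_relay(SAMPLE_MAIN_CF, SAMPLE_SASL_PASSWD) or ["no findings"]:
        print(finding)
```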

Categories
Knowledge Base Security

Remote ssh tunnel script

We have various customers with firewalls that only allow known trusted IP addresses through, normally our office and our monitoring platform, for example.

But if we are out and about we still sometimes need to access a system and its GUI, so we have created the simple script below that makes an SSH connection to the customer server and also tunnels through to the web GUI.

This script is in place on the monitoring server, so we can just SSH in to the monitoring platform and run the script. All that is needed is a single tunnel set up on the SSH client that I’m accessing the monitoring platform from.

#!/bin/bash
# ssh tunnel tool. 2013 cyber-cottage.co.uk
# usage: remotetunnel.sh <remote server> [remote ssh port] [remote system port]
echo "ssh tunnel tool. 2013 cyber-cottage.co.uk"
if [ -z "$1" ]; then
 echo "You have no remote destination set"
 echo "usage: remotetunnel.sh <remote server> <remote ssh port> <remote system port>"
 echo "For example remotetunnel.sh 81.22.23.24 8022 80"
 exit 1
fi
echo "Setting up a tunnel to $1"
whois "$1" | grep -i netname
if [ -z "$2" ]; then
 echo "You have no remote ssh port set, Setting ssh to port 22"
 port="22"
else
 port="$2"
fi
if [ -z "$3" ]; then
 echo "You have no remote system port set, Setting remote to port 80"
 rport="80"
else
 rport="$3"
fi
echo "Remote system IP is $1"
echo "Remote ssh port is $port"
echo "Remote system port is $rport"
read -p "Is this correct? (y/n) " RESP
if [ "$RESP" = "y" ]; then
 echo "Glad to hear it"
else
 exit 1
fi
# Local port 9999 on the monitoring server is forwarded to the remote system port
ssh -L 9999:localhost:"$rport" -p "$port" "$1"

Categories
Asterisk Support Elastix Support Knowledge Base Security

Keeping the Bots at bay and allowing your friends in

Recently we have seen an upsurge in bots attacking Asterisk servers. Interestingly, it is not good old SIPVicious any more but a Windows program called sipcli, originating mainly from the US and Germany.

Normally our iptables firewalls are kept updated, but for some reason these keep getting through, so we have now also based rules on the SIP User-Agent in iptables.

Here are a few examples to get rid of many of the favourites:

-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: friendly-scanner" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: sipcli" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: sipvicious" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: VaxSIPUserAgent" --algo bm --to 65535 -j DROP

It is also worth adding these ranges, as little good will ever come from them:

# Ponytelecom ranges
-A INPUT -s 62.210.0.0/16 -j DROP
-A INPUT -s 195.154.0.0/16 -j DROP
-A INPUT -s 212.129.0.0/18 -j DROP
-A INPUT -s 62.4.0.0/19 -j DROP
-A INPUT -s 212.83.128.0/19 -j DROP
-A INPUT -s 212.83.160.0/19 -j DROP
-A INPUT -s 212.47.224.0/19 -j DROP
-A INPUT -s 163.172.0.0/16 -j DROP
-A INPUT -s 51.15.0.0/16 -j DROP
-A INPUT -s 151.115.0.0/16 -j DROP

# VITOX TELECOM
-A INPUT -s 77.247.109.0/255.255.255.0 -p udp -j DROP 
-A INPUT -s 185.53.88.0/24 -p udp -j DROP 
-A INPUT -s 185.53.89.0/24 -p udp -j DROP 
-A INPUT -s 37.49.224.0/24 -p udp -j DROP 
-A INPUT -s 37.49.230.0/24 -p udp -j DROP 
-A INPUT -s 37.49.231.0/24 -p udp -j DROP 
-A INPUT -s 77.247.110.0/255.255.255.0 -p udp -j DROP

For the FreePBX format, add the following to /etc/firewall-4.rules:

-A fpbxreject -s 37.49.231.0/24  -m udp -p udp -j DROP
-A fpbxreject -s 37.120.129.0/19   -p udp -j DROP
-A fpbxreject -s 185.53.88.0/24  -p udp -j DROP
-A fpbxreject -s 185.53.89.0/24  -p udp -j DROP
-A fpbxreject -s 185.53.90.0/24  -p udp -j DROP
-A fpbxreject -s 185.53.91.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.224.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.225.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.227.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.228.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.229.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.230.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.231.0/24  -p udp -j DROP
-A fpbxreject -s 77.247.108.0/24  -p udp -j DROP
-A fpbxreject -s 77.247.109.0/24  -p udp -j DROP
-A fpbxreject -s 77.247.110.0/24  -p udp -j DROP
-A fpbxreject -s 77.247.111.0/24  -p udp -j DROP
-A fpbxreject -s 62.210.0.0/16 -p udp -j DROP
-A fpbxreject -s 195.154.0.0/16 -p udp -j DROP
-A fpbxreject -s 212.129.0.0/18 -p udp -j DROP
-A fpbxreject -s 62.4.0.0/19 -p udp -j DROP
-A fpbxreject -s 212.83.128.0/19 -p udp -j DROP
-A fpbxreject -s 212.83.160.0/19 -p udp -j DROP
-A fpbxreject -s 212.47.224.0/19 -p udp -j DROP
-A fpbxreject -s 163.172.0.0/16 -p udp -j DROP
-A fpbxreject -s 51.15.0.0/16 -p udp -j DROP
-A fpbxreject -s 151.115.0.0/16 -p udp -j DROP

If you are still getting problems, check a SIP trace and look at the contact part of the request headers:

Contact: <sip:100@xxx.www.rrr.zzz:5070>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8                       <<<<<<<<<<<<<<<< here it is 
Content-Type: application/sdp

Below is a simple Bash script to create the iptables entries for Linux. Create a script and paste the code in. If you just run it, it creates entries ready for CentOS iptables; if you run ‘scriptname freepbx’, it creates the entries for /etc/firewall-4.rules.

#!/bin/bash
# Print iptables rules that DROP SIP traffic from known scanner User-Agents.
# Run with no argument for plain CentOS iptables, or 'scriptname freepbx' for /etc/firewall-4.rules.
# One entry per User-Agent prefix; a multi-word agent stays in its own quotes.
SCANNERS=(owenee 'Custom SIP' gazllove pplsip sipcli sipvicious sip-scan sipsak sundayddr friendly-scanner iWar CSipSimple SIVuS Gulp sipv smap friendly-request VaxIPUserAgent VaxSIPUserAgent siparmyknife Test)
SYS="$1"
if [ "$SYS" = "freepbx" ]; then
  CHAIN=fpbxreject
else
  SYS=NOOP
  CHAIN=INPUT
fi
echo "This is for a $SYS system"
echo "Copy and paste below"
echo
PORTS='5060:5261'   # SIP signalling port range
PROTOS='udp tcp'
for scanner in "${SCANNERS[@]}"; do
  for port in $PORTS; do
    for proto in $PROTOS; do
      echo "-A $CHAIN -p $proto -m $proto --dport $port -m string --string \"User-Agent: $scanner\" --algo bm --to 65535 -j DROP"
    done
  done
done

In this case, just match the prefix as we have in iptables (“User-Agent: sipcli”) and it will catch all versions.

Hope this helps you as much as it has helped us

This idea can also be reversed to only allow the User-Agents (phones) you want to accept.

Here are a few examples of common soft and hard phones:

-A ELASTIX_INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: Yealink" --algo bm --to 65535 -j ACCEPT
-A ELASTIX_INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: FPBX" --algo bm --to 65535 -j ACCEPT
-A ELASTIX_INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: Linphone" --algo bm --to 65535 -j ACCEPT
-A ELASTIX_INPUT  -p udp -m udp --dport 5060 -m string --string "User-Agent: DX800" --algo bm --to 65535 -j ACCEPT
-A ELASTIX_INPUT  -p udp -m udp --dport 5060 -m string --string "User-Agent: 3CX" --algo bm --to 65535 -j ACCEPT
-A ELASTIX_INPUT  -p udp -m udp --dport 5060 -m string --string "User-Agent: Grand" --algo bm --to 65535 -j ACCEPT

Again, to find others, just do a SIP trace and note down the User-Agent.

This can also be extended to make your system more secure by only allowing in devices that register to your FQDN and not just the IP address:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#ssh moved from 22 to random port
-A INPUT -m state --state NEW -m tcp -p tcp --dport 65432 -j ACCEPT
#Web interface moved to new port.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8765 -j ACCEPT
#drop sipvicious traffic
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: sipvicious" --algo bm --to 65535 -j DROP
-A INPUT -i eth0 -p udp --dport 5060 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p udp --dport 4569 -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow Yealink phones (this file defines no ELASTIX_INPUT chain, so the rule goes in INPUT)
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: Yealink" --algo bm --to 65535 -j ACCEPT
#and anything that registers to your domain name directly (either rule on its own accepts)
-A INPUT -i eth0 -p udp --dport 5060 -m string --string "REGISTER sip:yoursip.yourdomain.co.uk" --algo bm -j ACCEPT
#only allow iax from known server
-A INPUT -s xxx.xxx.xxx.0/22 -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 5060 -j DROP
-A INPUT -i eth0 -p udp --dport 10000:20000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

The above example should keep you secure (but things and methods change, so keep your eye on the ball).
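Added example, not the article's own code: a Python replay of the SIP decisions in the firewall file above (scanner User-Agent DROP rules, then the phone User-Agent and REGISTER-to-FQDN ACCEPT rules, then the final DROP on udp/5060), run over constructed requests. The scanner and phone lists are the ones in the article; the registrar name is the article's placeholder. Like iptables -m string, the checks are plain case-sensitive substring tests on the payload, which is why the final DROP matters as the default-deny.

```python
# Added example (not from the article): replay constructed SIP requests through
# the same rule order as the firewall file, to see which rule a packet hits.
SCANNER_AGENTS = ["friendly-scanner", "sipcli", "sipvicious", "VaxSIPUserAgent"]
PHONE_AGENTS = ["Yealink", "FPBX", "Linphone", "DX800", "3CX", "Grand"]
OUR_REGISTRAR = "yoursip.yourdomain.co.uk"  # placeholder name, as in the article

# Constructed sample requests (request line plus a few headers), not real captures.
SCANNER = ("REGISTER sip:203.0.113.5 SIP/2.0\r\n"
           "Contact: <sip:100@203.0.113.5:5070>\r\n"
           "User-Agent: sipcli/v1.8\r\n\r\n")
PHONE = ("REGISTER sip:yoursip.yourdomain.co.uk SIP/2.0\r\n"
         "Contact: <sip:201@192.0.2.20:5060>\r\n"
         "User-Agent: Yealink SIP-T46G 28.80.0.95\r\n\r\n")
UNKNOWN_TO_IP = ("REGISTER sip:203.0.113.5 SIP/2.0\r\n"
                 "User-Agent: SomeOtherPhone 1.0\r\n\r\n")
UNKNOWN_TO_FQDN = ("REGISTER sip:yoursip.yourdomain.co.uk SIP/2.0\r\n"
                   "User-Agent: SomeOtherPhone 1.0\r\n\r\n")


def user_agent(packet):
    """Pull the User-Agent value out of a trace (SIP header names are case-insensitive)."""
    for line in packet.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            return value.strip()
    return None


def decide(packet):
    """Return (verdict, rule) following the order of the rules in the firewall file.
    iptables -m string matches the raw payload anywhere and is case-sensitive
    unless --icase is added, so plain substring tests mirror it."""
    for agent in SCANNER_AGENTS:              # scanner DROP rules sit first
        if f"User-Agent: {agent}" in packet:
            return "DROP", f"scanner User-Agent {agent}"
    for agent in PHONE_AGENTS:                # known phone User-Agents
        if f"User-Agent: {agent}" in packet:
            return "ACCEPT", f"phone User-Agent {agent}"
    if f"REGISTER sip:{OUR_REGISTRAR}" in packet:  # registers to the FQDN, not an IP
        return "ACCEPT", "REGISTER to our FQDN"
    return "DROP", "final DROP on udp/5060"  # -A INPUT -i eth0 -p udp --dport 5060 -j DROP


if __name__ == "__main__":
    for name, pkt in [("scanner", SCANNER), ("phone", PHONE),
                      ("unknown->ip", UNKNOWN_TO_IP), ("unknown->fqdn", UNKNOWN_TO_FQDN)]:
        print(f"{name:14} UA={user_agent(pkt)!r:34} -> {decide(pkt)}")
```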

Categories
Asterisk Support Elastix Support Knowledge Base Technical

IAX2 Peers going unreachable.

In the past we have found that IAX2 peers have been reliable and solid.

But lately, with the advent of bonded ADSL lines and other forms of aggregated lines, we have seen issues where the IAX2 trunk will go down and a simple reload of Asterisk, or even a restart, doesn’t fix it.

Taken from Voip-info:

A report of the problem by another user :

This is something I’ve run into myself and my VOIP IAX2 provider has this issue with many clients running Asterisk on TrixBox or other custom made systems behind a NAT (Linux) router.

If our PPPoE goes down, we have to reboot our Asterisk server to get our IAX2 trunk to re-register; otherwise, it will just keep trying and timing out. I have 4569 forwarded internally (Pierre Belanger adds: in many cases, the 4569 port forwarding is useless unless your Asterisk server provides service to IAX2 phones from the Internet, i.e. not on your local LAN).

I have a dirty script that avoids having to reboot the TrixBox and restore our service within 2 minutes of a blip automatically, and logs the ‘blips’ so i can see how ‘reliable’ our service is.

We have taken the original script posted and made some changes. Notably, it checks a defined peer name, as we have seen that the problem doesn’t always affect all peers on a system.

======Code follows ======

#!/bin/sh
# Monitor one IAX2 peer and reload chan_iax2 if it is not shown as OK.
cd /root/ || exit 1   # the script lives in root's home; slap.log and reg_status are written here
# Set the peer name to monitor here
# ******
peername="YOURIAX2PEERNAME"
# ******

# Record the status line for the peer in slap.log and return 0 if it shows OK
peer_ok() {
  /usr/sbin/asterisk -rx 'iax2 show peers' | grep -i "$peername" > reg_status
  cat reg_status >> slap.log
  grep -q OK reg_status
}

# Unload and reload chan_iax2. A delay between the two is required for some reason;
# the number of seconds is the first argument.
restart_iax2() {
  echo "we have a problem with $peername, Restarting it" >> slap.log
  /usr/sbin/asterisk -rx 'module unload chan_iax2.so' >> slap.log
  sleep "$1"
  /usr/sbin/asterisk -rx 'module load chan_iax2.so' > /dev/null
  echo "Restarted it Now lets check status" >> slap.log
  sleep 5
}

date >> slap.log
echo "Testing $peername peer" >> slap.log
if peer_ok; then
  echo "All OK Here" >> slap.log
  exit 0   # we are online, all is well
fi
# If we are this far down, we have lost IAX. First attempt with a 90 second pause,
# then a second attempt with 120 seconds if the peer is still not OK.
restart_iax2 90
if peer_ok; then
  echo "All OK Here" >> slap.log
  exit 0
fi
restart_iax2 120
if peer_ok; then
  echo "All OK Here" >> slap.log
fi

======Code ends======

This seems to do the trick, and it is cronned to run every night, or every hour in some cases.

UPDATE

On testing and speaking to suppliers, we would advise adding the following settings to your IAX2 peers:

 

qualifysmoothing=yes
qualifyfreqnotok=30000
qualifyfreqok=120000
qualify=yes

With this added we have not seen any unexpected unreachables.

 

Categories
Knowledge Base Technical

Flushing your sendmail queue.

Whenever sendmail has to deliver mail to other hosts that cannot be reached at that time, the messages are kept in the queue and are marked as “Deferred: Connection timed out”. Even once the other hosts can be reached again and you want to tell sendmail to flush the mail queue, the command

sendmail -q -v

does not really try to reconnect to these hosts and still assumes that the connection timed out. The reason is that the host status is cached, by default for a period of 30 minutes. Using

sendmail -OTimeout.hoststatus=0m -q -v

you can re-run the mail queue and force sendmail to reconnect to the hosts. You may want to define an alias for that, say ‘sendmail-flush-timeouts’.

You can set further options in /etc/sendmail.cf.

Categories
Knowledge Base

ETHERACCESS LA210

The unit is referred to as the Network Termination Equipment (NTE) or RAD box.

It is used to ‘bond’ the multiple lines used on an EFM connection into one circuit. There are RJ45 network ports on the rear that allow you to plug in your own equipment, such as routers.

Front View

The front of the LA-210 includes LED lights that can indicate the state of the unit and the connection.


Rear view

The LA-210 has 4 RJ-45 network ports that you can plug your own router into.


LED status (image not reproduced)

Categories
Knowledge Base Support

Mitel SNMP Alarm monitoring

As part of our ongoing improvements to our alarm and fault monitoring service, we are now pleased to be able to offer proactive monitoring of the Mitel 3300 ICP SNMP alarm output.
This monitoring is proactive, meaning we check the system at regular intervals from our Nagios platform and will raise alarms on power failure as well as on all Mitel SNMP alarm levels.


The alarm can be emailed or texted to a single address or a group of addresses.

All that is required is a fixed external hostname or IP address, port 161 (or another port forwarded to port 161) so we can connect, and the SNMP configuration on the Mitel system set to allow our system’s IP address to connect.

If you are interested in this service, the standard charge is £25 per site per year. For more details please email or call us.

Categories
Knowledge Base Technical

Skype for SIP name to DDI with Asterisk

When using Skype for SIP trunks with Asterisk, a simple and neat way to enable DDI calling for the Skype names is to use the “extension” option.
This means that the ‘To’ in the SIP header is set to whatever you configure there.

This can then be picked out with a simple bit of dialplan:

; Skype for SIP puts the "extension" value in the To header; pull out the 6-digit DDI from it
exten => 99051000000000,1,Set(CALLERID(num)=${CALLERID(name)})
; skip the leading "<sip:" (5 characters) and take the next 6 digits
exten => 99051000000000,2,Set(cNum=${SIP_HEADER(TO):5:6})
exten => 99051000000000,3,Noop(${cNum})
; comma separators as used by Asterisk 1.6 and later (older 1.4 dialplans used | here)
exten => 99051000000000,4,Goto(from-pstn,${cNum},1)

In the above example we have 6-digit DDI numbers in the context from-pstn.

Setting up the Skype end is as simple as logging into your BCP, going to the relevant profile, clicking on the Calling tab and setting the extension option there.

This lets you use one account and have all your BCP accounts have their DDI calls directed at the PBX.