Tag: Linux

Categories
Knowledge Base Support

24×7 Asterisk server monitoring with Nagios.

We offer an economical solution for end users and resellers to monitor their Asterisk and Linux servers.

Our platform monitors servers 24 hours a day 7 days a week. Hosted in a state of the art US based data centre with connections to major UK data centres and multiple connections to the internet.

We offer different levels of monitoring from simple uptime and email alerts to system load, disk space and channel usage with email and SMS notification. Web panel and firefox/Chrome plugin available to all levels to view system status.

The service is primarily aimed at Asterisk based IPPBX server but we can monitor other Linux based servers and Mitel systems as well. Our checks on Asterisk servers were customised by us to allow easy and secure deployment as we only require SSH access to make checks and this is secured by server keys. 

Nagios monitor screen

 

Service levels

Silver Level £10 setup – £2.50 per month £25.00 per year

  • Single Server, 4 services from list below & email alerts.
  • Ping test
  • SIP/IAX Peer availability
  • Asterisk channels
  • ISDN availability
  • Disk Space
  • System Load
  • Heartbeat Status
  • SIP/IAX2 registration status
  • Mitel SNMP Alarm status

Gold Level £10 setup per server – £5.00 per month £50.00 per year

  • Upto 2 Servers, 4 services per server, email and SMS alerts by subscription

In addition to the silver list:-

  • Asterisk Database status
  • Custom checks, (cost for design may be inured)

Additional options.

SMS alerts by arrangement, if using Gradwell Numbers and outbound we can integrate with the SMS API

Extra contact £5 setup

Extra server £10 setup £2.50 per month £25 per year

Extra service £5 setup £0.50 per month £5 per year

Partner options are available, Please contact us for details.  Pdf  download cymon 

Categories
Gateways

Redfone FoneBRIDGE

The foneBRIDGE is a T1/E1 PRI-to-Ethernet Bridge. It is an integrated black box appliance designed to streamline installation and enable redundant design of open source telephony based VoIP systems such as Asterisk®, Elastix, Trixbox, FreeSwitch and others.

Features

Failover and HA Enabled
• Flexible Configuration
• Highly reliable design
• Simple Install
• Form factor independent
• Single, Dual, Quad and Octal Port models

Applications

• T1/E1 PRI Trunk termination
• Legacy PBX-to-Asterisk integration
• Simple, single server installs
• Complex, HA Asterisk clusters
• Channel Bank connectivity
• Mixed telephony environments (T1 and E1)
• Blade Servers where PCI slots are not available

Download Datasheet here

Price excluding VAT:

  • Non ec Single e1 £430
  • Non ec Dual e1 £850
  • Non ec Quad e1 £1200
  • ec Single e1 £640
  • ec Dual e1 £1200
  • ec Quad e1 £1700
*ec = Hardware echo cancelation
Categories
Knowledge Base

Trusting Linux servers

This hopes to explain in simple steps setting up a pair (or more) servers as a trusted group.
So what do we want to achieve ? Well we wnat to be able to ssh, sftp, rsync etc between servers and not need to enter passwords
Steps required
1 Hosts File
2 Editing sshd_config
3 Create the ssh keys
4 Setting up the Auth. users file
Hosts File

Firstly we need to make sure all servers are in the hosts file
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost
127.0.0.1 asterisk2.local
# We point to eth0 on our own box
192.168.10.100 asterisk2.local
192.168.10.100 asterisk2
# We point to eth1 on the other box
192.168.10.108 asterisk1

Editing sshd_config

Now we need to edit the /etc/ssh/sshd_config file
so that the following

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile /root/.ssh/authorized_keys

replaces

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

Now restart the sshd
/etc/init.d/sshd restart

Create the ssh keys

We now need to create the keys on each server
ssh-keygen -t rsa
and hit return for all the questions.
this will create 2 files in /root/.ssh

go the /root/.ssh directory and copy the id_rsa.pub to the other server and get its id_rsa.pub

sftp asterisk1

put id_rsa.pub asterisk2.pub
get id_rsa.pub asterisk1.pub
bye

Setting up the Auth. users file

In the /root/.ssh directory you will now have for example :-

asterisk1.pub id_rsa id_rsa.pub known_hosts

We now need to copy the asterisk1.pub to the authorized_keys file

cat asterisk1.pub >> authorized_keys

Do the same on the other server.

You should now be able to ssh and rsync between servers.

Categories
Knowledge Base

Sip debugging with wireshark

Wireshark and Cloudshark are invaluable tools for debugging sip and iax issues on your Asterisk server.

Here we have a short Video that goes over the basics of getting a call captured and opened in Cloudshark

we also have a short tutorial for download here in PDF format

First we need to get the packets we want. This is far simpler than its thought. We use a simple command line tool called tcpdump, if its not installed install it now, You wont be able to live without it.

Here we have 2 commands, The first captures packets on interface eth0, -n means we won’t convert addresses, -w means we just capture raw packets and udp means its only the udp packets we want and finally port 5060 means its only the sip messaging we want. In the second we dont specify port 5060 so that we get the rtp stream as well.

/usr/sbin/tcpdump -n -i eth0 -w /tmp/wireshark.pcap -s2000 udp port 5060
 /usr/sbin/tcpdump -n -i eth0 -w /tmp/wireshark.pcap -s2000 udp
screen -S "udpDump" -dm tcpdump -n -i eth0 -C 9 -W 15 -w /var/log/asterisk/dumpsip.pcap -s2000 udp port 5060

The command above will write to file in the background and will rotate at 9 meg so suitable for cloudshark

Once you have started the capture and made a call as required you will get a file called for example /tmp/wireshark.pcap copy this to your workstation via ftp or sftp as you would copy any file.

Categories
Knowledge Base

Better SIP security

In Seven Steps

Original Text by J Todd March 28th, 2009

In case any of you were wondering why there has been a fairly notable upswing in the attacks happening on SIP endpoints, the answer is “script kiddies.”  In the last few months, a number of new tools have made it easy for knuckle-draggers to attack and defraud SIP endpoints, Asterisk-based systems included.  There are easily-available tools that scan networks looking for SIP hosts, and then scan hosts looking for valid extensions, and then scan valid extensions looking for passwords.You can take steps, NOW, to eliminate many of these problems.  I think the community is interested in coming up with an integrated Asterisk-based solution that is much wider in scope for dynamic protection (community-shared blacklists is the current thinking) but that doesn’t mean you should wait for some new tool to defend your systems.  You can IMMEDIATELY take fairly common-sense measures to protect your Asterisk server from the bulk of the scans and attacks that are on the increase. The methods and tools for protection already exists – just apply them, and you’ll be able to sleep more soundly at night.

Seven Easy Steps to Better SIP Security on Asterisk:

 

1) Don’t accept SIP authentication requests from all IP addresses.  Use the “permit=” and “deny=” lines in sip.conf to only allow a reasonable subset of IP addresess to reach each listed extension/user in your sip.conf file.  Even if you accept inbound calls from “anywhere” (via [default]) don’t let those users reach authenticated elements!

 

2) Set “alwaysauthreject=yes” in your sip.conf file.  This option has been around for a while (since 1.2?) but the default is “no”, which allows extension information leakage.  Setting this to “yes” will reject bad authentication requests on valid usernames with the same rejection information as with invalid usernames, denying remote attackers the ability to detect existing extensions with brute-force guessing attacks.

 

3) Use STRONG passwords for SIP entities.  This is probably the most important step you can take.  Don’t just concatenate two words together and suffix it with “1? – if you’ve seen how sophisticated the tools are that guess passwords, you’d understand that trivial obfuscation like that is a minor hinderance to a modern CPU.  Use symbols, numbers, and a mix of upper and lowercase letters at least 12 digits long.

 

4) Block your AMI manager ports.  Use “permit=” and “deny=” lines in manager.conf to reduce inbound connections to known hosts only.  Use strong passwords here, again at least 12 characters with a complex mix of symbols, numbers, and letters.

 

5) Allow only one or two calls at a time per SIP entity, where possible.  At the worst, limiting your exposure to toll fraud is a wise thing to do.  This also limits your exposure when legitimate password holders on your system lose control of their passphrase – writing it on the bottom of the SIP phone, for instance, which I’ve seen.

 

6) Make your SIP usernames different than your extensions.  While it is convenient to have extension “1234? map to SIP entry “1234? which is also SIP user “1234?, this is an easy target for attackers to guess SIP authentication names.  Use the MAC address of the device, or some sort of combination of a common phrase + extension MD5 hash (example: from a shell prompt, try “md5 -s ThePassword5000?)

 

7) Ensure your [default] context is secure.  Don’t allow unauthenticated callers to reach any contexts that allow toll calls.  Permit only a limited number of active calls through your default context (use the “GROUP” function as a counter.)  Prohibit unauthenticated calls entirely (if you don’t want them) by setting “allowguest=no” in the [general] part of sip.conf.

 

These 7 basics will protect most people, but there are certainly other steps you can take that are more complex and reactive.  Here is a fail2ban recipe which might allow you to ban endpoints based on volume of requests.  There is discussion on the asterisk-user and asterisk-dev mailing lists of incorporating this type of functionality into Asterisk – let’s hear your ideas!

 

If you’d like to see an example of the tools that you’re up against, see this demo video of an automated attack tool that does scan, guess, and crack methods via a click-and-drool interface.
In summary: basic security measures will protect you against the vast majority of SIP-based brute-force attacks.  Most of the SIP attackers are fools with tools – they are opportunists who see an easy way to defraud people who have not considered the costs of insecure methods.  Asterisk has some methods to prevent the most obvious attacks from succeeding at the network level, but the most effective method of protection are the administrative issues of password robustness and username obscurity.

 

JTodd
Digium
Categories
Knowledge Base Technical

Installing Webdav on Centos with untrusted ssl certificates

Webdav (Web-based Distributed Authoring and Versioning) is a set of methods based on the Hypertext Transfer Protocol (HTTP) that facilitates collaboration between users in editing and managing documents and files stored on World Wide Web servers.This can be useful to allow backing up of data between servers. In Linux there is a command line client called cadaver that in theory allows you to script its use.

This isnt as staight forward as it could have been and we spent half a day and a lot of Googling to get to the bottom of common problems, Such as auto loging in, Untrusted ssl certificates and scripting.

So here is a simple run down on what you have to do to script with webdav and cadaver

Install cadaver

yum install cadaver

once installed you will need to install the certificate for the untrusted ssl site

for example
wget http://website/untrusted.server.com.cer
now convert this to a .pem file
openssl x509 -inform der -in untrusted.server.com.cer -out untrusted.server.com.pem

now add this to your cert.pem file.

in centos this seems to be in the  /usr/share/ssl/ directory
cat untrusted.server.com.pem >> /usr/share/ssl/cert.pem

you now need to edit the ./netrc file with the server and logon details
vi ~/.netrc

machine untrusted.server.com
login   user
password        secret

save the file.

now when you connect you wont be promted for accepting the certificate or a username and password

cadaver -et  https://untrusted.server.com
dav:/>

Ok now we want to script the actions.
This is as simple as creating a script file.

for example

vi ~/.cadavscript
ls
pwd
quit

will give the following output

cadaver -et  https://untrusted.server.com/ < ~/.cadavscript
dav:/> Listing collection `/’: succeeded.
test.txt                              35  Aug 19 15:04
dav:/> Current collection is `https://untrusted.server.com/’.
dav:/> Connection to `untrusted.server.com’ closed.

So create a script to do what you want and your done

Categories
Knowledge Base

General Configuration Guide Skype for SIP and Asterisk

 

If you are new to SIP, Asterisk is a useful, open-source (GPL) platform with which to test and experiment with the Skype for SIP. This is a guide on how to install Skype for SIP on a system agnostic or “vanilla” Asterisk server.

 

To install Asterisk on your server, please see the Digium documentation here http://www.asterisk.org.

 

This configuration guide is based on Debian Linux (Lenny 64bit). With a basic installation of Debian you can install Asterisk by issuing the following APT command at the command line:-

apt-get install asterisk

 

 

Configuration Files for Vanilla Asterisk

 

In configuring Skype for SIP on a vanilla Asterisk system we are primarily concerned with two configuration files:-

 

  1. sip.conf (located in the /etc/asterisk/ directory)
    The sip.conf file holds the registration details for the Skype for SIP channel
  2. extensions.conf (located in the /etc/asterisk/ directory)The extensions.conf holds the dial plan telling Asterisk what to do with incoming and outgoing calls.-

 

Let’s do a walkthrough of the configuration steps.

 

Configuring the sip.conf File

 

Step 1

 

The sip.conf file has two sections that need to be completed. The “General” section (denoted in the file with the [general] heading) and peer section denoted in the file with the [peers] heading.

 

In the General section we need to add a “register” line. This tells Asterisk to register with Skype at the Skype local point of presence.

 

Add the following, under the “[general]” section in the file, substituting your 9905xxxx number and password with your actual credentials for the Skype for SIP profile you wish to use. Your SIP Profile details can be found in the Skype Business Control Panel (BCP):-

 

register => 99051000xxxxxx: PaSsW0rD@sip.skype.com /99051000xxxxxx

 

Step 2

To ensure that we also receive the callerID from Skype clients we also should add:-

 

trustrpid = no

sendrpid = yes

 

 

Step 3

Next, we add a section for the peer, in the “[peers]” section of the sip.conf file. Again we substitute the 9905xxxxx number and password with the SIP Profile credentials from the Skype Business Control Panel (BCP):-

 

[99051000xxxxxx]

type = peer

username = 99051000xxxxxx

fromdomain = sip.skype.com

fromuser = 99051000xxxxxx

realm = sip.skype.com

host = sip.skype.com

dtmfmode = rfc2833

secret = PaSsW0rD

nat = no ;This should be set to reflect your network NAT configuration

canreinvite = no

insecure = invite

qualify = yes

disallow = all

allow = alaw

allow = ulaw

;allow = g729 ; Uncomment this if you have G729 licences

amaflags = default

trustrpid = no

sendrpid = yes

context = skype_in

 

Please Note:

If your Asterisk PBX is behind a NAT device, you should set “nat = yes” in this section.

 

If your Asterisk PBX has a dedicated internet IP address, set this to “nat = no”.

 

Step 4

After setting these changes, reload the Asterisk’s SIP module by typing:-

 

asterisk -rx “reload chan_sip.so”

 

…….at the command line.

 

Step 5

After the SIP Module has reloaded enter asterisk -rx “sip show peers” at the command line, which should return:

 

pbx*CLI> sip show peers

Name/username Host Dyn Nat ACL Port Status

99051000xxxxxx/99051000xx 193.120.218.68 5060 OK (52 ms)

 

Then enter asterisk -rx sip show registry” which should return:

 

pbx*CLI> sip show registry

Host Username Refresh State Reg.Time

sip.skype.com:5060 99051000xxxx 105 Registered day, dd mmm yyyy hh:mm:ss

 

If you see output similar to the above, then you are registered to the Skype SIP gateway and ready to make and receive calls.

 

We now need to setup the extensions.conf so that we have a dialplan setup and Asterisk knows how to deal with incoming and outgoing calls.

 

Configuring the extensions.conf File

 

The extensions.conf file requires a “context” and an “extension” to be added for incoming Skype calls, plus an extension to be added to the context that users use for outgoing calls.

 

Incoming “context”

 

Add the following lines to the [context] section of extensions.conf, substituting 9905xxxxxxx with the 9905 number for the SIP Profile. Again you can find the details of your Skype SIP Profiles in the Skype BCP:-

 

[skype_in]

exten => 99051xxxxxxxx,Noop(${CALLERID(name)} , ${CALLERID(num)})

exten => 99051xxxxxxxx,n,Dial(SIP/100,30,t,r)

exten => 99051xxxxxxxx,n,voicemail(100|u)

 

This is a simple “vanilla” context that shows us the callerID name and number, dials extension 100 for 30 seconds and finally, if unanswered, goes to voicemail. This sequence will need to be amended to suit your requirements. If you are planning on having many SIP Profiles or Online Numbers that all need to end up at the same destination, or the destination is decided by the Skype Business Account that the online number is registered against, a more complicated Dialplan can be used. For example:-

 

[skype_in]

exten => 99051xxxxxxxx,1,Noop(${CALLERID(name)} , ${CALLERID(num)})

exten => 99051xxxxxxxx,n,Queue(sfs|r|||40)

exten => 99051xxxxxxxx,n,voicemail(100|u)

 

 

Outgoing “Context”

 

The outgoing context must be included in the context for your user’s phones. Usual security measures apply. Do not include this in a context for incoming calls.

 

[skype_out]

 

exten => _90Z.,1,Set(CALLERID(num)= 99051xxxxxxxx)

exten => _90Z.,n,Dial(SIP/0044${EXTEN:2}@99051xxxxxxxx)

 

exten => _900.,1,Set(CALLERID(num)= 99051xxxxxxxx)

exten => _900.,n,Dial(SIP/${EXTEN:1}@99051xxxxxxxx)

 

 

In the sip.conf add the following to create user 100

 

[100]

secret=secret

mailbox=100

callerid=”myskypetrunk” <100>

type=friend

host=dynamic

context=international

;nat=no

nat=yes

canreinvite=no

dtmfmode=rfc2833

pickupgroup=1

callgroup=1

subscribecontext=default

notifyringing=yes

disallow=all

;allow=alaw

allow=ulaw

allow=gsm

 

in the extensiosn.conf add the following to the default context

 

exten => _XXX,1,Dial(SIP/${EXTEN},20)

 

Also create a context called international

 

[international]

include => default

include => skype_out