Categories
Asterisk Support Elastix Support Knowledge Base Security

Elastix 2.4 ARI vulnerability Patch

The recent vulnerability in the Asterisk and FreePBX ARI login.php file is not addressed by an update to ARI in the unembedded FreePBX on Elastix 2.4.

This means that your systems will still be vulnerable.

We have produced a patch that you can apply to address this. The patch can be downloaded from https://s3.amazonaws.com/filesandpatches/ari.patch and applied as detailed below.

Log on to the server console:

cd /var/www/html/recordings/includes
cp login.php /root/login.php.ari
wget https://s3.amazonaws.com/filesandpatches/ari.patch
patch < ari.patch

Then, to check, either log in to the server's ARI interface or run

grep json login.php

and you should see the following output:

$buf = json_decode($_COOKIE['ari_auth'],true);
$data = json_decode($crypt->decrypt($data,$ARI_CRYPT_PASSWORD),true);
$data = $crypt->encrypt(json_encode($data),$ARI_CRYPT_PASSWORD);
$buf = json_encode(array($data,$chksum));


Also check whether the file exists in the fw_ari directory:

ls -l /var/www/html/admin/modules/fw_ari/htdocs_ari/includes

If there is a login.php there, copy the patched version over it:

cp /var/www/html/recordings/includes/login.php /var/www/html/admin/modules/fw_ari/htdocs_ari/includes/login.php

After these actions, check that the file ownership is still correct; if not:

chown asterisk:asterisk /var/www/html/recordings/includes/login.php

This patch also applies to any older version of ARI out there.

Also be on the lookout for two suspicious files, named "c.sh" and "c2.pl". If you see these files, remove them immediately!

More details here: http://community.freepbx.org/t/critical-freepbx-rce-vulnerability-all-versions-cve-2014-7235/24536 or here: http://support.freepbx.org/node/92822
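The checks from the procedure above, collected into one script so they can be run on each patched box (for example from a monitoring server). This is an added example, not code from the post or from the FreePBX project; the function names are hypothetical, while the paths, the "json" grep and the c.sh / c2.pl file names come from the post. One assumption is labelled in the code: the post shows four lines of the patched login.php matching "json", so fewer than four matches is treated as unpatched.

```shell
#!/bin/sh
# Added example: post-patch checks for the ARI login.php fix.
# Paths and file names are from the post; function names are hypothetical.

ARI_LOGIN=/var/www/html/recordings/includes/login.php
FW_ARI_LOGIN=/var/www/html/admin/modules/fw_ari/htdocs_ari/includes/login.php

# The post's check: the patched login.php contains json_decode/json_encode
# calls (four lines match "json"). Assumption: an unpatched file has fewer.
# Returns 0 when the file looks patched.
ari_login_patched() {
  n=$(grep -c 'json' "$1" 2>/dev/null) || true
  [ "${n:-0}" -ge 4 ]
}

# When the fw_ari copy exists it must be byte-identical to the patched file.
ari_copies_match() {
  [ ! -e "$2" ] || cmp -s "$1" "$2"
}

# Ownership must still be asterisk:asterisk after patching (GNU stat syntax).
ari_owner_ok() {
  [ "$(stat -c '%U:%G' "$1" 2>/dev/null)" = "asterisk:asterisk" ]
}

# List any file with one of the two names the post says to remove.
ari_suspicious_files() {
  find "$1" -type f \( -name c.sh -o -name c2.pl \) 2>/dev/null
}

# Run every check and print a one-line verdict for each.
# Usage: ari_audit [webroot]   (defaults to /var/www/html)
ari_audit() {
  root="${1:-/var/www/html}"
  ari_login_patched "$ARI_LOGIN" && echo "login.php: patched" || echo "login.php: NOT patched"
  ari_copies_match "$ARI_LOGIN" "$FW_ARI_LOGIN" && echo "fw_ari copy: in sync" || echo "fw_ari copy: DIFFERS"
  ari_owner_ok "$ARI_LOGIN" && echo "ownership: ok" || echo "ownership: WRONG"
  found=$(ari_suspicious_files "$root")
  [ -z "$found" ] && echo "suspicious files: none" || printf 'suspicious files:\n%s\n' "$found"
}
```

Run `ari_audit` as root on the patched server; a "NOT patched" or "DIFFERS" line means one of the copy steps above was missed.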
Categories
Case Studies Knowledge Base QueueMetrics Support

QueueMetrics

We have recently installed and customised a QueueMetrics solution for a customer. Their key reason for choosing QueueMetrics was the ability to use dynamic agents without major Elastix reprogramming, together with a clear and simple interface.

It was also decided that users needed to be able to log into the system from their handsets as well as from a web interface, as the customer is hoping to roll out an agent portal in the future.

To enable hotdesking, the following setting has to be set, similar to the line below:

# The value is interval time (in seconds) used by the analyzer to look back searching HOTDESK verbs in the queue log
default.hotdesking=86400

This meant adding some dialplan to allow logging in and out and pausing.

These are similar to the dialplan the web portals use, except that they have voice prompts and also have to store the extension and agent id in the Asterisk database.

;added dialplan for queuemetrics
; Add Member - 422
; User is asked for their login agent id (must be 4 digits, re-prompted otherwise)
exten => _422XXXX,1,Answer
exten => _422XXXX,2,Read(AGENTID,agent-login,4,,1,6)
exten => _422XXXX,3,GotoIf($["${AGENTID}" = ""]?end)
exten => _422XXXX,4,GotoIf($[${LEN(${AGENTID})} != 4]?2)
; remember which agent is on this extension so pause/unpause can look it up
exten => _422XXXX,5,Set(DB(qmagent/${CALLERID(num)})=${AGENTID})
exten => _422XXXX,6,Macro(queuelog,${EPOCH},${UNIQUEID},NONE,Agent/${AGENTID},HOTDESK,SIP/${CALLERID(num)})
exten => _422XXXX,7,AddQueueMember(${EXTEN:3:4},SIP/${CALLERID(num)})
exten => _422XXXX,8,SayDigits(${AGENTID})
exten => _422XXXX,9,Playback(agent-loginok)
exten => _422XXXX,10(end),Hangup
; Remove Member - 423
exten => _423XXXX,1,Answer
exten => _423XXXX,2,Set(DEL_AGENT=${DB_DELETE(qmagent/${CALLERID(num)})})
exten => _423XXXX,3,RemoveQueueMember(${EXTEN:3:4},SIP/${CALLERID(num)})
exten => _423XXXX,4,Playback(agent-loggedoff)
exten => _423XXXX,5,Hangup
; extension 32: agent pause with hotdesking (with pause code)
exten => _32XX,1,Answer
exten => _32XX,2,Set(AGENTCODE=${DB(qmagent/${CALLERID(num)})})
exten => _32XX,3,NoOp( "QM: Pausing Agent/${AGENTCODE} at extension SIP/${CALLERID(num)} with pause reason '${EXTEN:2:2}' made by '${QM_LOGIN}' " )
exten => _32XX,4,PauseQueueMember(,SIP/${CALLERID(num)})
; write the PAUSEREASON verb QueueMetrics reads; EXTEN:2:2 is the two-digit pause code
exten => _32XX,5,System( echo "${EPOCH}|${UNIQUEID}|NONE|Agent/${AGENTCODE}|PAUSEREASON|${EXTEN:2:2}" >> /var/log/asterisk/queue_log )
exten => _32XX,6,Playback(dictate/paused)
exten => _32XX,7,Hangup
; extension 33: agent unpause with hotdesking
exten => 33,1,Answer
; AGENTCODE has to be looked up again here; it is not carried over from the pause call
exten => 33,2,Set(AGENTCODE=${DB(qmagent/${CALLERID(num)})})
exten => 33,3,NoOp( "QM: Unpausing Agent/${AGENTCODE} at extension SIP/${CALLERID(num)} made by '${QM_LOGIN}' " )
exten => 33,4,UnpauseQueueMember(,SIP/${CALLERID(num)})
exten => 33,5,Playback(dictate/pause)
exten => 33,6,Playback(removed)
exten => 33,7,Hangup

These need to be added to your extensions_custom.conf file, in a context that is included from the from-internal context.

A change also has to be made to the dialplans in extensions_queuemetrics.conf so that they store and delete the database entry as well.
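To see what the hotdesking analyzer has to work with, here is an added example (not from the post, and not QueueMetrics' own code) that reads a queue_log and reconstructs which agent is logged in at which extension, and whether they are paused, from the HOTDESK and PAUSEREASON lines the dialplan above writes. The function names are hypothetical, and one assumption is labelled in the code: that the REMOVEMEMBER and UNPAUSE lines Asterisk itself writes carry the SIP interface in the agent column.

```shell
#!/bin/sh
# Added example: reconstruct hotdesk state from queue_log.
# Each queue_log line is  epoch|uniqueid|queue|agent|verb|data1|...
# HOTDESK and PAUSEREASON lines match the dialplan above
# (agent column = Agent/NNNN, data1 = SIP/ext or the pause code).
# Assumption: REMOVEMEMBER and UNPAUSE lines written by app_queue carry the
# member interface (SIP/ext) in the agent column. Function names are hypothetical.

# Usage: qm_hotdesk_state /var/log/asterisk/queue_log
# Prints "Agent/<id> SIP/<ext> logged-in" or "Agent/<id> SIP/<ext> paused:<code>"
qm_hotdesk_state() {
  awk -F'|' '
    $5 == "HOTDESK" {
      if (!($4 in seen)) { seen[$4] = 1; order[++n] = $4 }   # first-seen order
      ext[$4] = $6; byext[$6] = $4; state[$4] = "logged-in"
    }
    $5 == "PAUSEREASON" && ($4 in ext) { state[$4] = "paused:" $6 }
    $5 == "UNPAUSE" && ($4 in byext)   { state[byext[$4]] = "logged-in" }
    $5 == "REMOVEMEMBER" && ($4 in byext) {
      a = byext[$4]; delete ext[a]; delete byext[$4]        # agent logged off
    }
    END {
      for (i = 1; i <= n; i++) { a = order[i]; if (a in ext) print a, ext[a], state[a] }
    }
  ' "$1"
}

# Constructed sample log (not real data) so the script runs stand-alone:
# agent 1001 logs in at 201 and pauses with code 05; agent 1002 logs in at 202
# and is then removed from the queue.
qm_demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
1700000000|1700000000.1|NONE|Agent/1001|HOTDESK|SIP/201
1700000010|1700000010.2|NONE|Agent/1002|HOTDESK|SIP/202
1700000020|1700000020.3|NONE|Agent/1001|PAUSEREASON|05
1700000030|NONE|support|SIP/202|REMOVEMEMBER|
EOF
  qm_hotdesk_state "$tmp"
  rm -f "$tmp"
}
```

Pointing `qm_hotdesk_state` at the live queue_log is a quick way to confirm that the System() line in the pause extension is actually appending well-formed records before blaming the default.hotdesking window.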

The system has proved to deliver what was expected and will shortly be expanded to track outbound calls and to add custom wallboards, similar to what we recently produced for another customer.

If you would like to talk about adding QueueMetrics to your Asterisk system, or are looking for a complete phone system and QueueMetrics platform, please contact us.

Categories
Asterisk Support Elastix Support Knowledge Base

Installing the DynDNS update script on CentOS

The following is a simple run-through of installing the DynDNS client (ddclient) for updating the IP address of your hosts.

cd /usr/src

wget http://cdn.dyndns.com/ddclient.tar.gz
tar -xzvf ddclient.tar.gz

cd ddclient-3.7.3/

mkdir /etc/ddclient

mkdir /var/cache/ddclient
cp ddclient /usr/local/sbin

cp sample-etc_ddclient.conf /etc/ddclient/ddclient.conf

cp sample-etc_rc.d_init.d_ddclient /etc/rc.d/init.d/ddclient
chkconfig --add ddclient

cd ..

vi /etc/ddclient/ddclient.conf

Add at the bottom of the file:

#
use=web
login=USERNAME
password=PASSWORD
server=members.dyndns.org
protocol=dyndns2
# add your DNS name here as below
DNSNAME.dyndns.biz
#

Then start the client:

/etc/init.d/ddclient start

You will then need to check on the DynDNS site that your host address has updated.

If you get Perl IO::Socket::SSL errors in the log file, then:

yum install perl-IO-Socket-SSL
Categories
Asterisk Support Blog Elastix Support Knowledge Base Security

Shellshocked by Bash!

Well, anyone in IT, and many people who never have anything to do with the dirty workings of *nix operating systems, including Apple's OS X, can't have missed the news about the latest vulnerability. This is hot on the heels of the OpenSSL one and the NTP one before that.

All these have different levels of risk. The NTP one was just a pain, easily fixed, and could cause little damage. The OpenSSL one, nicknamed Heartbleed, was more of a risk as it allowed attackers to read the memory of systems using certain versions of OpenSSL. Now the Bash one is fairly simple to exploit and has been seen in the wild, whereas Heartbleed wasn't really exploited in the wild.

So how do you test? Simple, just type:

env x='() { :;}; echo vulnerable' bash -c "test"

and if it comes back saying "vulnerable", update bash.

Great, easy you say. Well, half a day was spent checking 40-odd servers and updating bash. But then the update they rolled out wasn't enough, so today I went back round updating again.

It has to be noted that some repositories were running slow, and in the case of one (SCHMOOZE) they hadn't got the latest patch live by midday.

It was pleasing how most suppliers were open and concise on what to check and how to fix. I was rather disappointed with another Asterisk-based PBX distro who, instead of publishing how to check and what to do, told users to download a script and run that. I don't think it's a good idea to hide security measures; if people deploy systems they need to know how to secure them.

I wonder what's next? After spending 2 days on this I'm now looking at setting up a Puppet server. This has cost me a day of my time and I'm meant to be installing a QueueMetrics call centre for a customer...
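Since the post ends with the plan to drive this from a Puppet server, here is the one-line test above wrapped into functions a configuration-management run can call on every host and act on. This is an added example, not from the post; the function names are hypothetical. The second function covers the point made above that the first round of updates wasn't enough: those builds still imported a shell function from any environment variable whose value began with "() {", so a variable named foo could become a command foo, whereas the hardened builds only accept function definitions from specially prefixed variable names.

```shell
#!/bin/sh
# Added example: Shellshock self-checks suitable for a fleet run.
# Function names are hypothetical; the probe strings are the public test strings.

# Check 1: the original bug. A vulnerable bash keeps parsing past the function
# body and runs "echo vulnerable" while importing x from the environment.
# Prints: vulnerable | patched | no-bash
shellshock_status() {
  command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
  out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null || true)
  case "$out" in
    *vulnerable*) echo vulnerable ;;
    *)            echo patched ;;
  esac
}

# Check 2: does bash still import a function from a plainly named variable?
# Fully hardened builds answer "bash: foo: command not found" (nothing on stdout).
# Prints: still-imports | hardened | no-bash
shellshock_import_status() {
  command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
  out=$(foo='() { echo imported; }' bash -c foo 2>/dev/null || true)
  case "$out" in
    *imported*) echo still-imports ;;
    *)          echo hardened ;;
  esac
}

# Combined verdict for a report line: "<hostname> <check1> <check2>"
shellshock_report() {
  printf '%s %s %s\n' "$(hostname)" "$(shellshock_status)" "$(shellshock_import_status)"
}
```

Anything other than "patched hardened" in the report line is a host that still needs a bash update; the two checks are separate because the first round of vendor packages fixed only the first.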

Categories
Knowledge Base

Getting "bad ELF interpreter" with Nagios

When using some Nagios plugins to check server load and disk space on 64-bit systems, you may get back:

/lib/ld-linux.so.2: bad ELF interpreter: No such file or directory

This means that you don't have the required 32-bit libraries. To install them on CentOS:

yum install glibc.i686

The solution above works on CentOS, Fedora or Red Hat 64-bit operating systems; on a Debian- or Ubuntu-derived system use:

sudo apt-get install ia32-libs
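The error above is the kernel failing to find the 32-bit loader, so it only appears at run time. As an added example (not from the post), the functions below read the ELF header of a plugin instead of running it and report whether it is a 32-bit binary that will need the packages above; function names are hypothetical, and the plugin directory passed to list_32bit_elf is whatever your distribution uses.

```shell
#!/bin/sh
# Added example: spot 32-bit ELF plugins before deploying them on a 64-bit host.
# Function names are hypothetical.

# Usage: elf_class <file>   -> prints "32", "64" or "not-elf"
elf_class() {
  # bytes 0-3 are the ELF magic 7f 45 4c 46 ("\177ELF"), byte 4 is EI_CLASS
  magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
  [ "$magic" = "7f454c46" ] || { echo not-elf; return; }
  class=$(od -An -tx1 -j4 -N1 "$1" | tr -d ' \n')
  case "$class" in
    01) echo 32 ;;      # ELFCLASS32: wants /lib/ld-linux.so.2
    02) echo 64 ;;      # ELFCLASS64
    *)  echo not-elf ;;
  esac
}

# Usage: list_32bit_elf <plugin dir>   -> one path per 32-bit ELF file found
# Scripts (perl, sh) are reported as not-elf by elf_class and skipped here.
list_32bit_elf() {
  for f in "$1"/*; do
    [ -f "$f" ] && [ "$(elf_class "$f")" = 32 ] && echo "$f"
  done
  return 0
}
```

Run `list_32bit_elf /usr/lib64/nagios/plugins` (or wherever your plugins live); an empty result means the "bad ELF interpreter" message is coming from somewhere else, such as a helper the plugin execs.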
Categories
Asterisk Support Elastix Support FreePBX Knowledge Base

Using Gmail to send Voicemail emails

We have seen more and more ISPs blocking port 25. This means that sending emails natively from FreePBX or any Asterisk-based IPBX, for things such as voicemail notification, can time out or be rejected.

To get round this you can send your email notifications via Gmail.

Firstly you need a Gmail account; once you have this, jot down the username and password, as you will need them later.

You now need to connect to your server via SSH, as you have a couple of files to edit.

First enter the account details in sasl_passwd:

vi /etc/postfix/sasl_passwd

and add:

smtp.gmail.com:587 yourmailaddress@gmail.com:password

Save it, then edit main.cf:

vi /etc/postfix/main.cf

Then add at the end:

masquerade_domains = yourdomain.com
# The server's hostname below
myhostname = Asterisk.yourdomain.com
mydomain = Asterisk.yourdomain.com
# The email address it's being sent from below
myorigin = voicemail@yourdomain.com

relayhost = smtp.gmail.com:587
mynetworks = 127.0.0.0/8
inet_interfaces = loopback-only
smtp_use_tls = yes
smtp_always_send_ehlo = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
# only keep this line if /etc/postfix/generic exists and has been run through postmap
smtp_generic_maps = hash:/etc/postfix/generic
# "secure" both enforces encryption and verifies the certificate against the relayhost name
smtp_tls_security_level = secure
smtp_tls_mandatory_protocols = TLSv1
smtp_tls_mandatory_ciphers = high
smtp_tls_secure_cert_match = nexthop
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

Then enter the following commands at the command line:

postmap hash:/etc/postfix/sasl_passwd
/etc/init.d/postfix restart
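Two things are easy to get wrong with the fragment above and neither produces an obvious error: Postfix lets the last of two identical parameters win, so a parameter pasted twice (for example smtp_tls_security_level with two different values) silently takes the later value, and sasl_passwd holds the Gmail password in clear text, so it and the .db file postmap writes must not be readable by other users. The added example below (not from the post, not Postfix's own tooling) checks both; function names are hypothetical and stat -c is GNU syntax.

```shell
#!/bin/sh
# Added example: lint a main.cf for duplicate parameters and check that the
# SASL password files are private. Function names are hypothetical.

# Usage: postfix_dup_keys <main.cf>
# Prints each parameter name that is set more than once (first repeat only).
postfix_dup_keys() {
  awk '
    /^[[:space:]]*(#|$)/ { next }      # skip comments and blank lines
    /^[[:space:]]/        { next }      # indented lines continue the previous parameter
    {
      key = $1; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
      if (++count[key] == 2) print key
    }
  ' "$1"
}

# Usage: sasl_passwd_mode_ok <file>   -> 0 if mode is 600 or 400, 1 otherwise
sasl_passwd_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# Usage: postfix_check [main.cf] [sasl_passwd]   -> 0 when everything passes
postfix_check() {
  cf="${1:-/etc/postfix/main.cf}"
  pw="${2:-/etc/postfix/sasl_passwd}"
  rc=0
  dups=$(postfix_dup_keys "$cf")
  if [ -n "$dups" ]; then
    printf 'duplicate parameters in %s:\n%s\n' "$cf" "$dups"; rc=1
  fi
  for f in "$pw" "$pw.db"; do
    [ -e "$f" ] || continue
    sasl_passwd_mode_ok "$f" || { echo "$f is readable by others; chmod 600 it"; rc=1; }
  done
  return $rc
}
```

Run `postfix_check` after editing; `postfix_dup_keys` on its own is also handy for spotting parameters that a distribution's default main.cf already set further up the file.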

Finally you need to make a change to your Gmail account. If it is a G Suite account, enable "Allow users to manage their access to less secure apps", which is in the security section of the Gmail domain account settings; then make sure "Less secure app access" is set to yes in the account's security section. If you don't do this you will see:

535-5.7.8 Username and Password not accepted. Learn more at
535 5.7.8  https://support.google.com/mail/?p=BadCredentials

or

530-5.7.0 Authentication Required. Learn more at
530 5.7.0  https://support.google.com/mail/?p=WantAuthError

You will most likely see the 535 error if "Less secure app access" is not enabled.

You should now be able to send email via the Gmail account.

It's worth making a couple of changes to the Gmail account: firstly set an out-of-office reply saying it's only a sending mailbox, and secondly a filter to delete messages arriving in the inbox.

Categories
Knowledge Base Security

Remote ssh tunnel script

We have various customers whose firewalls only allow known trusted IP addresses through, normally our office and our monitoring platform, for example.

But if we are out and about we still sometimes need to access a system and its GUI, so we have created the simple script below that makes an SSH connection to the customer server and also tunnels through to any web GUI.

This script is in place on the monitoring server, so we can just SSH in to the monitoring platform and run the script. All that is needed is a single tunnel set up on the SSH client that I'm accessing the monitoring platform from.

#!/bin/bash
# ssh tunnel tool. 2013 cyber-cottage.co.uk
# usage: remotetunnel.sh <remote server> [remote ssh port] [remote system port]
echo "ssh tunnel tool. 2013 cyber-cottage.co.uk"
if [ -z "$1" ]; then
  echo "You have no remote destination set"
  echo "usage: remotetunnel.sh <remote server> <remote ssh port> <remote system port>"
  echo "For example remotetunnel.sh 81.22.23.24 8022 80"
  exit 1
fi
echo "Setting up a tunnel to $1"
whois "$1" | grep -i netname
if [ -z "$2" ]; then
  echo "You have no remote ssh port set, setting ssh to port 22"
fi
port="${2:-22}"
if [ -z "$3" ]; then
  echo "You have no remote system port set, setting remote to port 80"
fi
rport="${3:-80}"
echo "Remote system IP is $1"
echo "Remote ssh port is $port"
echo "Remote system port is $rport"
read -p "Is this correct? (y/n) " RESP
if [ "$RESP" = "y" ]; then
  echo "Glad to hear it"
else
  exit 1
fi
# Local port 9999 on this host is forwarded, over the ssh session, to the remote system's web port
ssh -L 9999:localhost:"$rport" -p "$port" "$1"
Categories
Asterisk Support Elastix Support Knowledge Base Technical

IAX2 peers going unreachable

In the past we have found that IAX2 peers have been reliable and solid.

But lately, with the advent of bonded ADSL lines and other forms of aggregated lines, we have seen issues where the IAX2 trunk will go down and a simple reload of Asterisk, or even a restart, doesn't fix it.

Taken from voip-info:

A report of the problem by another user:

This is something I've run into myself and my VOIP IAX2 provider has this issue with many clients running Asterisk on TrixBox or other custom made systems behind a NAT (Linux) router.

If our PPPoE goes down, we have to reboot our Asterisk server to get our IAX2 trunk to re-register otherwise, it will try and just keep timing out. I have the 4569 forwarded internal (Pierre Belanger adds: in many cases, the 4569 port forwarding useless unless your Asterisk server provides service to IAX2 phones from the Internet, i.e. not on your local LAN).

I have a dirty script that avoids having to reboot the TrixBox and restore our service within 2 minutes of a blip automatically, and logs the ‘blips’ so i can see how ‘reliable’ our service is.

We have taken the original script posted and made some changes; notably it checks a defined peer name, as we have seen that the problem doesn't always affect all peers on a system.

======Code follows ======

#!/bin/sh
# Record the status of the IAX2 trunk and restart chan_iax2 if the peer is not OK
cd /root/ || exit 1   # the script and its log live in /root
# Set the peer name to monitor here
# ******
peername="YOURIAX2PEERNAME"
# ******
LOG=slap.log

# Log the peer's line from "iax2 show peers"; return 0 if it reports OK
peer_ok() {
  line=$(/usr/sbin/asterisk -rx 'iax2 show peers' | grep -i "$peername")
  echo "$line" >> "$LOG"
  echo "$line" | grep -q "OK"
}

# Unload and reload chan_iax2. A delay between the two is required for some reason.
restart_iax2() {
  echo "We have a problem with $peername, restarting it" >> "$LOG"
  /usr/sbin/asterisk -rx 'module unload chan_iax2.so' >> "$LOG"
  sleep "$1"
  /usr/sbin/asterisk -rx 'module load chan_iax2.so' > /dev/null
  echo "Restarted it, now let's check status" >> "$LOG"
  sleep 5
}

date >> "$LOG"
echo "Testing $peername peer" >> "$LOG"
if peer_ok; then
  echo "All OK Here" >> "$LOG"
  exit 0   # we are online, all is well
fi
# If we're this far down, we've lost IAX. Restart once with a 90 second delay...
restart_iax2 90
if peer_ok; then
  echo "All OK Here" >> "$LOG"
  exit 0
fi
# ...and once more with a longer delay, then record the final status
restart_iax2 120
peer_ok

======Code ends======

This seems to do the trick, and it's cronned to run every night, or every hour in some cases.

UPDATE

On testing and speaking to suppliers, we would advise adding the following settings to your IAX2 peers:

qualifysmoothing=yes
qualifyfreqnotok=30000
qualifyfreqok=120000
qualify=yes

With this added we have not seen any unexpected unreachables.
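One weakness of the restart script above is that it greps the whole peer line for "OK", so a peer or host name that happens to contain those two letters (a peer called BROOKLYN, say) always looks healthy. The added example below (not from the post) pulls the status word out of the "iax2 show peers" output instead; function names are hypothetical, and the column layout it assumes (Name/Username, Host, Mask, Port, then a status of OK, UNREACHABLE, LAGGED, UNKNOWN or Unmonitored) is the one Asterisk prints for that command.

```shell
#!/bin/sh
# Added example: read the status column of "iax2 show peers" for one peer.
# Function names are hypothetical.

# Usage: iax2_peer_status <peername> < output-of-"iax2 show peers"
# Prints the status word (OK, UNREACHABLE, LAGGED, UNKNOWN, Unmonitored) or nothing.
iax2_peer_status() {
  awk -v peer="$1" '
    # first column is Name/Username; match the name exactly, not as a substring
    $1 == peer || substr($1, 1, length(peer) + 1) == peer "/" {
      for (i = 2; i <= NF; i++)
        if ($i ~ /^(OK|UNREACHABLE|LAGGED|UNKNOWN|Unmonitored)$/) { print $i; exit }
    }
  '
}

# Usage: iax2_peer_is_ok <peername>   -> 0 only when the live status is OK
iax2_peer_is_ok() {
  [ "$(/usr/sbin/asterisk -rx 'iax2 show peers' | iax2_peer_status "$1")" = "OK" ]
}

# Constructed sample output (not captured from a real system) for a stand-alone run.
iax2_sample_output() {
  cat <<'EOF'
Name/Username    Host                 Mask             Port          Status      Description
BROOKLYN/user    1.2.3.4         (S)  255.255.255.255  4569     (T)  UNREACHABLE
trunk2/user      (Unspecified)   (D)  255.255.255.255  0        (T)  Unmonitored
trunk3/user      10.0.0.9        (S)  255.255.255.255  4569          OK (21 ms)
EOF
}
```

Replacing the `grep -q "OK"` in peer_ok with `iax2_peer_status "$peername" | grep -qx OK` keeps the rest of the restart script unchanged while removing the false positive; in the sample, a plain grep for OK would report BROOKLYN as healthy even though its status is UNREACHABLE.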
Categories
Cards

Digium Cards


Not only was Digium the first vendor of telephony interface cards built specifically for Asterisk, but it has always been the market leader, with over 50% of the world’s board business.

Analogue Cards

Digium analogue telephony cards are high-performance, highly reliable and cost-effective interfaces for POTS lines to your Asterisk solution. Multiple applications can be created to satisfy the business needs of any organization when using Digium analogue cards in concert with Asterisk software, the Linux® operating system and standard PC/server platforms.

Digital Cards

Digium’s super-reliable digital line cards connect Asterisk-based communication systems to T1, E1, J1 and ISDN-BRI interfaces.

Hybrid Cards

The Digium Hx8 Series are high-performance, cost-effective hybrid analogue and BRI telephony interface cards providing the capability to seamlessly integrate mixed-mode environments in a single device. Use the telephony card selector to identify the card that fits your requirements.

  • RoHS compliant
  • Manufactured in an ISO 9001:2001 certified facility in the United States
  • Maintain an MTBF greater than one (1) million hours
  • 5-year hardware warranty

For configuration and pricing please email or call us. We always want to speak to customers buying cards to make sure that the card will be compatible with their server hardware.

Categories
Elastix Support Knowledge Base

Setting up timed call flow in Elastix

If you want to set up timed call flow in Elastix but still have the ability to override it for holidays and when the office is open late, you have a few extra steps to add.

We will assume you have your queues and extensions set up for this video. If you haven't set your extensions up, see our other video on setting up extensions.

We have used two day/night modes: one before the call enters the time condition, which means you can override day service for holidays etc., and another at the end, which means the call can be forced to go to a night queue instead of voicemail.

I hope you found this useful and keep coming back for more.