28th February 2010, 11:52 pm
There is an interesting discussion on the PBX-in-a-Flash forums here regarding an Asterisk security announcement.
If you write custom Asterisk contexts outside of FreePBX then you should read through how to do this securely. You should not be using wildcard pattern matching, as this could be used to create channels in a manner you did not intend.
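As an added illustration of the wildcard pattern point (this fragment is not from the original post or the linked advisory, though it follows the approach recommended in README-SERIOUSLY.bestpractices.txt), here is a weak custom context beside a hardened one; the context names, the trunk name mytrunk and the variable SAFE_NUM are assumed, and on FreePBX such custom contexts would live in extensions_custom.conf:

```ini
; --- Weak: a catch-all pattern hands the dialled string straight to Dial() ---
; Anything a caller can place in the dialled string reaches Dial() unchanged,
; so characters that Dial() treats specially are not stripped out.
[from-internal-weak]
exten => _X.,1,Dial(SIP/${EXTEN}@mytrunk)   ; mytrunk is an assumed trunk name

; --- Hardened: a narrow pattern plus FILTER() so only digits reach Dial() ---
; Match only the number lengths you actually expect (here an 11-digit number
; starting with 0, as an assumed example) rather than "anything at all".
[from-internal-hardened]
exten => _0XXXXXXXXXX,1,NoOp(Outbound call from ${CALLERID(num)} to ${EXTEN})
exten => _0XXXXXXXXXX,n,Set(SAFE_NUM=${FILTER(0-9,${EXTEN})})   ; keep digits only
exten => _0XXXXXXXXXX,n,Dial(SIP/${SAFE_NUM}@mytrunk,60)         ; 60 second ring timeout
exten => _0XXXXXXXXXX,n,Hangup()
```

Reload the dialplan with `dialplan reload` from the Asterisk CLI and check the result with `dialplan show from-internal-hardened` before routing live calls through it.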
Also raised is the potential for an Asterisk/FreePBX system to be compromised via the Asterisk Recording Interface (ARI). This is the web interface that allows you to view and manage voicemails. If you do not use this feature of FreePBX it is strongly recommended that you remove access to it. This can be done simply by running the following command as root on systems with a standard configuration -
chmod 000 /var/www/html/recordings
This will prevent the ARI from being accessible via a browser.
If you would like more information regarding Asterisk dialplan security please see the following resources -
http://www.asterisk.org/node/49906
http://downloads.asterisk.org/pub/security/AST-2010-002.html
http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt
http://www.freepbx.org/forum/freepbx/users/dial-plan-injection-vulnerability
Also, always use complex and difficult-to-guess passwords in all areas when setting up Asterisk/FreePBX.
If you have a sysadminman VPS and would like the ARI interface disabled please raise a ticket via the helpdesk.
As always thanks to Ward Mundy and Joe Roper who make a great contribution to the Asterisk community.
14th February 2010, 11:56 am
A few times recently I’ve wanted to be able to turn an e-mail into a voice call. This would be especially handy for emergency server monitoring and notification.
Here is my first attempt. It’s also my first attempt at writing something in Python, so you should definitely use it at your own risk!
There is room for improvement as there is no validation on any of the fields extracted from the e-mail.
It also assumes that these components are already in place -
24th January 2010, 09:53 am
On 15/1/2010 a security advisory was released for FreePBX version 2.5.1 (and potentially earlier versions) concerning a SQL injection vulnerability. If you are running this version then I would suggest upgrading to version 2.5.2. You can find more details of the vulnerability here.
You can upgrade through the FreePBX GUI by using the module admin menu. Here are the steps -
* While FreePBX 2.6 is available, please make sure you’re aware of any implications before updating to that version.
1 – Select the ‘Module Admin’ menu
2 – Click ‘Upgrade All’
3 – Click ‘Process’
4 – Click ‘Confirm’
5 – Click ‘Return’
6 – Click ‘Apply Changes’

14th January 2010, 08:03 pm
Elastix includes an Instant Messenger server called OpenFire. While not enabled by default, it is very easy to enable.
What’s not so obvious is how to disable OpenFire if, once you’ve had a look at it, you decide you don’t want or need to run it. You might want to do this because OpenFire runs on Java, which can be quite memory hungry, and it also opens another point of attack on your server.
The easiest way to disable it is via the command prompt by running -
service openfire stop
chkconfig openfire off
This will also stop it from starting automatically when the server is rebooted.
10th January 2010, 11:35 am
I recently looked at an A2Billing 1.34 install that was slow to browse the rates through the GUI. There were over 800,000 rates, which was causing the slowdown. While it is probably not a good idea to have so many rates, it is possible to speed up this screen by creating an index in MySQL.
To do that -
Log in to MySQL -
(you should be able to get the username/password you need from the top of the /etc/asterisk/a2billing.conf file)
mysql -u a2billing-user -p mya2billing
Create an index on the destination field in the cc_ratecard table -
create index ind_cc_ratecard_destination using btree on cc_ratecard(destination);
To find out why queries are taking so long in MySQL you can turn on the slow-query log in MySQL.
See here for more info – http://dev.mysql.com/doc/refman/5.1/en/slow-query-log.html
16th December 2009, 08:27 pm
The Sysadminman Elastix VPS template has been updated to version 1.6
See here for more details – http://sysadminman.net/distro-elastix.html
13th December 2009, 12:18 pm
I was about to write a blog post about setting up Skype for Asterisk on Elastix but after searching round on the web I found this great blog post by ‘Bob’ on the Elastix website.
It gives a good walkthrough and screenshots for getting Skype for Asterisk from Digium up and running.
If you do want to install this on your Sysadminman Elastix VPS just open a support ticket first asking for an ‘eth0’ device to be set up, as you’ll need this for the Digium registration process.
11th December 2009, 10:37 pm
I had an unusual problem recently with certain calls going to the PSTN via a SIP provider. The call would connect but with no audio at either end.
I’ve seen this lots of times before and it is often caused by NAT or a firewall blocking the audio stream, but that wasn’t the cause this time.
The problem was caused by my trunk only being set up to allow the ulaw codec (allow=ulaw on the trunk). What I think was happening was that my provider was accepting, and connecting, the call but then, when it tried to hand the call off to its upstream provider, which only accepted alaw, it would fail.
So if you’re having problems with connected calls but no audio it might be worth enabling all of the codecs on the trunk to rule out any codec mismatch issues.
If that doesn’t help, look at NAT or firewalling.
25th October 2009, 01:59 pm
The version of A2Billing has been updated to the latest release on the Sysadminman VPS template.
This template now includes -
- Asterisk v1.6
- FreePBX v2.5
- A2Billing v1.4.2.1
More details can be found here – http://sysadminman.net/uk-voip-vps.html
19th October 2009, 07:22 pm
The home of Asterisk has had a nice makeover. With well over 1 million downloads already this year, it is definitely a major player in the VoIP space.
Check it out here – www.asterisk.org