SYSADMINMAN

WARNING: be very careful when editing IPTables firewall rules. It is relatively easy to completely disable access to your machine.

All Sysadminman VPSs come with IPTables enabled. However to allow for VOIP traffic both SIP and IAX ports are opened.

If you know that your VOIP providers and all extensions are on fixed IP addresses then it is possible to limit connections to just those addresses.

Continue reading ‘Limiting SIP/IAX connections to Asterisk with IPTables’ »

A sysadminman template VPS comes already setup to use SSL (https) for web connections to a2billing and FreePBX. However, this is using a locally signed ssl certificate so you will receive a certificate warning when accessing your VPS. This is no less secure but can create a poor impression depending who will be accessing the site.

It’s relatively straight forward and inexpensive to get yourself a valid, externally signed, certificate.

The sysadminman template uses lighttpd as the web server so you need to follow these instructions -

Log in to your VPS as root:

Continue reading ‘Namecheap SSL certificate for Sysadminman VPS’ »

There is an interesting discussion on the PBX-in-a-Flash forums here regarding an Asterisk security announcement.

If you write custom Asterisk contexts outside of FreePBX then you should read through how to do this securely. You should not be using wildcard pattern matching as this could be used to create channels in a manner not intended.

Also raised is the potential of a Asterisk/FreePBX system being compromised via the Asterisk Recording Interface (ARI). This is the web interface that allows you to view and manage voicemails. If you do not use this feature of FreePBX it is strongly recommended that you remove access to it. This can be done simply by running the following command as root on systems with standard configuration -

This will prevent the ARI being accessible via a browser.

If you would like more information regarding Asterisk diaplan security please see the following resources -

http://www.asterisk.org/node/49906
http://downloads.asterisk.org/pub/security/AST-2010-002.html
http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt
http://www.freepbx.org/forum/freepbx/users/dial-plan-injection-vulnerability

Also, always use complex and difficult-to-guess passwords in all areas when setting up Asterisk/FreePBX

If you have a sysadminman VPS and would like the ARI interface disabling please raise a ticket via the helpdesk.

As always thanks to Ward Mundy and Joe Roper who make a great contribution to the Asterisk community.

A few times recently I’ve wanted to be able to turn an e-mail into a voice call. This would be especially handy for emergency server monitoring and notification.

Here is my first attempt. It’s also my first attempt at writing something in Python so you definitely use at your own risk!

There is room for improvement as there is no validation on any of the fields extracted from the e-mail.

It also assumes that these components are already in place -

• Asterisk (with Astersk Manager Interface)
• E-mail server (I’m using Postfix)
• Ceptral text-to-speech (www.cepstral.com) – installed in /opt/swift/bin
• Python (I’m using v2.4.3)

Continue reading ‘E-mail to voice call – with Asterisk, Postfix and Cepstral’ »

I recently looked at an A2Billing 1.34 install that was slow to browse the rates through the GUI. There were over 800,000 rates which was causing the slowdown. While probably not a good idea to have so many rates, it is possible to speed up this screen by creating an index in MySQL.

To do that -

Log in to MySQL -

(you should be able to get the username/password you need from the top of the /etc/asterisk/a2billing.conf file)

Create an index on the destination field in the cc_ratecard table -

To find out why queries are taking so long in MySQL you can turn on the slow-query log in MySQL.

See here for more info – http://dev.mysql.com/doc/refman/5.1/en/slow-query-log.html

If you’ve installed Asterisk and FreePBX, or you’re using one of the preconfigured distributions such as Trixbox or Elastix, a good idea is to have the linux firewall, iptables, running on your system. Here’s an example of how you could set this up.

First thing to note is that it’s pretty easy to lock your self out of your server when playing around with iptables! It’s best to take a couple of simple precautions in case this happens.

These instructions should apply to CentOS/Redhat/Fedora.

Continue reading ‘iptables for Asterisk and FreePBX’ »

It’s definitely a good idea to change the default passwords you get with your Sysadminman hosted Asterisk server.

Here’s how to do it if you’re using Trixbox 2.6.

Changing the passwords should be pretty much the same as it would be on a regular Trixbox server.

First you need to SSH (a secure command line connection) to the server. If you use Windows on your desktop a good program for making SSH connections is Putty. It’s free and you can find it here – http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

For changing the server root password -

Use Putty, or another SSH client, to log into the server as the user root

Run the passwd command -

For changing the Trixbox ‘maint’ password -

Use Putty, or another SSH client, to log into the server as the user root

Run the passwd-maint command -

For changing the Voicemail ‘admin’ password -

Use Putty, or another SSH client, to log into the server as the user root

(Unfortunately there is no command for changing this password and you need to manually edit a file)

Now find the line that contains (line 73) -

and change $ARI_ADMIN_PASSWORD to equal your required password. Now save the file.

For changing the WebMeetMe passwords -

WebMeetMe passwords can be changed through the WebMeetMe interface

I spent a little while playing with sipvicious today. This is a SIP scanner that can be used for scanning SIP servers – which obviousy includes Asterisk, Trixbox, Elastix, etc…

It’s not surpising that scanning for vulnerable SIP servers is on the increase – these sort of tools are really easy to use, and with the lure of making free phone calls at your expense it’s definitnely worth making sure that your PBX is secure.

Here’s what I did to scan one of my servers. The server is a Trixbox CE 2.6 server and I set up the following extensions for testing -

Continue reading ‘Hacking and securing your Asterisk server’ »

If you’re looking for a softphone to use with Asterisk X-Lite is great.  It works on both Windows and Linux, although the configuration screens are a little different on the different versions.

All you should need to get it working with Asterisk are the following settings  (screenshot from the Windows version) -

Continue reading ‘SIP soft phone – using X-Lite with Asterisk’ »

I’ve been testing AsteriskNow running on a VPS today but from what I can see it doesn’t offer anything more than the current distributions I offer (Elastix, Trixbox and PBX in a Flash). If you have a preference for AsteriskNow over any other distribution please let me know why!