SysAdminMan Blog » Linux and Unix

Whitelist in fail2ban and denyhosts

matt — Fri, 04 May 2012 10:29:07 +0000

All SysAdminMan servers come with fail2ban and denyhosts installed. These are two software packages that do similar things so can be confusing.
Here are the differences -

fail2ban
monitors Asterisk logs for failed ‘Register’ attempts and blocks the IP using IPTables. This means if you get yourself blocked it will appear as though the server has gone down

denyhosts
monitors /var/log/secure for failed SSH attempts and just blocks the IP for SSH access. You will get connection refused just for SSH if you get yourself blocked

It’s possible to whitelist your own IPs so that they don’t get accidentally blocked by following the instructions below.

You should replace 123.123.123.123 with your own IP -

export ignoreip="123.123.123.123"

sed -i "s/ignoreip = /ignoreip = $ignoreip /" /etc/fail2ban/jail.conf
service fail2ban restart

echo "sshd: $ignoreip" >> /etc/hosts.allow
service denyhosts restart

Asterisk virtualization – OpenVZ or VMWare?

matt — Mon, 10 Oct 2011 14:29:46 +0000

I recently read a post/advert claiming that VMWare was a ‘much better’ platform for hosting Asterisk than any other virtualization platform, such as OpenVZ, Xen, KVM … So I thought I’d write a little about the architecture running the SysAdminMan VPSs and why it was chosen.

There are a few different names given to a virtualized server – Virtual Private Server (VPS), Virtual Dedicated Server (VDS), VM (Virtual Machine) but they all refer to the same overall goal – take a dedicated server and partition it in to several virtual servers that share the underlying hardware.

Now, don’t get me wrong, I really like VMWare ESX. In fact I spent many years as a VMWare admin running mission critical ESX clusters that needed to be available 24/7. These hosted corporate web systems that processed many £100k’s of transactions per year. So does that make it the perfect platform for offering Asterisk hosting? Not necessarily.

VMWare and KVM both provide ‘full virtualization’ which is a layer in between the hardware and VPS that emulates the hardware and provides the virtual machine access to it. This means the operating system on the VPS does not need to be aware that it is running inside a VPS. It runs as normal, with VMWare/KVM translating the requests to the underlying hardware. Xen can now also do this running in HVM mode.

While this provides good segregation between the Virtual Servers it does add a layer between the VPS and underlying hardware that can cause timing issues, which are so critical to VOIP/Asterisk. This is not always the case, but a possibility.

OpenVZ is different. This provides operating system-level virtualization where the underlying hardware runs a kernel that is shared by all of the virtual machines. On SysAdminMan VPSs this is CentOS. This provides more direct access to the underlying hardware which, in my experience, makes it an ideal platform for hosting Asterisk.

Where OpenVZ gets a bad name is that it’s very easy to provision many more VPSs on a physical server than that server can really handle. This means lots of virtual machines all trying to use the CPU, ram, network etc on the underlying server, resulting in bottlenecks. This might not be a problem on a webserver. If a web server takes half a second longer to display a web page because the server is overloaded then maybe nobody will notice. However, if your VOIP packets are delayed for half a second then you will definitely notice!

SysAdminMan only has around 10 virtual servers per physical server, often less depending on the resource allocations to the VPSs on that server. This results in a lot less contention for the underlying hardware than with some providers (especially general VPS providers) that might have 20, 30, 40 servers running on the same hardware.

Probably the most crucial fact about running Asterisk on a VPS though is who you are sharing the underlying hardware with, and how well the server is managed. Even if there are only a few other virtual servers on that server and they are allowed to abuse the resources available then you will likely get a bad VOIP experience. This can definitely be the case where Asterisk is installed on a general purpose VPS.

All SysAdminMan VPSs are specifically designed to be running Asterisk. The underlying hardware is closely monitored and you can be sure that you are not sharing the hardware with customers running highly demanding Java application servers or game servers etc. It can be very difficult for VPS customers to troubleshoot VOIP quality issues on their server as they have no visibility to the underlying hardware. You have to trust that your VPS provider is not allowing the underlying server to be overloaded.

The Asterisk hosting market is definitely getting more competitive but I’m confident that the service and products offered by SysAdminMan represent excellent value for money and a stable and well managed platform to host your VOIP server. SysAdminMan has been successfully hosting Asterisk servers since early 2009.

Check your DNS configuration – intoDNS

matt — Thu, 14 Jul 2011 20:15:20 +0000

DNS can be a tricky thing! One of the main problems with troubleshooting your DNS set up is that DNS is a distributed system, there are thousands of DNS servers around the world, and changes to DNS records take time to propagate to all of these servers.

A really useful tool for checking your DNS config is intoDNS. You just type in your domain name and it will run some tests and highlight any potential issues it finds. It uses the authoritative DNS servers to try and rule out any confusion caused by DNS propagation times.

Check it out here – intoDNS

Restricting web interface access with iptables

matt — Mon, 18 Apr 2011 08:44:26 +0000

By default all SysAdminMan VPSs come with port 443 open to allow https access to the web GUI. A really good security tip, where possible, is to restrict this to only IP addresses that need access.

First, whenever making changes to iptables I always temporarily disable them from running at startup. This way if you make an error and lock yourself out the server just needs a restart. You must remember to re-enable at the end!

Disable iptables at startup and copy the existing configuration -

chkconfig iptables off

cp /etc/sysconfig/iptables /etc/sysconfig/iptables.orig

Next list the current inbound rules with their line numbers -

iptables -L INPUT -n --line-numbers

num target     prot opt source               destination
...
7    ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0           tcp dpt:4445
8    ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW
9    ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0           tcp dpt:443 state NEW
10   ACCEPT     tcp -- 0.0.0.0/0            0.0.0.0/0           tcp dpt:5060
...

So https access (port 443) is allowed in rule 9. Now we are going to delete this rule -

iptables -D INPUT 9

Now we add in the new rule to allow access to port 443 from a particular IP address. You will want to change the IP address below (123.123.123.123) to be your IP address. You may also want to change the Ethernet interface (venet0) if you are not using a SysAdminMan VPS -

iptables -I INPUT 1 -i venet0 -p tcp -m tcp -s 123.123.123.123 --dport 443 -j ACCEPT

Now check that the rule is working correctly. If it is we can save the current rules and enable them at startup again -

service iptables save
chkconfig iptables on

KVM virtualization – text only CentOS guest install

matt — Tue, 05 Apr 2011 20:58:30 +0000

It took me a little while today to figure out how to do a text only install of a CentOS guest on KVM. Previously I had started the install using virt-install and then connected to the VNC console over SSH. This is a bit of a hassle though when all you want is a quick, text based install.

So here’s how.

Firstly all of my VMs live on LVM so create a virtual disk to hold the VM. I’m creating a 20G ‘partition’ in a volume group called kvm-storage. The logical volume is called host.demo.com.

lvcreate -L20G -n host.demo.com kvm-storage

Now download the CentOS install ISO. Either CD1 or the netinstall ISO should be fine -

wget http://mirrors.manchester.icecolo.com/centos/5.5/isos/x86_64/CentOS-5.5-x86_64-bin-1of8.iso

Now we mount the ISO -

mkdir /mnt/centos55

mount -o loop CentOS-5.5-x86_64-bin-1of8.iso /mnt/centos55/

Now we run the virt-install command. I suggest putting this command in a file and running it from there to make editing easier!

virt-install \
-n host.demo.com \
-r 512 \
--vcpus=1 \
--os-variant=rhel5.4 \
--accelerate \
--nographics \
-v \
-l /mnt/centos55/ \
-w bridge:br1 \
--disk path=/dev/kvm-storage/host.demo.com \
-x "console=ttyS0"

Here are the parts of the command above that allow for a text based install -

–nographics – tells KVM not to allocate a graphics console to the VM

-v – means we’re doing full virtualization

-l – sets the boot location to be the ISO we mounted earlier

–disk – sets the install destination disk to be the disk we created earlier

-x “console=ttyS0″ – sets a kernel boot parameter telling CentOS to use ttyS0 as the console

Once this is done you should see the text based installation screens. This worked pretty well in putty, you are able to tell what menu options you are selecting. You won’t be able to use the mounted ISO for the actual installation media so I did a HTTP install, selecting one of the CentOS mirrors to do the install from (like – http://mirrors.manchester.icecolo.com/centos/5.5/os/x86_64/)

Once the install is complete and the VM rebooted you can access the console again by running -

virsh
list --all
console VM-ID

Blocking Asterisk hacking/scanning attempts with fail2ban

matt — Thu, 07 Oct 2010 12:15:53 +0000

Warning – if you follow these instructions fail2ban will, by default, be protecting you against other scans such as ssh attempts. This means though that if you get your IP blocked you will not be able to connect to your server from that IP. Ensure that you whitelist your IP by following the instructions at the end of the post.

Over the past few weeks we have seen a big jump in the scanning of VOIP servers. All of these scans are brute force scanning attempts that first scan for valid extension numbers and then to brute force guess the extension password by repeatedly trying different passwords.

Unfortunately Asterisk doesn’t have anything built-in to prevent these types of scans but it is very good at logging these attempts in the Asterisk logs. This means we can use a free utility called fail2ban and the linux iptables firewall to block IP addresses that make repeated failed login attempts.

Fail2ban is already included in PBX-in-a-Flash but we can also use it with other Asterisk distributions.

Most of the information in this post was taken from here, so please visit for more information.

Here is a quick guide for getting fail2ban blocking Asterisk brute force scanning on a 32 bit CentOS server. You must have iptables installed already.

First we are going to install the rpmforge repository and use the fail2ban package from there -

rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
sed -i 's/enabled = 0/enabled = 1/' /etc/yum.repos.d/rpmforge.repo

yum install -y fail2ban jwhois

Now disable the rpmforge repo do that it doesn’t interfere with any of the CentOS/Asterisk packages -

sed -i 's/enabled = 1/enabled = 0/' /etc/yum.repos.d/rpmforge.repo

Next we are going to create the fail2ban configuration file for Asterisk. This tells fail2ban what text to monitor the logs for -

cat >> /etc/fail2ban/filter.d/asterisk.conf <<-EOF
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P\S+)
# Values: TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '' - Wrong password
NOTICE.* .*: Registration from '.*' failed for '' - No matching peer found
NOTICE.* .*: Registration from '.*' failed for '' - Username/auth name mismatch
NOTICE.* .*: Registration from '.*' failed for '' - Device does not match ACL
NOTICE.* .*: Registration from '.*' failed for '' - Peer is not supposed to register
NOTICE.* failed to authenticate as '.*'$
NOTICE.* .*: No registration for peer '.*' $from $
NOTICE.* .*: Host failed MD5 authentication for '.*' (.*)
NOTICE.* .*: Failed to authenticate user .*@.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
EOF

Next we are going to add some lines to the jail.conf file that tells fail2ban what log files to monitor and what action to take when the required text is detected. This includes sending an alert e-mail so you may want to change ‘root’ to your e-mail address. It also includes the length of time the IP address is blocked for in seconds. Here we have it set to 3 days, you may want to modify this -

cat >> /etc/fail2ban/jail.conf <<-EOF
[asterisk-iptables]

enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath = /var/log/asterisk/full
maxretry = 5
bantime = 259200
EOF

Fail2ban needs the date in the Asterisk log files written in a specific format. To do this we can add a line to the ‘General’ section of the Asterisk logger configuration file. If you already have a ‘General’ section in there you will just want to add the line manually rather than running the command below -

cat >> /etc/asterisk/logger.conf <<-EOF
[general]
dateformat=%F %T
EOF

asterisk -rx "logger reload"

Finally we want to fire up fail2ban and set it to start at boot time -

service fail2ban start
chkconfig fail2ban on

One final thing you may want to do is ‘whitelist’ your own IP address/s. You can do this by adding them to the ignoreip line in the jail.conf file. Here’s a couple of lines to do it automatically, just change the IP address here for your own IP address -

sed -i 's/ignoreip = /ignoreip = 123.123.123.123 /' /etc/fail2ban/jail.conf
service fail2ban restart

rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

Limiting SIP/IAX connections to Asterisk with IPTables

matt — Sat, 27 Mar 2010 16:21:38 +0000

WARNING: be very careful when editing IPTables firewall rules. It is relatively easy to completely disable access to your machine.

All Sysadminman VPSs come with IPTables enabled. However to allow for VOIP traffic both SIP and IAX ports are opened.

If you know that your VOIP providers and all extensions are on fixed IP addresses then it is possible to limit connections to just those addresses.

First let’s list all the VOIP traffic rules that are set up -

iptables -L --line-numbers

Chain INPUT (policy DROP)
num target     prot opt source               destination

10   ACCEPT     tcp -- anywhere             anywhere            tcp dpt:sip
11   ACCEPT     udp -- anywhere             anywhere            udp dpt:sip
13   ACCEPT     tcp -- anywhere             anywhere            tcp dpt:sip-tls
14   ACCEPT     udp -- anywhere             anywhere            udp dpt:sip-tls
15   ACCEPT     udp -- anywhere             anywhere            udp dpt:iax

The extract above just show’s the sip, sip-tls and iax2 rules.

Now let’s delete those rules. Warning! All SIP/IAX2 traffic will be blocked as soon as you run this! Note that your line numbers may be different. Make sure that you delete them in reverse number order or the numbers will change as you delete them.

iptables -D INPUT 15
iptables -D INPUT 14
iptables -D INPUT 13
iptables -D INPUT 11
iptables -D INPUT 10

Don’t delete this rule if you use SIP as it is what opens the high port numbers for the actual voice/media stream -

12 ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp

Now, let’s assume that our SIP provider is at 1.1.1.1 and our extensions are at 2.2.2.2. Let’s allow access from those numbers for SIP.
All lines are inserted at rule 10 and get shuffled up -

iptables -I INPUT 10 -p tcp --dport 5060 -s 1.1.1.1 -j ACCEPT
iptables -I INPUT 10 -p udp --dport 5060 -s 1.1.1.1 -j ACCEPT
iptables -I INPUT 10 -p tcp --dport 5060 -s 2.2.2.2 -j ACCEPT
iptables -I INPUT 10 -p udp --dport 5060 -s 2.2.2.2 -j ACCEPT

Let’s check that those rules look OK (again, only listed here are the VOIP traffic rules) -

iptables -L --line-numbers

Chain INPUT (policy DROP)
num target prot opt source destination
10 ACCEPT tcp -- 2.2.2.2 anywhere tcp dpt:sip
11 ACCEPT udp -- 2.2.2.2 anywhere udp dpt:sip
12 ACCEPT udp -- 1.1.1.1 anywhere udp dpt:sip
13 ACCEPT tcp -- 1.1.1.1 anywhere tcp dpt:sip
14 ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp

Now test that everything is working as you expect. If it is you can save the rules so that they are loaded next time you reboot -

service iptables stop
iptables-save > /etc/sysconfig/iptables
service iptables start

If you make a mistake while editing the rules then just restart iptables to restore your old rules. Note that you can only do this before you save your new rules!

service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter nat [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]

Namecheap SSL certificate for Sysadminman VPS

matt — Sun, 21 Mar 2010 01:11:53 +0000

A sysadminman template VPS comes already setup to use SSL (https) for web connections to a2billing and FreePBX. However, this is using a locally signed ssl certificate so you will receive a certificate warning when accessing your VPS. This is no less secure but can create a poor impression depending who will be accessing the site.

It’s relatively straight forward and inexpensive to get yourself a valid, externally signed, certificate.

The sysadminman template uses lighttpd as the web server so you need to follow these instructions -

[root@livedemo /]#

Next create a folder to store the keys and then create the key. Make sure to replace the server name with the DNS name of your server. This must match the name that people will use to browse to your webserver/website. You will need to enter a password for the key at this point but we will remove it or it will need to be entered every time the webserver starts.

[root@livedemo /]# mkdir -p /etc/lighttpd/ssl
[root@livedemo /]# cd /etc/lighttpd/ssl
[root@livedemo ssl]#
[root@livedemo ssl]# openssl genrsa -des3 -out livedemo.sysadminman.net.key 2048
Generating RSA private key, 2048 bit long modulus
..........++++++
.......++++++
e is 65537 (0x10001)
Enter pass phrase for livedemo.sysadminman.net.key:
Verifying - Enter pass phrase for livedemo.sysadminman.net.key:
[root@livedemo ssl]#
[root@livedemo ssl]# openssl rsa -in livedemo.sysadminman.net.key -out livedemo.sysadminman.net.nopass.key
Enter pass phrase for livedemo.sysadminman.net.key:
writing RSA key

Next generate the Certificate Signing Request (CSR). Be very careful when entering he hostname. This must match the name of your a2billing/FreePBX website. You can leave the password blank.

[root@livedemo ssl]# openssl req -new -key livedemo.sysadminman.net.nopass.key -out livedemo.sysadminman.net.csr
You are about to be asked to enter information that will be incorporated
in to your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:Leics
Locality Name (eg, city) [Newbury]:Leicester
Organization Name (eg, company) [My Company Ltd]:sysadminman
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:livedemo.sysadminman.net
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now print the CSR and copy it

[root@livedemo ssl]# cat livedemo.sysadminman.net.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIBqjCCARMCAQAwajELMAkGA1UEBhMCR0IxDjAMBgNVBAgTBUxlaWNzMRIwEAYD
VQQHEwlMZWljZXN0ZXIxFDASBgNVBAoTC3N5c2FkbWlubWFuMSEwHwYDVQQDExhs
aXZlZGVtby5zeXNhZG1pbm1hbi5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBANR0hOz7bXEwMB1jMW8j7GgnsaZGM+ySIdp1h9kZx5qh8Ma07CCmUJ3i8Anf
FOWmiEx+04qxs2scaSaRgJpm499nflcm6lTzh6VwV/5hQuxwTHjN4DAPaxOB6Hrk
ewjcz6KsDWv7+VnyFN3MYwqE4075Q5LtF0+4XsDmNmjvUktbAgMBAAGgADANBgkq
hkiG9w0BAQUFAAOBgQDB3DbGcCSBqLDGVVRDEVOhICFKIlubKJ4S2Q2TLW2pa+j/
Iqt7qcGdombxVJMk3EfVkC//5KuiA/PaZen8ViBLWwAaRlLZq2NOrWEweYMihKXb
0a7CwVTMNWqji7QPjNtq4fyhKYKseZiAHpzyocVfw97zfGmk0hWjZbQfW5uwQA==
-----END CERTIFICATE REQUEST-----

Now order your SSL certificate from - http://www.namecheap.com/learn/other-services/cheap-ssl-certificate-rapidssl.asp. Select Apache + OpenSSL and paste the CSR text from earlier.

Complete the order process. You will be required to accept an e-mail to a predefined address. This must be a valid address as you will receive an order confirmation e-mail which you must acknowledge.

You will ultimately receive a zip file containing your certificate. You want the text from the file with your server name ending in .crt.

Create a file on the server called yoursername.crt and paste in the contents of the crt file

[root@livedemo ssl]# vi livedemo.sysadminman.net.crt
[root@livedemo ssl]# cat livedemo.sysadminman.net.crt
-----BEGIN CERTIFICATE-----
MIIEuTCCA6GgAwIBAgIQDvsV1EqjvyMdeQU5381EPDANBgkqhkiG9w0BAQUFADBx
....
-----END CERTIFICATE-----

Next combine the key and certificate to create a single .pem file.

[root@livedemo ssl]# cat livedemo.sysadminman.net.nopass.key livedemo.sysadminman.net.crt > livedemo.sysadminman.net.pem
[root@livedemo ssl]# chmod 600 livedemo.sysadminman.net.pem

Now edit the lighttpd config file. Locate the reference to the existing .pem file and change it to your new .pem file

[root@livedemo ssl]# cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.backup
[root@livedemo ssl]# vi /etc/lighttpd/lighttpd.conf

#### SSL engine
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/livedemo.sysadminman.net.pem"

Now restart lighttpd and ensure it starts backup correctly

[root@livedemo ssl]# service lighttpd restart
Stopping lighttpd: [ OK ]
Starting lighttpd: [ OK ]

E-mail to voice call – with Asterisk, Postfix and Cepstral

matt — Sun, 14 Feb 2010 11:56:09 +0000

A few times recently I’ve wanted to be able to turn an e-mail into a voice call. This would be especially handy for emergency server monitoring and notification.

Here is my first attempt. It’s also my first attempt at writing something in Python so you definitely use at your own risk!

There is room for improvement as there is no validation on any of the fields extracted from the e-mail.

It also assumes that these components are already in place -

Asterisk (with Astersk Manager Interface)
E-mail server (I’m using Postfix)
Ceptral text-to-speech (www.cepstral.com) – installed in /opt/swift/bin
Python (I’m using v2.4.3)

First we need to pipe the incoming e-mail to our Python script. For this I added a line to /etc/aliases -

emailspeak: "|/usr/local/bin/emailspeak.py"

and ran newaliases -

newaliases

Now for the script which is called ‘/usr/local/bin/emailspeak.py’

You will need to change at least the USER, SECRET and TRUNK settings at the top of the script to match you Asterisk setup.

#!/usr/bin/env python
# emailspeak.py by sysadminman - http://sysadminman.net
# v1.0 13/2/10

# Import libs we need
import sys, time, email, email.Message, email.Errors, email.Utils, smtplib, os, socket, random
from datetime import date
from email.Iterators import typed_subpart_iterator
from time import sleep

# Asterisk Manager connection details
HOST = '127.0.0.1'
PORT = 5038
# Asterisk Manager username and password
USER = 'manageruser'
SECRET = 'managerpass'
# Set the name of the SIP trunk to use for outbound calls
TRUNK = 'trunkforcalls'

# Generate a random number as a string. We'll use this for file names later on
callnum = str(random.randint(1, 100000000))

# Taken from here, with thanks - http://ginstrom.com/scribbles/2007/11/19/parsing-multilingual-email-with-python/
def get_charset(message, default="ascii"):
"""Get the message charset"""

if message.get_content_charset():
return message.get_content_charset()

if message.get_charset():
return message.get_charset()

return default

# Taken from here, with thanks - http://ginstrom.com/scribbles/2007/11/19/parsing-multilingual-email-with-python/
def get_body(message):
"""Get the body of the email message"""

if message.is_multipart():
#get the plain text version only
text_parts = [part
for part in typed_subpart_iterator(message,
'text',
'plain')]
body = []
for part in text_parts:
charset = get_charset(part, get_charset(message))
body.append(unicode(part.get_payload(decode=True),
charset,
"replace"))

return u"\n".join(body).strip()

else: # if it is not multipart, the payload will be a string
# representing the message body
body = unicode(message.get_payload(decode=True),
get_charset(message),
"replace")
return body.strip()

# Read the e-mail message that has been piped to us by Postfix
raw_msg = sys.stdin.read()
emailmsg = email.message_from_string(raw_msg)

# Extract database Fields from mail
msgfrom = emailmsg['From']
msgto = emailmsg['To']
msgsubj = emailmsg['Subject']
msgbody = get_body(emailmsg)

# Write a log file in /tmp with a record of the e-mails
currtime = date.today().strftime("%B %d, %Y")
logfile = open('/tmp/email2voice.log', 'a')
logfile.write(currtime + "\n")
logfile.write("Call Number: " + callnum + "\n")
logfile.write("From: " + msgfrom + "\n")
logfile.write("To: " + msgto + "\n")
logfile.write("Subject: " + msgsubj + "\n")
logfile.write("Body: " + msgbody + "\n\n")
logfile.close()

# Convert the body of the text to a wav file
swiftcommand = "/opt/swift/bin/swift -n Millie-8kHz -o /tmp/" + callnum + ".wav '" + msgbody + "'"
os.system(swiftcommand)

# We need to allow Asterisk permission to read the wav file
chmodcommand = "chmod 777 /tmp/" + callnum + ".wav"
os.system(chmodcommand)

# Set the number to be dailed as the subject of the e-mail
OUTBOUND = msgsubj

# Send the call details to the Asteirsk Manager Interface
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
sleep(3)
s.send('Action: login\r\n')
s.send('Username: ' + USER + '\r\n')
s.send('Secret: ' + SECRET + '\r\n\r\n')
sleep(3)
s.send('Events: off\r\n\r\n')
sleep(3)
s.send('Action: originate\r\n')
s.send('Channel: Sip/' + TRUNK + '/' + OUTBOUND + '\r\n')
s.send('WaitTime: 30\r\n')
s.send('CallerId: 1234\r\n')
s.send('Application: playback\r\n')
s.send('Data: /tmp/' + callnum + '\r\n')
s.send('Context: from-internal\r\n')
s.send('Async: true\r\n')
s.send('Priority: 1\r\n\r\n')
sleep(3)
s.send('Action: Logoff\r\n\r\n')
s.close()

And that should be it. To test just send an e-mail to emailspeak@yourserver.com with the telephone number you want to call as the subject line, and the text you want to be read in the body.

Don’t forget to write the telephone number in the format that your SIP provider is expecting it.

Hacking and securing your Asterisk server

matt — Sun, 12 Apr 2009 18:09:59 +0000

I spent a little while playing with sipvicious today. This is a SIP scanner that can be used for scanning SIP servers – which obviousy includes Asterisk, Trixbox, Elastix, etc…

It’s not surpising that scanning for vulnerable SIP servers is on the increase – these sort of tools are really easy to use, and with the lure of making free phone calls at your expense it’s definitnely worth making sure that your PBX is secure.

Here’s what I did to scan one of my servers. The server is a Trixbox CE 2.6 server and I set up the following extensions for testing -

Ext - 1001 : Display Name - 1001 : Secret - Empty
Ext - 1002 : Display Name - 1002 : Secret - 1002
Ext - 1003 : Display Name - "test" : Secret - "ekwrbq2k3b4lk32b"

Next I downloaded Sipvicious -

cd /tmp
wget http://sipvicious.googlecode.com/files/sipvicious-0.2.4.tar.gz
tar xvfz sipvicious-0.2.4.tar.gz
cd sipvicious-0.2.4

Now, first we need to find the Asterisk server we want to scan and for that we use svmap.py. I obviously know the name of my server but svmap.py will also scan blocks of IP addresses too.

So all I had to do was give it the hostname/ip address of my Asterisk servers and svmap has successfully identified it.

Next we want to see what externsions are configured on the server so we use svwar.py

The “-e 1000-9999″ tells svwar to scan for all extensions between those numbers. As you can see it returns the test extensions I configured and also tells us that extension 1001 doesn’t need a password to connect to it. So potentially, as a hacker, I could already connect as this extension and start making calls.

Now let’s see if there’s any other vulnerable extenions with svcrack.py -

./svcrack.py -u1002 -r1-9999 asteriskdemo

| Extension | Password |
------------------------
| 1002 | 1002 |

The “-u 1002″ tells svcrack which extension to try and guess the password for and “-r1-9999″ tells it to use that as a range for potential passwords. It took about 3 seconds to try all the numbers between 1 and 9999 and guess the password. It’s definitely not a good idea just to use numbers for your passwords!

It’s also possible to download dictionary files (just long lists of words) and tell sipvicious to use those as potential passwords. This obviously takes longer to run.

So, what can we do to protect ourselves?

There are a few really simple things that can make our Asterisk servers much more secure.

Always use long, difficult to guess passwords for your extensions!

Set “alwaysauthreject=yes” in your sip configuration file. What this does is prevent Asterisk from telling a sip scanner which are valid extension numbers. Here’s what happened when I changed the setting on my Trixbox -

I edited the file /etc/asterisk/sip_custom.conf and entered the line

alwaysauthreject=yes

Then reloaded SIP in Asterisk with -

asterisk -rv
sip reload
exit

Now if I run the same command as before to see what valid extension numbers there are I get the following error -

./svwar.py -e 1000-9999 asteriskdemo

ERROR:TakeASip:SIP server replied with an authentication request for an unknown extension. Set --force to force a scan.
WARNING:root:found nothing

There are other things you can do and there is a great article here – http://blogs.digium.com/2009/03/28/sip-security/