Category Archives: Linux

Linux and Unix

Script to create Vultr firewall group allowing cloudflare IPs

See here for the script – https://bitbucket.org/sysadminman/vultr-firewall-cloudflare

If you have a web server running behind Cloudflare then you really want to allow only the Cloudflare IPs to connect to that server.

If your web server is running on Vultr then you can create a firewall group using their API to allow this.

You won’t want to enter the Cloudflare IPs manually, but they provide a downloadable list of their IPs.

I wrote this Python script that creates a new firewall group and whitelists the Cloudflare IPs, plus SSH (port 22). If you run the script again it will update the firewall group with the current IPs.

You will need a Vultr API access token to connect to the API.
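As an added illustration (not the sysadminman script itself), this builds the allow rules from a Cloudflare-style IP list plus SSH and works out which rules to add or remove from a group so that re-running converges on the current list. The sample list is constructed, the Cloudflare ports (80/443) are an assumption, and the rule field names are assumed to match the Vultr v2 firewall API.

```python
"""Build Vultr firewall rules allowing only Cloudflare's published ranges plus
SSH, then diff them against the rules already in the group. Added example, not
the sysadminman script. SAMPLE_V4/SAMPLE_V6 are constructed in the format of the
one-CIDR-per-line lists at https://www.cloudflare.com/ips-v4 and /ips-v6; the
field names (ip_type, protocol, subnet, subnet_size, port) are assumed to match
the Vultr v2 firewall API."""
import ipaddress

# Constructed sample in the format of the Cloudflare ips-v4 / ips-v6 downloads.
SAMPLE_V4 = "173.245.48.0/20\n103.21.244.0/22\n\n"
SAMPLE_V6 = "2400:cb00::/32\n"

def parse_ip_list(text):
    """Parse one CIDR per line; strict=True rejects host bits set in a prefix."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets

def cloudflare_rules(v4_text, v6_text, ports=("80", "443")):
    """One TCP allow rule per Cloudflare network and web port (ports assumed)."""
    rules = []
    for net in parse_ip_list(v4_text) + parse_ip_list(v6_text):
        for port in ports:
            rules.append({"ip_type": "v4" if net.version == 4 else "v6",
                          "protocol": "tcp", "subnet": str(net.network_address),
                          "subnet_size": net.prefixlen, "port": port,
                          "notes": "cloudflare"})
    return rules

def ssh_rule(subnet="0.0.0.0", subnet_size=0):
    """SSH allow rule; the default is any v4 source, as the post describes."""
    return {"ip_type": "v4", "protocol": "tcp", "subnet": subnet,
            "subnet_size": subnet_size, "port": "22", "notes": "ssh"}

def rule_key(rule):
    return (rule["ip_type"], rule["protocol"], rule["subnet"],
            rule["subnet_size"], rule["port"])

def plan_update(existing, desired):
    """Return (to_add, to_remove): rules missing from the group and stale ones."""
    have = {rule_key(r): r for r in existing}
    want = {rule_key(r): r for r in desired}
    to_add = [r for k, r in want.items() if k not in have]
    to_remove = [r for k, r in have.items() if k not in want]
    return to_add, to_remove
```

Restricting the SSH rule to your own address (ssh_rule("203.0.113.5", 32)) is the safer default if you know where you will connect from.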

Whitelist in fail2ban and denyhosts

All SysAdminMan servers come with fail2ban and denyhosts installed. These are two software packages that do similar things so can be confusing.
Here are the differences –

fail2ban
monitors the Asterisk logs for failed ‘Register’ attempts and blocks the IP using IPTables. This means that if you get yourself blocked it will appear as though the server has gone down.

denyhosts
monitors /var/log/secure for failed SSH attempts and blocks the IP for SSH access only. You will get ‘connection refused’ just for SSH if you get yourself blocked.

It’s possible to whitelist your own IPs so that they don’t get accidentally blocked by following the instructions below.

You should replace 123.123.123.123 with your own IP –

export ignoreip="123.123.123.123"

sed -i "s/ignoreip = /ignoreip = $ignoreip /" /etc/fail2ban/jail.conf
service fail2ban restart

echo "sshd: $ignoreip" >> /etc/hosts.allow
service denyhosts restart

Asterisk virtualization – OpenVZ or VMWare?

I recently read a post/advert claiming that VMWare was a ‘much better’ platform for hosting Asterisk than any other virtualization platform, such as OpenVZ, Xen, KVM … So I thought I’d write a little about the architecture running the SysAdminMan VPSs and why it was chosen.

There are a few different names given to a virtualized server – Virtual Private Server (VPS), Virtual Dedicated Server (VDS), VM (Virtual Machine) – but they all refer to the same overall goal: take a dedicated server and partition it into several virtual servers that share the underlying hardware.

Now, don’t get me wrong, I really like VMWare ESX. In fact I spent many years as a VMWare admin running mission critical ESX clusters that needed to be available 24/7. These hosted corporate web systems that processed many £100k’s of transactions per year. So does that make it the perfect platform for offering Asterisk hosting? Not necessarily.

VMWare and KVM both provide ‘full virtualization’ which is a layer in between the hardware and VPS that emulates the hardware and provides the virtual machine access to it. This means the operating system on the VPS does not need to be aware that it is running inside a VPS. It runs as normal, with VMWare/KVM translating the requests to the underlying hardware. Xen can now also do this running in HVM mode.

While this provides good segregation between the Virtual Servers it does add a layer between the VPS and underlying hardware that can cause timing issues, which are so critical to VOIP/Asterisk. This is not always the case, but a possibility.

OpenVZ is different. This provides operating system-level virtualization where the underlying hardware runs a kernel that is shared by all of the virtual machines. On SysAdminMan VPSs this is CentOS. This provides more direct access to the underlying hardware which, in my experience, makes it an ideal platform for hosting Asterisk.

Where OpenVZ gets a bad name is that it’s very easy to provision many more VPSs on a physical server than that server can really handle. This means lots of virtual machines all trying to use the CPU, RAM, network etc. on the underlying server, resulting in bottlenecks. This might not be a problem on a web server. If a web server takes half a second longer to display a web page because the server is overloaded then maybe nobody will notice. However, if your VOIP packets are delayed for half a second then you will definitely notice!

SysAdminMan only has around 10 virtual servers per physical server, often less depending on the resource allocations to the VPSs on that server. This results in a lot less contention for the underlying hardware than with some providers (especially general VPS providers) that might have 20, 30, 40 servers running on the same hardware.

Probably the most crucial fact about running Asterisk on a VPS though is who you are sharing the underlying hardware with, and how well the server is managed. Even if there are only a few other virtual servers on that server and they are allowed to abuse the resources available then you will likely get a bad VOIP experience. This can definitely be the case where Asterisk is installed on a general purpose VPS.

All SysAdminMan VPSs are specifically designed to be running Asterisk. The underlying hardware is closely monitored and you can be sure that you are not sharing the hardware with customers running highly demanding Java application servers or game servers etc. It can be very difficult for VPS customers to troubleshoot VOIP quality issues on their server as they have no visibility to the underlying hardware. You have to trust that your VPS provider is not allowing the underlying server to be overloaded.

The Asterisk hosting market is definitely getting more competitive but I’m confident that the service and products offered by SysAdminMan represent excellent value for money and a stable and well managed platform to host your VOIP server. SysAdminMan has been successfully hosting Asterisk servers since early 2009.

Check your DNS configuration – intoDNS

DNS can be a tricky thing! One of the main problems with troubleshooting your DNS setup is that DNS is a distributed system: there are thousands of DNS servers around the world, and changes to DNS records take time to propagate to all of these servers.

A really useful tool for checking your DNS config is intoDNS. You just type in your domain name and it will run some tests and highlight any potential issues it finds. It uses the authoritative DNS servers to try and rule out any confusion caused by DNS propagation times.

Check it out here – intoDNS


Restricting web interface access with iptables

By default all SysAdminMan VPSs come with port 443 open to allow https access to the web GUI. A really good security tip, where possible, is to restrict this to only IP addresses that need access.

First, whenever making changes to iptables I always temporarily disable them from running at startup. This way if you make an error and lock yourself out the server just needs a restart. You must remember to re-enable at the end!

Disable iptables at startup and copy the existing configuration –

chkconfig iptables off

cp /etc/sysconfig/iptables /etc/sysconfig/iptables.orig

Continue reading

KVM virtualization – text only CentOS guest install

It took me a little while today to figure out how to do a text only install of a CentOS guest on KVM. Previously I had started the install using virt-install and then connected to the VNC console over SSH. This is a bit of a hassle though when all you want is a quick, text based install.

So here’s how.

Firstly all of my VMs live on LVM so create a virtual disk to hold the VM. I’m creating a 20G ‘partition’ in a volume group called kvm-storage. The logical volume is called host.demo.com.

Continue reading

Blocking Asterisk hacking/scanning attempts with fail2ban

Warning – if you follow these instructions fail2ban will, by default, be protecting you against other scans such as ssh attempts. This means though that if you get your IP blocked you will not be able to connect to your server from that IP. Ensure that you whitelist your IP by following the instructions at the end of the post.

Over the past few weeks we have seen a big jump in the scanning of VOIP servers. All of these scans are brute-force attempts that first scan for valid extension numbers and then try to guess the extension password by repeatedly trying different passwords.

Unfortunately Asterisk doesn’t have anything built-in to prevent these types of scans, but it is very good at logging these attempts in the Asterisk logs. This means we can use a free utility called fail2ban and the Linux iptables firewall to block IP addresses that make repeated failed login attempts.

Fail2ban is already included in PBX-in-a-Flash but we can also use it with other Asterisk distributions.

Continue reading
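To show the detection side of what fail2ban does with the Asterisk logs described above, here is an added example (not part of the original post) that counts failed registrations per source IP over a sliding window, the same maxretry/findtime logic a jail applies before handing the IP to iptables. The log lines are constructed and assume the chan_sip ‘Registration from … failed for’ wording of Asterisk 1.4/1.6.

```python
"""Count failed SIP registrations per source IP in Asterisk log lines, the
signal a fail2ban asterisk jail keys on before handing the IP to iptables.
Added example, not part of the original post. Log lines are constructed and
assume the chan_sip 'Registration from ... failed for' wording of Asterisk
1.4/1.6; maxretry and findtime mirror fail2ban jail settings."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/asterisk/messages entries.
SAMPLE_LOG = """\
[Mar  4 10:00:01] NOTICE[2104] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Mar  4 10:00:02] NOTICE[2104] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[Mar  4 10:00:03] NOTICE[2104] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Mar  4 10:00:04] NOTICE[2104] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '192.0.2.25' - Wrong password
[Mar  4 10:00:05] VERBOSE[2104] logger.c:     -- Registered SIP '200' at 192.0.2.25 port 5060
[Mar  4 10:30:00] NOTICE[2104] chan_sip.c: Registration from '"300" <sip:300@203.0.113.10>' failed for '192.0.2.25' - Wrong password
"""

FAIL_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for '(?P<ip>[0-9.]+)' - "
    r"(Wrong password|No matching peer found)")

def parse_failures(log_text, year=2010):
    """Return [(timestamp, source_ip)] for each failed registration line."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("ip")))
    return events

def offenders(events, maxretry=3, findtime=600):
    """IPs with at least maxretry failures inside any findtime-second window."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    banned = []
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= timedelta(seconds=findtime):
                banned.append(ip)  # this is where fail2ban would call iptables
                break
    return banned
```

Note that a legitimate extension with a mistyped password trips the same counter, which is why the whitelist step at the end of the post matters.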

Limiting SIP/IAX connections to Asterisk with IPTables

WARNING: be very careful when editing IPTables firewall rules. It is relatively easy to completely disable access to your machine.

All Sysadminman VPSs come with IPTables enabled. However to allow for VOIP traffic both SIP and IAX ports are opened.

If you know that your VOIP providers and all extensions are on fixed IP addresses then it is possible to limit connections to just those addresses.

Continue reading

Namecheap SSL certificate for Sysadminman VPS

A sysadminman template VPS comes already set up to use SSL (https) for web connections to a2billing and FreePBX. However, this uses a locally signed SSL certificate, so you will receive a certificate warning when accessing your VPS. This is no less secure but can create a poor impression depending on who will be accessing the site.

It’s relatively straightforward and inexpensive to get yourself a valid, externally signed certificate.

The sysadminman template uses lighttpd as the web server so you need to follow these instructions –

Log in to your VPS as root:

Continue reading

E-mail to voice call – with Asterisk, Postfix and Cepstral

A few times recently I’ve wanted to be able to turn an e-mail into a voice call. This would be especially handy for emergency server monitoring and notification.

Here is my first attempt. It’s also my first attempt at writing something in Python, so use it at your own risk!

There is room for improvement as there is no validation on any of the fields extracted from the e-mail.

It also assumes that these components are already in place –

  • Asterisk (with Asterisk Manager Interface)
  • E-mail server (I’m using Postfix)
  • Cepstral text-to-speech (www.cepstral.com) – installed in /opt/swift/bin
  • Python (I’m using v2.4.3)

Continue reading