Category Archives: Asterisk

Asterisk OpenSource PBX

New Digium VOIP phones with AsteriskNOW

Digium, the company behind Asterisk and AsteriskNOW, has been kind enough to send me two of their new handsets to review. These VOIP phones have been specifically designed to work with Asterisk.

These handsets feature –

  • Easy provisioning from Asterisk or AsteriskNOW
  • Integrated with Asterisk voicemail, directory, parking, call recordings, call queues and more
  • Build custom phone apps with a simple JavaScript API

I have a 2-line D40 and a 4-line D50 and will be writing a few posts soon to show how these phones can be used with a hosted AsteriskNOW PBX to provide a flexible and powerful telephone system.

More information about the handsets can be found here – Digium VOIP phones

FreePBX: Inbound number not working help

Setting up an Inbound (DID/DDI) number in FreePBX can be tricky. We have to do 2 things to get it to work. First we need to tell FreePBX/Asterisk that the incoming call is allowed; second we need to say what to do with that incoming call.

Let’s look at allowing the call first. One of the easiest ways to do this is to allow Anonymous SIP Calls in FreePBX. I recommend you do not do this though, as you don’t really want Asterisk/FreePBX trying to process any call fired at it.

So if we’re not going to allow anonymous SIP calls we need to tell Asterisk what IPs to allow calls from, and we do this by setting up a trunk. When a call comes to our server we will receive a SIP INVITE from the remote server, asking us to accept the call, so let’s have a look at the SIP INVITE messages coming in …

First we’ll install ‘tcpdump’ if it’s not already on the system. In CentOS we do –

yum -y install tcpdump

Next we run the following command to list all the INVITE messages coming in. You will need to change the network adapter name if you’re not on a VPS, probably from venet0 to eth0 –

tcpdump -i venet0 -n -s 0 port 5060 -vvv | grep -B1 "INVITE sip"


Whitelist in fail2ban and denyhosts

All SysAdminMan servers come with fail2ban and denyhosts installed. These two software packages do similar things, which can be confusing.
Here are the differences –

fail2ban
monitors Asterisk logs for failed ‘Register’ attempts and blocks the IP using IPTables. This means that if you get yourself blocked it will appear as though the server has gone down.

denyhosts
monitors /var/log/secure for failed SSH attempts and blocks the IP for SSH access only. If you get yourself blocked you will get connection refused just for SSH.

It’s possible to whitelist your own IPs so that they don’t get accidentally blocked by following the instructions below.

You should replace 123.123.123.123 with your own IP –

export ignoreip="123.123.123.123"

sed -i "s/ignoreip = /ignoreip = $ignoreip /" /etc/fail2ban/jail.conf
service fail2ban restart

echo "sshd: $ignoreip" >> /etc/hosts.allow
service denyhosts restart
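
An idempotent variant of the steps above, added here as an example (not the author's script): it skips the change when the IP is already listed, edits only the real ignoreip line rather than comments, and takes the file paths as arguments so it can be tried on copies first. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: safe-to-rerun version of the whitelist steps.

# Succeed if IP $1 is already an entry on the ignoreip line of jail file $2.
fail2ban_has_ip() {
    sed -n 's/^ignoreip[[:space:]]*=//p' "$2" | tr -s ' ,\t' '\n' | grep -Fxq "$1"
}

# Prepend IP $1 to the ignoreip line of $2 unless it is already listed.
whitelist_fail2ban() {
    fail2ban_has_ip "$1" "$2" && return 0
    sed -i "s/^ignoreip[[:space:]]*=[[:space:]]*/ignoreip = $1 /" "$2"
}

# Append "sshd: IP" to hosts.allow file $2 unless that exact line exists.
whitelist_sshd() {
    grep -Fxq "sshd: $1" "$2" || echo "sshd: $1" >> "$2"
}

# Constructed sample files standing in for jail.conf and hosts.allow.
make_samples() {
    printf '[DEFAULT]\n# ignoreip = example in a comment\nignoreip = 127.0.0.1\nbantime = 600\n' > "$1"
    printf '# hosts.allow\n' > "$2"
}

demo() {
    jail=$(mktemp)
    allow=$(mktemp)
    make_samples "$jail" "$allow"
    for run in 1 2; do                      # the second run must change nothing
        whitelist_fail2ban 123.123.123.123 "$jail"
        whitelist_sshd 123.123.123.123 "$allow"
    done
    grep '^ignoreip' "$jail"
    cat "$allow"
    rm -f "$jail" "$allow"
}
demo
```

On a live server, pass /etc/fail2ban/jail.conf and /etc/hosts.allow as the file arguments, then restart fail2ban and denyhosts as shown above.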

Asterisk / Elastix queue and agent wallboard

UPDATED VERSION HERE – http://sysadminman.net/blog/2013/asterisk-freepbx-queue-and-agent-wallboard-4933

I had a customer recently that was using the Elastix call centre module. This uses Asterisk queues to provide a call centre solution. Part of the call centre module is reports to monitor the status of the queue. However, the two reports that the customers wanted to run to generate a wallboard created quite a load on the server. They were running several complex MySQL queries against pretty large tables.

So I wrote a small PHP wallboard application. This shows the current status of the queue and the call agents that are signed in to it. It parses the output of the Asterisk command ‘queue show’ to generate these statistics. By default it’s set to refresh every 5 seconds. Now, I’m no programmer so the code is not pretty, but I thought I’d share it here in case it helped anyone else.

Asterisk / Elastix wallboard


OpenVPN with a TP-LINK TL-WR1043ND

There are several potential benefits to setting up a VPN to your Asterisk server. All traffic is encrypted and you don’t need to open lots of ports in the firewall. Also there are no issues with SIP and NAT as traffic is routed over the VPN tunnel.

This is a pretty advanced setup but here is a walkthrough for setting up a SysAdminMan VPS as an OpenVPN server and then connecting to it with a TP-LINK router running OpenWRT.

Specifically this router is used – http://www.tp-link.com/en/products/details/?model=TL-WR1043ND. I paid around £40 from Amazon, an absolute bargain for something that will run OpenWRT.

Setting up the router

First you need to flash OpenWRT on to the router. This replaces the original firmware. Here are some instructions for this TP-Link router – http://wiki.openwrt.org/toh/tp-link/tl-wr1043nd?s. I got version 18 of the router and flashed Backfire 10.03.1-rc6 version of OpenWRT.


Humbug Labs – VOIP fraud – Hourly Threshold alert

Humbug Labs is an online service that can monitor your Asterisk CDR records and generate e-mail/SMS alerts based on predefined traffic patterns.

There are quite a few different types of alerts and you should spend a few minutes selecting the alerts that are relevant to your PBX system. Statistics are available free with Humbug Labs, and fraud alerts are available for a small monthly charge, based on your monthly call volume.

Hourly Threshold

If a fraudster does figure out a way to place unauthorised calls through your phone system there’s a good chance they will place as many calls as they can, as quickly as possible. This can be a problem with VOIP as you may not have a limited number of ‘channels’ as you do with traditional phone systems.

Humbug Labs includes an alert that will send an e-mail/SMS if your system is used to place more than a predefined number of calls in an hour. It can also monitor the duration of all the calls placed in an hour.

Humbug Labs – VOIP fraud – Blacklist Numbers alert

Humbug Labs is an online service that monitors your PBX call records and produces statistics and alerts based on those records. The statistics part is similar to Google Analytics, except for phone systems. It produces graphs and charts based on calls flowing through your PBX.

On Asterisk systems a small client is installed that securely transmits the CDR records to Humbug Labs’ servers. You can monitor multiple PBXs from a single Humbug Labs account.

For the statistics side you just install the client and it starts monitoring automatically. There is also an alerting component that can generate e-mail or SMS alerts based on call traffic matching a certain pattern.

This takes a few minutes to set up but is well worth it, as it will provide an alert should unauthorised calls be placed using your system.

The following few posts are going to describe some of the alerts available.

BLACKLIST NUMBERS

There are 2 alerts available for blacklist numbers. The first will generate an alert if calls are placed to premium numbers. The second is a ‘Community Blacklist’ and these are telephone numbers that have been collected by Humbug Labs from telecom security organizations, law enforcement agencies, and Humbug’s fraud data repository that are known to be used by fraudsters.

There are no extra configurable options for these alerts. Just switch them on and your CDRs will be monitored for calls to these numbers.

Asterisk virtualization – OpenVZ or VMWare?

I recently read a post/advert claiming that VMWare was a ‘much better’ platform for hosting Asterisk than any other virtualization platform, such as OpenVZ, Xen, KVM … So I thought I’d write a little about the architecture running the SysAdminMan VPSs and why it was chosen.

There are a few different names given to a virtualized server – Virtual Private Server (VPS), Virtual Dedicated Server (VDS), VM (Virtual Machine) but they all refer to the same overall goal – take a dedicated server and partition it in to several virtual servers that share the underlying hardware.

Now, don’t get me wrong, I really like VMWare ESX. In fact I spent many years as a VMWare admin running mission critical ESX clusters that needed to be available 24/7. These hosted corporate web systems that processed many £100k’s of transactions per year. So does that make it the perfect platform for offering Asterisk hosting? Not necessarily.

VMWare and KVM both provide ‘full virtualization’ which is a layer in between the hardware and VPS that emulates the hardware and provides the virtual machine access to it. This means the operating system on the VPS does not need to be aware that it is running inside a VPS. It runs as normal, with VMWare/KVM translating the requests to the underlying hardware. Xen can now also do this running in HVM mode.

While this provides good segregation between the Virtual Servers it does add a layer between the VPS and underlying hardware that can cause timing issues, which are so critical to VOIP/Asterisk. This is not always the case, but a possibility.

OpenVZ is different. This provides operating system-level virtualization where the underlying hardware runs a kernel that is shared by all of the virtual machines. On SysAdminMan VPSs this is CentOS. This provides more direct access to the underlying hardware which, in my experience, makes it an ideal platform for hosting Asterisk.

Where OpenVZ gets a bad name is that it’s very easy to provision many more VPSs on a physical server than that server can really handle. This means lots of virtual machines all trying to use the CPU, RAM, network etc. on the underlying server, resulting in bottlenecks. This might not be a problem on a webserver. If a web server takes half a second longer to display a web page because the server is overloaded then maybe nobody will notice. However, if your VOIP packets are delayed for half a second then you will definitely notice!

SysAdminMan only has around 10 virtual servers per physical server, often less depending on the resource allocations to the VPSs on that server. This results in a lot less contention for the underlying hardware than with some providers (especially general VPS providers) that might have 20, 30, 40 servers running on the same hardware.

Probably the most crucial fact about running Asterisk on a VPS though is who you are sharing the underlying hardware with, and how well the server is managed. Even if there are only a few other virtual servers on that server, if they are allowed to abuse the resources available then you will likely get a bad VOIP experience. This can definitely be the case where Asterisk is installed on a general purpose VPS.

All SysAdminMan VPSs are specifically designed to be running Asterisk. The underlying hardware is closely monitored and you can be sure that you are not sharing the hardware with customers running highly demanding Java application servers or game servers etc. It can be very difficult for VPS customers to troubleshoot VOIP quality issues on their server as they have no visibility to the underlying hardware. You have to trust that your VPS provider is not allowing the underlying server to be overloaded.

The Asterisk hosting market is definitely getting more competitive but I’m confident that the service and products offered by SysAdminMan represent excellent value for money and a stable and well managed platform to host your VOIP server. SysAdminMan has been successfully hosting Asterisk servers since early 2009.

Installing UK voice prompts for Asterisk

By default the English language voice prompts that Asterisk comes with have an American accent. There are some free UK voice prompts available and below are instructions for downloading and installing those. The instructions below will replace the existing US prompts with the UK ones.

The prompts can be found here – http://www.enicomms.com/cutglassivr/

More details about different language voice prompts can be found here – http://www.voip-info.org/wiki/view/Asterisk+sound+files+international

The commands below download the wav, ulaw, alaw, g729 and g723 codec versions.

First create a folder to download the files to –

cd /usr/src
mkdir uk
cd uk


FreePBX security advisory – SIP extension types

There have been some (heated!) discussions on the Asterisk and FreePBX forums about SIP extension types.

So, what’s all the fuss about …

Well, it’s about being able to enumerate the local extensions on your Asterisk server. This means being able to get a list of valid extension numbers. If a hacker can do this it’s a bad thing because then they just need to figure out the extension secret (password) before they can start making calls at your expense.

So what about fail2ban? Isn’t this supposed to stop this?

Fail2ban is great. If a malicious user tries to REGISTER as an extension on your system, and gets the password wrong, Asterisk logs this attempt (including what IP address they tried to register from) in the Asterisk logs. Once fail2ban sees a specified number of these log entries it blocks the IP address.

However, an extension does not always need to REGISTER to make a call via your system. A client can simply send a SIP INVITE message to try to initiate the call, and on certain (some/all?) versions of Asterisk this error is not logged in the Asterisk logs. Currently, even where Asterisk logs the error, it does not include the IP address of the attacker. This obviously means that fail2ban cannot block the IP address.

Even worse, if the extension SIP type is set to ‘friend’, Asterisk sends back different error messages depending on whether the extension number is valid or not. This tells the attacker the valid extension numbers to concentrate their attack on. This can be prevented by setting the extension type in FreePBX to ‘type=peer’.

Unfortunately, for historical reasons, the default setting in FreePBX is ‘type=friend’. This means that virtually all FreePBX users will have ‘type=friend’ set for their extensions.

So what should you do?

It’s actually quite difficult to figure out how different versions of Asterisk behave regarding the SIP TYPE settings.

My advice would be to set all extensions in FreePBX to ‘type=peer’. It works for me and should give you an additional level of protection compared with leaving it as ‘type=friend’. Don’t forget that, going forward, you will need to change it for new extensions too.

Changing this setting should have no adverse effect, but if you have lots of extensions I’d suggest testing it on a couple first.
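
To find the extensions that still need changing, the following added example (not FreePBX or Asterisk code) scans a sip.conf-style file and prints every section that sets type=friend. The function names and the sample configuration are constructed; the file to scan is an assumption you supply (on FreePBX the generated extension definitions are commonly in /etc/asterisk/sip_additional.conf).

```shell
#!/bin/sh
# Added example: list SIP extensions still defined with type=friend.

# Print the name of every [section] in file $1 whose type is "friend".
audit_sip_types() {
    awk '
        /^[ \t]*;/ { next }                      # ignore comment lines
        /^[ \t]*\[/ {                            # [section] header
            sect = $0
            sub(/^[ \t]*\[/, "", sect)
            sub(/\].*$/, "", sect)
            next
        }
        sect != "" && /^[ \t]*type[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)        # strip "type ="
            sub(/[ \t]*;.*$/, "", val)           # strip trailing comment
            sub(/[ \t\r]+$/, "", val)            # strip trailing blanks
            if (tolower(val) == "friend") print sect
        }
    ' "$1"
}

# Constructed sample configuration, not taken from a real system.
write_sample_conf() {
    cat > "$1" <<'EOF'
[general]
bindport=5060

[101]
type=friend
host=dynamic

[102]
type = peer   ; already changed
host=dynamic

[103]
;type=peer
type=Friend
host=dynamic
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_sip_types "$sample"     # extensions to switch to type=peer
rm -f "$sample"
```

An empty result means no extension in the scanned file is still set to type=friend.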

Where can you read more?

There are a lot of forum posts and discussions regarding this subject, with lots of differing viewpoints. Please read some of them if you’d like to draw your own conclusion.

http://www.freepbx.org/trac/ticket/5103

https://issues.asterisk.org/jira/browse/19194

http://forums.asterisk.org/viewtopic.php?p=156669

http://forums.digium.com/viewtopic.php?t=78679