E-mail alerts from munin for network bandwidth usage

I’m a big fan of munin for monitoring your linux server. It’s quick and easy to install and produces some nice graphs.

I run some OpenVZ servers and wanted to get munin to alert me if there was a sudden spike in my bandwidth throughput.

There are some instructions here for setting up alerts from munin but I couldn’t get it to work for the “if_” plugin that is used to generate the bandwidth graphs.

Turns out that plugin doesn’t produce warnings as standard. Here’s a quick and easy solution that works for me (although there are some pitfalls – such as the fact that you’re setting a generic setting for all interfaces)

On the machine running ‘munin-node’ edit the file /usr/share/munin/plugins/if_   (the location may vary)

and add this line with all the other echo statements –

echo "up.warning 1000000"

It’s in bits per second so that should set it to 1MB/s

Now on the machine running ‘munin’ (could be the same machine) edit the file /etc/munin/munin.conf and somewhere near the top add the lines –

contacts me
contact.me.command mail -s "Munin notification ${var:host}" user@example.com
contact.me.always_send warning

And that should be it. Give it 5 minutes and see if you get an alert  (might be worth setting the warning level to less than 1MB/s to test!)

dstat – another performance monitoring tool

The way I look at it, you can never have too many tools for monitoring the prefomance of your servers!

And it’s best to look round before you actually need them too. Run them on your system when things are ‘normal’ – that will make tracking down problems a lot easier when things start to go wrong.

A handy little tools that combines the functionality of vmstat, iostat, netstat, nfsstat is called dstat.

If you’re using CentOS this can be install via rpmforge (click here for details on adding the rpmforge repo) by doing a

yum install dstat

then you can just run dstat (or ‘man dstat’ for some options)

Here’s an example of the output you can expect to see –

# dstat
----total-cpu-usage---- -dsk/total- -net/total- ---paging-- ---system--
usr sys idl wai hiq siq| read  writ| recv  send|  in   out | int   csw
6   1  93   0   0   0|  31k  242k|   0     0 | 0.2   0.3 |2070   113
0   0  99   1   0   0|4096B    0 |1402B  452B|   0     0 |2037    72
0   0 100   0   0   0|   0     0 |1336B  468B|   0     0 |2035    77
0   1  99   0   0   0|   0     0 |1276B  452B|   0     0 |2035    67
0   0  99   1   0   0|   0   528k|1632B  452B|   0     0 |2049    90
0   0 100   0   0   0|   0     0 |2168B  468B|   0     0 |2039    68
0   0 100   0   0   0|   0     0 |1692B  452B|   0     0 |2036    70
1   0  99   0   0   0|   0     0 |1216B  452B|   0     0 |2032    64
0   0 100   0   0   0|   0    40k|1216B  452B|   0     0 |2050    91
0   0 100   0   0   0|   0     0 |1276B  452B|   0     0 |2033    88
0   0 100   0   0   0|   0     0 |1266B  562B|   0     0 |2036    75
2   2  96   0   0   1|   0   344k|1967B 1157B|   0     0 |2061   230

Hackers targetting Asterisk boxes

I saw the first ‘externsion scan’ of my Asterisk box this week. That is, an external server tried to register as an extension, starting at extension 100 all the way up to extension 999. I’m assuming if they had found a valid extension number then this would have been been followed by a brute force password (secret) scan.

This is an interesting article explaining the problem a little more – http://michigantelephone.wordpress.com/2008/11/28/why-didnt-freepbx-developers-implement-important-security-patch/

If you’re running Asterisk (and FreePBX) then the least you need to do is make sure that you’ve got pretty strong passwords for your extensions.

CallWithUs launch UK based SIP server

*** UPDATE 23/6/09 – While callwithus still have a UK sip server you should use the server ‘sip.callwithus.com’ in your configuration settings. Check the callwithus website for details.

If you’re based in the UK or Europe and looking for a cheap ITSP (VIOP provider) it might be worth looking at CallWithUS as they’ve recently launched a UK based SIP server.

As well as the US based servers sip.callwithus.com, east.callwithus.com and west.callwithus.com you can now use uk.callwithus.com. I now get sub 6ms pings from my Asterisk server in BlueSquare to the CallWithUs server.

I’ve been using CallWithUs for a while now and they provide very competitively priced DIDs and termination rates.

CallCentric trunk setup with Asterisk/FreePBX

Here is my CallCentric configuration for FreePBX.

If you’re thinking about signing up with CallCentric please use my referral link here. Thanks.

Trunk Name: CallCentric

PEER Details:

username=1777XXXXXXX
type=peer
secret=PASSWORD
qualify=yes
nat=no
insecure=very
host=callcentric.com
fromuser=1777XXXXXXX
fromdomain=callcentric.com
dtmfmode=rfc2833
disallow=all
context=custom-get-did-from-sip
canreinvite=yes
allow=ulaw

Register String:

1777XXXXXXX:PASSWORD@callcentric.com/1777XXXXXXX

Please note: the above number starting 1777 is your account number and not you DID number

You also need to add 2 lines to one of the configuration files to correctly extract the DID number from incoming calls.

Edit /etc/asterisk/extensions_custom.conf

Add the following lines

[custom-get-did-from-sip]
exten => _.,1,Goto(from-trunk,${CUT(CUT(SIP_HEADER(To),@,1),:,2)},1)

Then restart Asterisk

You should now be able to create Inbound Routes based on you CallCentric DID numbers

CallCentric with FreePBX – free trunk setup

I’ve been using CallCentric as one of my SIP trunk and DID providers for several months now and it has worked really well. If you use FreePBX (or one of the prebuilt distributions that use it such as Trixbox, Elastix or PBX-in-a-flash) and use this link to sign up for a free CallCentric account I will configure your trunk in FreePBX for free.

Please use the contact form here if you would like to take up this offer.

Some of the services offered by CallCentric are –

  • US DID numbers from only $2.95/month
  • DID numbers in cities all over the world
  • US calls at only $0.0198 per minute
  • UK landline calls only $0.0198 per minute
  • Unlimited calling or pay-as-you-go plans

Sipgatge trunk with Asterisk/FreePBX

I’ve used Sipgate for the past few years with my Asterisk box and have been pretty impressed.

For anyone else looking to use Sipgate with Asterisk/FreePBX here is my trunk setup

Trunk Name: Sipgate

PEER Details:

username=1234567
type=peer
secret=XXXXXXXX
qualify=yes
nat=never
insecure=very
host=sipgate.co.uk
fromuser=1234567
fromdomain=mydomain.com
dtmfmode=rfc2833
disallow=all
context=from-trunk
canreinvite=yes
authuser=1234567
allow=ulaw

Register String:

1234567:XXXXXXXX@sipgate.co.uk/1234567

If you are using NAT between your Asterisk box and Sipgate you will need “canreinvite=no” and “nat=yes” or you will probably get one way audio only on your calls

Edit: context changed to “from-trunk” to make the post clearer

Cheap international phone calls with Asterisk

If you make a lot of international phones calls, or even if you don’t make a lot of them but need to be flexible in how and when you make them, running an Asterisk server could be the way to go.

Asterisk is a OpenSource telephone system that runs on top of Linux. Asterisk can be quite difficult to manage as it involves editing text based configuration files. If you don’t want to do this you can install a web based management interface called FreePBX. This provides lots of management functionality from a nice web based GUI.

Here are just some ideas for how you could use your own phone system –

Cheap calls abroad from your cell phone

Asterisk/FreePBX provides a feature called DISA. This enables to dial into your Asterisk server (via a local access number available from an ITSP such as CallWithUs) and then dial back out again (again via an ITSP). This would enable to call anywhere in the would at a local rate, right from your cell phone.

Continue reading

Limit SMTP connections for OpenVZ VPS

I’ve started renting out some OpenVZ VPSs for a few people and wanted to make sure that they couldn’t be used to send spam. One of the easiest ways to do this is just to limit the number of outbound smtp connections allowed from the VPS using iptables.

I used the following iptables rules on the OpenVZ host node to accomplish this –

# Limit number of SMTP connections from Mail Server
<br>iptables -A FORWARD -o eth0 -p tcp -s 77.211.239.14 --dport 25 -m limit --limit 3/minute -m state --state NEW -j ACCEPT
<br># iptables -A FORWARD -o eth0 -p tcp -s 77.211.239.14 --dport 25 -m state --state NEW -j LOG
<br>iptables -A FORWARD -o eth0 -p tcp -s 77.211.239.14 --dport 25 -m state --state NEW -j DROP

The ip address is the ip address of the VPS. The optional log rule in the middle (that’s commented out) is useful when you are setting this up so you can check that packets are actually begin affected by the rules.