
Monday, March 30, 2015

Block Asterisk SIP registrations from internet/WAN hackers with iptables/shorewall

As a result of hundreds of hacking attempts targeted at my Asterisk server from the internet, I've installed Fail2ban to automatically ban the hackers' IP addresses after 3 failed attempts, with the following in my jail.conf:
[asterisk-udp]

enabled  = true
filter   = asterisk
action   = iptables-multiport[name=asterisk-udp, port="5060", protocol=udp]
           sendmail-whois[name=Asterisk-udp, dest=root, sender=root]
logpath  = /var/log/asterisk/messages
maxretry = 3

However, I then started to receive hundreds of emails from Fail2ban telling me that IP addresses were being banned one after another. Below is an example email for banning an IP address in France:
Hi,
The IP 195.154.38.225 has just been banned by Fail2Ban after
63 attempts against Asterisk-udp.


Here is more information about 195.154.38.225:


Regards,

Fail2Ban

I'd had enough of such emails, so I started looking for a way to block these hacking attempts from reaching my Asterisk server. I had shorewall installed on the Asterisk server as my firewall and NAT router. It has the interface net defined on the internet/WAN side, and the iptables chain net2fw is the relevant one for managing the traffic from the internet to my firewall.
Therefore I added the following to /etc/shorewall/started to drop all SIP registration packets (containing the string "REGISTER sip:") from the internet destined to UDP port 5060 of my firewall:
/usr/sbin/iptables -I net2fw -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP
The --algo is a required parameter that specifies the pattern matching strategy (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris). After restarting shorewall, iptables shows the following:
# iptables -L net2fw
Chain net2fw (1 references)
target     prot opt source               destination      
DROP       udp  --  anywhere             anywhere             udp dpt:sip STRING match  "REGISTER sip:" ALGO name bm TO 65535
And I'm happy now that all these annoying hacking attempts are properly handled.
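
To see which traffic the rule above actually covers, here is an added example (not part of the original post) that models the rule's three matches in Python and applies them to constructed SIP datagrams. The host pbx.example.net, the 203.0.113.9 address and the sample messages are assumptions made for illustration.

```python
# Added example (not from the original post). It models only the match part of
#   iptables -I net2fw -p udp -m udp --dport 5060 \
#            -m string --string "REGISTER sip:" --algo bm -j DROP
# All datagrams are constructed samples; hosts and addresses are placeholders.
from typing import NamedTuple

NEEDLE = b"REGISTER sip:"  # --string; compared byte for byte
SIP_PORT = 5060            # --dport


class Datagram(NamedTuple):
    label: str
    proto: str
    dport: int
    payload: bytes


def verdict(pkt: Datagram) -> str:
    """DROP only if every match of the rule holds; otherwise the packet goes
    on to the remaining net2fw rules (reported here as PASS)."""
    if pkt.proto == "udp" and pkt.dport == SIP_PORT and NEEDLE in pkt.payload:
        return "DROP"
    return "PASS"


def sip(start_line: str, cseq: str) -> bytes:
    """Build a minimal SIP message: start line, one Via header, CSeq."""
    return (f"{start_line}\r\nVia: SIP/2.0/UDP 203.0.113.9:5060\r\n"
            f"CSeq: {cseq}\r\n\r\n").encode()


SAMPLES = [
    Datagram("WAN registration attempt", "udp", 5060,
             sip("REGISTER sip:pbx.example.net SIP/2.0", "1 REGISTER")),
    Datagram("WAN call attempt", "udp", 5060,
             sip("INVITE sip:6666@pbx.example.net SIP/2.0", "1 INVITE")),
    Datagram("WAN keep-alive/probe", "udp", 5060,
             sip("OPTIONS sip:pbx.example.net SIP/2.0", "1 OPTIONS")),
    # Provider's answer to Asterisk's own registersip=yes registration:
    # it mentions REGISTER only in CSeq, so the needle does not occur.
    Datagram("provider reply to our REGISTER", "udp", 5060,
             sip("SIP/2.0 200 OK", "102 REGISTER")),
]


def classify(samples):
    """Return {label: verdict} for each sample datagram."""
    return {p.label: verdict(p) for p in samples}


if __name__ == "__main__":
    for label, v in classify(SAMPLES).items():
        print(f"{v:4}  {label}")
```

Only the inbound REGISTER is dropped: INVITE and OPTIONS requests still reach Asterisk, so the Fail2ban jail remains useful next to the rule. Replies to Asterisk's own trunk registrations are not affected, because they carry REGISTER only in the CSeq header.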

Thursday, November 7, 2013

Where should I go after the End of XMPP with Google Voice on 5/14/2014?

As Obihai announced on its blog page, Google Sets the Date for the End of XMPP with Google Voice (GV) to be 5/14/2014. http://blog.obihai.com/2013/10/important-message-about-google-voice.html

After I read it, I decided to port my number out of GV to ANVEO (http://www.anveo.com/) since they are running a porting promotion at the moment (the porting request must be submitted before December 31st 2013). I can enjoy one year of unlimited incoming calls at ANVEO for $24. The terms for the free porting are copied below from their website:
 * Free Porting Specific Terms: When the FREE porting is complete the phone number will be pre-paid for 12 months and account will be charged a non-refundable $24 (12 x $2/month) for Personal Unlimited rate plan

Otherwise, porting a US number costs a $15 porting fee without the promotion. Another option to keep the old GV number working is to order a new phone number at ANVEO and forward the GV number to the ANVEO number. There is no setup fee for a new ANVEO phone number when it is ordered on the 'Personal Unlimited' rate plan ($2/month). However, I'm not convinced that free GV forwarding will last long, so I chose to port the GV number out.

I first went to the following web page to unlock my GV number. It was unlocked immediately after I paid $3 to Google for porting it out. https://www.google.com/voice/unlock
I needed to submit a copy of the GV confirmation page for unlocking the number to ANVEO together with the porting request. The ANVEO porting request form can be downloaded from here. I submitted the porting request on the night of 10/31 and added $30 to my ANVEO account with Google Checkout. I received an email from ANVEO on 11/5 saying that "the phone number porting is almost complete and it will be switched to our carrier within 48-72 hours. The phone number is now in your account."

I tried to use the ANVEO number in Asterisk and it worked. Before I could use it on a SIP device, I needed to activate SIP service on the ANVEO website under Account Options->SIP Device Registration. A SIP password is generated after the activation, and Asterisk needs this SIP password to register for SIP. The username for a SIP device is the ANVEO account number.

The following are the contexts for ANVEO in users.conf for Asterisk:
[general]
hassip = yes
hasiax = no
registeriax = no
callwaiting = yes
threewaycalling = yes
callwaitingcallerid = yes
transfer = yes
canpark = yes
cancallforward = yes
callreturn = yes
call-limit = 100
qualify = yes
disallow = all
allow = ulaw,alaw
type = friend

[anveo]
host=sip.anveo.com
port=5010
username= {account number}
secret= {SIP password}
insecure=port,invite
group = null
hasexten = yes
canreinvite = yes
callcounter = yes
disallow=all
allow=ulaw
context=anveo-in
registersip = yes

And the following is the context in extensions.conf for ANVEO incoming calls (6666 is the extension number of my home):
[anveo-in]
exten => s,1,NoOp(From Anveo ${EXTEN})
exten => s,n,Dial(SIP/6666) 

I prefer Nonoh for outgoing calls, which currently offers free calling to countries such as US, Canada and China for 120 days after a credit (10 Euro minimum) is bought. And I found it a good idea to set the caller ID for outgoing calls to the ANVEO number at the Nonoh account settings.

The following is the context for Nonoh in users.conf for Asterisk:
[nonoh]
host = sip.nonoh.net
username = {nonoh username}
secret = {nonoh password}
group = null
registersip = yes
canreinvite = yes
insecure = port,invite
hasexten = no

And the following is the context in extensions.conf for Nonoh (assuming the numbers dialed start with 00 then country code)
[DLPN_6666]
include = CallingRule_Out
include = default
include = parkedcalls
include = conferences
include = ringgroups
include = voicemenus
include = queues
include = voicemailgroups
include = directory
include = pagegroups
include = page_an_extension

[CallingRule_Out]
exten => _00[1-9]X.,1,Dial(SIP/nonoh/${EXTEN:0})

It is also possible to use ANVEO for outgoing calls, which costs 1 cent/minute in the US. The SIP device settings for outgoing calls can be found at
https://www.anveo.com/faq.asp?code=faq_sip_config

ANVEO also provides E911 service for $0.8/month per address and a bunch of add-ons for additional services.

Saturday, September 17, 2011

gvoice login error

My pygooglevoice 0.5 suddenly stopped working. If I run gvoice at the command line like
 # gvoice -b -e myname@gmail.com -p wtfpasswd call 18664254745 1CALLBKNUMBER 3
I get an error saying Login failed.

I found in this thread that it's probably due to recent changes in the Google Voice web login interface. After I put the following in the file /usr/lib/python2.7/site-packages/googlevoice/settings.py (the folder might be python2.6 depending on the Python version installed), it works again and gvoice can dial out without any problems:
LOGIN = 'https://accounts.google.com/ServiceLogin?service=grandcentral&passive=1209600&continue=https://www.google.com/voice&followup=https://www.google.com/voice&ltmpl=open'

Saturday, January 23, 2010

pygooglevoice 0.5

When I tried to run gvoice within Asterisk 1.6 by System command, I always got an error after using the method described here.

After some digging, I found the following were not clear to me:
  1. The configuration file ~/.gvoice is unavailable to Asterisk. I need to invoke gvoice with all necessary arguments.
  2. The phoneType argument is required for a Gizmo5 ringback number, and its value is 7. I found the declaration of call in voice.py:
    def call(self, outgoingNumber, forwardingNumber=None, phoneType=None, subscriberNumber=None)
    Therefore if I invoke gvoice like this
    exten => _X.,n,Set(DB(gv_dialout/channel)=${CHANNEL})
    exten => _X.,n,System(/usr/bin/gvoice -e ${ACCTNAME} -p ${ACCTPASS} call ${EXTEN} ${RINGBACK} ${PHONETYPE})
    then it succeeds. RINGBACK is my Gizmo5 747 number and PHONETYPE is 7.
  3. It's important to set the key gv_dialout/channel in the Asterisk database before calling the System(gvoice) command in [gv-outbound]. The System command may take a second or two to return, and the chance is good that Asterisk receives the ringback call from gvoice before the key gv_dialout/channel is set, which causes the bridge command to fail.

Sunday, November 8, 2009

Asterisk (PBX) and PAP2T

  1. hasexten=yes|no
    If the context for a peer sets hasexten=yes, Asterisk creates a hint for the user in the default context as shown below for a SIP peer 6000.
    CLI> dialplan show default
    [ Context 'default' created by 'pbx_config' ]
    '6000' => hint: SIP/6000 [pbx_config]
    1. Dial(${HINT}) [pbx_config]

    Therefore I can use Goto(default,6000,1) to ring it
  2. [general] user in users.conf
    It sets the default contexts for all other users. They can be overridden, though. The following are in my [general] user (all my users are using SIP):
    fullname = My Name
    ;
    ; Starting point of allocation of extensions
    ;
    userbase = 6000
    ;
    ; Create SIP Peer
    ;
    hassip = yes
    ;
    ; Create IAX friend
    ;
    hasiax = no
    registeriax = no
    ;
    ; Create manager entry
    ;
    hasmanager = no
    callwaiting = yes
    threewaycalling = yes
    callwaitingcallerid = yes
    transfer = yes
    canpark = yes
    cancallforward = yes
    callreturn = yes
    call-limit = 100
    qualify = yes
    disallow = all
    allow = ulaw,alaw
    type = friend
  3. Asterisk directed call pickup
    I have two extensions: 6000 and 8888. Typically when there's an incoming call, only extension 6000 rings. I can pick up the call from the other extension, though, by pressing the # key on extension 8888. Therefore I have the following in features.conf
    [general]
    pickupexten = #

    and the following in extensions.conf:
    [globals]
    voipbuster = SIP/voipbuster

    [CallingRule_pickup]
    exten = _#,1,Pickup(6000@default)
    exten = _#,n,Hangup()

    [DLPN_8888]
    include = CallingRule_pickup
    include = CallingRule_VBOut
    include = default

    [CallingRule_VBOut]
    exten => _001.,1,Dial(Local/${EXTEN:2}@gv-outbound/n)
    exten => _00[2-9]X.,1,Macro(trunkdial-failover-0.3,${voipbuster}/${EXTEN:0},,voipbuster,)

    I had to add the following to the Dial Plan of the line that will pick up the call in my PAP2T to pass the # key directly to Asterisk: #S0
  4. Blind transfer
    I use the * key for Blind transfer. Therefore I have the following in features.conf
    [featuremap]
    blindxfer = *
    and the following in extensions.conf:
    [globals]
    DIALOPTIONS = tT

    [DLPN_6000]
    include = CallingRule_VBOut
    include = default
    include = parkedcalls
    include = conferences
    include = ringgroups
    include = voicemenus
    include = queues
    include = voicemailgroups
    include = directory
    include = pagegroups
    include = page_an_extension
    exten = _*,1,Transfer(8888)

    I had to add the following to the Dial Plan of the line that will initiate the transfer in my PAP2T to pass * key directly to Asterisk: *S0
  5. Connecting the PAP2T to telephone lines 1&2 in my house (T568A type socket): I cut one standard 2-wire RJ11 telephone cable assembly in half and connected the halves to the Blue and Orange lines of the T568A. That enables me to connect a phone at the wall outlet in any room to my PAP2T.

Friday, August 7, 2009

VOIP trunks in Asterisk (Gizmo5, GTalk, VoiceStick and Stanaphone)

Add VOIP trunks by AsteriskNow GUI or edit users.conf manually. Type asterisk -r -vvv for more verbose debug information.
  1. Gizmo5/Google Voice:
    [1sipnumber]
    context = DID_1sipnumber
    host = proxy01.sipphone.com
    trunkname = Gizmo5 ; GUI metadata
    username = 1sipnumber
    secret = password
    hasiax = no
    registeriax = no
    hassip = yes
    registersip = yes
    trunkstyle = voip
    hasexten = no
    canreinvite = yes
    disallow = all
    qualify = yes
    allow = ulaw,alaw
    insecure = port,invite

    The context can be found in the file extensions.conf as below
    [DID_1sipnumber]
    exten = s,1,GotoIf($[${LEN(${CALLERID(num)})} > 10]?1-setcid,1)
    exten = s,n,Goto(1-dial,1)
    exten = 1-setcid,1,Set(CALLERID(num)=${CALLERID(num):2})
    exten = 1-setcid,n,Goto(1-dial,1)
    exten = 1-dial,1,Goto(default,6000,1)
    exten = 1-dial,n,Hangup()

    The above context strips the leading "+1" from the incoming caller ID that the provider (sipphone) sends to Asterisk and rings extension 6000 for incoming calls.

    Ref: How to change incoming CallerID

  2. VoiceStick (avoid it if possible): it uses outbound proxy 72.5.80.116:5060 or 72.5.80.117:80. But I couldn't make it work with my Asterisk or Linksys PAP2T under their Next2Nothing or Asterisk Two plan.
    Add the following to /etc/hosts
    72.5.80.116 i2telecom.com
    and the trunk in users.conf
    [1phonenumber]
    context=DID_1phonenumber
    host=i2telecom.com
    trunkname=i2telecom.com
    username=1phonenumber
    secret=password
    hasiax=no
    registeriax=no
    hassip=yes
    registersip=yes
    trunkstyle=voip
    hasexten=no
    disallow=all
    allow=all
    qualify = yes
    canreinvite = no
    insecure = port,invite

  3. GTalk:
    I have the following in the file extensions.conf to set the correct incoming caller ID for the google account that's calling in. The name of the caller will be shown as Gtalk/google_account_name
    [gtalk-in]
    exten = _.,1,NoOp(${CHANNEL})
    exten = _.,2,Set(CALLERID(name)=${CUT(CHANNEL,,1)})
    exten = _.,3,Set(CALLERID(num)=${CUT(CHANNEL,,2)})
    exten = _.,4,Goto(default,6000,1)
    exten = _.,5,Hangup()

  4. Stanaphone: It's important to have the right insecure setting. Otherwise it will try Digest-MD5 authentication for incoming calls and fail instantly.
    [username]
    context = DID_username
    host = sip.stanaphone.com
    trunkname = Stanaphone ; GUI metadata
    username = username
    secret = password
    hasiax = no
    registeriax = no
    hassip = yes
    registersip = yes
    trunkstyle = voip
    hasexten = no
    disallow = all
    allow = all
    qualify = yes
    canreinvite = yes
    insecure = port,invite

Saturday, May 16, 2009

Reduce the number of ports opened by Asterisk

When I typed the command netstat -lnp | grep asterisk as root, I found the following ports were opened by Asterisk:
tcp 0 0 192.168.0.1:5038 0.0.0.0:* LISTEN 2850/asterisk
tcp 0 0 0.0.0.0:2000 0.0.0.0:* LISTEN 2850/asterisk
tcp 0 0 192.168.0.1:8088 0.0.0.0:* LISTEN 2850/asterisk
udp 0 0 0.0.0.0:4569 0.0.0.0:* 2850/asterisk
udp 0 0 0.0.0.0:2727 0.0.0.0:* 2850/asterisk
udp 0 0 0.0.0.0:4520 0.0.0.0:* 2850/asterisk
udp 0 0 0.0.0.0:5060 0.0.0.0:* 2850/asterisk
unix 2 [ ACC ] STREAM LISTENING 762262 2850/asterisk /var/run/asterisk/asterisk.ctl


I know that the following ports are typically used by my Asterisk
tcp 5038 manager
tcp 8088 AsteriskNOW
udp 4569 iax2
udp 5060 sip
udp 18000-20000 rtp (rtp.conf)

Therefore I put the following lines into /etc/asterisk/modules.conf
; Don't load skinny (tcp port 2000)
noload => chan_skinny.so
; Don't load MGCP (udp port 2727)
noload => chan_mgcp.so
; Don't load dundi (udp port 4520)
noload => pbx_dundi.so


Upon restarting Asterisk, the command netstat -lnp | grep asterisk only shows the following:
tcp 0 0 192.168.0.1:5038 0.0.0.0:* LISTEN 3168/asterisk
tcp 0 0 192.168.0.1:8088 0.0.0.0:* LISTEN 3168/asterisk
udp 0 0 0.0.0.0:4569 0.0.0.0:* 3168/asterisk
udp 0 0 0.0.0.0:5060 0.0.0.0:* 3168/asterisk
unix 2 [ ACC ] STREAM LISTENING 764510 3168/asterisk /var/run/asterisk/asterisk.ctl
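
The same check can be repeated after every upgrade or module change. The following Python is an added example, not part of the original post: it parses the netstat output shown above, compares it with the expected-port list from this post, names the module to noload for each extra listener, and also reports expected services bound to all interfaces. The function names are my own; the port-to-module mapping is the one given in this post.

```python
# Added example (not from the original post). NETSTAT_BEFORE is the
# `netstat -lnp | grep asterisk` output quoted in the post.
NETSTAT_BEFORE = """\
tcp 0 0 192.168.0.1:5038 0.0.0.0:* LISTEN 2850/asterisk
tcp 0 0 0.0.0.0:2000 0.0.0.0:* LISTEN 2850/asterisk
tcp 0 0 192.168.0.1:8088 0.0.0.0:* LISTEN 2850/asterisk
udp 0 0 0.0.0.0:4569 0.0.0.0:* 2850/asterisk
udp 0 0 0.0.0.0:2727 0.0.0.0:* 2850/asterisk
udp 0 0 0.0.0.0:4520 0.0.0.0:* 2850/asterisk
udp 0 0 0.0.0.0:5060 0.0.0.0:* 2850/asterisk
unix 2 [ ACC ] STREAM LISTENING 762262 2850/asterisk /var/run/asterisk/asterisk.ctl
"""

# Ports the post lists as expected (RTP sockets only exist during calls).
EXPECTED = {("tcp", 5038): "manager", ("tcp", 8088): "AsteriskNOW",
            ("udp", 4569): "iax2", ("udp", 5060): "sip"}

# Module to disable for each extra port, as given in the post's modules.conf.
NOLOAD = {("tcp", 2000): "chan_skinny.so", ("udp", 2727): "chan_mgcp.so",
          ("udp", 4520): "pbx_dundi.so"}


def listeners(text):
    """Yield (proto, port, bind_address) for each tcp/udp line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "udp"):
            continue  # skips the unix control socket
        addr, _, port = fields[3].rpartition(":")
        yield fields[0], int(port), addr


def audit(text):
    """Return (unexpected, wildcard).

    unexpected: listeners that are not in EXPECTED, with the module to noload.
    wildcard:   expected services bound to 0.0.0.0, i.e. reachable on every
                interface unless the firewall filters them.
    """
    unexpected, wildcard = [], []
    for proto, port, addr in listeners(text):
        key = (proto, port)
        if key not in EXPECTED:
            unexpected.append((proto, port, NOLOAD.get(key, "unknown module")))
        elif addr == "0.0.0.0":
            wildcard.append((proto, port, EXPECTED[key]))
    return unexpected, wildcard


if __name__ == "__main__":
    extra, exposed = audit(NETSTAT_BEFORE)
    for proto, port, module in extra:
        print(f"unexpected {proto}/{port}: noload => {module}")
    for proto, port, name in exposed:
        print(f"{name} ({proto}/{port}) listens on all interfaces")
```

On the output above, IAX2 and SIP are reported as listening on all interfaces both before and after the modules.conf change, so access to them from the WAN side is decided by the firewall rather than by Asterisk.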

Sunday, January 4, 2009

Enable the CDR viewer of AsteriskNow GUI

CDR stands for Call Data Records. By default, Asterisk 1.4 generates CDR records in comma-separated text files in the /var/log/asterisk/cdr-csv directory. The file Master.csv contains all records. I have the following in the file /etc/asterisk/cdr.conf
[csv]
usegmtime=no ; log date/time in GMT. Default is "no"
loguniqueid=no ; log uniqueid. Default is "no"
loguserfield=no ; log user field. Default is "no"

In the file /var/lib/asterisk/static-http/config/cdr.html there's a statement to load the csv file for viewing the CDRs in a web browser: ASTGUI.loadHTML("./Master.csv"). However, it fails since it can't find the file Master.csv in the folder /var/lib/asterisk/static-http/config. What I did was create a symbolic link in this folder with the following command
ln -s /var/log/asterisk/cdr-csv/Master.csv
and the CDR viewer started working in the AsteriskNow GUI (after Showing Advanced Options).

Edit the file /etc/logrotate.d/asterisk to rotate the CDRs monthly:
/var/log/asterisk/cdr-csv/*csv {
monthly
missingok
rotate 6
compress
delaycompress
}