
Monday, March 30, 2015

Block Asterisk SIP registrations from internet/WAN hackers with iptables/shorewall

As a result of hundreds of hacking attempts targeting my Asterisk server from the internet, I installed Fail2ban to automatically ban the attackers' IP addresses after 3 failed attempts, with the following in my jail.conf:
[asterisk-udp]

enabled  = true
filter   = asterisk
action   = iptables-multiport[name=asterisk-udp, port="5060", protocol=udp]
           sendmail-whois[name=Asterisk-udp, dest=root, sender=root]
logpath  = /var/log/asterisk/messages
maxretry = 3
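
To make the maxretry threshold concrete, here is an added example (not code from this post and not Fail2ban's own filter) that applies the same rule to constructed log lines. The regex, the 600-second window and the logger.conf timestamp format (dateformat=%F %T) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAXRETRY = 3                       # maxretry from the jail above
FINDTIME = timedelta(seconds=600)  # assumption: Fail2ban's default findtime; the jail does not set it

# Simplified pattern for chan_sip registration failures. Assumptions: this is not
# Fail2ban's shipped asterisk filter, and logger.conf uses dateformat=%F %T.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\].*?"
    r"Registration from '.*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
)

# Constructed sample of /var/log/asterisk/messages (documentation-range addresses).
SAMPLE_LOG = """\
[2015-03-30 02:10:01] NOTICE[2101] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.7:5071' - Wrong password
[2015-03-30 02:10:05] NOTICE[2101] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '198.51.100.7:5071' - No matching peer found
[2015-03-30 02:10:07] VERBOSE[2101] chan_sip.c: Registered SIP '6666' at 192.0.2.20:5060
[2015-03-30 02:10:09] NOTICE[2101] chan_sip.c: Registration from '"103" <sip:103@203.0.113.10>' failed for '198.51.100.7:5071' - Wrong password
[2015-03-30 02:10:10] NOTICE[2101] chan_sip.c: Registration from '"104" <sip:104@203.0.113.10>' failed for '198.51.100.7:5071' - Wrong password
[2015-03-30 02:11:00] NOTICE[2101] chan_sip.c: Registration from '"6666" <sip:6666@203.0.113.10>' failed for '192.0.2.44:5060' - Wrong password
[2015-03-30 02:12:00] NOTICE[2101] chan_sip.c: Registration from '"6666" <sip:6666@203.0.113.10>' failed for '192.0.2.44:5060' - Wrong password
[2015-03-30 02:40:00] NOTICE[2101] chan_sip.c: Registration from '"6666" <sip:6666@203.0.113.10>' failed for '192.0.2.44:5060' - Wrong password
"""


def hosts_to_ban(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {ip: time of the failure that reached maxretry within findtime}."""
    recent = defaultdict(list)   # ip -> failure times still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if m is None or m["ip"] in banned:
            continue             # not a failed registration, or host already banned
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in hosts_to_ban(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when})")
```

The second host in the sample fails three times as well, but its failures are spread over more than the window, so it never reaches the threshold.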

However, I then started to receive hundreds of emails from Fail2ban telling me that IP addresses were being banned one after another. Below is an example email for the ban of an IP address in France:
Hi,
The IP 195.154.38.225 has just been banned by Fail2Ban after
63 attempts against Asterisk-udp.


Here is more information about 195.154.38.225:

Regards,

Fail2Ban

I had had enough of such emails, so I started looking for a way to block these hacking attempts from reaching my Asterisk server at all. I have shorewall installed on the Asterisk server as my firewall and NAT router. It has the interface net defined on the internet/WAN side, and the iptables chain net2fw handles the traffic from the internet to my firewall.
Therefore I added the following to /etc/shorewall/started to drop all SIP registration packets (those containing the string "REGISTER sip:") arriving from the internet on UDP port 5060 of my firewall:
/usr/sbin/iptables -I net2fw -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP
The --algo parameter is required; it specifies the pattern-matching strategy (bm = Boyer-Moore, kmp = Knuth-Morris-Pratt). After restarting shorewall, iptables shows the following:
# iptables -L net2fw
Chain net2fw (1 references)
target     prot opt source               destination      
DROP       udp  --  anywhere             anywhere             udp dpt:sip STRING match  "REGISTER sip:" ALGO name bm TO 65535
And I'm happy now that all these annoying hacking attempts are properly handled.
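
What the string rule does and does not match, as an added example (not part of the original post): a small model of the rule applied to constructed SIP datagrams, using a Boyer-Moore-Horspool search as a simplification of the kernel's bm matcher. The host name pbx.example.net and all header values are made up.

```python
PATTERN = b"REGISTER sip:"   # the --string value from the rule above
SIP_PORT = 5060              # the --dport value from the rule above


def bm_find(haystack, needle):
    """Boyer-Moore-Horspool search: offset of the first match, or -1."""
    m = len(needle)
    # Bad-character table: how far the window may slide for each byte value.
    shift = {byte: m - 1 - i for i, byte in enumerate(needle[:-1])}
    pos = 0
    while pos + m <= len(haystack):
        if haystack[pos:pos + m] == needle:
            return pos
        pos += shift.get(haystack[pos + m - 1], m)
    return -1


def rule_verdict(payload, dport=SIP_PORT):
    """Model of the rule: DROP when dport is 5060 and the string occurs anywhere."""
    return "DROP" if dport == SIP_PORT and bm_find(payload, PATTERN) >= 0 else "pass"


def sip(*lines, body=b""):
    """Build a constructed SIP datagram from a start line, headers and a body."""
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


# Constructed datagrams; pbx.example.net and all header values are made up.
SAMPLES = {
    "REGISTER request from the WAN": sip(
        b"REGISTER sip:pbx.example.net SIP/2.0", b"CSeq: 1 REGISTER"),
    "INVITE request from the WAN": sip(
        b"INVITE sip:6666@pbx.example.net SIP/2.0", b"CSeq: 1 INVITE"),
    "provider's 200 OK to the PBX's own REGISTER": sip(
        b"SIP/2.0 200 OK", b"CSeq: 102 REGISTER"),
    "MESSAGE whose body quotes the string": sip(
        b"MESSAGE sip:6666@pbx.example.net SIP/2.0", b"CSeq: 1 MESSAGE",
        body=b"try REGISTER sip:pbx.example.net"),
}


def verdicts(dport=SIP_PORT):
    """Map each sample's description to the modelled verdict."""
    return {name: rule_verdict(payload, dport) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{verdict:4}  {name}")
```

Replies to the server's own trunk registrations still pass because a response carries REGISTER only in its CSeq header, while other request methods are not touched by the rule, so the Fail2ban jail stays relevant for them.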

Thursday, November 7, 2013

Where should I go after the End of XMPP with Google Voice on 5/14/2014?

As Obihai announced on its blog page, Google Sets the Date for the End of XMPP with Google Voice (GV) to be 5/14/2014. http://blog.obihai.com/2013/10/important-message-about-google-voice.html

After I read it, I decided to port my number out of GV to ANVEO (http://www.anveo.com/) since they are running a porting promotion at the moment (the porting request must be submitted before December 31st 2013). I can enjoy one year of unlimited incoming calls at ANVEO for $24. The terms for the free porting are copied below from their website:
 * Free Porting Specific Terms: When the FREE porting is complete the phone number will be pre-paid for 12 months and account will be charged a non-refundable $24 (12 x $2/month) for Personal Unlimited rate plan

Without the promotion, porting a US number costs a $15 porting fee. Another option to keep the old GV number working is to order a new phone number at ANVEO and forward the GV number to the ANVEO number. There is no setup fee for a new ANVEO phone number when it is ordered on the 'Personal Unlimited' rate plan ($2/month). However, I'm not convinced that free GV forwarding will last long, so I chose to port the GV number out.

I first went to the following web page to unlock my GV number. It was unlocked immediately after I paid $3 to Google for porting it out. https://www.google.com/voice/unlock
I needed to submit a copy of the GV confirmation page for unlocking the number to ANVEO together with the porting request. The ANVEO porting request form can be downloaded from here. I submitted the porting request on the night of 10/31 and added $30 to my ANVEO account with Google Checkout. I received an email from ANVEO on 11/5 saying that "the phone number porting is almost complete and it will be switched to our carrier within 48-72 hours. The phone number is now in your account."

I tried to use the ANVEO number in Asterisk and it worked. Before I could use it on a SIP device, I needed to activate the SIP service on the ANVEO website under Account Options->SIP Device Registration. A SIP password is generated after the activation, and Asterisk needs this SIP password to register for SIP. The username for a SIP device is the ANVEO account number.

The following is the context for ANVEO in users.conf for Asterisk:
[general]
hassip = yes
hasiax = no
registeriax = no
callwaiting = yes
threewaycalling = yes
callwaitingcallerid = yes
transfer = yes
canpark = yes
cancallforward = yes
callreturn = yes
call-limit = 100
qualify = yes
disallow = all
allow = ulaw,alaw
type = friend

[anveo]
host=sip.anveo.com
port=5010
username= {account number}
secret= {SIP password}
insecure=port,invite
group = null
hasexten = yes
canreinvite = yes
callcounter = yes
disallow=all
allow=ulaw
context=anveo-in
registersip = yes

And the following is the context in extensions.conf for ANVEO incoming calls (6666 is the extension number of my home):
[anveo-in]
exten => s,1,NoOp(From Anveo ${EXTEN})
exten => s,n,Dial(SIP/6666) 

I prefer Nonoh for outgoing calls, which currently offers free calling to countries such as US, Canada and China for 120 days after a credit (10 Euro minimum) is bought. And I found it a good idea to set the caller ID for outgoing calls to the ANVEO number at the Nonoh account settings.

The following is the context for Nonoh in users.conf for Asterisk:
[nonoh]
host = sip.nonoh.net
username = {nonoh username}
secret = {nonoh password}
group = null
registersip = yes
canreinvite = yes
insecure = port,invite
hasexten = no

And the following is the context in extensions.conf for Nonoh (assuming the numbers dialed start with 00 then country code)
[DLPN_6666]
include = CallingRule_Out
include = default
include = parkedcalls
include = conferences
include = ringgroups
include = voicemenus
include = queues
include = voicemailgroups
include = directory
include = pagegroups
include = page_an_extension

[CallingRule_Out]
exten => _00[1-9]X.,1,Dial(SIP/nonoh/${EXTEN:0})

It is also possible to use ANVEO for outgoing calls, which costs 1 cent/minute in the US. The SIP device settings for outgoing calls can be found at
https://www.anveo.com/faq.asp?code=faq_sip_config

ANVEO also provides E911 service for $0.8/month per address and a bunch of add-ons for additional services.

Saturday, September 17, 2011

gvoice login error

My pygooglevoice 0.5 suddenly stopped working. When I ran gvoice at the command line like
 # gvoice -b -e myname@gmail.com -p wtfpasswd call 18664254745 1CALLBKNUMBER 3
I got an error saying Login failed.

I found in this thread that it's probably due to recent changes in the Google Voice web login interface. After I put the following in the file /usr/lib/python2.7/site-packages/googlevoice/settings.py (the folder might be python2.6 depending on the Python version installed), it works again and gvoice can dial out without any problems:
LOGIN = 'https://accounts.google.com/ServiceLogin?service=grandcentral&passive=1209600&continue=https://www.google.com/voice&followup=https://www.google.com/voice&ltmpl=open'

Saturday, January 23, 2010

pygooglevoice 0.5

When I tried to run gvoice within Asterisk 1.6 via the System command, I always got an error after using the method described here.

After some digging, I found the following were not clear to me:
  1. The configuration file ~/.gvoice is unavailable to Asterisk. I need to invoke gvoice with all necessary arguments.
  2. The phoneType argument is required for a Gizmo5 ringback number, which is 7. I found the declaration of call in voice.py:
    def call(self, outgoingNumber, forwardingNumber=None, phoneType=None, subscriberNumber=None)
    Therefore if I invoke gvoice like this
    exten => _X.,n,Set(DB(gv_dialout/channel)=${CHANNEL})
    exten => _X.,n,System(/usr/bin/gvoice -e ${ACCTNAME} -p ${ACCTPASS} call ${EXTEN} ${RINGBACK} ${PHONETYPE})
    then it succeeds. RINGBACK is my Gizmo5 747 number and PHONETYPE is 7.
  3. It's important to set the key gv_dialout/channel in the Asterisk database before calling the System(gvoice) command in [gv-outbound]. The System command may take a second or two to return, and there is a good chance that Asterisk receives the ringback call from gvoice before the key gv_dialout/channel is set, which causes the bridge command to fail.

Sunday, November 8, 2009

Asterisk (PBX) and PAP2T

  1. hasexten=yes|no
    If the context for a peer sets hasexten=yes, Asterisk creates a hint for the user in the default context as shown below for a SIP peer 6000.
    CLI> dialplan show default
    [ Context 'default' created by 'pbx_config' ]
    '6000' => hint: SIP/6000 [pbx_config]
    1. Dial(${HINT}) [pbx_config]

    Therefore I can use Goto(default,6000,1) to ring it
  2. [general] user in users.conf
    It sets the default contexts for all other users. They can be overridden, though. The following are in my [general] user (all my users are using SIP):
    fullname = My Name
    ;
    ; Starting point of allocation of extensions
    ;
    userbase = 6000
    ;
    ; Create SIP Peer
    ;
    hassip = yes
    ;
    ; Create IAX friend
    ;
    hasiax = no
    registeriax = no
    ;
    ; Create manager entry
    ;
    hasmanager = no
    callwaiting = yes
    threewaycalling = yes
    callwaitingcallerid = yes
    transfer = yes
    canpark = yes
    cancallforward = yes
    callreturn = yes
    call-limit = 100
    qualify = yes
    disallow = all
    allow = ulaw,alaw
    type = friend
  3. Asterisk directed call pickup
    I have two extensions: 6000 and 8888. Typically when there's an incoming call, only extension 6000 rings. I can pick up the call from the other extension, though, by pressing the # key on extension 8888. Therefore I have the following in features.conf
    [general]
    pickupexten = #

    and the following in extensions.conf:
    [globals]
    voipbuster = SIP/voipbuster

    [CallingRule_pickup]
    exten = _#,1,Pickup(6000@default)
    exten = _#,n,Hangup()

    [DLPN_8888]
    include = CallingRule_pickup
    include = CallingRule_VBOut
    include = default

    [CallingRule_VBOut]
    exten => _001.,1,Dial(Local/${EXTEN:2}@gv-outbound/n)
    exten => _00[2-9]X.,1,Macro(trunkdial-failover-0.3,${voipbuster}/${EXTEN:0},,voipbuster,)

    I had to add the following to the Dial Plan of the line that will pickup the call in my PAP2T to pass # key directly to Asterisk: #S0
  4. Blind transfer
    I use the * key for Blind transfer. Therefore I have the following in features.conf
    [featuremap]
    blindxfer = *
    and the following in extensions.conf:
    [globals]
    DIALOPTIONS = tT

    [DLPN_6000]
    include = CallingRule_VBOut
    include = default
    include = parkedcalls
    include = conferences
    include = ringgroups
    include = voicemenus
    include = queues
    include = voicemailgroups
    include = directory
    include = pagegroups
    include = page_an_extension
    exten = _*,1,Transfer(8888)

    I had to add the following to the Dial Plan of the line that will initiate the transfer in my PAP2T to pass * key directly to Asterisk: *S0
  5. Connecting PAP2T to the telephone lines 1&2 in my house (T568A type socket): I cut one standard 2-wire RJ11 telephone cable assembly in half and connected them to Blue and Orange lines of the T568A. That will enable me to connect a phone onto the wall outlet at any room to my PAP2T.

Friday, August 7, 2009

VOIP trunks in Asterisk (Gizmo5, GTalk, VoiceStick and Stanaphone)

Add VOIP trunks by AsteriskNow GUI or edit users.conf manually. Type asterisk -r -vvv for more verbose debug information.
  1. Gizmo5/Google Voice:
    [1sipnumber]
    context = DID_1sipnumber
    host = proxy01.sipphone.com
    trunkname = Gizmo5 ; GUI metadata
    username = 1sipnumber
    secret = password
    hasiax = no
    registeriax = no
    hassip = yes
    registersip = yes
    trunkstyle = voip
    hasexten = no
    canreinvite = yes
    disallow = all
    qualify = yes
    allow = ulaw,alaw
    insecure = port,invite

    The context can be found in the file extensions.conf as below
    [DID_1sipnumber]
    exten = s,1,GotoIf($[${LEN(${CALLERID(num)})} > 10]?1-setcid,1)
    exten = s,n,Goto(1-dial,1)
    exten = 1-setcid,1,Set(CALLERID(num)=${CALLERID(num):2})
    exten = 1-setcid,n,Goto(1-dial,1)
    exten = 1-dial,1,Goto(default,6000,1)
    exten = 1-dial,n,Hangup()

    The above context strips the leading "+1" from the incoming caller ID that the provider (sipphone) sends to Asterisk and rings extension 6000 for incoming calls.

    Ref: How to change incoming CallerID

  2. VoiceStick (avoid it if possible): it uses outbound proxy 72.5.80.116:5060 or 72.5.80.117:80. But I couldn't make it work with my Asterisk or Linksys PAP2T under their Next2Nothing or Asterisk Two plan.
    Add the following to /etc/hosts
    72.5.80.116 i2telecom.com
    and the trunk in users.conf
    [1phonenumber]
    context=DID_1phonenumber
    host=i2telecom.com
    trunkname=i2telecom.com
    username=1phonenumber
    secret=password
    hasiax=no
    registeriax=no
    hassip=yes
    registersip=yes
    trunkstyle=voip
    hasexten=no
    disallow=all
    allow=all
    qualify = yes
    canreinvite = no
    insecure = port,invite

  3. GTalk:
    I have the following in the file extensions.conf to set the correct incoming caller ID for the google account that's calling in. The name of the caller will be shown as Gtalk/google_account_name
    [gtalk-in]
    exten = _.,1,NoOp(${CHANNEL})
    exten = _.,2,Set(CALLERID(name)=${CUT(CHANNEL,,1)})
    exten = _.,3,Set(CALLERID(num)=${CUT(CHANNEL,,2)})
    exten = _.,4,Goto(default,6000,1)
    exten = _.,5,Hangup()

  4. Stanaphone: It's important to have the right insecure setting. Otherwise it will try Digest-MD5 authentication for incoming calls and fail instantly.
    [username]
    context = DID_username
    host = sip.stanaphone.com
    trunkname = Stanaphone ; GUI metadata
    username = username
    secret = password
    hasiax = no
    registeriax = no
    hassip = yes
    registersip = yes
    trunkstyle = voip
    hasexten = no
    disallow = all
    allow = all
    qualify = yes
    canreinvite = yes
    insecure = port,invite

Friday, July 31, 2009

My PAP2T can't log into Voipbuster any more

I found that the last registration date shown on my PAP2T was 7/28/2009, three days ago. I was using sip.voipbuster.com as the proxy and I can still ping it. But with Wireshark, I found that it is not sending any packets back in response to the SIP REGISTER requests from my PAP2T.

However, the voipbuster software can still log into my account and it's trying to register on another proxy: connectionserver2.voipbuster.com. Although I can't ping it, my PAP2T can now successfully register on it after I change the proxy. The server connectionserver.voipbuster.com also works.

Friday, July 4, 2008

Make ATS 6011S work with Stanaphone-IN

After my old PAP2 ATA died, I tried to make my ATS 6011S work with Stanaphone, since I can use Voipbuster from my cell phone with its local access number. The WAN port of the 6011S is connected to one of the LAN ports of my router, as the PAP2 was.

The HTTP server listening port of the built-in router is 8080 instead of the standard port 80.

The following was obtained from Ref 1 after a search in the internet:
Login: user/welcome - Regular user login that changes router settings
Login: tech/kaboom - Administrative that also adds voice changes

I set the NAT WAN Address to the WAN IP address of my router and NAT WAN Port to 5060 in the voice setup as shown below:

I also forwarded the SIP and RTP ports to the ATA and set an IP filter to block its provisioning on my D-link router as shown below:

Then I did a reset of the unit from the handset "VOIP Settings->Reset" menu and waited for a few minutes. After it restarted with the above setting, the SIP status became "Needs Restart" as shown below, but I can receive incoming calls on my Stanaphone-IN number and call out too.


References:

Wednesday, July 2, 2008

My PAP2 stopped working

The VOIP ATA Linksys PAP2 at my home stopped working today. It had been working without any problems for more than 2 years since Oct. 2005. Now neither FXS port has a dial tone any more, although both lines appear online on its web interface. The two LEDs for the line status are both solid blue on the unit. I think the analog telephony chip which connects to the two FXS ports must be dead.

I ordered a PAP2T-NA as a replacement for ~$50 (including shipping) from Telephony depot. The model number on the box says PAP2T-NA but the sticker on the back of the unit says PAP2T. Anyway, after plugging into my home network, I can access its web server immediately:
  • DHCP is enabled
  • Blank passwords for user and admin
  • Provision is enabled with blank GPP-K value
  • On the info page under Product Information:
    • Product Name: PAP2T
    • Software Version: 3.1.15(LS)
    • Hardware Version: 0.3.5
The web interface is essentially identical to that of PAP2. So I changed the passwords and upgraded its firmware to the latest official version 5.1.6(LS) obtained from Linksys website after selecting "Version 1.0".

Monday, August 20, 2007

Settings for my Linksys PAP2

I have been using a Linksys VOIP adaptor PAP2 for 2 years. It has two phone ports and supports two phone lines. So far I've been using Voipbuster for outgoing calls and Stanaphone for incoming calls. There's a lengthy discussion thread on Fatwallet about PAP2 and its setup.

I don't use STUN for either line, so I need to forward the SIP ports on my router to the PAP2 (with an IP address of 192.168.0.106) as suggested in the user guide of the PAP2. The router is a D-Link DI-614+, which I have been using reliably for more than 4 years. The settings are shown here:


Some useful information about PAP2:
  • Dial plan for Voipbuster:
    (<:001919>[2-9]xxxxxx|<:00>1[2-9]xx[2-9]xxxxxxS0|<:001>[2-9]xx[2-9]xxxxxxS0|<011:00>xx.)
  • Dial Plan for Stanaphone:
    (<:1>[2-9]xx[2-9]xxxxxxS0|<:1919>[2-9]xxxxxx|1[2-9]xx[2-9]xxxxxxS0|08xxxxxxS0)
  • Protect RESET# in IVR with password
  • GPP_K value: it is located in the "Provisioning" tab of the adapter's web-interface (i.e login as "admin," switch to "advanced" mode and click on the "Provisioning" tab). Attributes of the FACTORY FRESH GPP_K value:
    • 44 characters long
    • Comprised of alpha (A-Z, a-z), numeric (0-9), and symbols
    • Ends with an EQUAL SIGN (=)
    • Example: Q7CeXsESr8Q3qfaFympWUXJpXlWeohe8V2OxzdgzpX8=