Re: [asterisk-users] Securing Asterisk
Here are a few guidelines that I think may serve you well...

Firstly, every network port that is being listened-to on any publicly-reachable system MUST be carefully protected - typically by firewalling. So, for example, you're likely going to want to block SSH from all but certain IPs.

In certain situations you may need to expose a port to the entire world. In these cases you really have to take measures to limit the amount of probing that you allow from the entire world. One approach that has worked for me with SIP are these with iptables:

    iptables -N SIP_CHECK
    iptables -A INPUT -p udp --dport 5060 -m state --state NEW -j SIP_CHECK
    iptables -A SIP_CHECK -m recent --set --name SIP
    iptables -A SIP_CHECK -m recent --update --seconds 180 --hitcount 5 --name SIP -j DROP

This rate-limits any source to 5 new SIP communication attempts every 3 minutes. If you service a lot of SIP devices all running behind one IP, then it may simply be wise to dodge this security by accepting all SIP communication from that IP... if that one IP remains static, of course. (I can't take credit for this... I found it shared on-line by someone else.)

Secondly, disable the guest account in your sip.conf (allowguest=no). I recognize that this is enabled by default for the sake of convenience, but it's a nasty pitfall for those who are unaware of it.

Lastly, in sip.conf set alwaysauthreject = yes in order to avoid revealing to a brute-force attacker when they have hit on a valid username.

I'm sure there are many other good habits to follow that others here could share, but those come to mind with respect to the problem you've experienced.

Thanks,
Lee.

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
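Added example, not part of the original post: a Python model of how the two `-m recent` rules in the message above treat successive NEW SIP packets, run on constructed traffic. It assumes the documented xt_recent behaviour (`--set` records a timestamp; `--update` matches when `--hitcount` or more timestamps fall inside `--seconds`, and refreshes the entry only when it matches) and models the trusted-static-IP exemption as a hypothetical ACCEPT rule placed ahead of the jump to SIP_CHECK. All addresses are documentation-range placeholders.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 180  # --seconds 180
HITCOUNT = 5          # --hitcount 5
PKT_LIST_TOT = 20     # xt_recent's default ip_pkt_list_tot (timestamps kept per address)


def sip_check(events, trusted=frozenset()):
    """Return one verdict per (time_in_seconds, source_ip) event.

    Each event stands for one packet that conntrack classifies as NEW on
    udp/5060, i.e. one packet the INPUT rule would hand to SIP_CHECK.
    Events must be supplied in time order.
    """
    recent = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))  # the list named "SIP"
    verdicts = []
    for now, src in events:
        if src in trusted:
            # Assumed exemption: an ACCEPT rule for this source that sits
            # ahead of the SIP_CHECK jump (not shown in the original post).
            verdicts.append("ACCEPT")
            continue
        stamps = recent[src]
        stamps.append(now)  # rule 1: -m recent --set --name SIP
        hits = sum(1 for s in stamps if now - s <= WINDOW_SECONDS)
        if hits >= HITCOUNT:
            # rule 2: --update --seconds 180 --hitcount 5 ... -j DROP
            # A matching --update also records a timestamp, so a source that
            # keeps probing while blocked keeps extending its own block.
            stamps.append(now)
            verdicts.append("DROP")
        else:
            # No match: the packet leaves SIP_CHECK and continues through
            # whatever rules and policy follow in INPUT.
            verdicts.append("PASS")
    return verdicts


def events_from(src, times):
    """Build constructed sample traffic for one source."""
    return [(t, src) for t in times]


# Constructed sample traffic (not captured from any real system).
SCANNER = "203.0.113.7"
PHONE = "198.51.100.20"
NAT_SITE = "192.0.2.50"

BURST = events_from(SCANNER, range(0, 80, 10))            # 8 probes, 10 s apart
PERSISTENT = events_from(SCANNER, [0, 10, 20, 30, 40, 100, 160, 220, 280])
STEADY = events_from(PHONE, range(0, 360, 60))            # one new flow per minute
OFFICE = events_from(NAT_SITE, range(6))                  # 6 phones behind one IP


if __name__ == "__main__":
    scenarios = [
        ("burst", BURST, frozenset()),
        ("persistent", PERSISTENT, frozenset()),
        ("steady", STEADY, frozenset()),
        ("office", OFFICE, frozenset()),
        ("office, trusted", OFFICE, frozenset({NAT_SITE})),
    ]
    for name, events, trusted in scenarios:
        print(f"{name:16s}", " ".join(sip_check(events, trusted)))
```

The "persistent" and "office" cases are the two to look at: a blocked source that slows to one probe a minute stays blocked, and several phones behind one address exhaust the allowance among themselves unless that address is exempted.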
[asterisk-users] MusicOnHold not loaded
Hello,

We're running 2 Asterisk 1.6.2.x systems, one installed from source and one from AsteriskNow.

On the system installed from source, MOH works fine and these are the results we get for the different relevant queries:

Asterisk CLI commands:

    sip*CLI> moh show classes
    Class: default
            Mode: files
            Directory: moh
    sip*CLI> moh show files
    Class: default
            File: /var/lib/asterisk/moh/macroform-cold_day
            File: /var/lib/asterisk/moh/macroform-the_simplicity
            File: /var/lib/asterisk/moh/reno_project-system
            File: /var/lib/asterisk/moh/macroform-robot_dity
            File: /var/lib/asterisk/moh/manolo_camp-morning_coffee
    sip*CLI> module show like music
    Module                 Description               Use Count
    res_musiconhold.so     Music On Hold Resource    0
    1 modules loaded

musiconhold.conf:

    [general]
    [default]
    mode=files
    directory=moh

On the AsteriskNow based system, the files/classes are not loaded, for some reason. These are the results we get:

Asterisk CLI commands:

    pbx*CLI> moh show classes
    pbx*CLI> moh show files
    pbx*CLI> module show like music
    Module                 Description               Use Count
    res_musiconhold.so     Music On Hold Resource    0
    1 modules loaded

musiconhold.conf:

    ;
    ; Music on hold class definitions
    ; This is using the new 1.2 config file format, and will not work with 1.0
    ; based Asterisk systems
    ;
    include musiconhold_custom.conf
    include musiconhold_additional.conf

musiconhold_additional.conf:

    [default]
    mode=files
    directory=/var/lib/asterisk/moh/
    [none]
    mode=files
    directory=/var/lib/asterisk/moh/.nomusic_reserved

When a call is placed on hold on this system, we get this message:

    Music class default requested but no musiconhold loaded

We tried to change the directory line to match the working one (only =moh), but it didn't help despite a moh reload command.

I'm not sure what to do next to solve this issue. Please help.

Thanks,
Michael
[asterisk-users] Why no traction for Windows version?
Hello,

Since Asterisk has been ported to exotic platforms like SOHO routers (Linksys, Buffalo, etc.) and non-MMU CPUs (Blackfin, etc.), I was wondering why the Windows port never really took off.

As far as I can tell, www.asteriskwin32.com is a one-man effort (Patrick Deruel's) that is not going anywhere (latest version based on 1.2.26.2).

Is there just not enough interest and too many deep, Linux-specific assumptions in the code, that would explain why Asterisk was never officially ported to Windows?

Thank you.
Re: [asterisk-users] Why no traction for Windows version?
Hi Gilles,

For me the main question would be first, why would you want to port asterisk to Windows where you would need to pay license fees ?

And asterisk just runs fine on linux why bother ?

Cheers
Soeren

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Gilles
Sent: Tuesday, July 26, 2011 12:52 PM
To: asterisk-users@lists.digium.com
Subject: [asterisk-users] Why no traction for Windows version?

Hello,

Since Asterisk has been ported to exotic platforms like SOHO routers (Linksys, Buffalo, etc.) and non-MMU CPUs (Blackfin, etc.), I was wondering why the Windows port never really took off.

As far as I can tell, www.asteriskwin32.com is a one-man effort (Patrick Deruel's) that is not going anywhere (latest version based on 1.2.26.2).

Are there just not enough interest and too many, deep, Linux-specific assumptions in the code, that would explain why Asterisk was never officially ported to Windows?

Thank you.
Re: [asterisk-users] Securing Asterisk
That is pretty interesting. I am writing a similar tool but using OSSEC to identify the attacks and then share the data between nodes using Memcached and AnyEvent. Both Asterisk and Apache, or any other server that can run OSSEC, will be able to feed into the shared ban database.

--
Thanks, Phil

----- Original Message -----

Why not firewall hack attempts after 3 tries? When we started doing that the quantity of hacking attempts dropped right off. We also setup our own fail2ban sharing server so that we could share the bans across multiple servers. Have a look at http://www.f2bshare.org/index.php?title=Main_Page if you want to do something similar.

Why try to make Asterisk into something it's not intended to be? Just use your firewall for what it's good at.

--
Darren Wiebe

On 7/23/11 11:38 AM, CDR wrote:

I beg to differ. Digium is hiding from the real world and somebody is going to take the software and run with it. My customers lost in excess of $50.000 and cut my pay in half, because of hackers. The hackers figured out how to scan every asterisk for weak passwords or open ports, and bang them real good.

We need two things:
a) disable in sip.conf the reply for INVITES that have wrong user information, and also,
b) disable any response to any REGISTER packet altogether.

Can somebody please write a patch? Or should we go broke trying to stop the flood of criminals coming from abroad?

Federico

On Sat, Jul 23, 2011 at 1:00 PM, asterisk-users-requ...@lists.digium.com wrote:

Send asterisk-users mailing list submissions to
    asterisk-users@lists.digium.com

To subscribe or unsubscribe via the World Wide Web, visit
    http://lists.digium.com/mailman/listinfo/asterisk-users
or, via email, send a message with subject or body 'help' to
    asterisk-users-requ...@lists.digium.com

You can reach the person managing the list at
    asterisk-users-ow...@lists.digium.com

When replying, please edit your Subject line so it is more specific than Re: Contents of asterisk-users digest...

Today's Topics:

1. Re: use dahdi for local terminal modem access? (Lyle Giese)
2. dialplan pattern help (Armand Fumal)
3. Re: Securing Asterisk - How to avoid sending, SIP/2.0 603 Declined (Patrick Lists)
4. Re: Securing Asterisk - How to avoid sending, SIP/2.0 603 Declined (Paul Belanger)

--

Message: 1
Date: Sat, 23 Jul 2011 09:29:26 -0500
From: Lyle Giese l...@lcrcomputer.net
Subject: Re: [asterisk-users] use dahdi for local terminal modem access?
To: asterisk-users@lists.digium.com
Message-ID: 4e2adac6.4010...@lcrcomputer.net
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 07/22/11 22:47, William Stillwell wrote:

Um, no VOIP involved here.

Wrong. What do you think Asterisk is? Chopped meat? It's a VoIP switch. All traffic inside Asterisk is VoIP.

I have an asterisk server with 2 23B+D PRI's

I want to telnet/ssh into the asterisk server, and make an outbound call serial based modem/terminal connection (Like the 80/90's BBS Days). No TCP/IP or PPP or crazyness (ie, dialing into a Modem set to AA hooked to a Cisco Console Port)

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Lyle Giese
Sent: Friday, July 22, 2011 8:07 PM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] use dahdi for local terminal modem access?

On 07/22/11 18:13, William Stillwell wrote:

I have some terminals that have phone lines. One of my tech had an idea of using IAXmodem or something similar to use existing PRI/DAHDI Trucks for dial out via the asterisk/Linux console.

Anybody ever heard of doing this? I would think maybe would use iaxmodem maybe and a shell terminal app? (basically I'm dialing into a remote access device that uses a pots like for remote administration, and don't want to string a channel bank off my asterisk box, and a hook to a modem)

--

Depends on your expectation. Because of compression in the codecs, it will be hard to get fast dialup. If you mean ssh or telnet, it might work. If you mean vnc or RDP over this, you may not get enough usable bandwidth to do that.

Given this, I have in an emergency dialed into a RAS server via a VoIP line. My laptop connected at 14,400bps. All I needed to do was telnet into an APC masterswitch to toggle power on one outlet. It worked. I was surprised at getting a 14,400bps connect. I was not expecting that high and really did not need that high. 300 baud probably would have been fast enough to telnet into an APC masterswitch.

Lyle Giese
LCR Computer Services, Inc.

--
Re: [asterisk-users] Asterisk as a Operator Phone
I am using asterisk as a client not as a server. For client I need features like transfer, call forward, multiple lines as in normal IP phones like Cisco, Polycom.

In asterisk, we have chan_alsa driver that will communicate to the local soundcard. If I installed asterisk in my ubuntu system, and using CLI command I can make calls outside and once call connected I can hear and talk from my headphone.

I am planning to enhance chan_alsa module to get the features same as in SIP client.

Thanks
Nikhil

On 07/26/2011 12:57 AM, Duncan Turnbull wrote:
> Asterisk can run operator phones with no problem, there are multiple phones out there with addon buttons for automating shared line appearances forwards and other functions
>
> For example yealink have the t38 with 6 lines and 16 buttons and the ex 38 with 38 additional programmable buttons to add to that if you need
>
> Are you talking about a phone that is not sip based? I am not sure why you need to use chan_alsa?
>
> Cheers Duncan
>
> Sent from my iPhone please excuse the typos
>
> On 25/07/2011, at 12:30 AM, Nikhil d.nik...@cem-solutions.net wrote:
> > Any reply on this..
> >
> > On 07/22/2011 12:56 PM, Nikhil wrote:
> > > Hi
> > >
> > > Does anyone used asterisk as a operator phone, with multiple lines and features like transfer forward and etc. I used chan_alsa driver to make asterisk as SIP Phone, but it has limitation, we cant make or receive multiple calls, and will not able to do any features like transfer forward etc.
> > >
> > > Is any other application available in asterisk to do this.
> > >
> > > Thanks
> > > Nikhil
Re: [asterisk-users] Why no traction for Windows version?
On Tue, 26 Jul 2011 07:28:27 +, Soeren Malchow (MCon) soeren.malc...@mcon.net wrote:
> And asterisk just runs fine on linux why bother ?

Because I, for one, would like to run Asterisk on my Windows workstation at home as an enhanced answering machine :-)
Re: [asterisk-users] Why no traction for Windows version?
On Tuesday 26 Jul 2011, Gilles wrote:
> Hello,
>
> Since Asterisk has been ported to exotic platforms like SOHO routers (Linksys, Buffalo, etc.) and non-MMU CPUs (Blackfin, etc.), I was wondering why the Windows port never really took off.

A better question would be: Why would anyone even *want* to port Asterisk to Windows? You have to pay for Windows *and* you don't even get the Source Code. And you can't run Windows without the CPU-hogging GUI. Worst of all possible worlds, surely?

If you want to run Asterisk on a Windows PC, it is far easier just to boot up an AsteriskNOW CD.

--
AJS

Answers come *after* questions.
Re: [asterisk-users] Why no traction for Windows version?
On Tue, Jul 26, 2011 at 09:45:35AM +0200, Gilles wrote:
> On Tue, 26 Jul 2011 07:28:27 +, Soeren Malchow (MCon) soeren.malc...@mcon.net wrote:
> > And asterisk just runs fine on linux why bother ?
>
> Because I, for one, would like to run Asterisk on my Windows workstation at home as an enhanced answering machine :-)

Patches are welcomed.

--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.co...@xorcom.com
+972-50-7952406 mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Re: [asterisk-users] Why no traction for Windows version?
On Tuesday 26 Jul 2011, Gilles wrote:
> On Tue, 26 Jul 2011 07:28:27 +, Soeren Malchow (MCon) soeren.malc...@mcon.net wrote:
> > And asterisk just runs fine on linux why bother ?
>
> Because I, for one, would like to run Asterisk on my Windows workstation at home as an enhanced answering machine :-)

And you can't just run Asterisk on a separate Linux box at home as an enhanced answering machine because . ?

--
AJS

Answers come *after* questions.
Re: [asterisk-users] Why no traction for Windows version?
On Tue, 26 Jul 2011 10:59:22 +0300, Tzafrir Cohen tzafrir.co...@xorcom.com wrote:
> Patches are welcomed.

Does someone know the kind of changes that were made by AsteriskWin32, and how hard it'd be to apply them to more recent releases of Asterisk?
Re: [asterisk-users] Why no traction for Windows version?
On Tue, Jul 26, 2011 at 10:45:59AM +0200, Gilles wrote:
> On Tue, 26 Jul 2011 10:59:22 +0300, Tzafrir Cohen tzafrir.co...@xorcom.com wrote:
> > Patches are welcomed.
>
> Does someone know the kind of changes that were made by AsteriskWin32, and how hard it'd be to apply them to more recent releases of Asterisk?

There were some later fixes at around 1.6.0 to try to get the code built on cygwin. I would suggest you to try building it on cygwin and see where things fail. Also grep for CYGWIN or such in the source (especially in Makefile-s).

--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.co...@xorcom.com
+972-50-7952406 mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Re: [asterisk-users] Why no traction for Windows version?
On Tue, 26 Jul 2011 12:07:10 +0300, Tzafrir Cohen tzafrir.co...@xorcom.com wrote:
> There were some later fixes at around 1.6.0 to try to get the code built on cygwin. I would suggest you to try building it on cygwin and see where things fail. Also grep for CYGWIN or such in the source (especially in Makefile-s).

Thanks for the infos.
Re: [asterisk-users] Functions not autoloading
Have filed https://issues.asterisk.org/jira/browse/ASTERISK-18167 as it's always repeatable.

--
Thanks, Phil

----- Original Message -----

Is anybody else seeing this at all ?

--
Thanks, Phil

----- Original Message -----

Just received a call and on checking messages I now see:

    ERROR[14824] pbx.c: Function MASTER_CHANNEL not registered

Grrr, looks like time to go back to 1.8.3 as all the apps and functions exist in /usr/lib/asterisk/modules. How could I help to debug this please ?

--
Thanks, Phil

----- Original Message -----

On 07/21/2011 04:31 AM, --[ UxBoD ]-- wrote:
> Since upgrading to 1.8.5.0 I have had to add into modules.conf:
>
>     load = func_callerid.so
>     load = func_cdr.so
>
> otherwise they do not get loaded even though I have set autoload=yes. Is this something you would expect as it is different behavior to 1.8.3.0 and I do not see any issues in /var/log/asterisk/messages ?

No, this is not expected behavior.
Re: [asterisk-users] Why no traction for Windows version?
...and why do we all mess around with IT stuff and asterisk in special?

Spoiler: because we can...! ;-)

regards,
Ruben

On 26.07.2011 10:16, A J Stiles wrote:
> On Tuesday 26 Jul 2011, Gilles wrote:
> > On Tue, 26 Jul 2011 07:28:27 +, Soeren Malchow (MCon) soeren.malc...@mcon.net wrote:
> > > And asterisk just runs fine on linux why bother ?
> >
> > Because I, for one, would like to run Asterisk on my Windows workstation at home as an enhanced answering machine :-)
>
> And you can't just run Asterisk on a separate Linux box at home as an enhanced answering machine because . ?
Re: [asterisk-users] Why no traction for Windows version?
I think the real answer has mostly to do with the fact that no serious person, in their right mind, would run Windows in a server role in 2011. Not unless their hands are tied by legacy systems or big-corporate IT logic.

Asterisk is firmly intended to run on servers. It's not a desktop app.

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/

On Jul 26, 2011, at 3:45 AM, Gilles codecompl...@free.fr wrote:
> On Tue, 26 Jul 2011 07:28:27 +, Soeren Malchow (MCon) soeren.malc...@mcon.net wrote:
> > And asterisk just runs fine on linux why bother ?
>
> Because I, for one, would like to run Asterisk on my Windows workstation at home as an enhanced answering machine :-)
[asterisk-users] Callback + DISA
Hello,

I am trying to use a Callback system that return the call to some number then give it a dial tone with DISA.

The callback works well and I can hear the dial tone, the problem is that DISA doesn't do anything when I press any extension number of the current context and hangs the call up after few seconds.

If I use callback just to return to the number then call an extension (ex: a sip phone) it works fine, do you know if there is some incompatibility about DISA + Callback?

Obs. I use DTMF signaling. (Brazil)

Regards.
Re: [asterisk-users] MusicOnHold not loaded
On 07/26/2011 02:46 AM, Michael wrote:
> Hello,
>
> We're running 2 Asterisk 1.6.2.x systems, one installed from source and one from AsteriskNow.
>
> On the system installed from source, MOH works fine and these are the results we get for the different relevant queries:

Do you have at least one of the asterisk-sounds-moh RPMs installed?

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kflem...@digium.com | SIP: kpflem...@digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com www.asterisk.org
Re: [asterisk-users] MusicOnHold not loaded
On Tue, Jul 26, 2011 at 3:10 PM, Kevin P. Fleming kpflem...@digium.com wrote:
> Do you have at least one of the asterisk-sounds-moh RPMs installed?

No idea. How/where do I check/find them?
Re: [asterisk-users] MusicOnHold not loaded
On Tue, Jul 26, 2011 at 3:31 PM, Michael voip.quest...@gmail.com wrote:
> On Tue, Jul 26, 2011 at 3:10 PM, Kevin P. Fleming kpflem...@digium.com wrote:
> > Do you have at least one of the asterisk-sounds-moh RPMs installed?
>
> No idea. How/where do I check/find them?

I performed the following:

    [root@pbx ~]# yum install asterisk-sounds-moh-opsound-wav.noarch
    Loaded plugins: fastestmirror, kmod
    Loading mirror speeds from cached hostfile
    ...
    ---> Package asterisk-sounds-moh-opsound-wav.noarch 0:0.0-4_centos5 set to be updated
    --> Finished Dependency Resolution

    Dependencies Resolved

    ===
     Package                          Arch    Version        Repository        Size
    ===
    Installing:
     asterisk-sounds-moh-opsound-wav  noarch  0.0-4_centos5  asterisk-current  15 M

    Transaction Summary
    ===
    Install 1 Package(s)
    Upgrade 0 Package(s)

    Total download size: 15 M
    Is this ok [y/N]: y
    Downloading Packages:
    asterisk-sounds-moh-opsound-wav-0.0-4_centos5.noarch.rpm | 15 MB 00:08
    Running rpm_check_debug
    Running Transaction Test
    Finished Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : asterisk-sounds-moh-opsound-wav 1/1

    Installed:
      asterisk-sounds-moh-opsound-wav.noarch 0:0.0-4_centos5

    Complete!

Then I restarted asterisk, but the moh show classes command still doesn't give any result.
[asterisk-users] NAT yes
Hello everybody,

In a no natted environment if I let nat=yes on sip.conf it would cause something bad or it is irrelevant ?

Anybody know ?

thanks in advance!

Att,
Flavio Roberto Miranda
MSN: flaviormira...@hotmail.com
Skype: flaviormiranda
Re: [asterisk-users] NAT yes
On 07/26/2011 09:19 AM, Flavio Miranda wrote:
> In a no natted environment if I let nat=yes on sip.conf it would cause something bad or it is irrelevant ?
>
> Anybody know ?

There is no harm unless the endpoint you are dealing with does not do symmetric RTP. The nat=yes option assumes that it is okay to send RTP back to the source port from which it originated, irrespectively of what's in the SDP. This will cause one-way audio if the endpoint happens to want to receive RTP on a different port than the one it is sending it from.

Almost all endpoints these days do symmetric RTP, though, so it's not a huge concern. That said, from a methodological and aesthetic perspective, it is better not to break standard RFC-compliant behaviour unnecessarily. Thus, I would not enable nat=yes unless there really is no direct network and transport-layer reachability to the endpoint.

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
Re: [asterisk-users] NAT yes
Thanks Alex Balashov,

I am experiencing some one-way audio, that's the reason of the questions!

Att,
Flavio Roberto Miranda
MSN: flaviormira...@hotmail.com
Skype: flaviormiranda

Date: Tue, 26 Jul 2011 09:23:42 -0400
From: abalas...@evaristesys.com
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] NAT yes

On 07/26/2011 09:19 AM, Flavio Miranda wrote:
> In a no natted environment if I let nat=yes on sip.conf it would cause something bad or it is irrelevant ?
>
> Anybody know ?

There is no harm unless the endpoint you are dealing with does not do symmetric RTP. The nat=yes option assumes that it is okay to send RTP back to the source port from which it originated, irrespectively of what's in the SDP. This will cause one-way audio if the endpoint happens to want to receive RTP on a different port than the one it is sending it from.

Almost all endpoints these days do symmetric RTP, though, so it's not a huge concern. That said, from a methodological and aesthetic perspective, it is better not to break standard RFC-compliant behaviour unnecessarily. Thus, I would not enable nat=yes unless there really is no direct network and transport-layer reachability to the endpoint.

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
Re: [asterisk-users] NAT yes
On 07/26/2011 09:29 AM, Flavio Miranda wrote:
> I am experiencing some one-way audio, that's the reason of the questions!

There are many possible reasons for it, but asymmetric RTP + 'nat=yes' may be one of them.

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
Re: [asterisk-users] NAT yes
Also consider the setting localnet in sip.conf
[asterisk-users] Browser based SIP UA
Hello,

can anyone recommend a browser based SIP client that works well with Asterisk? I need something that requires authentication (based on Asterisk's peer name and pass).

Thanks in advance!
Alex
Re: [asterisk-users] Browser based SIP UA
On 07/26/2011 10:13 AM, Alexandru Oniciuc wrote:
> can anyone recommend a browser based SIP client that works well with Asterisk? I need something that requires authentication (based on Asterisks peer name and pass).

What do you mean browser-based? Any particular preference of technology? Flash? Silverlight? Java applet? Browser extension?

--
Alex Balashov - Principal
Evariste Systems LLC
[asterisk-users] R: Browser based SIP UA
I mean anything not an extension that can run on Linux (Apache/Tomcat).

Thanks,
Alex
[asterisk-users] Securing Asterisk
Only way to cope with hackers would be that Digium comes to its senses and accepts to disable any response to a REGISTER whose username is unknown. I cannot think of a good reason why Digium finds this proposal unacceptable, given the onslaught of hacking that we are seeing in the industry. It may take a single line of code and it would save millions of $$$. Not only because the hackers will never get in, but because we would save a huge CPU impact responding to hundreds of REGISTER attempts per minute. It is a NO brainer. Can please the Powers that Be reconsider and add this option to sip.conf? Please?
Re: [asterisk-users] Securing Asterisk
On 07/26/2011 02:09 PM, CDR wrote:
> Only way to cope with hackers would be that Digium comes to its senses and accepts to disable any response to a REGISTER whose username is unknown. I cannot think of a good reason why Digium finds this proposal unacceptable, given the onslaught of hacking that we are seeing in the industry. It may take a single line of code and it would save millions of $$$. Not only because the hackers will never get in, but because we would save a huge CPU impact responding to hundreds of REGISTER attempts per minute. It is a NO brainer. Can please the Powers that Be reconsider and add this option to sip.conf? Please?

No, because that's absolutely ridiculous. The proper, RFC-compliant behaviour is to return an authentication failure in response to invalid credentials. This mechanism is relied upon for legitimate functionality, such as letting the UAs of intended users know that they are sending incorrect credentials.

As was pointed out before, Asterisk is a mostly application-level construct. Applications usually have some rudimentary means of self-defense such as ACLs, but applications are often conceptually distinct from the most appropriate means of securing them. That's what firewalls, SBCs, intrusion detection systems, etc. are for.

Your position is equivalent to saying that stock SSH should not return authentication errors for invalid passwords. The proper solution to dictionary attacks is to firewall the SSH service, use RSA keys, VPNs, etc., not to tell the maintainers of the OpenSSH project to come to its senses.

--
Alex Balashov - Principal
Evariste Systems LLC
Re: [asterisk-users] Securing Asterisk
Two additional points to the ones Alex already made:

* We *must* behave identically for any REGISTER request, regardless of whether the requested URI represents a 'known' or an 'unknown' address of record (user). If that is not done, then it's easy for an attacker to learn which usernames *are* valid, and focus their dictionary attack efforts on those usernames.

* The processing workload in Asterisk for a REGISTER request is to parse, validate and process it, *not* sending the failure (or 'authentication required') response. Making Asterisk not send the response would *not* cause hackers to stop sending masses of REGISTER requests; once they have *any* reason to suspect that a particular IP address/port combination has a SIP registrar listening on it, they'll attack it.

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kflem...@digium.com | SIP: kpflem...@digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com www.asterisk.org
[asterisk-users] Scheduling destruction of SIP dialog
Hello,

I am receiving the following message all the time, all sip peers, and always finishing with destructing dialog...:

--- (13 headers 0 lines) ---
Sending to 192.168.0.106 : 5060 (no NAT)
Reliably Transmitting (no NAT) to 192.168.0.106:5060:
OPTIONS sip:2036@192.168.0.106:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.0.254:5060;branch=z9hG4bK58b8c6b7;rport
Max-Forwards: 70
From: asterisk sip:asterisk@192.168.0.254;tag=as34ab67bd
To: sip:2036@192.168.0.106:5060
Contact: sip:asterisk@192.168.0.254
Call-ID: 21adef7521218c116309d7784527451c@192.168.0.254
CSeq: 102 OPTIONS
User-Agent: Asterisk PBX 1.6.2.18
Date: Tue, 26 Jul 2011 18:09:32 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces, timer
Content-Length: 0
---

--- Transmitting (no NAT) to 192.168.0.106:5060 ---
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.0.106:5060;branch=z9hG4bK1228024af6;received=192.168.0.106;rport=5060
From: Central2 sip:2036@192.168.0.254;tag=40e337db
To: Central2 sip:2036@192.168.0.254;tag=as11725d36
Call-ID: 393c15291791541a4628830c0db3acd0@192.168.0.106
CSeq: 802 REGISTER
Server: Asterisk PBX 1.6.2.18
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces, timer
Expires: 60
Contact: sip:2036@192.168.0.106:5060;expires=60
Date: Tue, 26 Jul 2011 18:09:32 GMT
Content-Length: 0

Scheduling destruction of SIP dialog '393c15291791541a4628830c0db3acd0@192.168.0.106' in 32000 ms (Method: REGISTER)

--- SIP read from UDP:192.168.0.106:5060 ---
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.0.254:5060;rport=5060;received=192.168.0.254;branch=z9hG4bK58b8c6b7
From: asterisk sip:asterisk@192.168.0.254;tag=as34ab67bd
To: sip:2036@192.168.0.106:5060;tag=0c6ccbbd
Call-ID: 21adef7521218c116309d7784527451c@192.168.0.254
Contact: sip:2036@192.168.0.106:5060
CSeq: 102 OPTIONS
Allow: INVITE,CANCEL,ACK,BYE,NOTIFY,REFER,OPTIONS
Content-Length: 0

Anybody know what's wrong here?

Thanks!

Att,
Flavio Roberto Miranda
MSN: flaviormira...@hotmail.com
Skype: flaviormiranda
Re: [asterisk-users] Scheduling destruction of SIP dialog
What makes you think something is wrong? Nothing is wrong here, this is perfectly normal.

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Re: [asterisk-users] Securing Asterisk
I would have to err on the side of CDR to say that the only difference in analogy you provided (SSH vs Asterisk) is that people lose much more in VoIP than they ever did in SSH hacking. So, if this is an exceptional case, bending a rule or two of RFC in favor of security won't harm, especially if it's provided as an option. After all, RFC does stand for Referral For Comment as in always open to be improved.

Secondly, there is no trade off with the responses as local and private IP networks are well known from the public range so the option for such a security measure can be tuned to be smart to that end.

The only thing I like about MS OSs is that it's secure out of box and that is really what a Linux OS should be as well but it's not and so it's not solely Digium's issue and I see your point giving the analogy.

I think it's a good idea if such a security option is provided by default in Asterisk knowing it can save a lot of headache. If budget is an issue maybe make it a bounty and watch support pouring in...

- Bruce
Re: [asterisk-users] Securing Asterisk
On 07/26/2011 02:33 PM, Bruce B wrote:
> I would have to err on the side of CDR to say that the only difference in analogy you provided (SSH vs Asterisk) is that people lose much more in VoIP than they ever did in SSH hacking. So, if this is an exceptional case, bending a rule or two of RFC in favor of security won't harm, especially if it's provided as an option.

Again: _Applications are often conceptually distinct from the most appropriate means of securing them._

Moreover, as Kevin Fleming pointed out, refraining from responding to invalid credentials while continuing to respond to valid ones simply shifts the presentation of the information, from the point of view of the scanner. It doesn't accomplish your goal at all.

> After all, RFC does stand for Referral For Comment as in always open to be improved.

Adopted ones are standards to be followed. You're right, though; the IETF SIP working group welcomes incremental improvements; submit yours and see what they think. If you get your draft adopted, I am sure Digium would be more than happy to implement it in chan_sip.

> I think it's a good idea if such a security option is provided by default in Asterisk knowing it can save a lot of headache. If budget is an issue maybe make it a bounty and watch support pouring in...

The issue is not lack of resources, but rather that it's conceptually incorrect behaviour, and that the UAS is the wrong place to solve this problem.

The best advice that has been given in relation to this topic so far came from Lee Howard earlier today:

http://lists.digium.com/pipermail/asterisk-users/2011-July/265012.html

--
Alex Balashov - Principal
Evariste Systems LLC
Re: [asterisk-users] Securing Asterisk
Hello all,

Just out of curiosity, why are you not using something like fail2ban? It tends to work flawlessly against brute force attacks. It works well on invalid registrations / invites / etc. You can go pretty much fanatic with that tool (ban IP addr for a week if they fail to register more than 6 times).

What you are proposing is not hard to achieve, but it won't introduce any improvement in the security of any protocol supported by Asterisk.

Regards,
Stefan Lekov
Re: [asterisk-users] file2ban
I want to add an entry to a database every time a brute force registration attempt is done. From this database we are updating Cisco routers with our ban list so our entire network is protected. The database side of things is working and has been for some time. I really would like to add the fail2ban side of it to protect our Asterisk system better. How would I best go about doing this using fail2ban with Asterisk? Any feedback is appreciated.

Thanks
zktech
Re: [asterisk-users] file2ban
On 07/26/2011 09:21 PM, Bryant Zimmerman wrote:
> I want to add an entry to a database every time a brute force registration attempt is done. from this database we are updating cisco routers with our ban list so our entire network is protected. The database side of things is working and has been for some time. I really would like to add the file2ban side of it to protect our asterisk system better. How would I best go about doing this using file2ban with asterisk? Any feed back is appreciated.

Try: http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk

Regards,
Patrick
Re: [asterisk-users] file2ban
Hello,

That is relatively easy :) fail2ban is actually executing a command. Check out the action configs that are stored in your fail2ban directory. E.g.:

    ls -1 /etc/fail2ban/action.d/

You can write your own script (bash/php/perl/C/you name it) that inputs the information in the DB or attempt to use something like:

    echo "INSERT INTO ban_addresses VALUES ('ip');" | mysql -u someuser -p'somepass'

However I am not sure if this solution will work under fail2ban (forwarding output to another app via pipe).

Regards,
Stefan Lekov
Re: [asterisk-users] file2ban
> -----Original Message-----
> From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Bryant Zimmerman
> Sent: Tuesday, July 26, 2011 3:22 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] file2ban
>
> I want to add an entry to a database every time a brute force registration attempt is done. from this database we are updating cisco routers with our ban list so our entire network is protected. The database side of things is working and has been for some time. I really would like to add the file2ban side of it to protect our asterisk system better.

Look at the /etc/fail2ban/action.d/

Actions in the default config run an iptables command to insert the ban into IPTables, but you can have it run most any command.
Re: [asterisk-users] Securing Asterisk
On Tue, 26 Jul 2011, Bruce B wrote:
> After-all, RFC does stand for Referral For Comment as in always open to be improved.

Actually, it stands for 'Request' and I don't think Digium or the Asterisk mailing lists made the request :)

Maybe the proper path is for you to submit a comment to the responsible parties and see if you can get any traction there. Failing that, if your unfunded requests for this feature fall on deaf ears on the mailing list, maybe a bounty would help.

I don't think having each application (Asterisk, SSH, Apache, MySQL, etc.) handle security in an incompatible way is going to advance the state of security.

As long as the application can be configured to log what you consider a security event, you have the ability to implement whichever security policies make sense to you.

Why do you find the 'fail2ban' and 'iptables' suggestions insufficient?

--
Thanks in advance,
- Steve Edwards sedwa...@sedwards.com
Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
Re: [asterisk-users] Securing Asterisk
> Can please the Powers that Be reconsider and add this option to sip.conf?

What Powers that Be? This is open-source software! If you need an option in sip.conf, just add it!
Re: [asterisk-users] Securing Asterisk
On 07/26/2011 03:51 PM, Richard Kenner wrote:
>> Can please the Powers that Be reconsider and add this option to sip.conf?
>
> What Powers that Be? This is open-source software! If you need an option in sip.conf, just add it!

Or don't. Just because it's open source doesn't mean you should put dumb stuff in there that doesn't belong.

--
Alex Balashov - Principal
Evariste Systems LLC
Re: [asterisk-users] Securing Asterisk
On 11-07-26 02:33 PM, Bruce B wrote:
> I would have to err on the side of CDR to say that the only difference in analogy you provided (SSH vs Asterisk) is that people lose much more in VoIP than they ever did in SSH hacking. So, if this is an exceptional case, bending a rule or two of RFC in favor of security won't harm, especially if it's provided as an option. After all, RFC does stand for Referral For Comment as in always open to be improved.
>
> Secondly, there is no trade off with the responses as local and private IP networks are well known from the public range so the option for such a security measure can be tuned to be smart to that end.
>
> The only thing I like about MS OSs is that it's secure out of box and that is really what a Linux OS should be as well but it's not and so it's not solely Digium's issue and I see your point giving the analogy.
>
> I think it's a good idea if such a security option is provided by default in Asterisk knowing it can save a lot of headache. If budget is an issue maybe make it a bounty and watch support pouring in...

ProTip: Nothing is 'secure out of box' and believing this marketing tag-line only provides a false sense of security. Even if the community does as you ask, it would not guarantee security. Good security requires upkeep and maintenance.

As an example, what version of Asterisk are you running on your production sites?

--
Paul Belanger
Digium, Inc. | Software Developer
twitter: pabelanger | IRC: pabelanger (Freenode)
Check us out at: http://digium.com http://asterisk.org
Re: [asterisk-users] file2ban
If you are using OSSEC here are some rules:

    <rule id="1" level="5">
      <decoded_as>local-asterisk-denied</decoded_as>
      <description>Asterisk Potentially Under Attack</description>
    </rule>
    <rule id="10001" level="8" frequency="5" timeframe="10">
      <if_matched_sid>1</if_matched_sid>
      <same_source_ip />
      <description>Asterisk Under Brute Force Attack</description>
    </rule>

and for the local_decoder:

    <decoder name="local-asterisk-denied">
      <prematch>NOTICE[\d+] \S+: Registration from </prematch>
      <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
      <order>srcip</order>
    </decoder>

OSSEC can then use Active Response to block the IP using IPtables.

--
Thanks,
Phil

----- Original Message -----

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Bryant Zimmerman
Sent: Tuesday, July 26, 2011 3:22 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] file2ban

I want to add an entry to a database every time a brute force registration attempt is done. From this database we are updating Cisco routers with our ban list so our entire network is protected. The database side of things is working and has been for some time. I really would like to add the fail2ban side of it to protect our Asterisk system better.

Look at the /etc/fail2ban/action.d/ Actions in the default config run an iptables command to insert the ban into IPTables, but you can have it run most any command.
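The decoder and frequency rule from the message above, re-expressed in Python and run over constructed log lines; this is an added example, not part of the original post and not OSSEC's own code. The function names, the log timestamp format, the reading of the rule as "5 failures from one source within 10 seconds" and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Python translation of the posted decoder (assumption: OSSEC's literal "[" and
# "." are written "\[" and "\." here). Not OSSEC's own matching engine.
PREMATCH = re.compile(r"NOTICE\[\d+\] \S+: Registration from ")
AFTER = re.compile(r"\S+ failed for '(\d+\.\d+\.\d+\.\d+)'")
STAMP = re.compile(r"\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]")  # assumed dateformat

def decode(line):
    """Return (timestamp, srcip) for a failed registration, else None."""
    stamp, pre = STAMP.match(line), PREMATCH.search(line)
    if not stamp or not pre:
        return None
    hit = AFTER.match(line, pre.end())  # anchored at the prematch offset, like "^"
    if not hit:
        return None
    return datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S"), hit.group(1)

def brute_force_sources(lines, threshold=5, window=10):
    """Source IPs with at least `threshold` failures inside `window` seconds."""
    recent, flagged = defaultdict(deque), []
    for line in lines:
        event = decode(line)
        if event is None:
            continue
        when, ip = event
        seen = recent[ip]
        seen.append(when)
        while (when - seen[0]).total_seconds() > window:
            seen.popleft()  # forget failures older than the window
        if len(seen) >= threshold and ip not in flagged:
            flagged.append(ip)
    return flagged

def sample_line(sec, ip, sender="<sip:100@192.0.2.10>"):
    """Build one constructed Asterisk NOTICE line (documentation addresses)."""
    return ("[2011-07-26 15:10:%02d] NOTICE[2101] chan_sip.c: Registration "
            "from '%s' failed for '%s' - Wrong password" % (sec, sender, ip))

SAMPLE = sorted(
    [sample_line(s, "203.0.113.7") for s in range(1, 6)]          # 5 in 4 s
    + [sample_line(s, "198.51.100.9") for s in (0, 20, 40, 59)]   # slow source
    # A display name with a space defeats the single \S+ token, so these six
    # failures are not decoded at all by this translation.
    + [sample_line(s, "192.0.2.77", '"100" <sip:100@192.0.2.10>')
       for s in range(30, 36)]
)
```

Calling brute_force_sources(SAMPLE) flags only the fast source; before relying on a decoder like this, it is worth replaying real log lines through it to confirm that every failure format your Asterisk version writes is actually decoded.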
Re: [asterisk-users] Securing Asterisk
On Jul 26, 2011, at 2:33 PM, Bruce B bruceb...@gmail.com wrote:
> people lose much more in VoIP than they ever did in SSH hacking.

Um, what?
[asterisk-users] libpri rpm version 1.4.12 for CentOS 5.6
Hi,

Is libpri rpm version 1.4.12 for CentOS 5.6 made available?

    [root@ ~]# rpm -qa | grep libpri
    libpri-1.4.11.5-1_centos5
    [root@ ~]# cat /etc/redhat-release
    CentOS release 5.6 (Final)
    [root@ ~]#
    [root@ ~]# yum list updates | grep libpri
    [root@ ~]#

Please suggest/guide further.

Regards,
Kaushal