Re: [asterisk-users] Avaya 9608G and DHCP and TFTP and HTTP oh my
On Thu, Mar 01, 2018 at 02:46:31PM +, Thomas Peters wrote:
> Right-- I've seen the Avaya document you cite below. It says "To
> administer DHCP option 242, make a copy of an existing option 176" but
> I don't have any example of option 176 or 242 to copy, and don't know
> what to do to /etc/dhcpd.conf to make it offer option 242.
>
> Then there's this long table of parameters to use with (presumably)
> option 242.
>
> I was hoping someone had a working minimal example of a dhcp option
> 242 config I could copy and modify.

Example for our old IP Office (192.168.250.1) setup:

    option option-242 code 242 = string;
    subnet 10.0.0.0 netmask 255.255.0.0 {
        #option option-242 "L2Q=1,L2QVLAN=4";
        #option option-242 "HTTPSRVR=10.1.2.3/files";
        option option-242 "MCIPADD=192.168.250.1,MCPORT=1719,HTTPSRVR=192.168.250.1";
    }

My guess is you only need HTTPSRVR=hostname/path

This should point to a dir where a 46xxsettings.txt exists. Must contain something like:

    SET SIPPROXYSRVR 172.16.0.2
    SET SIPPORT 5060
    SET SIPDOMAIN 172.16.0.2
    SET SIPREGISTRAR 172.16.0.2
    SET SIP_CONTROLLER_LIST 172.16.0.2:5060;transport=tcp
    SET ENABLE_AVAYA_ENVIRONMENT 0
    SET CONFIG_SERVER_SECURE_MODE 0
    SET SIPSIGNAL 0
    SET REGISTERWAIT 900
    SET CLDISPCONTENT 0
    SET DISPLAY_NAME_NUMBER 3
    SET DIALPLAN 2xx|0[1-7]|08[458]xxx
    SET PHNNUMOFSA 2
    SET GMTOFFSET 1:00
    SET DSTOFFSET 1
    SET DSTSTART LSunMar2L
    SET DSTSTOP LSunOct2L
    SET BRANDING_VOLUME 1
    SET AGCHAND 0
    SET AGCHEAD 0
    SET AGCSPKR 0
    SET DATETIMEFORMAT 2
    SET TIMEFORMAT 1
    SET SNTPSRVR 109.235.32.103,109.235.32.119
    SET ENTRYNAME 0
    SET PHNOL

> They only have minimal function? No speed dials, BLFs, etc?

Not as far as I know. I configured this in 2013 and at that time only call/transfer and conference worked.

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Blacklist failed attempts
Hi

You could do something like this in Perl:

    #!/usr/bin/perl -w
    use strict;
    use warnings;

    my (@failhost);
    my %currblocked;
    my %addblocked;
    my $action;

    open (MYINPUTFILE, "/var/log/asterisk/messages") or die "\n", $!, "Does log file file exist\?\n\n";

    # Collect the source address of every failed registration in the log
    while (<MYINPUTFILE>) {
        my ($line) = $_;
        chomp($line);
        if ($line =~ m/\' failed for \'(.*?):\d+\' - No matching peer found/) {
            push(@failhost,$1);
        }
        if ($line =~ m/\' failed for \'(.*?):\d+\' - Wrong password/) {
            push(@failhost,$1);
        }
    }
    close(MYINPUTFILE);

    # Addresses already present in the "asterisk" iptables chain
    my $blockedhosts = `/sbin/iptables -n -L asterisk`;
    while ($blockedhosts =~ /(.*)/g) {
        my ($line2) = $1;
        chomp($line2);
        if ($line2 =~ m/(\d+\.\d+\.\d+\.\d+)(\s+)/) {
            $currblocked{ $1 } = 'blocked';
        }
    }

    if (@failhost) {
        count_unique(@failhost);
        while (my ($ip, $count) = each(%addblocked)) {
            # The address is taken from log text: accept only a dotted quad
            next unless $ip =~ m/^\d+\.\d+\.\d+\.\d+$/;
            if (exists $currblocked{ $ip }) {
            } else {
                # List form of system() keeps the address away from the shell
                $action = system('/sbin/iptables', '-I', 'asterisk', '-s', $ip, '-j', 'REJECT');
                print "$ip blocked. $count attempts.\n";
            }
        }
    } else {
        #print "no failed registrations.\n";
    }

    # Count failures per address into %addblocked
    sub count_unique {
        my @array = @_;
        my %count;
        map { $count{$_}++ } @array;
        map {($addblocked{ $_ } = ${count{$_}})} sort keys(%count);
    }

Mind, this would NOT block attempts via IPv6. So I have stopped using that script, also reading the file over and over again is not very performant.

I have not opted to using my MikroTik Firewall to block failed attempts, similar rules can also be made with iptables:

In the Mangle Ruleset:

    1;;; SIP Check Unauth
      chain=forward action=add-dst-to-address-list protocol=udp src-address-list=SIP-Servers address-list=sip-auth-fail address-list-timeout=10m out-interface=IMP-PPPOE src-port=5060 content=SIP/2.0 401 Unauthorized log=no log-prefix=""

    2;;; tcp sip check auth fail
      chain=forward action=add-dst-to-address-list protocol=tcp src-address-list=SIP-Servers address-list=sip-auth-fail address-list-timeout=10m out-interface=IMP-PPPOE src-port=5060 content=SIP/2.0 401 Unauthorized log=no log-prefix=""

And then you just block all source addresses from sip-auth-fail in your forwarding table.

This works for IPv6 and IPv4. (Also yes, depending on the speed of your link, this also could be resource intensive on your firewall, as it does full packet inspection.)

Kind regards

-Benoît Panizzon-
--
I m p r o W a r e   A G - Head of Commerce Customers
Zurlindenstrasse 29   Tel +41 61 826 93 00
CH-4133 Pratteln      Fax +41 61 826 93 01
Switzerland           Web http://www.imp.ch
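The policy asked about in this thread (more than 3 failures in 5 minutes, ban for an hour) applied to log lines of the kind the Perl script above matches, as an added example that is not part of any poster's message. It accepts IPv4 and IPv6 peers and anchors the match at the end of the line, so text inside the From header cannot choose which address is banned; the log layout, the sample lines and all function names are assumptions constructed for illustration, and the code only reports ban decisions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# End-anchored: the address comes from the tail Asterisk writes, not the From header.
FAIL_RE = re.compile(r"^\[(?P<ts>[\d\- :]{19})\] .*failed for '(?P<peer>[^']+)' - "
                     r"(?:Wrong password|No matching peer found)$")
MAX_FAILURES, WINDOW, BAN_TIME = 3, timedelta(minutes=5), timedelta(hours=1)  # thread's policy

def parse_failure(line):
    """Return (timestamp, ip) for a failed registration line, else None."""
    m = FAIL_RE.match(line.rstrip("\n"))
    if not m:
        return None
    host = m["peer"].rsplit(":", 1)[0].strip("[]")   # drop :port and IPv6 brackets
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        return ts, ipaddress.ip_address(host)        # IPv4 or IPv6, nothing else
    except ValueError:
        return None

def find_bans(lines):
    """Map each offending address to the time its ban expires."""
    recent, bans = defaultdict(deque), {}
    for ts, ip in filter(None, map(parse_failure, lines)):
        if ip in bans and ts < bans[ip]:
            continue                                 # still banned
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:                    # forget failures outside the window
            q.popleft()
        if len(q) > MAX_FAILURES:
            bans[ip] = ts + BAN_TIME
            q.clear()
    return bans

def sample_log():
    """Constructed lines (not real traffic) in the assumed chan_sip layout."""
    fmt = ("[2018-03-01 14:0{}:00] NOTICE[1234] chan_sip.c: Registration from "
           "'<sip:{}@pbx.example>' failed for '{}' - Wrong password")
    rows = [(m, "100", "198.51.100.7:5060") for m in range(4)]
    rows += [(m, "200", "[2001:db8::7]:5060") for m in range(4)]
    rows += [(m, "300", "203.0.113.9:5060") for m in (0, 9)]   # too slow to ban
    rows += [(m, "x' failed for '192.0.2.1:5060' - Wrong password",
              "203.0.113.50:5060") for m in range(4)]   # From header imitating a failure line
    return sorted(fmt.format(*r) for r in rows)

if __name__ == "__main__":
    print({str(ip): str(t) for ip, t in find_bans(sample_log()).items()})
```

fail2ban, recommended elsewhere in this thread, implements the same counting through its maxretry, findtime and bantime settings.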
Re: [asterisk-users] Avaya 9608G and DHCP and TFTP and HTTP oh my
Right-- I've seen the Avaya document you cite below. It says "To administer DHCP option 242, make a copy of an existing option 176" but I don't have any example of option 176 or 242 to copy, and don't know what to do to /etc/dhcpd.conf to make it offer option 242.

Then there's this long table of parameters to use with (presumably) option 242.

I was hoping someone had a working minimal example of a dhcp option 242 config I could copy and modify.

They only have minimal function? No speed dials, BLFs, etc?

-Original Message-
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Daniel Tryba
Sent: Thursday, March 01, 2018 3:42 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Avaya 9608G and DHCP and TFTP and HTTP oh my

On Wed, Feb 28, 2018 at 08:48:38PM +, Thomas Peters wrote:
> I'd like to start configuring my Avaya 9608G phones for use on
> Asterisk / FreePBX / PBX-In-a-Flash. I'm using a variety of other
> phones on my system without major issues.
>
> I've read the discussion back in March, May and August of 2016, but
> unfortunately, my difficulty is much more basic. I think it has to do
> with DHCP, specifically, what options I'm offering the phone via DHCP.

So you might want to start without configurations from DHCP. Enter the file/http server in the phone manually and point it to a http server containing the needed firmware files and a correct 46xxsettings.txt for your asterisk.

Avaya uses other dhcp options for these phones (242):
https://downloads.avaya.com/elmodocs2/one-X_Deskphone_Edition/R1.5/output/16_300698_4/admn054.html

BTW these phones are a terrible waste when used with Asterisk. They only provided minimal functionality (calls and transfer).
Re: [asterisk-users] Blacklist failed attempts
On Thursday 01 March 2018 at 14:02:37, Atux Atux wrote:

> Hi. I would like to protect my system from failed attempts. I would like to
> ask if there is a way to do a blacklist for certain amount of time
> consecutive attempts from the same IP.

fail2ban

> For example if we have an IP that gets a wrong passwd and it had tried more
> than 3 times the last 5 minutes, blacklist it for an hour.

Good plan.

> I have tried to implement it through fail2ban,

What have you tried? Show us the configuration.

> but it does not seem to work for my asterisk implementation.

Which version of Asterisk are you using and how have you set up fail2ban?

> Is there any other way?

There may be other ways, but fail2ban really is the right tool for this job.

Antony.

--
I conclude that there are two ways of constructing a software design: One way is to make it so simple that there are _obviously_ no deficiencies, and the other way is to make it so complicated that there are no _obvious_ deficiencies.

 - C A R Hoare

Please reply to the list; please *don't* CC me.
[asterisk-users] Blacklist failed attempts
Hi. I would like to protect my system from failed attempts. I would like to ask if there is a way to do a blacklist for certain amount of time consecutive attempts from the same IP.

For example if we have an IP that gets a wrong passwd and it had tried more than 3 times the last 5 minutes, blacklist it for an hour.

I have tried to implement it through fail2ban, but it does not seem to work for my asterisk implementation.

Is there any other way?
Re: [asterisk-users] Avaya 9608G and DHCP and TFTP and HTTP oh my
On Wed, Feb 28, 2018 at 08:48:38PM +, Thomas Peters wrote:
> I'd like to start configuring my Avaya 9608G phones for use on
> Asterisk / FreePBX / PBX-In-a-Flash. I'm using a variety of other
> phones on my system without major issues.
>
> I've read the discussion back in March, May and August of 2016, but
> unfortunately, my difficulty is much more basic. I think it has to do
> with DHCP, specifically, what options I'm offering the phone via DHCP.

So you might want to start without configurations from DHCP. Enter the file/http server in the phone manually and point it to a http server containing the needed firmware files and a correct 46xxsettings.txt for your asterisk.

Avaya uses other dhcp options for these phones (242):
https://downloads.avaya.com/elmodocs2/one-X_Deskphone_Edition/R1.5/output/16_300698_4/admn054.html

BTW these phones are a terrible waste when used with Asterisk. They only provided minimal functionality (calls and transfer).