00:06.04 | *** join/#asterisk MLC (~MLC@rrcs-98-6-21-229.sw.biz.rr.com) |
00:13.43 | life_of_e | Is Kamailio in front of Asterisk a useful thing for a very small phone system (just a few endpoints, one or two calls at a time) or is it really meant for larger systems like at a large business? |
00:18.29 | *** join/#asterisk cemotyz09 (~cemotyz09@cpe-70-121-128-59.satx.res.rr.com) |
00:24.44 | sibiria | in my opinion there's no real point to having a SIP proxy in front of a single asterisk system |
00:25.01 | sibiria | Samot may offer a scenario where it would be useful |
00:53.03 | *** join/#asterisk [TK]D-Fender (~joe@64.235.216.2) |
01:02.18 | *** join/#asterisk cemotyz09 (~cemotyz09@cpe-70-121-128-59.satx.res.rr.com) |
01:03.20 | *** join/#asterisk cemotyz09 (~cemotyz09@cpe-70-121-128-59.satx.res.rr.com) |
01:06.23 | *** join/#asterisk Pegasus_RPG (~Thunderbi@71-222-100-80.lsv2.qwest.net) |
01:22.33 | Pegasus_RPG | Hello. I have an * set up for federated voip and of course it's getting abused. 'sip show channels' shows tons of them from one IP address with a few appearing to be active outbound calls, from the g722 codec I'm seeing on those. |
01:22.56 | Pegasus_RPG | Is there a best-practices guide to federated voip security? I'd rather not disable the feature. |
01:26.58 | Samot | Disable what feature? |
01:27.17 | Pegasus_RPG | Federated voip |
01:27.29 | Samot | That's not a feature. |
01:27.33 | Pegasus_RPG | I.e. calling my users by e-mail address |
01:27.43 | Pegasus_RPG | without using the PSTN |
01:27.57 | Samot | That's standard SIP. |
01:28.17 | Samot | When you say email address are you just referring to a format? |
01:28.21 | Pegasus_RPG | Yes, I know, I meant "feature" in the abstract sense. |
01:28.30 | Samot | Or are you using actual NAPTR to convert it? |
01:29.43 | Pegasus_RPG | I'm using NAPTR |
01:30.10 | Samot | OK so you're using their email to lookup a SIP URI... |
01:30.39 | Samot | Asterisk doesn't care about emails. So by the time Asterisk has the call it's a SIP URI. |
01:30.45 | Pegasus_RPG | Of course |
01:31.06 | Samot | So how have you secured your Asterisk box thus far? |
01:31.13 | [TK]D-Fender | appearing to be active outbound calls <- look at your actual channel list |
01:31.17 | [TK]D-Fender | not driver channel |
01:31.24 | [TK]D-Fender | because that holds misc comms. |
01:31.43 | [TK]D-Fender | not exclusively actual calls that were accepted and processing |
01:33.16 | Pegasus_RPG | ah okay |
01:33.25 | Samot | What security do you have in place now? |
01:33.47 | Samot | Because "Federated VoIP" is no different than "Regular VoIP" when it comes to securing Asterisk overall. |
01:34.03 | Samot | There may be some tweaks for some of the extra services but INVITEs are INVITEs. |
01:34.11 | [TK]D-Fender | There is no Federation. The Klingons destroyed it ages ago... |
01:35.15 | Pegasus_RPG | Not much unfortunately. A firewall, fail2ban running on the * box, and non-numeric extensions. |
01:35.18 | [TK]D-Fender | "Random attackers" sending you calls is going to "just happen". Legit people don't magically come up with the idea of guessing you have a SIP server and can address calls to you .. let alone pass you calls targeting #'s that should go "out" |
01:35.39 | Samot | Do you have Asterisk setup to accept calls from any source? |
01:35.39 | [TK]D-Fender | You should be looking for the SIP debug of these... |
01:35.52 | Samot | Or are you limiting calls to known sources? |
01:35.58 | [TK]D-Fender | <Samot> Do you have Asterisk setup to accept calls from any source? <- because this is what I'm pretty much sure is the case |
01:36.32 | Pegasus_RPG | yes, allowguest=yes |
01:36.39 | [TK]D-Fender | = fail |
01:36.40 | Samot | Well that's problem #1. |
01:36.48 | Pegasus_RPG | Isn't that required for direct SIP comms? |
01:36.53 | [TK]D-Fender | that = no fail2ban |
01:37.08 | [TK]D-Fender | what does "direct" mean? |
01:37.21 | [TK]D-Fender | You use a lot of dubious terms.... |
01:37.27 | Samot | No.. |
01:37.33 | Samot | This is a 15 year ago setup |
01:37.42 | Pegasus_RPG | Allowing someone with a SIP phone and nothing else to be able to call me using my email address. |
01:37.50 | Samot | That a subset of SIP people insist is the way to go |
01:38.04 | [TK]D-Fender | never call it an "e-mail address" |
01:38.06 | [TK]D-Fender | it isn't |
01:38.18 | Pegasus_RPG | I know, it's a SIP URI |
01:38.25 | [TK]D-Fender | Are you expecting calls specifically from these people? |
01:38.31 | Samot | Wait. |
01:38.44 | Samot | Pegasus_RPG: What format are they using to call you? |
01:39.01 | Pegasus_RPG | sip:me@example.com |
01:39.05 | [TK]D-Fender | If you allow ANY random person to call you then there is no fail2ban pretty much |
01:39.18 | Samot | OK so yeah, that's what I asked earlier.. |
01:39.46 | Samot | This whole ENUM, "Federation VoIP" stuff failed 15+ years ago. |
01:39.51 | [TK]D-Fender | unless you accept all calls with a catch-all that manually logs it as a failure if they ask for a # you didn't specifically match otherwise |
01:40.02 | Samot | This is just some die hard group that wants SIP a certain way.. |
01:40.53 | Pegasus_RPG | ideology aside, though it's not currently required in my setup, I want to offer people the ability to call me with nothing more than my E-mail address |
01:41.07 | Samot | It's not an email address. |
01:41.09 | Pegasus_RPG | Are you saying that's not really realistic or am i just doing it wrong? |
01:41.13 | Samot | Please stop calling it that. |
01:41.34 | Pegasus_RPG | okay okay |
01:41.44 | Samot | Because with ENUM and NAPTR you actually can convert me@email.com to sip:me@email.com:5060 |
01:41.57 | [TK]D-Fender | I've already answered that |
01:42.05 | [TK]D-Fender | <[TK]D-Fender> unless you accept all calls with a catch-all that manually logs it as a failure if they ask for a # you didn't specifically match otherwise |
01:42.10 | Samot | It's not realistic. |
01:42.18 | [TK]D-Fender | And then you'll ban people who "typo" a name |
01:43.06 | Samot | Federation VoIP is the SIP version of HAM Radio basically. |
01:44.19 | Pegasus_RPG | I don't know much about HAM radio, but I'm thinking of it as essentially p2p calling instead of having to use the PSTN |
01:44.35 | Pegasus_RPG | or other central control service a la Skype or what have you |
01:44.40 | Samot | Right so both sides need the ability to do that |
01:44.44 | Samot | The average person does not. |
01:44.55 | [TK]D-Fender | You've got your answer. Get ready to start logging all of this yourself and running your own firewall |
01:44.56 | Samot | The average VoIP user isn't doing SIP URI dialing. |
01:45.02 | Samot | They are dialing phone numbers. |
01:45.32 | Pegasus_RPG | [TK]D-Fender: yes, thank you. I am now just trying to correct my understanding |
01:45.39 | Samot | People doing direct SIP URI dialing or P2P calling is akin to HAM Radio because all parties have to be setup for it. |
01:46.06 | [TK]D-Fender | If you want to let the world throw calls at you then the whole world can ... including people you don't want. |
01:46.20 | Samot | They either need a direct route/connection or in this case an ENUM system to do the lookup and routing conversion. |
01:46.27 | [TK]D-Fender | Can't call it a "fail" and thus "ban" it ... if nothing qualifies as a "fail". |
01:46.41 | Samot | This is basically iptables. |
01:46.58 | Pegasus_RPG | [TK]D-Fender: of course. The problem I'm currently having is essentially resource starvation. It looks like people are somehow getting calls out, though I'll check 'core show channels' the next time it happens |
01:47.03 | Samot | You're going to have to setup rate limiting and drop traffic that doesn't fit criteria. |
01:47.16 | [TK]D-Fender | are they? You haven't shown anything that proves they got "out" |
01:47.17 | Samot | Because you have allowguests=yes |
01:47.28 | Samot | You have no method of authing your callers I'm guessing.. |
01:47.39 | [TK]D-Fender | "allowguests" should still never ALLOW them to go "out" |
01:47.49 | Pegasus_RPG | I do have a script that checks inbound requests for matches in the voicemail table |
01:47.58 | [TK]D-Fender | even if the SIP call is not rejected on auth terms they should not succeed in going "out" |
01:48.01 | Samot | No but I'm sure the rest of the setup is lacking any validation checks. |
01:48.14 | [TK]D-Fender | if you set your system up sanely at all that is |
01:48.48 | [TK]D-Fender | You wouldn't have done something so suicidal as pointing the [general] context to somewhere USEFUL would you? |
01:49.33 | Pegasus_RPG | No, just to a context that validates the request |
01:50.06 | Pegasus_RPG | calling Congestion() if there's no match |
01:51.09 | Pegasus_RPG | http://paste.debian.net/hidden/5e4eb975/ if you're interested |
01:51.30 | *** join/#asterisk cemotyz09 (~cemotyz09@cpe-70-121-128-59.satx.res.rr.com) |
01:51.30 | [TK]D-Fender | Then show us that they actually made it "out" like You worded it. |
01:52.07 | Pegasus_RPG | yes, I'm waiting for them to try again. I had blocked the offending IP at the firewall before I jumped in here. Lifted it a few minutes ago |
01:52.09 | [TK]D-Fender | Or amend your previous description. |
01:52.26 | [TK]D-Fender | You should have logging of basic CLI execution which would prove it |
01:52.41 | [TK]D-Fender | and CDR which could also be used to do those searches for the full log |
01:53.59 | Pegasus_RPG | oops forgot to apply. Wow that didn't take long. |
01:54.02 | Pegasus_RPG | 147.135.9.77 3330 1525612160-1773 (alaw) No Rx: INVITE <guest> |
01:54.58 | [TK]D-Fender | that isn't a READ channel |
01:55.01 | [TK]D-Fender | REAL |
01:55.06 | [TK]D-Fender | "core show channels" |
01:55.44 | [TK]D-Fender | I can throw an invite that is either not accepted or not processing any longer and it'd STILL show up in "sip show channels" |
01:56.02 | [TK]D-Fender | Stop doing the wrong tests. |
01:56.20 | Pegasus_RPG | core show channels has nothing right now. |
01:56.28 | [TK]D-Fender | "not a call in progress" |
01:56.38 | [TK]D-Fender | where's the logging for this? |
01:56.44 | Pegasus_RPG | (it's hard to read the results due to the massive number of warning messages being logged to the console.) |
01:57.21 | [TK]D-Fender | Why would there be a massive # of them? |
01:57.26 | [TK]D-Fender | What do they say? |
01:57.42 | Pegasus_RPG | res_rtp_asterisk.c: Unable to allocate RTP socket: Too many open files |
01:57.52 | Pegasus_RPG | DoS effectively |
01:58.21 | Pegasus_RPG | and chan_sip.c: Failed to authenticate device <sip:3370@myserversip>;tag=1978222027 |
01:58.33 | [TK]D-Fender | Sounds like you should be blocking those.... |
01:59.12 | Pegasus_RPG | I agree. I need to find out how |
01:59.52 | Pegasus_RPG | searches Web for the latter message |
02:01.26 | Pegasus_RPG | Thank you, stackoverflow |
02:01.42 | [TK]D-Fender | What version are you running? |
02:02.20 | Pegasus_RPG | oh also acl.c: Cannot create socket to 147.135.9.77: Too many open files (that's the attacker's IP) |
02:03.06 | Pegasus_RPG | *cough* 13.14 I'm afraid I'll need to build from source as the distro's package manager is not keeping up |
02:03.33 | [TK]D-Fender | That's new enough to support proper security logging for those auth failures for fail2ban to hit |
02:03.56 | [TK]D-Fender | then you need to do your own dialplan logging for the ones where they aren't claiming to come from one of your defined peers |
02:06.03 | *** join/#asterisk kunwon1 (~kunwon1@unaffiliated/kunwon1) |
02:07.55 | Pegasus_RPG | I thought I did. But the security log is not showing anything on those failures |
02:08.31 | Pegasus_RPG | I do get some Failed ACL items |
02:09.12 | Pegasus_RPG | But nothing when that "chan_sip.c: Failed to authenticate device" is logged to the console |
02:09.54 | [TK]D-Fender | Then something isn't being done right |
02:09.59 | Pegasus_RPG | I have just "security" being logged to the security file |
02:10.08 | [TK]D-Fender | And the speed and level of detail we're getting this as isn't looking promising |
02:10.31 | [TK]D-Fender | Keep looking and reading on it till you see what's happening... |
02:12.37 | Pegasus_RPG | I hesitate to just pipe all warning level messages to security |
02:15.32 | Pegasus_RPG | Thank you very much for all of your help and patience. |
02:18.14 | Pegasus_RPG | okay, so basically, I'd like messages of the form NOTICE[10503][C-0007f1f3] chan_sip.c: Call from '' (147.135.9.77:54802) to extension '+443331010050' rejected because extension not found in context 'unauthenticated'. to go to the security log |
02:18.46 | Pegasus_RPG | then I have to add a filter to fail2ban to snag those |
02:23.41 | [TK]D-Fender | they don't |
02:23.51 | [TK]D-Fender | because it isn't a SECURITY failure |
02:24.02 | [TK]D-Fender | and I've already described what you have to do |
02:25.05 | Pegasus_RPG | yeah, I'm looking up how to do that now, thank you again |
02:44.34 | *** join/#asterisk kunwon1 (~kunwon1@unaffiliated/kunwon1) |
02:54.57 | Pegasus_RPG | got it, actually did have to just add notice to the security log. fail2ban already has rules for this case |
02:55.04 | Pegasus_RPG | s/rules/filters/ |
02:56.34 | *** join/#asterisk Pegasus_RPG (~Thunderbi@71-222-100-80.lsv2.qwest.net) |
03:58.58 | *** join/#asterisk lankanmon (~LKNnet@CPE64777d632383-CM64777d632380.cpe.net.cable.rogers.com) |
04:15.06 | *** join/#asterisk cemotyz09 (~cemotyz09@cpe-70-121-128-59.satx.res.rr.com) |
04:28.28 | *** join/#asterisk Pegasus_RPG (~Thunderbi@71-222-100-80.lsv2.qwest.net) |
04:45.12 | *** join/#asterisk cemotyz09_ (~cemotyz09@cpe-70-121-128-59.satx.res.rr.com) |
05:24.13 | *** join/#asterisk cemotyz09 (~cemotyz09@cpe-70-121-128-59.satx.res.rr.com) |
05:25.09 | *** join/#asterisk cemotyz09 (~cemotyz09@cpe-70-121-128-59.satx.res.rr.com) |
05:25.40 | *** join/#asterisk cemotyz09 (~cemotyz09@cpe-70-121-128-59.satx.res.rr.com) |
05:31.14 | *** join/#asterisk Downlots (~Downlots@2a02:85f:1f01:b400:ddf3:4d84:ea7f:41b0) |
05:55.28 | *** join/#asterisk gerhard7 (~gerhard7@ip5657ee30.direct-adsl.nl) |
06:07.57 | *** join/#asterisk Downlots (~Downlots@ppp185145165108.access.hol.gr) |
07:13.42 | *** join/#asterisk jkroon (~jkroon@165.16.203.57) |
07:19.02 | *** join/#asterisk pchero_work (~pchero@87.213.240.121) |
07:26.00 | *** join/#asterisk esteban (~esteban@gateway/tor-sasl/esteban) |
08:23.15 | *** join/#asterisk Downlots (~Downlots@185.73.41.1) |
09:23.38 | *** join/#asterisk Chainsaw (~chainsaw@gentoo/developer/chainsaw) |
09:27.04 | *** join/#asterisk esteban (~esteban@gateway/tor-sasl/esteban) |
09:41.24 | *** join/#asterisk bhuddah (~michael@unaffiliated/bhuddah) |
10:13.59 | *** join/#asterisk TriJetScud (~TriJetScu@van-mig-svr.ad.v10networks.ca) |
10:41.54 | *** join/#asterisk duo_kali (b61e5a84@gateway/web/freenode/ip.182.30.90.132) |
10:42.12 | *** join/#asterisk hehol (~hehol@gatekeeper.loca.net) |
10:56.34 | *** join/#asterisk Jesterboxboy (~Thunderbi@84-115-150-8.cable.dynamic.surfer.at) |
11:23.11 | *** join/#asterisk Jesterboxboy (~Thunderbi@84-115-150-8.cable.dynamic.surfer.at) |
12:17.27 | *** join/#asterisk lankanmon (~LKNnet@CPE64777d632383-CM64777d632380.cpe.net.cable.rogers.com) |
12:29.24 | *** join/#asterisk miralin (~Thunderbi@81.177.57.153) |
13:29.12 | *** join/#asterisk rpifan (~rpifan@ipb218f1de.dynamic.kabel-deutschland.de) |
13:33.57 | *** join/#asterisk MLC (~MLC@63.249.40.11) |
13:37.55 | *** join/#asterisk Janos (~Janos@201.204.94.76) |
13:43.46 | *** join/#asterisk gerhard7 (~gerhard7@ip5657ee30.direct-adsl.nl) |
14:04.53 | *** join/#asterisk brad_mssw (~brad@66.129.88.50) |
14:10.28 | *** join/#asterisk LoKoMurdoK (~LoKoMurdo@fedora/LoKoMurdoK) |
14:26.25 | *** join/#asterisk [TK]D-Fender (~joe@216.191.106.165) |
14:53.41 | *** join/#asterisk MLC (~MLC@63.249.40.11) |
15:22.52 | *** join/#asterisk MLC (~MLC@63.249.40.11) |
15:23.49 | *** join/#asterisk cresl1n (uid299068@asterisk/libpri-and-libss7-expert/Cresl1n) |
15:23.49 | *** mode/#asterisk [+o cresl1n] by ChanServ |
15:35.07 | *** join/#asterisk kharwell (kharwell@nat/digium/x-thbrkkltgkazkqen) |
15:35.07 | *** mode/#asterisk [+o kharwell] by ChanServ |
15:39.44 | *** join/#asterisk bford (uid283514@gateway/web/irccloud.com/x-frwdxmkvruehhrbn) |
15:39.44 | *** mode/#asterisk [+o bford] by ChanServ |
15:39.45 | *** join/#asterisk rmudgett (rmudgett@nat/digium/x-mtepwhdueymxysgf) |
15:39.45 | *** mode/#asterisk [+o rmudgett] by ChanServ |
15:48.48 | *** join/#asterisk Pegasus_RPG (~Thunderbi@71-222-100-80.lsv2.qwest.net) |
16:00.46 | *** join/#asterisk cranq (~crank@107.161.164.124) |
16:34.42 | *** join/#asterisk salviadud (~ralfalfa@187-162-213-198.static.axtel.net) |
17:02.46 | *** join/#asterisk jkroon (~jkroon@165.16.204.40) |
17:08.44 | *** join/#asterisk rpifan (~rpifan@ipb218f0f4.dynamic.kabel-deutschland.de) |
17:09.32 | *** join/#asterisk rpifan (~rpifan@ipb218f0f4.dynamic.kabel-deutschland.de) |
17:13.23 | *** join/#asterisk [J]oules (uid223833@gateway/web/irccloud.com/x-vqhwkyhrzlasbhvt) |
18:14.06 | *** join/#asterisk rpifan (~rpifan@ipb218f031.dynamic.kabel-deutschland.de) |
18:26.09 | *** join/#asterisk alexandre9099 (~alexandre@unaffiliated/alexandre9099) |
18:27.30 | *** join/#asterisk _0x5eb_ (~seb@seb-hpws2.elen.ucl.ac.be) |
18:36.10 | *** join/#asterisk defsdoor (~Andrew@cpc120600-sutt6-2-0-cust232.19-1.cable.virginm.net) |
18:54.12 | *** join/#asterisk rpifan_ (~rpifan@45.77.199.32) |
19:01.13 | *** join/#asterisk jeffspeff (~jeffspeff@12.49.160.131) |
19:17.14 | jeffspeff | in my dialplan, i have "exten=s,n,GotoIf("$[${LEN(${USER_PIN})}" = "0"]?,hangup)" and then further down in the same context i have "exten=s,n(hangup),Hangup()" ... when USER_PIN was evaluated I get the following in my * console --- "Cannot find extension '' in context 'INBOUND'" and "Priority 'hangup' must be a number > 0, or valid label" |
19:24.16 | Samot | Well I can see you have incorrect syntax. |
19:24.28 | Samot | exten=s |
19:24.38 | Samot | ^^ bad. |
19:24.43 | Samot | exten => s |
19:24.47 | Samot | ^^ good |
19:24.53 | jeffspeff | i thought => was legacy |
19:24.58 | Samot | No. |
19:24.58 | jeffspeff | 1.x stuff |
19:25.01 | *** join/#asterisk cranq (~crank@107.161.164.124) |
19:25.09 | Samot | Not at all. |
19:25.50 | jeffspeff | ok. other than that. do you see any issues? |
19:25.51 | Samot | GotoIf("$[${LEN(${USER_PIN})}" = "0"]?,hangup) <-- You don't need the comma. |
19:26.39 | jeffspeff | I want the call to proceed to the next n if the condition is false or hangup if true. |
19:26.53 | Samot | OK then that's completely wrong. |
19:27.15 | jeffspeff | gotoif...]?true,false) right? |
19:27.26 | Samot | GotoIf("$[${LEN(${USER_PIN})}" = "0"]?hangup:) |
19:27.31 | Samot | true:false |
19:27.46 | jeffspeff | i had it backwards |
19:27.54 | Samot | Plus you had a , |
19:27.56 | Samot | Not a : |
19:28.07 | jeffspeff | ah |
19:28.20 | Samot | Since you can have ?context,exten,priority:context,exten,priority |
19:28.35 | jeffspeff | thanks for the help |
19:29.15 | jeffspeff | do you know how that would be evaluated if USER_PIN is null? |
19:29.31 | jeffspeff | that var is grabbed from func_odbc. |
19:30.23 | jeffspeff | or would it better to do GotoIf($["${USER_PIN}" = ""]?h) ? |
19:33.53 | [TK]D-Fender | Don't go jumping to H |
19:34.01 | [TK]D-Fender | or you risk double execution |
19:51.52 | *** join/#asterisk troyt (zncsrv@2601:681:4100:8981:44dd:acff:fe85:9c8e) |
19:55.46 | rmudgett | Samot: Asterisk doesn't care if you use 'exten = s,..' or 'exten => s,..' |
19:56.45 | *** join/#asterisk FF2456 (~FF@198.245.97.90) |
20:01.16 | FF2456 | Hello, everyone. I am running FreePBX 13.0.195.26 with a TDM400P card (4 FXO) and I am not able to receive any calls on it. I plugged in a regular phone and it is working properly. The 4 FXO channels show up under Connectivity -> Dahdi config -> Analog Hardware, but the output of 'dahdi show channels' results in 1 channel identified as pseudo. Where should I start troubleshooting this matter? Thanks in advance for any help. |
20:05.54 | [TK]D-Fender | ~freepbx |
20:05.54 | infobot | [~freepbx] FreePBX is unable to be supported here. It is made up of complex dialplans and scripts which can't be easily supported by people who aren't deeply involved. Try joining #freepbx and asking there |
20:06.09 | FF2456 | ok, thanks |
20:06.42 | *** part/#asterisk FF2456 (~FF@198.245.97.90) |
20:07.51 | *** join/#asterisk Jesterboxboy (~Thunderbi@84-115-150-8.cable.dynamic.surfer.at) |
20:34.03 | *** join/#asterisk troyt (zncsrv@2601:681:4100:8981:44dd:acff:fe85:9c8e) |
23:03.26 | *** join/#asterisk yeehi (~n@unaffiliated/yeehi) |
23:09.33 | *** join/#asterisk tomaluca95 (~quassel@kde/developer/tomaluca) |
23:23.02 | *** join/#asterisk zaf (~zaf@104.254.192.70) |
23:28.31 | *** join/#asterisk Janos (~Janos@201.204.94.76) |
23:57.40 | *** join/#asterisk paulgrmn (~paulgrmn@162.219.176.22) |