Koozali.org: home of the SME Server

Asterisk on SME7 (me again)

Offline arne

« Reply #45 on: October 25, 2005, 10:55:54 PM »
It is certainly not the right way to do it, but I modify the files /etc/yum.conf and /home/e-smith/db/yum_repositories, and as a "quick and dirty mod" to make the Asterisk installation it seems to work.


See my post before:

Quote
I changed the yum configuration of the SME server (with some "non-standard" method):

baseurl=http://mirror.centos.org/centos/4/os/$basearch
......

Offline arne

« Reply #46 on: October 26, 2005, 12:35:03 AM »
Cyr ->

I have now installed your Asterisk variant on a SME 7B5 gateway as well. It works rather perfectly now, both for the "server only" and the "gateway" installation. I have tested with inbound and outbound telephone calls.

No bugs until now, but there are still two minor things to be mentioned.

1. Some SIP telephony vendors will require a configuration with port forwarding to a "server only" or an "additional port opening" for the gateway installation. (I guess it will not work like this for all connections, but for my two connected at the moment, it works like this.) I think that without this forwarding/port opening you will not be able to make other calls than local calls.

2. Then there is also the problem with the default configuration of the Asterisk@home, which is set by default to reject incoming telephone calls by hanging up. This requires a minor "hack" or reconfiguration.

For item 1 I believe that the best solution will be some "howto description", as the needs for proper and right configuration might vary from SIP telephony vendor to vendor (!!??).

For item two there might be a "howto description", or possibly the "enable incoming calls hack" should be included by default.

I think that there might be better ways of doing it, but I could eventually post my little hack of the extensions configuration file.

Thanks again Cyr. When I started to read your thread I knew almost nothing about IP telephones, and Asterisk was just some strange "buzzword" I had heard somewhere. Now I just got my own "almost perfect" gateway/internet server/LAN server/telephony server running.

Nice  :-D  !
......

cyr

« Reply #47 on: October 26, 2005, 11:46:30 AM »
Hi Arne,

I'm really happy to see that we finally have an rc for our contrib  :hammer:

For the problem of port opening, there is an rpm which seems to work with sme7; I use it for openvpn installation

http://sme.swerts-knudsen.dk/downloads/dmc-mitel-portopening-0.0.1-4.noarch.rpm

perhaps it can help you or someone else.

Now we need an Asterisk/SME community  :-D

Offline fpausp

« Reply #48 on: October 26, 2005, 02:00:05 PM »
Is this port-opening-rpm working with a server only installation ?

I tried to install openvpn from swert-knudsen sme7b5, but I think the port 1194 is not open.

fpausp
Viribus unitis

cyr

« Reply #49 on: October 26, 2005, 02:13:10 PM »
I haven't tried it on a server-only installation, but you can check

iptables -L

or check http://smeserver.sourceforge.net/sme70/FAQs

Offline arne

« Reply #50 on: October 26, 2005, 05:29:14 PM »
The firewall configuration rpm has been tested on the gateway/Asterisk. Looks like it is working quite OK. Thanks again!

About port opening on a server-only installation - this should not make any sense at all, as the server-only does not have any firewall at all. There is no need to make any openings in a wall that does not exist.

If anything is to be done for a "server only", it will be to forward the right ports via the NAT router/firewall/gateway.

You will have to open ports if the Asterisk runs on a gateway, and forward ports if it is on a server on LAN/DMZ. It's the same ports.

The little hack of my extensions.conf file:
(For opening for inbound sip telephony)

; ############################################################################
; Inbound Contexts [from]
; ############################################################################

[from-sip-external]

;give external sip users congestion and hangup
;exten => _.,1,AbsoluteTimeout(15)
;exten => _.,2,Congestion
;exten => _.,3,Hangup

exten => _X.,1,Goto(from-pstn,s,1)
; the line above is new

I don't know if this is a smart hack, but it opens for incoming calls. Possibly it could have been improved. As it is, I think it will disable some standard telephone functions. If these should work, it might be better to use:

exten => _XXXX.,1,Goto(from-pstn,s,1)

and internal lines more than 4 digits.

Don't know for sure ..

Possibly there are better ways of doing the hack for inbound SIP telephones ??

Arne.
......
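To see which dialed strings each pattern quoted in the post above would hand to from-pstn, the following added example (not code from the thread or from Asterisk) translates dialplan patterns to regular expressions. The names `exten_regex` and `first_app` are hypothetical, the three contexts are constructed from the lines in the post, and the matcher also covers `Z`, `N`, `[...]` sets and `!`, which the post does not use; it takes the first matching line in file order, which is a simplification.

```python
import re

CLASSES = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]"}

def exten_regex(exten):
    """Translate an Asterisk extension (literal or _pattern) to a regex."""
    if not exten.startswith("_"):
        return re.compile(re.escape(exten) + r"\Z")
    out, i, body = [], 0, exten[1:]
    while i < len(body):
        ch = body[i]
        if ch in CLASSES:
            out.append(CLASSES[ch])
        elif ch == "[":                       # character set such as [13-5]
            end = body.index("]", i)
            out.append("[" + re.escape(body[i + 1:end]).replace(r"\-", "-") + "]")
            i = end
        elif ch in ".!":                      # "." = one or more, "!" = zero or more
            out.append(".+" if ch == "." else ".*")
            break                             # a wildcard always ends the pattern
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out) + r"\Z")

def first_app(context_lines, dialed):
    """Return the priority-1 application for `dialed`, or None if nothing matches."""
    for line in context_lines:
        line = line.split(";", 1)[0].strip()  # ";" starts a comment
        if not line.startswith("exten =>"):
            continue
        exten, prio, app = line.split("=>", 1)[1].strip().split(",", 2)
        if prio == "1" and exten_regex(exten).match(dialed):
            return app
    return None

# Constructed contexts built from the lines quoted in the post.
DEFAULT = ["exten => _.,1,AbsoluteTimeout(15)"]
HACK_X = [";exten => _.,1,AbsoluteTimeout(15)", "exten => _X.,1,Goto(from-pstn,s,1)"]
HACK_XXXX = ["exten => _XXXX.,1,Goto(from-pstn,s,1)"]

def table(dialed=("4", "201", "2015", "109579", "s")):
    """Map each dialed string to the app chosen by (DEFAULT, HACK_X, HACK_XXXX)."""
    return {d: (first_app(DEFAULT, d), first_app(HACK_X, d), first_app(HACK_XXXX, d))
            for d in dialed}

if __name__ == "__main__":
    for d, row in table().items():
        print(d, row)
```

With `_X.` every string of two or more characters that starts with a digit is routed, while `_XXXX.` routes only strings of five or more characters that start with four digits, so three-digit extensions such as 201 are no longer matched.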

Offline fpausp

« Reply #51 on: October 26, 2005, 05:47:17 PM »
Yes, but if I use nmap I get this:

[root@server ~]# nmap server

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2005-10-26 17:43 CEST
Interesting ports on server.xxxxx.xx (192.168.x.x):
(The 1642 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
113/tcp  open  auth
139/tcp  open  netbios-ssn
143/tcp  open  imap
389/tcp  open  ldap
443/tcp  open  https
445/tcp  open  microsoft-ds
465/tcp  open  smtps
515/tcp  open  printer
548/tcp  open  afpovertcp
993/tcp  open  imaps
995/tcp  open  pop3s
2000/tcp open  callbook
3128/tcp open  squid-http


What does that mean ???
Viribus unitis

Offline arne

« Reply #52 on: October 26, 2005, 09:15:05 PM »
I guess that this means you are doing a default nmap scan against an unprotected server on a LAN. It shows some of the TCP ports that would be visible only on an unprotected server on a LAN (or using a scan against "localhost").

A default nmap scan (from the internet outside) against an SME 7 firewall/gateway/server with the firewall on (and a working Asterisk server running) gives this pattern:

[root@blackie /]# nmap xxx.exsample.dk

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on xxxxxxxxx.xxxxxxxxx.com (123.123.123.123):
(The 1548 ports scanned but not shown below are in state: filtered)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
113/tcp    closed      auth
443/tcp    open        https
465/tcp    open        smtps

I think/believe there are two reasons why the Asterisk server is not visible:

1. The port range of the Asterisk server is anyhow outside the default scan range of nmap.
2. I guess that the nmap by default scans only tcp and not udp ports.

I will try to make a nmap UDP scan to see the Asterisk ports, and post the result if possible ..
......

Offline arne

« Reply #53 on: October 26, 2005, 09:41:59 PM »
Well I tried to make a UDP scan, but I did not obtain the result as expected (at all):

[root@blackie /]# nmap -sU -p 5055-5065 my.domain.dk

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on my.server.com (123.123.123.123):
Port       State       Service
5055/udp   open        unknown
5056/udp   open        unknown
5057/udp   open        unknown
5058/udp   open        unknown
5059/udp   open        unknown
5060/udp   open        unknown
5061/udp   open        unknown
5062/udp   open        unknown
5063/udp   open        unknown
5064/udp   open        unknown
5065/udp   open        unknown

I guess that the nmap command should make a UDP port scan in the port range 5055-5065. It should be only one port open (in this range). I don't know why it shows all ports open. (I am now using the port opening rpm). (My first guess is that the UDP scan has a number of error sources and that the indicated open ports are really not open. Will try to check on this.)
......

Offline arne

« Reply #54 on: October 26, 2005, 10:02:40 PM »
As an additional security check I tried to lock one of the Asterisk ports. The Asterisk server stopped working as it should. When the port was opened again the Asterisk server started working again. All the time it was scanned as open. (But actually it was not.)

I don't know why there is this faulty indication. Possible reasons: 1. "Incorrect" answer from bridged ADSL modem or SME server 2. Incorrect use of nmap

The UDP protocol is a one way protocol that is not expected to give an answer in the same way as the TCP protocol. I guess that is the reason why many portscanners are TCP scanners only by default and that it could be a part of the explanation of the incorrect indications (??).

It's possible that a Google search on how to do a UDP scan using nmap could give something more ..
......

Offline arne

« Reply #55 on: October 26, 2005, 10:14:52 PM »
OK. As an additional check I tried to use Superscan 4.0 to do a UDP scan against the unprotected LAN interface (of the SME7 gateway).

The Superscan 4.0 was not able to detect the running Asterisk server while running as a UDP port scanner.

Conclusion: An Asterisk server seems to be a server function that is not too easy to detect using a standard port scanner (but of course it can still be done).
......

Offline arne

« Reply #56 on: October 26, 2005, 10:40:25 PM »
Changing the configuration of the Superscan, it showed 0 open UDP ports or all open UDP ports (like the nmap). None of the scans were able to detect the Asterisk correctly.

I think this is rather nice. "Normally" I would expect that a relatively new technology like IP telephony would attract a new generation of "IP telephony hackers". I guess the "expectable" way of such hacking would be to do broad automated scans over huge ranges of IP addresses, and from that to pull out detected Asterisk servers for "further investigation".

But the Asterisk server will have to be visible using the right scanner equipment. Reason: It is possible to connect from an external SIP/IAX client whose location is initially unknown to the server. This means that the right request from "the outside" will give an answer. A standard port scanner does not seem to be the equipment that will send the right request.
......
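The scan results in the posts above come down to how a UDP port can be classified at all: a reply means open, an ICMP port unreachable means closed, and silence is ambiguous. The following added example (not code from the thread) shows this on loopback when checking your own host; `udp_probe`, `start_toy_listener` and the `OPTIONS` bytes are hypothetical, and the listener is a constructed stand-in that answers only a SIP-style OPTIONS request line, not a real Asterisk server.

```python
import socket
import threading

# Constructed request line only; not a complete RFC 3261 message.
OPTIONS = b"OPTIONS sip:probe@127.0.0.1 SIP/2.0\r\n\r\n"

def udp_probe(host, port, payload=b"", timeout=0.5):
    """Classify one UDP port the only way possible: by what comes back."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))       # connected socket, so ICMP errors surface
        s.send(payload)
        s.recv(2048)
        return "open"                 # the service answered
    except ConnectionRefusedError:
        return "closed"               # ICMP port unreachable came back
    except socket.timeout:
        return "open|filtered"        # silence: listening quietly, or dropped
    finally:
        s.close()

def start_toy_listener(host="127.0.0.1"):
    """Constructed stand-in: replies to OPTIONS, silently ignores anything else."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))               # let the OS pick a free port

    def loop():
        while True:
            try:
                data, peer = srv.recvfrom(2048)
            except OSError:
                return
            if data.startswith(b"OPTIONS sip:"):
                srv.sendto(b"SIP/2.0 200 OK\r\n\r\n", peer)

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def demo():
    """Probe the same listening port with an empty datagram, then with OPTIONS."""
    srv, port = start_toy_listener()
    generic = udp_probe("127.0.0.1", port)            # what a generic scan sends
    aware = udp_probe("127.0.0.1", port, OPTIONS)     # protocol-aware request
    return generic, aware

if __name__ == "__main__":
    print(demo())
```

The same listening port comes back as `open|filtered` for the empty datagram and `open` for the protocol-aware request, so a firewall that silently drops packets and a service that ignores unknown payloads look identical to a generic UDP scan.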

Offline arne

« Reply #57 on: October 26, 2005, 11:14:24 PM »
.... Or could it work in such a way that only requests against registered extension names/numbers will give an answer (??!!) If this should be the case, it should be a good thing for security and make things quite a bit more difficult for the hackers.

If this should be the case, it would be of importance to choose non-standard extension numbers like "109579" and not "201" or "401".

Anyhow this would be a good idea, as the hacker would have to guess/find a user account and a password to be able to come in.

I think I understand why the Asterisk server has a default configuration where incoming SIP connections are blocked. So if it is opened and one sets up a number of test accounts 200, 201, 202 with password 1234 and an outgoing line you are paying for, this might be a bit dangerous situation.

By the way I found a more general report of IP telephone security that might be of some interest:
http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf

If anybody knows something more about why an Asterisk server seems to be not so easy to detect using a scanner, or other interesting things about Asterisk security, please leave a message  :-)

I think that the security problem related to the installation of an Asterisk server is a part of it that should not be forgotten.
......

Offline arne

« Reply #58 on: October 27, 2005, 12:23:18 AM »
I'm rather surprised about how little there is about this subject, Asterisk and security:

http://www.voip-info.org/wiki/view/Asterisk+security

See also this:
http://www.voip-info.org/wiki/index.php?page=Asterisk+security+dialplan

I don't really know how safe this hack is that I use for allowing incoming SIP telephones:

[from-sip-external]

;give external sip users congestion and hangup
;exten => _.,1,AbsoluteTimeout(15)
;exten => _.,2,Congestion
;exten => _.,3,Hangup

exten => _X.,1,Goto(from-pstn,s,1)
; the line above is new

Anybody who got ideas about this ?

As far as I have been able to test it out, it is only the internal extensions that are available for external calls.

By the way, I think the most important issue about setting up an Asterisk server with some paid "lines" is to always use prepaid services that will stop when the account is empty, or accounts with limited credit, that also have a "credit limit".

Hacked accounts, or also something rather trivial like "hanging lines", might otherwise be a rather big risk. (When testing and making some incorrect configuration my Asterisk server was hanging on the paid line for 4 hours without my knowledge, but it was a local call with only small money involved.)

I'm sorry to use a lot of the space on the forum, but I think that the security aspect of it is a rather important one to make some investigation on.

Actually I think that an incorrectly configured Asterisk server with the incorrect type of IP telephony connection (typically with unlimited credit) has the potential of giving you some terrible problems.

First of all it should be a prepaid line or a line with limited credit. Next, some steps should be taken to avoid losing that money as well.
......

Offline arne

« Reply #59 on: October 31, 2005, 08:43:18 PM »
Asterisk@sme runs just nice and without problems.
I just found a free new 350 page book about Asterisk.
It's a rather good one ..
http://voipspeak.net/index.php?option=com_content&task=view&id=33&Itemid=2

Arne.
......