Koozali.org: home of the SME Server

Asterisk & SAIL on Virtual Server appliance (VMware)

madadam
Asterisk & SAIL on Virtual Server appliance (VMware)
« on: October 16, 2010, 06:33:21 AM »
Hi All,

I'm experimenting with running Asterisk (1.4.36) and SAIL (2.6.1-7) on a VMware virtual server running SME Server 7.5 in server-only mode.

So far everything is running well.

As the server is in a data centre all extensions are remote extensions. This is the only real problem that we can see.

I'd like to ask if anyone has some advice about securing the server and SIP against attack.

Currently a number of SIP ports are open to all; the IAX ports are tied down to our trunking provider. Has anyone had some experience on what ports (TCP/UDP) NEED to be open and which ones can be closed as they are used on outbound initiated connections only?

I've reviewed the security document published by Selintra on their wiki and fortunately we use Snom phones so will look into using VPN.

Many thanks.

Adam

PS If you would like any information on doing this then give me a yell here and I will attempt to document it for those interested, if there is any interest.

SARK devs
Re: Asterisk & SAIL on Virtual Server appliance (VMware)
« Reply #1 on: October 16, 2010, 01:23:38 PM »
Couple of things you might consider...

The most important bits you've probably already done; however, it is also a good idea to lock your SIP and IAX2 ports (5060 and 4569 respectively) to only those IPs you know are coming inbound. You can do this in SME server with the AllowHosts parameter (see here http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual:Section4#Restricting_services_to_specific_external_hosts:_AllowHosts_and_DenyHosts )

In SAIL-2.6 we define the objects SIP and IAX2 in the SME server database to manage the ports and this is where you can add your AllowHosts statement (in 3.1 the objects are called sailSIP and sailIAX).



Code:
config setprop SIP AllowHosts 111.111.111.111/0,222.222.222.222/24
signal-event remoteaccess-update


For earlier releases of SAIL you must do an additional step...

Code:
config setprop sark UDPPorts 10000-20000
signal-event remoteaccess-update

In this way you can limit access to just those hosts you want to allow in.

The other alternative is to deploy your SAIL/SARK box behind a proper firewall which can control access to the ports on behalf of the PBX.

For frequently changing IP addresses such as home workers or road warriors we would recommend bringing them in over VPN if you can. Adding openvpn to SME server is straightforward and you can then use softphones on VPN-connected PCs or hardphones which can run VPN. We've just deployed a bunch of remote phones for a client and we chose Snom 820s running openvpn. The most remote unit they've currently got deployed is in Singapore and it comes into a SARK cluster in the UK. The call quality is outrageously good. The latency is a pretty constant 250ms which is fine for normal speech.

Kind Regards

S
« Last Edit: October 16, 2010, 02:00:06 PM by SARK devs »
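An added example, not part of the original posts and not SAIL or SME Server code: a pre-flight check for an AllowHosts value before it is committed with `config setprop`. It assumes the comma-separated address/prefix format shown in the reply above; the function name, the 256-address threshold and the last three sample entries are constructed for illustration. In CIDR notation a `/0` prefix matches every address and `222.222.222.222/24` denotes the whole of `222.222.222.0/24`, which the check reports.

```python
import ipaddress

# Value from the post above plus three constructed entries (documentation ranges).
SAMPLE = "111.111.111.111/0,222.222.222.222/24,192.0.2.10,198.51.100.0/22,203.0.113.300"


def audit_allowhosts(value, max_addresses=256):
    """Map each comma-separated AllowHosts entry to a list of findings."""
    report = {}
    for raw in value.split(","):
        entry = raw.strip()
        try:
            iface = ipaddress.ip_interface(entry)  # a bare address means /32
        except ValueError:
            report[entry] = ["not a valid address or CIDR block"]
            continue
        net = iface.network
        findings = []
        if net.prefixlen == 0:
            # Prefix length 0 masks off the whole address: nothing is restricted.
            findings.append("/0 matches every source address")
        else:
            if net.num_addresses > max_addresses:
                findings.append(f"covers {net.num_addresses} addresses")
            if iface.ip != net.network_address:
                findings.append(f"host bits set; as a CIDR block this is {net}")
        report[entry] = findings
    return report


if __name__ == "__main__":
    for entry, findings in audit_allowhosts(SAMPLE).items():
        print(f"{entry:24} {'; '.join(findings) or 'ok'}")
```
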

madadam
Re: Asterisk & SAIL on Virtual Server appliance (VMware)
« Reply #2 on: October 18, 2010, 08:17:20 AM »
Thanks for the information. I am taking all this on board and working through it.

The SME virtual server has indeed been set up behind a firewall. At present I think I've got more ports than necessary open. Would you mind please listing all ports that should be opened on the firewall?

For example:
SIP 5060-5070 TCP/UDP
SIP-TCP 5004 UDP
SIP-RTP 10000-20000 UDP

The IAX ports (5036 and 4569) are open but are locked down to the IP of my trunk provider so they are secure.

Cheers,
Adam

madadam
Re: Asterisk & SAIL on Virtual Server appliance (VMware)
« Reply #3 on: December 18, 2010, 06:02:17 AM »
Just for the purposes of other people looking into running Asterisk/SAIL on a Virtual SME Server I am happy to report that it's been running now for two months without any drama.

We did have to re-purchase our g.729 license but other than that it's working a treat.

The "specs" of the virtual machine are not high: 0.8GHz CPU, 512MB RAM and plenty of HDD space. We can upgrade that at any time obviously if more SIP clients means more strain on the "system".

Hope this helps some people. Would love to hear your experiences.

Adam

madadam
Re: Asterisk & SAIL on Virtual Server appliance (VMware)
« Reply #4 on: January 13, 2011, 08:22:11 AM »
Have come up with a problem with running Asterisk on a virtual server. The problem is that there is no timing source (at least that I've got working) which is needed by the Conference Rooms feature and probably some other similar features.

Am hoping the SARK boys may have a solution.

Cheers,
Adam

SARK devs
Re: Asterisk & SAIL on Virtual Server appliance (VMware)
« Reply #5 on: January 13, 2011, 09:36:13 AM »
Hello

You can run the Asterisk dummy driver (ztdummy or dahdi_dummy). If you are running dahdi then dahdi_dummy will be loaded automatically when dahdi starts. For earlier releases you need to modprobe ztdummy.

Kind Regards

S

 


madadam
Re: Asterisk & SAIL on Virtual Server appliance (VMware)
« Reply #6 on: January 13, 2011, 09:42:22 AM »
Quote from SARK devs: "You can run the Asterisk dummy driver (ztdummy or dahdi_dummy). If you are running dahdi then dahdi_dummy will be loaded automatically when dahdi starts. For earlier releases you need to modprobe ztdummy."

Thanks. I did go to PCI Cards and do an Initialize and ReGen before doing a commit but that didn't do anything. There is nothing about dahdi_dummy in the two textarea boxes on the page (system.conf and dahdi-channels.conf).

I'm running SAIL 2.6.1-9 with Asterisk 1.4.36 (BTW any chance you can add the Asterisk version to the Global Settings page?).

What do I need to do to load the dahdi_dummy module? (Sorry for the dumb question).

Cheers,

Adam

SARK devs
Re: Asterisk & SAIL on Virtual Server appliance (VMware)
« Reply #7 on: January 13, 2011, 09:44:53 AM »
You should see it load automatically when you stop/start dahdi
Code:
/etc/init.d/sark stop
/etc/init.d/dahdi stop
/etc/init.d/dahdi start
/etc/init.d/sark start

It will be loaded during dahdi start

Kind Regards

S

madadam
Re: Asterisk & SAIL on Virtual Server appliance (VMware)
« Reply #8 on: January 13, 2011, 09:59:44 AM »
Right, obviously I've screwed something up because this is what I got:

Code:
[root@casper ~]# /etc/init.d/sark stop
Shutting down asterisk:                                    [  OK  ]
[root@casper ~]# /etc/init.d/dahdi stop
Unloading DAHDI hardware modules: done
[root@casper ~]# /etc/init.d/dahdi start
Loading DAHDI hardware modules:
FATAL: Module dahdi not found.
  wct4xxp:  FATAL: Module wct4xxp not found.
                                                           [FAILED]
  wcte12xp:  FATAL: Module wcte12xp not found.
                                                           [FAILED]
  wct1xxp:  FATAL: Module wct1xxp not found.
                                                           [FAILED]
  wcte11xp:  FATAL: Module wcte11xp not found.
                                                           [FAILED]
  wctdm24xxp:  FATAL: Module wctdm24xxp not found.
                                                           [FAILED]
  wcfxo:  FATAL: Module wcfxo not found.
                                                           [FAILED]
  wctdm:  FATAL: Module wctdm not found.
                                                           [FAILED]
  wcb4xxp:  FATAL: Module wcb4xxp not found.
                                                           [FAILED]
  wctc4xxp:  FATAL: Module wctc4xxp not found.
                                                           [FAILED]
  xpp_usb:  FATAL: Module xpp_usb not found.
                                                           [FAILED]

Error: missing /dev/dahdi!
[root@casper ~]# /etc/init.d/sark start
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
Starting asterisk: Asterisk already running on /var/run/asterisk/asterisk.ctl.  Use 'asterisk -r' to connect.
                                                           [FAILED]
[root@casper ~]#

SARK devs
Re: Asterisk & SAIL on Virtual Server appliance (VMware)
« Reply #9 on: January 13, 2011, 03:23:55 PM »
Likelihood is that you have a mismatch between your dahdi kmdl and your kernel.

What does the following give?

uname -r

and

rpm -qa | grep dahdi


Kind Regards

S

madadam
Re: Asterisk & SAIL on Virtual Server appliance (VMware)
« Reply #10 on: January 13, 2011, 04:20:13 PM »
Results are as follows:

Code:
[root@casper /]# uname -r
2.6.9-89.31.1.EL
[root@casper /]# rpm -qa | grep dahdi
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
dahdi-linux-kmdl-2.6.9-89.0.25.EL-2.3.0-68.el4
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
dahdi-linux-2.3.0-68.el4
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
warning: only V3 signatures can be verified, skipping V4 signature
dahdi-tools-2.4.0-67.el4
[root@casper /]#

Cheers!

SARK devs
Re: Asterisk & SAIL on Virtual Server appliance (VMware)
« Reply #11 on: January 13, 2011, 06:50:42 PM »
and there you go....

You have kernel
2.6.9-89.31.1.EL
but you have dahdi kmdls
dahdi-linux-kmdl-2.6.9-89.0.25.EL-2.3.0-68.el4

The kmdl must match the kernel or dahdi won't load. So, you need to install dahdi-linux-kmdl-2.6.9-89.31.1.EL-2.3.0-68.el4, if it exists (it may not). The other alternative is to run an earlier kernel (2.6.9-89.0.25.EL).

Kind Regards

S
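The comparison made in the reply above, as an added example that is not part of the original posts: it pulls the kernel release out of each installed `dahdi-linux-kmdl-*` package name and compares it with `uname -r`, ignoring the rpm signature warnings. The package naming scheme (kernel release, then DAHDI version, then package release) is an assumption inferred from the one package name shown in this thread, and the function names are hypothetical.

```python
PREFIX = "dahdi-linux-kmdl-"

# Output copied from the thread above (repeated rpm signature warnings trimmed to one).
UNAME_R = "2.6.9-89.31.1.EL"
RPM_QA = """\
warning: only V3 signatures can be verified, skipping V4 signature
dahdi-linux-kmdl-2.6.9-89.0.25.EL-2.3.0-68.el4
dahdi-linux-2.3.0-68.el4
dahdi-tools-2.4.0-67.el4
"""


def kmdl_kernels(rpm_output):
    """Return the kernel release each installed DAHDI kmdl package was built for."""
    kernels = []
    for line in rpm_output.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX):
            continue  # skips rpm warnings and the non-kmdl dahdi packages
        # Assumed layout: <kernel release>-<dahdi version>-<package release>.
        # The kernel release itself contains a dash, so split from the right.
        parts = line[len(PREFIX):].rsplit("-", 2)
        if len(parts) == 3:
            kernels.append(parts[0])
    return kernels


def check_dahdi_kmdl(running_kernel, rpm_output):
    """Return (ok, message) for the running kernel against the installed kmdls."""
    running = running_kernel.strip()
    built_for = kmdl_kernels(rpm_output)
    if not built_for:
        return False, "no dahdi-linux-kmdl package installed"
    if running in built_for:
        return True, f"kmdl matches running kernel {running}"
    return False, f"kernel {running} but kmdl built for {', '.join(built_for)}"


if __name__ == "__main__":
    print(check_dahdi_kmdl(UNAME_R, RPM_QA)[1])
```
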

madadam
Re: Asterisk & SAIL on Virtual Server appliance (VMware)
« Reply #12 on: January 14, 2011, 02:19:57 AM »
Quote from SARK devs: "The kmdl must match the kernel or dahdi won't load. So, you need to install dahdi-linux-kmdl-2.6.9-89.31.1.EL-2.3.0-68.el4, if it exists (it may not). The other alternative is to run an earlier kernel (2.6.9-89.0.25.EL)"

Thanks for that. I realised that was the problem and was looking for dahdi-linux-kmdl-2.6.9-89.31.1.EL-2.3.0-68.el4 but it seems it did once exist on ATrpms but not anymore. I can't find a copy of it. Will continue to look some more but otherwise may need to do as you suggest and revert back to an earlier kernel.

Does anyone have dahdi-linux-kmdl-2.6.9-89.31.1.EL-2.3.0-68.el4 thanks?

Cheers,
Adam

madadam
Re: Asterisk & SAIL on Virtual Server appliance (VMware)
« Reply #13 on: January 14, 2011, 04:13:52 PM »
OK. Resolved.

I did a yum update adding the smeupdate-testing repo to bring my system up to the 2.6.9-89.33.1 Linux kernel.

Then removed all current Dahdi rpms before manually downloading each of the Dahdi rpms for 2.6.9-89.33.1 from ATrpms and doing a yum install of those which worked a treat.

The system is now running fine with Dahdi 2.4.0-6x.

Cheers,

Adam