
Friday, December 4, 2015

Opening multiple ports on Microsoft Azure (e.g. for an Asterisk deployment)


http://azurespeaks.azurewebsites.net/

If you publish an Asterisk server on Azure, you might find it a daunting task to open multiple ports (called endpoints): the task is simply slow if you use the web portal (new or old). And we RTP folks need a lot of ports to get a single call going (at least 3 ports are required).

So, let's say you're going to create a default Asterisk installation and open the usual ports, such as:

IAX2 - UDP 4569
SIP - UDP 5060
RTP - UDP 10000 to 20000 (in this article, I only needed 100 ports)

Here's how you can open all those ports in under 10 minutes.

1) Download and install the Azure Powershell extensions.
https://github.com/Azure/azure-powershell/releases/download/v1.0.1-November2015/azure-powershell.1.0.1.msi

2) Start it up; it should be called Windows Azure PowerShell (this is not the usual PowerShell, it must say Azure PowerShell).

3) Once in there, copy and paste the following (modify where applicable).

Tasks inside PowerShell (copy and paste will do):
1) Add an Azure account (this will launch the authentication window; do your thing and authenticate)

Add-AzureAccount

2) Now, declare which subscription this VM is tied to (my subscription is called Visual Studio Premium with MSDN)

Select-AzureSubscription -SubscriptionName "Visual Studio Premium with MSDN"

3) Declare the name of the VM you wish to set up
$vm = Get-AzureVM -ServiceName myazurebox -Name myazurebox

NOTE: ServiceName is the cloud service; if the VM is not part of a cloud service, just enter the actual VM name and repeat it in the Name parameter, as above.

4) Add for IAX2
$vm | Add-AzureEndpoint -Name IAX2 -Protocol UDP -LocalPort 4569 -PublicPort 4569

5) Add for SIP (UDP)
$vm | Add-AzureEndpoint -Name SIPUDP -Protocol UDP -LocalPort 5060 -PublicPort 5060

Add for SIP TCP (if using)
$vm | Add-AzureEndpoint -Name SIPTCP -Protocol TCP -LocalPort 5060 -PublicPort 5060

6) Add for RTP
Now, since RTP needs a bunch of ports to be opened (in a default setup 10000 to 20000), you can do a loop and add them like this. Note: apparently you can only open up to 150 ports at a time, so run more loops if needed.

10000..10100 | ForEach { $vm | Add-AzureEndpoint -Name RTP$_ -Protocol UDP -LocalPort $_ -PublicPort $_ }; $vm | Update-AzureVM

This will add ports 10000 to 10100 and name them RTP10000 and so on, with UDP as the protocol. You don't really need that many RTP ports opened on Asterisk unless you have a ridiculous amount of SIP concurrency.

Guide: http://www.asteriskdocs.org/en/2nd_Edition/asterisk-book-html-chunk/asterisk-APP-D-SECT-37.html

FreePBX: use the GUI; look under Settings | Asterisk SIP Settings for the RTP port range. *You might need to restart Asterisk.

7) Finally, update the VM (this is when you will see the changes in Azure's web management portal)

$vm | Update-AzureVM

And you're done!

Sunday, November 15, 2015

Apple MacBook 2015 Bootcamp/Drivers

Image from www.apple.com

If you were in my position, having to find some drivers and not being able to because you wiped the OS X partition etc., and there's literally nothing on Apple's website pointing to a way to independently download the drivers, well, here they are:

Download Apple Bootcamp 6.0 for MacBook Pro 2015 here:
https://goo.gl/yZjHvp (approximately 1.44GB)

Until Apple makes their Boot Camp software and drivers public, here's all of it.

This particular set is for the MacBook Pro Retina early 2015 edition. (Mine had the AMD Radeon graphics card.)

I do not have any rights to these, nor do I claim any; they are from Apple and are only posted here for people's convenience.

All files were scanned with Norton Internet Security 2015 edition with the latest signatures as of 15 Nov 2015.

Have fun and all credit for drivers/software to Apple Inc.

Thanks


Thursday, January 29, 2015

GHOST Vulnerability check and fix for Debian 6 or 7

More info on the GHOST vulnerability by Qualys | More from Debian's security tracker here

IMPORTANT

  • USE THIS GUIDE AT YOUR OWN RISK; we are not responsible for any broken apps/programs etc.
  • We do not know the full extent of the vulnerability/fixes; this is from best knowledge and effort. You are advised to do your own research too and not rely completely on the steps below. Some of these methods are also described in many online articles; I put them together mainly for our customers and people using Debian 6/7.
  • This article is to be performed by those who have sufficient knowledge of these apps/software.
  • Please read more articles and follow online security resources for updates, should there be any.

Check for vulnerability to GHOST by running the following (the --no-check-certificate flag skips TLS verification of the download, so review the fetched C source before compiling it):

1) wget http://goo.gl/MgtleY --no-check-certificate -O gistfile1.c
2) gcc gistfile1.c -o GCHECKER
3) ./GCHECKER

To check which services/software are probably affected (so you can restart the affected services instead of rebooting):
1) lsof | grep libc | awk '{print $1}' | sort | uniq

Fix for Debian 6 Squeeze

1) Add the following repos to /etc/apt/sources.list (adding them at the end is fine)
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

2) apt-get update

3) apt-get install libc6

4) Reboot (I didn't have to reboot; some say to reboot, others say to just restart the services that use glibc/libc6)

5) Check again as shown above to verify.

Fix for Debian 7 Wheezy

1) apt-get update

2) apt-get install libc6

3) Reboot (I didn't have to reboot; some say to reboot, others say to just restart the services that use glibc/libc6)

4) Check again as shown above to verify.
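Services that were started before the new libc6 landed keep running against the old library, so the fix is not in effect for them until they are restarted. The following added check (not from the original post) finds those processes via /proc/PID/maps, where the replaced library shows up as "(deleted)"; it complements the lsof one-liner above. It assumes a Linux /proc layout, and takes the proc root as a parameter so the constructed sample can be run offline.

```shell
#!/bin/sh
# Added example (not from the original post): after "apt-get install libc6", list the
# processes that still have the OLD, now-deleted libc mapped. Those are the services
# that must be restarted (or the box rebooted) before the GHOST fix actually applies.
# Assumes a Linux /proc layout; the proc root is a parameter so it can be tested offline.

# Print "PID COMMAND" for every process whose memory map still references a libc
# file marked "(deleted)", i.e. a libc that was replaced on disk after the process started.
find_stale_libc_users() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # a typical map line: "... r-xp ... /lib/x86_64-linux-gnu/libc-2.13.so (deleted)"
        if grep -q '/libc[-.][^ ]* (deleted)$' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"
            pid="${pid##*/}"
            comm="?"
            [ -r "$proc_root/$pid/comm" ] && read -r comm < "$proc_root/$pid/comm"
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}

# Number of affected processes (0 means nothing needs restarting).
count_stale_libc_users() {
    find_stale_libc_users "$1" | wc -l | tr -d ' '
}

# Build a constructed /proc look-alike under $1: one stale process, one fresh one, and
# one holding an unrelated deleted file (which must NOT be reported).
make_sample_proc() {
    root="$1"
    mkdir -p "$root/101" "$root/202" "$root/303"
    # PID 101: sshd started before the upgrade, still maps the deleted libc
    cat > "$root/101/maps" <<'EOF'
7f2a3c000000-7f2a3c1a0000 r-xp 00000000 08:01 131100 /lib/x86_64-linux-gnu/libc-2.13.so (deleted)
7f2a3c3a0000-7f2a3c3a4000 rw-p 00000000 00:00 0
EOF
    printf 'sshd\n' > "$root/101/comm"
    # PID 202: asterisk restarted after the upgrade, maps the new libc
    cat > "$root/202/maps" <<'EOF'
7f9b1e000000-7f9b1e1a0000 r-xp 00000000 08:01 131245 /lib/x86_64-linux-gnu/libc-2.13.so
EOF
    printf 'asterisk\n' > "$root/202/comm"
    # PID 303: a process holding a rotated log file, not a libc problem
    cat > "$root/303/maps" <<'EOF'
7fc0aa000000-7fc0aa100000 rw-s 00000000 08:01 99001 /var/log/old.log (deleted)
EOF
    printf 'rsyslogd\n' > "$root/303/comm"
}

# Usage: sh stale-libc.sh --demo      (constructed sample)
#        . ./stale-libc.sh; find_stale_libc_users   (the real /proc, run as root)
if [ "${1:-}" = "--demo" ]; then
    tmp="$(mktemp -d)"
    make_sample_proc "$tmp"
    echo "Processes still using the old libc (constructed sample):"
    find_stale_libc_users "$tmp"
    rm -rf "$tmp"
fi
```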


All the best, and do advise if you find problems or have suggestions to improve this guide.

Thanks!

Saturday, December 13, 2014

Google Voice/Google Talk no audio behind a NATted Asterisk Server

Thought I'd quickly write this for those having no-audio issues with GTalk.

First, follow the guide here to get it set up properly. Remember to have the DTMF(1) in your dialplan before executing the actual internal dialplan, per the document referred to earlier.

The issue is that the headers sent out to Google contain your internal IP (since you're NATting), so you need a helper of sorts, otherwise the RTP is discarded. The solution is simple: use a STUN server.

For FreePBX users, edit /etc/asterisk/rtp_custom.conf; the rest of you, simply edit the [general] section of /etc/asterisk/rtp.conf.

Add the following lines; here I am using Google's STUN server.

icesupport=yes
stunaddr=stun.l.google.com:19302

PS: ICE support must already be there anyway...

And you should get two way audio without an issue.

Have a great weekend.

Wednesday, December 3, 2014

FreePBX Device User Mode – “User” password change using touchtone keypad (or a feature code)

One client requested this, as his entire office of 200 users uses the Device/User mode of FreePBX 2.11. This office is a hybrid of regular office use and a call center of up to 20 agents.
With this feature, users can dial a code and change their password whenever they want.

Firstly, you need to have the following in your setup:

- FreePBX 2.9 or higher (I used 2.11)
- Asterisk 1.6 or higher (I used 11.x)

This dialplan is intended to be used with FreePBX, since FreePBX stores most of its configuration in MySQL. The dialplan changes values in MySQL directly using Asterisk's MYSQL app. Follow as guided and you will get this running in no time.

Steps in short:

1) Create a low privilege user in MySQL
2) Put up a custom code dialplan
3) Enable the custom dialplan code in FreePBX

1) Create low privilege user in MySQL

Since we want this low-privilege user to only query and write a very small number of table fields, we give it just that much permission.

a) Log into MySQL as root with the password you previously set.
NOTE: If you have trouble running these commands, be sure to check the single and double quotes against the guide. If something other than that appears when pasting, change accordingly.

#mysql -u root -p

Once inside MySQL, copy and paste the following; this guide creates a user called "pwdmgr" with password "letmeinbaby".

CREATE USER 'pwdmgr'@'localhost' IDENTIFIED BY 'letmeinbaby';
GRANT SELECT (extension) ON asterisk.users TO 'pwdmgr'@'localhost';
GRANT SELECT,UPDATE (password) ON asterisk.users TO 'pwdmgr'@'localhost';
FLUSH PRIVILEGES;

2) Paste the following dialplan into extensions_custom.conf

[macro-change-loginpw]
exten => s,1,Answer()
    same => n,NoOp(User password changing app)
    same => n,ExecIf($["${AMPUSER}" = ""]?Hangup(16))
    same => n,Set(DEVICETYPE=${DB(DEVICE/${AMPUSER}/type)})
    same => n,ExecIf($["${DEVICETYPE}" = "fixed"]?Hangup(16))
    same => n,Set(CURRENTPW=${DB(AMPUSER/${AMPUSER}/password)})
    same => n,Authenticate(${CURRENTPW})
    same => n,Read(NEWPASS,vm-newpassword)
    same => n,Set(DB(AMPUSER/${AMPUSER}/password)=${NEWPASS})
    same => n,MYSQL(Connect connid localhost pwdmgr letmeinbaby asterisk)
    same => n,MYSQL(Query resultid ${connid} UPDATE users set password='${NEWPASS}' WHERE extension='${AMPUSER}')
    same => n,MYSQL(Disconnect ${connid})
    same => n,PlayBack(your&vm-password&has-been-changed-to)
    same => n,SayDigits(${NEWPASS})
    same => n,Hangup(16)


Save and exit!

3) Set it up in FreePBX to invoke the custom macro above by dialing a feature code


Go to FreePBX, select Admin, then Custom Destinations, and add as below:
Custom Destination: macro-change-loginpw,s,1
Description: AnythingYouLike

Then click on Submit Changes.

Next, go to Applications, select Misc Applications, and fill in as below:

Description=Anything you like
Feature Code: Any code not conflicting with current FeatureCodes, e.g. *15 is not really used in a Standard FreePBX setup
Status: Enabled (you can disable this in FreePBX)
Destination: The Custom Destination you created just now.

Click Submit Changes, then click the Apply Conf button.

All done. Now go ahead and try it out for yourself: dial *15 from a logged-on user. You can also modify the dialplan to ask for a username in case you want to change the password of a user who is not logged on.

As usual, do suggest improvements and report bugs.

Wednesday, November 19, 2014

Limiting calls by DIDs for FreePBX users, with dynamic configurable parameters

Image Source: http://appcrawlr.com/android-apps/best-apps-restrict-access

So, we had this challenge from our customer: they use a PRI and support multiple customers, and each customer needs to be limited to n channels on the PRI. When they were using analog lines that was straightforward: it's a physical line, so there is nothing much to do about "limiting" it; it is limited by design!

The following guide allows you to limit calls based on:

  • A single DID
  • A group of DIDs (in this guide the number of DIDs per group is limited to 5; add more and improvise as you wish)
  • Group DIDs are a union, meaning that if you have DID1 and DID2 with a limit of 3 calls, the calls coming in to those DIDs at any one time are added up, and if they exceed 3 the call is hung up.

Anyway, here's a quick how-to to give you an idea of how to go about it. Improvise as you see fit :-)

Requirements (my system):

1) FreePBX 2.10 or 2.11
2) Asterisk 1.8 or higher
3) DAHDI-based PRI or SIP, or just about anything, with the use of proper declarations (variables)
4) MySQL
5) Debian Wheezy
6) Adminer, to run a few MySQL tasks such as creating the DB/tables, editing values in them etc.

So here's how:

  1. Create a database inside MySQL called LIMITER
  2. Use Adminer and paste the following code using the "SQL Command" feature

    USE `LIMITER`;
    CREATE TABLE `tbl_didlimiter` (
    `group` int(255) NOT NULL AUTO_INCREMENT,
    `data` varchar(100) DEFAULT NULL,
    PRIMARY KEY (`group`)
    ) ENGINE=MyISAM DEFAULT CHARSET=latin1;

  3. Now we will create a user superuser with password dbgod00; paste the following code into SQL Command again

    CREATE USER 'superuser'@'localhost' IDENTIFIED BY 'dbgod00';
    GRANT ALL PRIVILEGES ON LIMITER.* TO 'superuser'@'localhost';
    FLUSH PRIVILEGES;

  4. Now we edit the dialplan, the most important part! Since I use FreePBX, we use the _custom.conf files to add new hacks. So that's exactly what we are doing here: copy and paste the code below into extensions_custom.conf.

    #nano /etc/asterisk/extensions_custom.conf

    ;; DIALPLAN START ;;

    ;; READ ME FIRST
    ;; copyleft sanjay@astiostech.com
    ;; 1. Set trunks to use the from-pstn, from-dahdi, from-zaptel OR from-trunk contexts
    ;; 2. The highlighted values may need to be changed depending on what you see in the
    ;;    channel variables; in most cases we see either EXTEN or FROM_DID or even CALLERID(DNID)
    ;; 3. Be sure this value is available and that they match each other; in my case the value
    ;;    ${EXTEN} eventually matches the value ${CALLERID(DNID)}, and they must
    ;; 4. This only supports one unique DID entry in the DB. If there are multiple entries,
    ;;    by mistake or whatever, it will only pick out the first result returned
    ;;
    ;; 5. Feel free to add more G numbers as shown below; right now it's just 5
    ;; 6. MAXDEFAULT is the global limit applied when no DB definition is found for that DID.
    ;;    If you do not want a blanket setting, leave MAXDEFAULT blank (the default); if you want
    ;;    a global limit, set MAXDEFAULT and it then applies to all DIDs not set in the DB.
    ;;    Only when a value is found in the DB do that DB value's limits override MAXDEFAULT.

    [from-pstn-custom]
    exten => _X.,1,NoOp(Handling incoming to do cool stuff)
    same => n,Set(GROUP()=${EXTEN})
    same => n,Macro(didchoke)

    [macro-didchoke]
    exten => s,1,NoOp(Checking for incoming limits and applying if needed)
    exten => s,n,Set(MAXDEFAULT="")
    exten => s,n,MYSQL(Connect connid localhost superuser dbgod00 LIMITER)
    exten => s,n,MYSQL(Query resultid ${connid} SELECT data from tbl_didlimiter where data like '%${CALLERID(DNID)}%' LIMIT 1)
    exten => s,n,MYSQL(Fetch fetchid ${resultid} DBRESULT)
    exten => s,n,MYSQL(Clear ${resultid})
    exten => s,n,MYSQL(Disconnect ${connid})

    exten => s,n,ExecIf($["${DBRESULT}"=""]?Set(DBRESULT=${CALLERID(DNID)}))
    exten => s,n,GotoIf($["${DBRESULT}"=""]?exception)

    ;
    exten => s,n,Set(GROUPLIMIT=${CUT(DBRESULT,:,2)})
    exten => s,n,ExecIf($["${GROUPLIMIT}"=""]?Set(GROUPLIMIT=${MAXDEFAULT}))
    exten => s,n,GotoIf($["${GROUPLIMIT}"=""]?exception)
    ;
    exten => s,n,Set(DIDS=${CUT(DBRESULT,:,1)})
    exten => s,n,Set(DID1=${CUT(DIDS,\,,1)})
    exten => s,n,Set(DID2=${CUT(DIDS,\,,2)})
    exten => s,n,Set(DID3=${CUT(DIDS,\,,3)})
    exten => s,n,Set(DID4=${CUT(DIDS,\,,4)})
    exten => s,n,Set(DID5=${CUT(DIDS,\,,5)})
    ;
    exten => s,n,ExecIf($["${DID1}"!=""]?Set(G1=${GROUP_COUNT(${DID1})}))
    exten => s,n,ExecIf($["${DID2}"!=""]?Set(G2=${GROUP_COUNT(${DID2})}))
    exten => s,n,ExecIf($["${DID3}"!=""]?Set(G3=${GROUP_COUNT(${DID3})}))
    exten => s,n,ExecIf($["${DID4}"!=""]?Set(G4=${GROUP_COUNT(${DID4})}))
    exten => s,n,ExecIf($["${DID5}"!=""]?Set(G5=${GROUP_COUNT(${DID5})}))
    ;
    exten => s,n,ExecIf($["${DID1}"=""]?Set(G1=0))
    exten => s,n,ExecIf($["${DID2}"=""]?Set(G2=0))
    exten => s,n,ExecIf($["${DID3}"=""]?Set(G3=0))
    exten => s,n,ExecIf($["${DID4}"=""]?Set(G4=0))
    exten => s,n,ExecIf($["${DID5}"=""]?Set(G5=0))
    ;
    exten => s,n,Set(TOTALGGROUPCHANS=$[${G1}+${G2}+${G3}+${G4}+${G5}])
    exten => s,n,NoOp(So total channels here are ${TOTALGGROUPCHANS} of GROUPLIMIT of ${GROUPLIMIT})
    exten => s,n,GotoIf($[${TOTALGGROUPCHANS} > ${GROUPLIMIT}]?overlimit)
    exten => s,n,MacroExit()
    ;
    exten => s,n(overlimit),Busy(20)
    exten => s,n,Hangup(16)
    exten => s,n,MacroExit()
    ;
    exten => s,n(exception),MacroExit()

    ;; DIALPLAN END ;;

  5. Now reload the Asterisk dialplan; be sure to tail the log file to start troubleshooting if things don't go right.
    #asterisk -rx "dialplan reload"
  6. Now edit the DB values and add DIDs as shown in the examples below; use Adminer or similar for easy editing
    E.g. 1 Format: DID1:3
    Where DID1 is the DID you wish to limit to 3 channels
    E.g. 2 Format: DID1,DID2,DID3,DID4,DID5:3
    Where DID1-5 are the DIDs you wish to limit to 3 channels combined

    Here's sample data from my own server!

Fire away and test it out! As usual, I appreciate feedback and ideas to improve. Do let us know how it went for you!

Thursday, November 13, 2014

Setting up DHCP in a cluster (heartbeat) for Debian users

Some may want to do this if you use an HA setup where DHCP is required to be HA too. Doing it via heartbeat alone isn't good, as it doesn't keep track of IPs already issued and can cause long delays in providing IPs to clients should a failover/failback occur.

For documentation purposes we will assume the following; please take note and match the IPs below in the config files:

  • Primary IP 10.10.10.1
  • Secondary IP 10.10.10.2
  • IP range offered to DHCP clients: from 10.10.10.20 to 10.10.10.250
  • Netmask 255.255.255.0 (class B)
  • Gateway is 10.10.10.254
  • NTP refers to our own servers, if you run NTP on the respective servers
  • If there's a firewall, be sure to allow these servers to communicate on port 647 TCP/UDP
  • Monitor the activity in /var/log/syslog
  • This config does NOT handle TFTP options; add TFTP manually if you need it

1) First, install DHCP (on both servers)

#apt-get install isc-dhcp-server

2) Set up the rndc key; paste the one-liner below (on both servers)
#echo randomdh | base64
NOTE: Change "randomdh" to anything you want. The above command should give you output like "cmFuZG9tZGgK". Use this key where applicable, by pasting it into the relevant files as shown below:

#nano /etc/rndc.key

cmFuZG9tZGgK

3) Edit the DHCP defaults and ensure that DHCP is only offered via the required interface (in most cases eth0): locate the word INTERFACES and set it accordingly (on both servers)

#nano /etc/default/isc-dhcp-server

INTERFACES="eth0"

4) Edit the DHCPD config file as below, changing items accordingly (on master only)

#nano /etc/dhcp/dhcpd.conf

authoritative;
option domain-name "customername.internal";
option domain-name-servers 10.10.10.1,10.10.10.2;

key rndckey {
    algorithm hmac-md5;
    secret "cmFuZG9tZGgK";
}

failover peer "failover" {
    primary;
    address 10.10.10.1;
    port 647;
    peer address 10.10.10.2;
    peer port 647;
    max-response-delay 60;
    max-unacked-updates 10;
    mclt 3600;
    split 128;
    load balance max seconds 3;
}

subnet 10.10.10.0 netmask 255.255.255.0 {
    pool {
        failover peer "failover";
        range 10.10.10.20 10.10.10.250;
        option dhcp-server-identifier 10.10.10.1;
        option subnet-mask 255.255.255.0;
        option broadcast-address 10.10.10.255;
        default-lease-time 43200;
        max-lease-time 43200;
        option routers 10.10.10.254;
        deny dynamic bootp clients;
        option ntp-servers 10.10.10.1;
    }
    allow unknown-clients;
    ignore client-updates;
}

5) Restart DHCP (on master only)
#/etc/init.d/isc-dhcp-server restart

6) Edit the DHCPD config file as below, changing items accordingly (on slave only)

#nano /etc/dhcp/dhcpd.conf

authoritative;
option domain-name "customername.internal";
option domain-name-servers 10.10.10.2,10.10.10.1;

key rndckey {
    algorithm hmac-md5;
    secret "cmFuZG9tZGgK";    # the same key generated in step 2, as on the master
}

failover peer "failover" {
    secondary;
    address 10.10.10.2;
    port 647;
    peer address 10.10.10.1;
    peer port 647;
    max-response-delay 60;
    max-unacked-updates 10;
    mclt 3600;
    load balance max seconds 3;
}

subnet 10.10.10.0 netmask 255.255.255.0 {
    pool {
        failover peer "failover";
        range 10.10.10.20 10.10.10.250;
        option dhcp-server-identifier 10.10.10.2;
        option subnet-mask 255.255.255.0;
        option broadcast-address 10.10.10.255;
        default-lease-time 43200;
        max-lease-time 43200;
        option routers 10.10.10.254;
        deny dynamic bootp clients;
        option ntp-servers 10.10.10.2;
    }
    allow unknown-clients;
    ignore client-updates;
}

7) Restart DHCP (on slave only)
#/etc/init.d/isc-dhcp-server restart
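As an added example (not part of the original post), here is a small shell check for the two configs above: it confirms that the primary and secondary failover peer blocks mirror each other (roles, address against peer address, port against peer port, split only on the primary, identical pool range) before either daemon is restarted, and it shows how to generate a random secret for the key block instead of base64 of a fixed word. It assumes the one-statement-per-line layout used above; the sample pair is constructed from the values in this post.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check a primary and a secondary
# dhcpd.conf before restarting either daemon. The failover pair only forms when the two
# "failover peer" blocks mirror each other; a typo in an address, port or role leaves both
# servers in a non-serving state. Assumes the flat "keyword value;" layout used above.

# $1=file $2=keyword $3=scope ("failover": inside the failover peer {} block, "any": whole file)
# Prints the value of the first matching "keyword value;" line, "yes" for a bare "keyword;".
conf_get() {
    awk -v key="$2" -v scope="$3" '
        /^[ \t]*failover[ \t]+peer[^;]*[{]/ { inblk = 1; next }
        inblk && /^[ \t]*}/                 { inblk = 0 }
        scope == "any" || inblk {
            line = $0
            sub(/;.*$/, "", line); sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            n = length(key)
            if (line == key) { print "yes"; exit }
            if (substr(line, 1, n) == key && substr(line, n + 1, 1) ~ /[ \t]/) {
                val = substr(line, n + 1); sub(/^[ \t]+/, "", val); print val; exit
            }
        }' "$1"
}

# $1=primary dhcpd.conf $2=secondary dhcpd.conf; prints each mismatch, returns 1 if any.
check_failover_pair() {
    p="$1"; s="$2"; rc=0
    [ "$(conf_get "$p" primary failover)" = "yes" ]   || { echo "primary file lacks 'primary;'"; rc=1; }
    [ "$(conf_get "$s" secondary failover)" = "yes" ] || { echo "secondary file lacks 'secondary;'"; rc=1; }
    [ "$(conf_get "$p" address failover)" = "$(conf_get "$s" "peer address" failover)" ] \
        || { echo "primary address != secondary peer address"; rc=1; }
    [ "$(conf_get "$s" address failover)" = "$(conf_get "$p" "peer address" failover)" ] \
        || { echo "secondary address != primary peer address"; rc=1; }
    [ "$(conf_get "$p" port failover)" = "$(conf_get "$s" "peer port" failover)" ] \
        || { echo "primary port != secondary peer port"; rc=1; }
    [ "$(conf_get "$s" port failover)" = "$(conf_get "$p" "peer port" failover)" ] \
        || { echo "secondary port != primary peer port"; rc=1; }
    [ -n "$(conf_get "$p" split failover)" ] || { echo "primary lacks 'split'"; rc=1; }
    [ -z "$(conf_get "$s" split failover)" ] || { echo "'split' belongs on the primary only"; rc=1; }
    [ "$(conf_get "$p" range any)" = "$(conf_get "$s" range any)" ] || { echo "pool ranges differ"; rc=1; }
    return $rc
}

# 32 random bytes, base64-encoded: a real secret for the key block (the post's
# "echo randomdh | base64" just encodes a guessable word).
gen_failover_secret() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# Constructed pair mirroring the values in this post (abridged to the relevant statements).
write_sample_pair() {
    cat > "$1/primary.conf" <<'EOF'
authoritative;
failover peer "failover" {
  primary;
  address 10.10.10.1;
  port 647;
  peer address 10.10.10.2;
  peer port 647;
  mclt 3600;
  split 128;
}
subnet 10.10.10.0 netmask 255.255.255.0 {
  pool {
    failover peer "failover";
    range 10.10.10.20 10.10.10.250;
  }
}
EOF
    cat > "$1/secondary.conf" <<'EOF'
authoritative;
failover peer "failover" {
  secondary;
  address 10.10.10.2;
  port 647;
  peer address 10.10.10.1;
  peer port 647;
  mclt 3600;
}
subnet 10.10.10.0 netmask 255.255.255.0 {
  pool {
    failover peer "failover";
    range 10.10.10.20 10.10.10.250;
  }
}
EOF
}

# Usage: sh dhcp-failover-check.sh --demo, or call check_failover_pair on the real files.
if [ "${1:-}" = "--demo" ]; then
    d="$(mktemp -d)"; write_sample_pair "$d"
    if check_failover_pair "$d/primary.conf" "$d/secondary.conf"; then echo "failover pair: OK"; fi
    echo "random secret for the key block: $(gen_failover_secret)"
    rm -rf "$d"
fi
```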

Tuesday, October 21, 2014

POODLE SSLv3 Vulnerabilities Fixes on Debian/pfSense for common widely used apps

Systems or apps that have SSLv3 enabled are vulnerable, and the only fix currently is to disable SSLv3 in the various software and applications. Whenever you see any cert that says Version V3, it is vulnerable and must be disabled until further notice.
Ref: CVE-2014-3566

IMPORTANT

  • USE THIS GUIDE AT YOUR OWN RISK; I am not responsible for any broken apps/programs etc.
  • We do not know the full extent of the vulnerability/fixes; this is from best knowledge and effort. You are advised to do your own research too and not rely completely on the steps below. These methods are also described in many online articles; I put them together mainly for our customers and people using Debian 6/7.
  • This article is to be performed by those who have sufficient knowledge of these apps/software.
  • Please read more articles and follow online security resources for updates, should there be any.
  • Until a patch is released, customers are advised to simply disable SSLv3, whether it is enforced or used as a fallback method for providing encryption.

Software that we use/distribute

1) Apache
2) Asterisk
3) Nagios (and related software)
4) pfSense and related software (e.g. OpenVPN)
5) Other related software

There are many guides out there, and we have copied some of them for the ease of our clients.

Apache fix

#nano /etc/apache2/mods-available/ssl.conf
Locate the SSLProtocol directive. If it doesn't exist, add exactly the following inside the <IfModule> block:
SSLProtocol all -SSLv2 -SSLv3
If it exists in that file, change
SSLProtocol all -SSLv2 to SSLProtocol all -SSLv2 -SSLv3

Restart apache
#/etc/init.d/apache2 restart

A simple test for apache would be to run
#openssl s_client -ssl3 -connect localhost:443

It should throw an error like "handshake failure"; that's good: SSLv3 is disabled on Apache!

Asterisk fix

Read more here: http://downloads.asterisk.org/pub/security/AST-2014-011.html

For Asterisk 11

Go to your Asterisk 11 source directory
#cd /usr/src/asterisk-11…..
If it doesn't exist, just download it from http://downloads.asterisk.org/pub/telephony/asterisk/. NOTE: Asterisk 11.13.1 fixes this, so you don't have to patch as below if you are re-downloading.
#wget http://downloads.asterisk.org/pub/security/AST-2014-011-11.diff
#patch -p0 < AST-2014-011-11.diff

For recent installs (2013 onwards):
#make clean && ./configure --with-crypto --with-ssl --with-srtp=/usr/local/lib --prefix=/usr
#make && make install

Older installs: simply run (skip if the above worked!)
#make clean && ./configure

For Asterisk 1.8

Go to your Asterisk 1.8 source directory
#cd /usr/src/asterisk-1.8…..
If it doesn't exist, just download it from http://downloads.asterisk.org/pub/telephony/asterisk/. NOTE: Asterisk 1.8.31.1 fixes this, so you don't have to patch as below if you are re-downloading.
#wget http://downloads.asterisk.org/pub/security/AST-2014-011-1.8.diff
#patch -p0 < AST-2014-011-1.8.diff
#make clean && ./configure --with-crypto --with-ssl --with-srtp=/usr/local/lib --prefix=/usr

Older installs: simply run (skip if the above worked!)
#make clean && ./configure

#make && make install

For both 1.8 and 11, restart Asterisk (FreePBX users!)
#amportal kill
#amportal start

Nagios fix

[Nagios info contributor: Anthony [at..]] Astiostech.com
Nagios itself, as a monitoring system, doesn't use SSL in the monitoring core itself. With the POODLE SSLv3 vulnerabilities in mind, so far Nagios itself is not vulnerable to the issue, as the following explains.

Nagios Console (Monitoring Core)

The Nagios Core monitoring engine doesn't use SSL in itself. It is only used by the Nagios Web Console or any Nagios web configuration editor. These web consoles are very dependent on the running HTTP server in the system. Therefore the POODLE vulnerabilities on the core Nagios should be properly handled by the HTTP server itself.

Nagios NRPE

The SSL option in NRPE is used to encrypt the monitoring data. When this is switched on, Nagios NRPE encrypts the data between the Nagios Core and the remote server. According to the file 'src/nrpe.c' line 256, since January 19th 2004, by default SSLv3 and SSLv2 have been disabled in NRPE and only TLS protocols are used. Therefore it is considered safe if SSL is enabled in the NRPE agent.

Nagios NDO2DB

The SSL option in NDO2DB is used to encrypt the monitoring data received from Nagios. When this is switched on, Nagios NDO2DB encrypts the data between the Nagios Core and the NDO2DB server. According to the file 'src/ndo2db.c' in line 167, since January 19th 2004, by default SSLv3 and SSLv2 have been disabled in ndo2db and only TLS protocols are used. Therefore it is

pfSense fix

The webserver

Go into the pfSense shell and run
#openssl s_client -connect localhost:443 -ssl3
If you see a value other than NONE for the cipher, then it's vulnerable and must be fixed.

Using the WebUI, we will download and install the System Patches package
1) Go to System, then Packages, and click on Available Packages
2) Locate System Patches and add/install it
3) Go back to System and click on Patches
4) Click on + to add a new patch
5) If using 2.2.x, enter "5ff7f58e5903cca4f99edd20f9db402163527fd6" without quotes as the commit ID
6) If using 2.1.x, enter "29be59ad8ed25830f4e50a89977aca53ad8a29f4" without quotes as the commit ID
7) Click on Save; it will bring you back to the main page. Click on Fetch and wait for it to complete. Now you should see the word Test; click on it. Once tested, it will tell you whether the patch can be applied cleanly. Only then click Apply. If not, you've done something wrong :(
8) Restart the web service
9) Point your browser to /restart_httpd.php; for example, if your pfSense IP is https://10.10.10.1 then just go to https://10.10.10.1/restart_httpd.php
10) Run again
#openssl s_client -connect localhost:443 -ssl3
You should now get an error!
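The following added example (not from the original post) makes the s_client test from the Apache and pfSense sections repeatable: it classifies captured "openssl s_client -ssl3" output as vulnerable or not, and checks an Apache ssl.conf for an SSLProtocol line that really excludes SSLv3. The live check assumes the openssl binary is on PATH; the two transcripts are constructed and abridged.

```shell
#!/bin/sh
# Added example (not from the original post): turn the manual "openssl s_client -ssl3"
# test from the Apache and pfSense sections into a repeatable check, and verify that an
# Apache ssl.conf really excludes SSLv3. The live check assumes openssl is on PATH;
# the verdict logic itself runs on captured output, so it can be tested offline.

# Read "openssl s_client -ssl3" output on stdin; print vulnerable / not-vulnerable / unknown.
# With SSLv3 disabled the server aborts the handshake ("handshake failure", Cipher 0000);
# with SSLv3 still enabled a real cipher suite is negotiated and reported.
sslv3_verdict() {
    out="$(cat)"
    cipher="$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1)"
    if printf '%s\n' "$out" | grep -qiE 'handshake failure|wrong version number|no protocols available'; then
        echo "not-vulnerable"
    elif [ -z "$cipher" ]; then
        echo "unknown"          # no session summary at all (connection refused, timeout, ...)
    elif [ "$cipher" = "0000" ] || [ "$cipher" = "(NONE)" ] || [ "$cipher" = "NONE" ]; then
        echo "not-vulnerable"
    else
        echo "vulnerable"       # an SSLv3 session with a real cipher was established
    fi
}

# Live check of a host (port defaults to 443); </dev/null ends the session immediately.
check_sslv3() {
    openssl s_client -ssl3 -connect "$1:${2:-443}" </dev/null 2>&1 | sslv3_verdict
}

# Return 0 when every SSLProtocol line in an Apache config excludes SSLv3 (either via
# "-SSLv3" or by listing TLS versions only), 1 when the directive is missing or allows it.
apache_sslprotocol_ok() {
    lines="$(grep -iE '^[[:space:]]*SSLProtocol' "$1" || true)"
    [ -n "$lines" ] || return 1             # no directive present: cannot show SSLv3 is off
    bad="$(printf '%s\n' "$lines" | grep -viE -- '-SSLv3' \
           | grep -ciE '(^|[[:space:]])all([[:space:]]|$)|[[:space:]+]SSLv3' || true)"
    [ "$bad" -eq 0 ]
}

# Constructed, abridged s_client transcripts for offline use.
sample_sclient_disabled() {
    cat <<'EOF'
CONNECTED(00000003)
140735173456032:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
EOF
}
sample_sclient_enabled() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=pbx.example.internal
---
New, SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
EOF
}

# Usage: sh poodle-check.sh --demo [host]   (host optional; needs network and openssl)
if [ "${1:-}" = "--demo" ]; then
    echo "disabled sample: $(sample_sclient_disabled | sslv3_verdict)"
    echo "enabled sample:  $(sample_sclient_enabled | sslv3_verdict)"
    if [ -n "${2:-}" ]; then echo "live $2: $(check_sslv3 "$2")"; fi
fi
```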

The OpenVPN

OpenVPN uses TLS, so it is not vulnerable. OpenVPN uses TLSv1.0 or (with >=2.3.3) optionally TLSv1.2, and is thus not impacted by POODLE. [src: pfSense forum]

Other software that uses SSLv3

If you are aware of any other encryption software that may use SSLv3, you might need to search online for documents on how to disable SSLv3 within that app's implementation. If you know of such an app and need help from us, do contact us and we will have a look at it.

Saturday, October 11, 2014

Debian 7 (wheezy) based Asterisk 13, Freepbx 12 on VMware / Virtualbox (Asterisk VM/Asterisk Ready Virtual Machine)


[UPDATED: 03 FEB 2015]

Here's a VMDK image to run a full-featured Asterisk PBX with FreePBX as the management UI, using our default and secure install practices. No registration, no username/password, no signing up for a newsletter.

Get it from SourceForge: https://sourceforge.net/projects/debianasterisk/ [Select the SWSterisk13 folder, then download the zip file therein]

After extracting, you need VirtualBox, VMware Player/VMware or any virtualization product that supports VMDK files; or, if you're using Hyper-V, convert the image to VHD using MVMC from here. This is to give you a feel of Asterisk with FreePBX without worrying about installation etc.; it's plug and play, literally. Just start it up in VirtualBox/VMware Player and get it up and running in seconds. Go into FreePBX and start creating extensions and enabling other features.

This image is free from any lockdowns or customizations that you cannot reverse, disable or enable as you wish. It is completely FREE from any personal restrictions.

This image does not trace usage, "dial home" or anything strange like that. Totally clean, totally lean and totally fast. It is functional and you can hook it up to a real production environment and you almost have a full-fledged PBX; just add a Digium VoIP gateway or another IP-based PSTN.

IMPORTANT

  • DISCLAIMER: By using this VIRTUAL MACHINE IMAGE, I disclaim any sort of liability whatsoever. What you do with this image is purely your choice/action.
  • This is not "another distro", nothing proprietary; I don't claim any copyrights, I just made it look and feel like it's mine for fun, but of course any of those customizations can be reversed. All other trademarks are properties of their respective owners. All rights reserved.

Here's some information about the VM image you just downloaded:

  • It's in ZIP compression; just get WinRAR or 7-Zip to extract. After extracting, there should be one VMDK; just mount the VMDK in VMware/VMware Player or VirtualBox and start the image.
  • Username/password
  • OS
    - Username: root (the other, non-root user is support, with the same password as below)
    - Password: asteriskrocks (change this!)
  • FreePBX (admin), MySQL (root), AMI (admin) usernames and passwords:
    username: admin
    password: @steriskRocks1 (change this; here's a good guide to start you off with: http://www.freepbx.org/support/documentation/installation/first-steps-after-installation)
  • REMEMBER REMEMBER REMEMBER: CHANGE PASSWORDS!
  • The network adapter is set to auto on eth0.
  • The image needs at least 384M memory (or more if you have more)
  • All source files except kernel-headers are removed to save disk space for downloading; you need to download them manually (size before compression ~2.2GB, size after compression ~600M)

OS features/settings

  • Debian 7.6.0 64-bit (source: AMD64 netinstall). UPDATED: Bash vulnerability fixed with the latest patch no. 33, SSLv3 disabled and GHOST vulnerability fixed.
  • Disks are LVM, so you can add more storage
  • The interface, eth0, is set to use DHCP, so be sure to hook up DHCP or manually edit the IP. IPv6 is disabled. In case you can't bring the interface up, run #ifconfig -a, then edit /etc/network/interfaces and set all values to correspond to the interface shown by ifconfig -a (not loopback, of course)
  • Webmin installed but not started (# /etc/init.d/webmin start, then access it at https://<ipaddress>:10000). Use sparingly; it has many holes if it doesn't get updated constantly.
  • Apache as web server with enforced HTTPS (port 443)
  • MySQL administration with Adminer at https://<ipaddress>/dbmanage.php
  • phpSysInfo at https://<ipaddress>/phpsysinfo
  • Munin for monitoring at https://<ipaddress>/munin
  • DHCP and TFTP server downloaded, not installed
  • Firewalled with iptables (be sure to see /bin/wallfire.sh). UPDATED with bug fixes; it can be stopped and started with #wallfire stop and #wallfire start
  • Time, i.e. NTP, auto-syncs with ntp.org daily, on start and on stop
  • Exim4 (mail server) configured to relay; configure your email appropriately with #dpkg-reconfigure exim4-config
  • fail2ban properly set up and ready for SSH and Asterisk failed attempts (modify the notification email in /etc/fail2ban/jail.conf) - UPDATED
  • Many CLI tools for troubleshooting like tcpdump, ntop, htop...
  • Astribank support [if you ever need it]
  • Removed VirtualBox OSE additions for best compatibility

FreePBX/Asterisk features

  • FreePBX 12 with most basic and extended modules pre-installed - UPDATED to v12.0.36
  • Asterisk 13.1.1 (DAHDI tools/linux 2.10.0.1, libpri). NOTE: I have set chan_sip as the default SIP driver, not pjsip; I had issues with fail2ban and other things. All other components will work fine, not to worry. Change as you see fit.
  • Asterisk runs at high priority (nice = 10)
  • New version of g711 selected
  • H.323 enabled
  • SRTP enabled (GoogleTalk/XMPP/Jingle + Secure RTP)
  • Iksemel for GoogleTalk/XMPP/Jingle
  • Asterisk CEL logging enabled (in DB/table asteriskcdr/cel)
  • Log rotation enabled for files inside /var/log/asterisk/
  • Extra codecs: Speex (wanted to add SILK and openg729 but they seem to crash the Asterisk codec translators)
  • WebRTC ready using FreePBX's UCP
    • Notes on using this
      • A test user has been created for you to use immediately.
      • Click on UCP.
      • Username: 2000, password 2000 (the password can be changed under User Management)
      • When using Chrome, be sure to check and enable "unsafe script" in the top right corner of the address bar
      • Be sure ports 80 (or 443) and 8088, both TCP, are opened to this box
      • Here's me making a test call with that user 2000 inside UCP

Tuesday, October 7, 2014

Error 0x0000005d when installing Windows 10 tech preview on Oracle VirtualBox (4.3.x)

Thought I'd quickly make a note of this. If you get this error with Windows 10 Technical Preview on VirtualBox, you probably have to set the OS type in the General settings to Windows 8.1 (32- or 64-bit, depending on the version you've downloaded).

Also be sure to have sufficient video memory (> 32M), then reboot and start the installation. Cheers :-)