Saturday, December 13, 2014

Google Voice/Google Talk no audio behind a NATted Asterisk Server

I thought I'd quickly write this up for those having no-audio issues with Gtalk.

First, follow the guide here to get it set up properly. Remember to have the DTMF(1) in your dialplan before executing into the actual internal dialplan, per the document referred to earlier.

The issue is that the headers sent out to Google contain your internal IP (since you're NATting), so you need a helper, otherwise the RTP is discarded. The solution is simple: use a STUN server.

For FreePBX users, edit /etc/asterisk/rtp_custom.conf; the rest of you, simply edit /etc/asterisk/rtp.conf in the general section.

Add the following line in bold; here I am using Google's STUN server.

icesupport=yes
stunaddr=stun.l.google.com:19302

PS> Ice support must already be there, anyway…

And you should get two way audio without an issue.

Have a great weekend.

Wednesday, December 3, 2014

FreePBX Device User Mode – “User” password change using touchtone keypad (or a feature code)

One client requested this, as his entire office of 200 users uses the Device User mode of FreePBX 2.11. The office is a hybrid of regular office use and a call center of up to 20 agents.
With this feature, users can dial a code and change their password whenever they want.

Firstly, you need to have the following in your setup:

- FreePBX 2.9 or higher (i used 2.11)
- Asterisk 1.6 or higher (i used 11.x)

This dialplan is intended for use with FreePBX, since FreePBX keeps most of its configuration in MySQL. The dialplan changes values in MySQL directly using Asterisk's MYSQL app. Follow the steps and you will get this running in no time.

Steps in short:

1) Create a low privilege user in MySQL
2) Put up a custom code dialplan
3) Enable the custom dialplan code in FreePBX

1) Create low privilege user in MySQL

Since we want this low-privilege user to query and write only a few table columns, we grant it exactly that much permission.

a) Log into MySQL as root with the password you've previously set.
NOTE: If you have trouble running these commands, check that the single and double quotes are exactly as shown in this guide. If anything else appears when pasting, change it accordingly.

#mysql -u root -p

When inside MySQL, copy and paste the following; this guide creates a user called “pwdmgr” with password “letmeinbaby”.

-- Column-level grants: the column list must follow each privilege,
-- otherwise SELECT would apply to the whole table.
CREATE USER 'pwdmgr'@'localhost' IDENTIFIED BY 'letmeinbaby';
GRANT SELECT (extension) ON asterisk.users TO 'pwdmgr'@'localhost';
GRANT SELECT (password), UPDATE (password) ON asterisk.users TO 'pwdmgr'@'localhost';
FLUSH PRIVILEGES;

2) Paste the following dialplan into extensions_custom.conf

[macro-change-loginpw]
exten => s,1,Answer()
    same => n,NoOp(User password changing app)
    same => n,ExecIf($["${AMPUSER}" = ""]?Hangup(16))
    same => n,Set(DEVICETYPE=${DB(DEVICE/${AMPUSER}/type)})
    same => n,ExecIf($["${DEVICETYPE}" = "fixed"]?Hangup(16))
    same => n,Set(CURRENTPW=${DB(AMPUSER/${AMPUSER}/password)})
    same => n,Authenticate(${CURRENTPW})
    same => n,Read(NEWPASS,vm-newpassword)
    same => n,Set(DB(AMPUSER/${AMPUSER}/password)=${NEWPASS})
    same => n,MYSQL(Connect connid localhost pwdmgr letmeinbaby asterisk)
    same => n,MYSQL(Query resultid ${connid} UPDATE users set password='${NEWPASS}' WHERE extension='${AMPUSER}')
    same => n,MYSQL(Disconnect ${connid})
    same => n,PlayBack(your&vm-password&has-been-changed-to)
    same => n,SayDigits(${NEWPASS})
    same => n,Hangup(16)


Save and exit.

3) Set it up in FreePBX to invoke that custom macro you did above using feature code like dialing


Go to FreePBX, select Admin, then select Custom Extensions, add like below
Custom Destination=macro-change-loginpw,s,1
Description: AnythingYouLike

Then click on Submit Changes

Next, go to Applications, select Misc Application, do like below

Description=Anything you like
Feature Code: Any code not conflicting with current FeatureCodes, e.g. *15 is not really used in a Standard FreePBX setup
Status: Enabled (you can disable this in FreePBX)
Destination: The Custom Destination you created just now.


Click Submit Changes, now click the Apply Conf button.

 

All done, now go ahead and try it out for yourself, dial *15 on a logged on user. You can also hack the dialplan to ask for username in case you want to change for non-logged on user.

As usual, do suggest improvements and report bugs.

Thursday, November 13, 2014

Setting up DHCP in a clustered (heartbeat) for Debian users

Some may want to do this when running an HA setup where DHCP is required to be in HA too. Doing it via heartbeat isn't good, as it doesn't keep track of IPs already issued and can cause long delays in providing IPs to clients should a failover/failback occur.

For the purposes of this document we assume the following; take note of the IPs and match them in the config files below

  • Primary IP 10.10.10.1
  • Secondary IP 10.10.10.2
  • IP range offered to dhcp clients = from 10.10.10.20 to 10.10.10.250
  • Netmask 255.255.255.0 (class B)
  • Gateway is 10.10.10.254
  • NTP points to the servers themselves, provided you run NTP on the respective servers
  • If there's a firewall, be sure to allow these servers to communicate on port 647 tcp/udp
  • Monitor the activities in /var/log/syslog
  • This config does NOT handle TFTP options; add TFTP manually if you need it

 1) First, install DHCP (on both servers)

#apt-get install isc-dhcp-server

2) Setup rndc key, paste the single liner like below (on both servers)
#echo randomdh | base64
NOTE: Change “randomdh” to anything you want. The above command should give you an output like this: “cmFuZG9tZGgK”. Use this key where applicable, pasting it into the relevant files as shown below;

#nano /etc/rndc.key

cmFuZG9tZGgK

3) Edit the DHCP defaults and ensure that DHCP is only offered via the required interface, which in most cases may be eth0; locate the word INTERFACES and add accordingly (on both servers)

#nano /etc/default/isc-dhcp-server

INTERFACES="eth0"

4) Edit the DHCPD config file as per below, change items accordingly (on master only)

#nano /etc/dhcp/dhcpd.conf

authoritative;
option domain-name "customername.internal";
option domain-name-servers 10.10.10.1,10.10.10.2;

key rndckey {
algorithm hmac-md5;
secret "cmFuZG9tZGgK";
}

failover peer "failover" {
primary;
address 10.10.10.1;
port 647;
peer address 10.10.10.2;
peer port 647;
max-response-delay 60;
max-unacked-updates 10;
mclt 3600;
split 128;
load balance max seconds 3;
}

subnet 10.10.10.0 netmask 255.255.255.0
{
pool {
failover peer "failover";
range 10.10.10.20 10.10.10.250;
option dhcp-server-identifier 10.10.10.1;
option subnet-mask 255.255.255.0;
option broadcast-address 10.10.10.255;
default-lease-time 43200;
max-lease-time 43200;
option routers 10.10.10.254;
deny dynamic bootp clients;
option ntp-servers 10.10.10.1;
}
allow unknown-clients;
ignore client-updates;
}

5) Restart DHCP (on master only)
#/etc/init.d/isc-dhcp-server restart

6) Edit the DHCPD config file as per below, change items in red (on slave only)

#nano /etc/dhcp/dhcpd.conf

authoritative;
option domain-name "customername.internal";
option domain-name-servers 10.10.10.2,10.10.10.1;

key rndckey {
algorithm hmac-md5;
secret "cmFuZG9tZGgK";
}

failover peer "failover" {
secondary;
address 10.10.10.2;
port 647;
peer address 10.10.10.1;
peer port 647;
max-response-delay 60;
max-unacked-updates 10;
mclt 3600;
load balance max seconds 3;
}

subnet 10.10.10.0 netmask 255.255.255.0
{
pool {
failover peer "failover";
range 10.10.10.20 10.10.10.250;
option dhcp-server-identifier 10.10.10.2;
option subnet-mask 255.255.255.0;
option broadcast-address 10.10.10.255;
default-lease-time 43200;
max-lease-time 43200;
option routers 10.10.10.254;
deny dynamic bootp clients;
option ntp-servers 10.10.10.2;
}

allow unknown-clients;
ignore client-updates;
}

7) Restart DHCP (on slave only)
#/etc/init.d/isc-dhcp-server restart

Tuesday, October 21, 2014

POODLE SSLv3 Vulnerabilities Fixes on Debian/pfSense for common widely used apps

Systems or apps that have SSLv3 enabled are vulnerable, and the only fix currently is to disable SSLv3 in the various software and applications. Whenever you see any cert that says Version V3, it is vulnerable and must be disabled until further notice.
Ref: CVE-2014-3566

IMPORTANT

  • USE THIS GUIDE AT YOUR OWN RISK, i am not responsible for any broken apps/programs etc etc.
  • We do not know the extent of the vulnerability/fixes this is from best knowledge and effort, you are advised to research of your own too and not completely rely on these below. These methods are also described in many many online articles, i put them together mainly for our customers and people using Deb6/7.
  • This article is to be done/performed by those who have sufficient knowledge in these apps/software
  • Please read more articles and follow online security resources for updates should there be any.
  • Until a patch is released, customers are advised to simply disable SSLv3 as part of an enforced or fallback method for providing encryption.

Software that we use/distribute

1) Apache
2) Asterisk
3) Nagios (and related software)
4) pfSense and related software (e.g. OpenVPN)
5) Other related software

There are many guides out there and (i’ve) we have copied some of them for the ease of our clients

Apache fix

#nano /etc/apache2/mods-available/ssl.conf
Locate the value SSLProtocol; if it doesn't exist, add it exactly as below, before the closing </IfModule> tag
SSLProtocol all -SSLv2 -SSLv3
If it exists in that file, change it as below
SSLProtocol all -SSLv2 to SSLProtocol all -SSLv2 -SSLv3

Restart apache
#/etc/init.d/apache2 restart

A simple test for apache would be to run
#openssl s_client -ssl3 -connect localhost:443

It should throw an error like handshake failure, that’s good!, SSLv3 is disabled on Apache!
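
A config-side check to go with the s_client test above, as an added example (not from the original post): it reads every SSLProtocol directive in a file and reports whether SSLv3 is still on, including the case where a copy-paste turned the hyphen in -SSLv3 into an en-dash. The function names and the sample file are constructed here; it assumes `all` includes SSLv3, as on the mod_ssl builds this post targets, and that an unprefixed protocol name replaces the set built so far.

```sh
#!/bin/sh
# Added example: report whether each SSLProtocol directive leaves SSLv3 on.
# Assumptions: "all" includes SSLv3, and mod_ssl reads the arguments left to
# right, with an unprefixed protocol name replacing the set built so far.

# Print enabled | disabled | malformed for one SSLProtocol argument list.
sslv3_state() {
    state=disabled
    for tok in "$@"; do
        tok=$(printf '%s' "$tok" | tr '[:upper:]' '[:lower:]')
        case $tok in
            all|+all|sslv3|+sslv3) state=enabled ;;
            -all|-sslv3)           state=disabled ;;
            [+-]sslv2|[+-]tlsv1*)  ;;                   # SSLv3 setting untouched
            sslv2|tlsv1*)          state=disabled ;;    # bare name replaces the set
            *)                     echo malformed; return 0 ;;  # e.g. a pasted en-dash
        esac
    done
    echo "$state"
}

# Audit one config file: a line of output per SSLProtocol directive, or
# "missing" if there is none. Returns 1 unless every directive is "disabled".
audit_sslprotocol() {
    file=$1 lineno=0 seen=0 rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -f; set -- $line; set +f          # split on whitespace, no globbing
        [ $# -gt 0 ] || continue
        name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        [ "$name" = sslprotocol ] || continue  # skips comments and other directives
        shift
        seen=1
        verdict=$(sslv3_state "$@")
        [ "$verdict" = disabled ] || rc=1
        echo "$file:$lineno: SSLv3 $verdict"
    done < "$file"
    if [ "$seen" -eq 0 ]; then echo "$file: SSLProtocol missing"; rc=1; fi
    return $rc
}

# Constructed sample: the pre-fix directive, the fixed one, and the fixed one
# as it looks after a copy-paste replaced the hyphen with an en-dash.
sample_report() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
<IfModule mod_ssl.c>
    # SSLProtocol all
    SSLProtocol all -SSLv2
    SSLProtocol all -SSLv2 -SSLv3
    SSLProtocol all -SSLv2 –SSLv3
</IfModule>
EOF
    audit_sslprotocol "$tmp" | sed "s|^$tmp|ssl.conf|"
    rm -f "$tmp"
}

sample_report
```

On a real box, run audit_sslprotocol against /etc/apache2/mods-available/ssl.conf and each vhost file that sets its own SSLProtocol.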

Asterisk fix

Read stuff here: http://downloads.asterisk.org/pub/security/AST-2014-011.html

For Asterisk 11

Go to your Asterisk 11 source directory
#cd /usr/src/asterisk-11…..
If it doesn't exist, just download from http://downloads.asterisk.org/pub/telephony/asterisk/. NOTE: Asterisk 11.13.1 fixes this so you don’t have to patch as below if you are redownloading.
#wget http://downloads.asterisk.org/pub/security/AST-2014-011-11.diff
#patch -p0 < AST-2014-011-11.diff

For recent installs (2013 onwards):
#make clean && ./configure --with-crypto --with-ssl --with-srtp=/usr/local/lib --prefix=/usr
#make && make install

Older Installs simply run (Skip if the above worked!)
#make clean && ./configure

For Asterisk 1.8

Go to your Asterisk 1.8 source directory
#cd /usr/src/asterisk-1.8…..
If it doesn't exist, just download from http://downloads.asterisk.org/pub/telephony/asterisk/. NOTE: Asterisk 1.8.31.1 fixes this, so you don’t have to patch as below if you are redownloading
#wget http://downloads.asterisk.org/pub/security/AST-2014-011-1.8.diff
#patch -p0 < AST-2014-011-1.8.diff
#make clean && ./configure --with-crypto --with-ssl --with-srtp=/usr/local/lib --prefix=/usr

Older Installs simply run (Skip if the above worked!)
#make clean && ./configure

#make && make install

For both 1.8 and 11, restart Asterisk (FreePBX users!)
#amportal kill
#amportal start

Nagios fix

[Nagios info contributor: Anthony [at..]] Astiostech.com
Nagios itself as a monitoring system doesn't use SSL in the monitoring core itself. With the POODLE SSLv3 Vulnerabilities in mind, so far Nagios itself is not vulnerable to the issue as the following explains.

Nagios Console (Monitoring Core)

Nagios Core monitoring engine doesn't use SSL in itself. It is only used by the Nagios Web Console or any Nagios Web Configuration Editor. These web consoles are very dependent on the running HTTP server in the system. Therefore the POODLE vulnerabilities on the CORE Nagios should be properly handled by the HTTP server itself.

Nagios NRPE

SSL option in NRPE is used to encrypt the monitoring data. When this is switched on Nagios NRPE encrypts the data between the Nagios Core and the remote server. According to the file 'src/nrpe.c' line 256, since January 19th 2004, by default SSLv3 and SSLv2 have been disabled in NRPE and only TLS protocols are used. Therefore it is considered safe if the SSL is enabled in the NRPE agent.

Nagios NDO2DB

SSL option in NDO2DB is used to encrypt the received monitoring data from Nagios. When this is switched on Nagios NDO2DB encrypts the data between the Nagios Core and the NDO2DB server. According to the file 'src/ndo2db.c' in line 167, since January 19th 2004, by default SSLv3 and SSLv2 have been disabled in ndo2db and only TLS protocols are used. Therefore it is

pfSense fix

The webserver

Go into the shell of pfsense, and run
#openssl s_client -connect localhost:443 -ssl3
If you see a value other than NONE in the cipher then it's vulnerable and must be fixed.

Using the WebUI, we will download and install the system patch manager
1) Goto System, go to Packages, click on Available Packages
2) Locate System Patches and add it/install it
3) Go back to System, click on Patches
4) Click on + to add new patch
5) If using 2.2x, enter this “5ff7f58e5903cca4f99edd20f9db402163527fd6” without quotes as the commit ID
6) If using 2.1x, enter “29be59ad8ed25830f4e50a89977aca53ad8a29f4” without quotes as the commit ID
7) Click on Save, then it will bring you out to the main page, click on Fetch. Wait for it to complete. Now, you should see the word test, click on test. Once you can test, it will tell you patch can be applied cleanly. If only so, click Apply. If not, you’ve done something wrong :(
8) Restart the webservice
9) Point your browser to /restart_httpd.php, say if your pfsense IP is https://10.10.10.1 then just point to https://10.10.10.1/restart_httpd.php
10) Run again
#openssl s_client -connect localhost:443 -ssl3
You should now get an error!

The OpenVPN

OpenVPN uses TLS so it is not vulnerable. OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. [src pfsense forum]

Other software that uses SSLv3

If you are aware of any other encrypting software that may use SSLv3, you might need to search for documents online on how to disable SSLv3 within the app’s implementation. If you know of such app and need help from us, do contact us and we will have a look at it.

Saturday, October 11, 2014

Debian 7 (wheezy) based Asterisk 13, Freepbx 12 on VMware / Virtualbox (Asterisk VM/Asterisk Ready Virtual Machine)

[UPDATED: 03 FEB 2015]

Here’s a VMDK image to run a full featured Asterisk PaBX with FreePBX as the management UI using our default and secure install practices. No registrations, no username/password, no signing up for newsletter.

Get it from Sourceforge: https://sourceforge.net/projects/debianasterisk/ [Select SWSterisk13 folder, then download the zip file therein]

 

After extracting, You either need VirtualBox or VMPlayer/VMWare or any Virtualization products that supports VMDK files or if you’re using Hypervisor, convert the image to VHD using MVMC from here.  This is to give you a feel of Asterisk with FreePBX without worrying about installation etc., its plug and play, literally. Just start up to your VirtualBox/VMplayer and get it up and running in seconds. Go in to FreePBX and start creating extensions and enable other features.

This image is free from any lockdowns or customizations that you cannot reverse or disable or enable as you wish. It is completely FREE from any personal restrictions.

This image does not trace usage, or “dials home” or anything strange like that. Totally clean, totally lean and totally fast. It is functional and you can hook it up to a real production environment and you almost have a full fledge PBX, just add a Digium VoIP Gateway or another IP based PSTN.

IMPORTANT

  • DISCLAIMER: By using this VIRTUAL MACHINE IMAGE, i disclaim any sorts of liability whatsoever. What you do with this image is purely your choice/actions.
  • This is not "another distros", nothing proprietary, i don't claim any copyrights, just make it look and feel like its mine for fun, but of course any of those customizations can be reversed. All other trademarks are properties of their respective owners. All rights reserved.
Here’s some information about the VM image you just downloaded
  • It’s in ZIP compression, just get WinRAR or 7-ZIP to extract. After extracting, there should be one vmdk just mount the vmdk into VMWare/VMPlayer or Virtualbox and start the image
  • Username/password
  • OS
    - Username: root (the other non root user is support with same password as below)
    - Password: asteriskrocks (change this!)
  • FreePBX(admin), MySQL(root), AMI(admin): usernames and passwords;
    username: admin
    password: @steriskRocks1 (change this, here’s a good guide to start you off with http://www.freepbx.org/support/documentation/installation/first-steps-after-installation)
  • REMEMBER REMEMBER REMEMBER: CHANGE PASSWORDS!
  • The network adapter is set to auto on eth0.
  • Image needs at least 384M memory (or more if you have more)
  • All source files except kernel-headers are removed to save disk space for downloading, you need to download them manually (Size before compression ~ 2.2GB, size after compression ~600M)

OS features/settings

  • Debian 7.6.0 64bit (Source AMD64 netinstall) UPDATED, Bash Vulnerability Fixed with latest patch no33, SSLV3 disabled and Ghost Vulnerability fixed.
  • Disks are LVM so you can add more storage
  • The interface, eth0, is set to use DHCP, so be sure to hook up DHCP or manually edit the IP. IPV6 is disabled. In case you can’t bring the interface up, run #ifconfig -a . Then edit the file in /etc/network/interfaces and set all values to correspond to the interface shown when you run ifconfig -a (not loopback of course)
  • Webmin installed but not started (# /etc/init.d/webmin start , then access using https://<ipaddress>:10000) . Use sparingly, has many holes if it doesn’t get updated constantly.
  • Apache as webserver with enforced HTTPS (Port 443)
  • MySQL administration with Adminer in https://<ipaddress>/dbmanage.php
  • Phpsysinfo https://<ipaddress>/phpsysinfo
  • Munin for monitoring in https://<ipaddress>/munin
  • DHCP and TFTP server downloaded, not installed
  • Firewalled with IPTables (be sure to see /bin/wallfire.sh) –UPDATED bug fixes can be stopped and started #wallfire stop #wallfire start
  • Time i.e NTP autosyncs with ntp.org daily, when starting and when stopping
  • Exim4 (mailserver) configured to relay, configure your email appropriately #dpkg-reconfigure exim4-config
  • fail2ban properly set up and ready for ssh and asterisk failed attempts (modify notification email here /etc/fail2ban/jail.conf) - UPDATED
  • Many CLI tools for troubleshooting like tcpdump, ntop, htop…
  • Astribank support [if ever u need it]
  • Removed Virtualbox OSE addons for best compatibility
FreePBX/Asterisk features
  • FreePBX 12 with most basic and extended modules pre-installed – UPDATED to v12.0.36
  • Asterisk 13.1.1 (Dahdi tools/linux 2.10.0.1/LibPRI). NOTE I have set to chan_sip as the default sip driver, not pjssip. Had issues with fail2ban and other things. But all other components will work fine, not to worry. Change as you see fit.
  • Asterisk runs as high priority (Nice = 10)
  • New version of g711 selected
  • H323 Enabled
  • SRTP enabled (GoogleTalk/XMPP/Jingle + Secure RTP)
  • Iksemel for GoogleTalk/XMPP/Jingle
  • Asterisk-CEL logging enabled (in DB/table asteriskcdr/cel)
  • Log rotation enabled for files inside /var/log/asterisk/
  • Extra codecs: Speex (wanted to add SILK and openg729 but they seem to crash Asterisk codec translators)
  • WebRTC ready using FreePBX’s UAC
    • Notes on using this
      • A test user has been created for you to immediately use.
      • Click on UCP.
      • Username: 2000, password 2000 (password can be changed under User Management)
      • When using Chrome, be sure to check and enable “unsafe script” on top right corner in the address bar
      • Be sure ports 80 (or 443), ports 8088 both TCP are opened to this box

Tuesday, October 7, 2014

Error 0x0000005d when installing Windows 10 tech preview on Oracle VirtualBox (4.3.x)

I thought I'd quickly make a note of this. If you get this error with the Windows 10 Tech Preview on VirtualBox, you probably have to set the version in the General settings to Windows 8.1 (32 or 64 bit, depending on the version you’ve downloaded).

Also be sure to have sufficient video memory > 32M, reboot and start installation. Cheers :-)

Thursday, October 2, 2014

FreePBX RCE vulnerability CVE: 2014-7235

The FreePBX team has been made aware of a security vulnerability affecting one of its modules called the Asterisk Recording Interface (ARI). While many of our users do not use this module on a day to day basis, it is available in almost all our installs.

Important Notes

  • This vulnerability allows unauthenticated remote execution of code via the web, including shell commands, which are then limited to the rights of the apache process (in our clients' cases, that would be the low privilege user asterisk). However, this user has rights to manage the Asterisk, FreePBX and other web related software or services.
  • FreePBX versions affected: Any version prior to version 12 (e.g. 2.8,2.9,2.10,2.11). 
  • All OS versions
  • This is a FreePBX only bug, not Asterisk, not OS, etc..
  • It is safe to upgrade during production/live. Restarts or reboots are not required

The fixes have been available since 30 Sept 2014, and users are advised to run the following commands, or to upgrade via the module admin page of the web interface. The following commands may require internet access from the Asterisk/FreePBX console to perform the upgrade.

(Do not copy the '#' when pasting into the putty/CLI interface, they are indicators of command line codes)

#rm -rf /var/www/html/admin/modules/admindashboard
#amportal a ma delete admindashboard

NOTE: You may NOT have the above modules installed, even if in error, ignore and proceed as below;

Now, locate and delete these files like below

#find / -name 'c2.pl' -exec rm -i {} \;
#find / -name 'c.sh' -exec rm -i {} \;

The above commands search for the automated hacking scripts (if they exist) and ask you to remove them; just hit [y]es if they are found. Otherwise, the commands return an empty output.

Finally, and most importantly, get the upgrade;
#amportal a ma upgrade fw_ari
#amportal a r

Alternatively, you can upgrade the module as shown above via the FreePBX module admin module too.

Systems that expose the http/https port TCP80 or TCP443 (or FreePBX) interface via the internet are at particularly higher risk; you are advised to immediately close all access from the Internet to your FreePBX webUI, and should be doing so anyway as a security best practice.

For more detailed understanding, please checkout article: http://goo.gl/6JT3oT

Friday, September 26, 2014

Bash vulnerability possible quick fix for Debian 6 and 7 (squeeze and wheezy) - "CVE-2014-6271" or more CVEs

A bug discovered by Stephane Chazelas

IMPORTANT - MUST READ:

  • USE AT YOUR OWN RISK, i am not responsible for any broken apps/programs etc etc. Don’t sue me, im not rich anyway.
  • We do not know the extent of the vulnerability/fixes this is from best knowledge and effort, you are advised to research of your own too and not completely rely on these below. These methods are also described in many many online articles, i put them together mainly for our customers and people using Deb6/7.
  • This article is to be done/performed by people who know how to use bash and shell codes, not for newbies
  • Please read more articles and follow online security resources for updates should there be any. If you need to reupgrade, just follow steps below again, in case there’s a better fix/newer version.
NOTES
  • Note on command line operations: the # means its a shell code to run, copy paste that in your SSH console

Intro

For immediate fix to possible vulnerable users: e.g. using vulnerable bash with bash codes that may run on publicly exposed protocols such as SSH/HTTP etc where publicly accessible shell codes are possible. 
More reading: (askubuntu has an easy article to understand)

Test and Check Version

Note # denotes copy and paste into shell, don’t copy the # itself, copy after it, everything should be a single line unless said otherwise
1) Logon to your OS using SSH
2) Run the following 
#curl https://shellshocker.net/shellshock_test.sh | bash
If you see the output showing "vulnerable" from 7 out of 7 checks, you need to fix, therefore, proceed to fix as below. 
3) To check the bash version, run the command below. You might need this info, as you may be upgrading to a higher version of bash as shown in this article. For Debian 6, this article assumes bash 4.1;
#dpkg -s bash | grep Ver

Fix

Fix for Squeeze (Deb6)

Following a guide from http://www.tannkost.no/2014/09/compile-bash-from-source-to-remedy-shellshock-on-debian-lenny/
1) Do this in the /usr/src dir
#cd /usr/src
#wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
#tar zxvf bash-4.1.tar.gz
#cd bash-4.1
2) Fetch all patches, including the latest ones that patch all related CVEs. Note: if you are using bash 4.2x then change accordingly, e.g. change 4.1 to 4.2, 41 to 42 and so on. Since more and more patches are coming out, i am setting the possible number of patches to 25; at time of writing, there are 17 patches.
#for i in $(seq -f %03g 0 25); do wget -nv http://ftp.gnu.org/gnu/bash/bash-4.1-patches/bash41-$i && patch -p0 < bash41-$i; done
#./configure && make
#make install
#mv /bin/bash /bin/bash.old
#ln -s /usr/local/bin/bash /bin/bash
3) Check that you're not vulnerable anymore with the output of the following
# it should not output vulnerable word anymore
#curl https://shellshocker.net/shellshock_test.sh | bash
4) You can and also should delete the old one that's a problem
#rm /bin/bash.old
5) Rerun Test!, you should not be vulnerable anymore.

Fix for Wheezy (Deb7)

1) Just run below for Wheezy
#apt-get update
#apt-get install --only-upgrade bash
2) Rerun Test!, you should not be vulnerable anymore. Your bash version should also be higher than that specified above in the MUST READ section.
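
A local alternative to piping the remote test script into bash, as an added example (not from the original post): it probes each bash binary directly, which matters on Squeeze where /bin/bash.old stays on disk until step 4. It covers CVE-2014-6271 and CVE-2014-7169 only, not all seven checks of the remote script; the function names are made up here.

```sh
#!/bin/sh
# Added example: local Shellshock probes for every bash binary on the box.
# Both probes are harmless: one echoes a marker, the other would only create
# a file inside a scratch directory that is removed afterwards.

# CVE-2014-6271: a vulnerable bash runs the text that follows a function
# definition while importing it from the environment.
# $1 = absolute path of the bash binary to probe.
check_6271() {
    out=$(env 'probe=() { :;}; echo MARKER_6271' "$1" -c 'true' 2>/dev/null) || true
    case $out in
        *MARKER_6271*) echo vulnerable ;;
        *)             echo patched ;;
    esac
}

# CVE-2014-7169: the incomplete first patch left parser state behind, so the
# command below ended up redirecting into a file named "echo".
# $1 = absolute path of the bash binary to probe.
check_7169() {
    work=$(mktemp -d) || return 2
    ( cd "$work" && env 'X=() { (a)=>\' "$1" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$work/echo" ]; then verdict=vulnerable; else verdict=patched; fi
    rm -rf "$work"
    echo "$verdict"
}

# Probe each existing binary in the argument list, print one line per binary,
# and return 1 if any of them is still vulnerable.
scan_bash_binaries() {
    worst=0
    for bin in "$@"; do
        [ -x "$bin" ] || continue
        r6271=$(check_6271 "$bin")
        r7169=$(check_7169 "$bin")
        echo "$bin CVE-2014-6271=$r6271 CVE-2014-7169=$r7169"
        if [ "$r6271" = vulnerable ] || [ "$r7169" = vulnerable ]; then
            worst=1
        fi
    done
    return $worst
}

# The paths this post touches: the system bash, the rebuilt one under
# /usr/local/bin, and the old binary left behind by the Squeeze steps.
scan_bash_binaries /bin/bash /usr/local/bin/bash /bin/bash.old
```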

Friday, August 1, 2014

Fixing magnet links on Google Chrome (and re-associate with uTorrent or <insert.favourite.torrent.program.here>)

NOTE: This post is for education purposes only.

I spent some time trying to fix this, and after reading/following some resources online like YouTube links and others, they still didn’t seem to work for me. Finally, I found this regkey, changed one value and it worked for me. It may help you too..

The association of magnet links on torrent sites (which most of them use instead of a .torrent file) may break if you’ve installed/uninstalled a program that also handles magnet/torrent links and may have overridden your favorite torrent proggie e.g. uTorrent as your default torrent handler.

And now, Google Chrome won’t associate/open uTorrent when you click the magnet icon or this type of link.


So, first do try the following:

1) This Youtube link http://www.youtube.com/watch?v=6nELJpK7B5E

2) This other resource http://www.metserve.com/blog/magnet-links-working-with-chrome

 

If those links still don’t help or the problem isn’t fixed, fear not, there’s one other thing you can do:

1) Open up the registry (click start, then run, regedit). In Windows 7 or higher, just type in the application bar search box

2) Look for the following key
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\magnet\UserChoice

3) Edit the REG_SZ value for ProgID and enter your favourite program you wish to associate with, e.g. uTorrent
(How to find my program’s progID - http://www.ehow.com/how_6871656_progid.html)

 

 

And done! IT should work now. Cheers!

Friday, June 20, 2014

Monast – An uber cool FREE web based monitoring for Asterisk (an install guide for Debian users)

I had the chance to install and use Monast (http://monast.sourceforge.net/) by Diego Aguirre and found it extremely useful, simple, fast and FREE to monitor Asterisk 1.4 or higher (this guide uses Asterisk 11.x). Thought i’d share this how to for basic asterisk monitoring needs. Even though the project has not been updated for years, i still find it super useful and works on Asterisk 11 for me just fine.

Important notes:

  • This guide is for users of Debian 32/64, other platforms can adapt, esp the “apt” parts :-)
  • You should already have a running FreePBX (or at least Apache and related libraries) if you do not have FreePBX
  • This guide would likely work for Ubuntu as well

Follow this guide to get it up and running in minutes

  1. Update your apt and get some packages
  2. #apt-get update
  3. #apt-get install python-twisted python-zope.interface php-pear
  4. #pear install HTTP_Client
  5. Get starpy package and install it
  6. #cd /usr/src
  7. #wget -O starpy-1.0.0a13.tar.gz "http://downloads.sourceforge.net/project/starpy/starpy/1.0.0a13/starpy-1.0.0a13.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fstarpy%2Ffiles%2Fstarpy%2F1.0.0a13%2F&ts=1402506121&use_mirror=jaist"
  8. #tar -zxvf starpy-1.0.0a13.tar.gz
  9. #cd starpy-1.0.0a13/
  10. #./setup.py install
  11. #cd ..
  12. Now download monast
  13. #wget -O monast-3.0b4.tar.gz "http://downloads.sourceforge.net/project/monast/Monast%20for%20Asterisk%201.4%2C%201.6%20and%201.8/3.0b4/monast-3.0b4.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fmonast%2Ffiles%2FMonast%2520for%2520Asterisk%25201.4%252C%25201.6%2520and%25201.8%2F3.0b4%2F&ts=1403193094&use_mirror=jaist"
  14. #tar -zxvf monast-3.0b4.tar.gz
  15. #cd monast-3.0b4/
  16. At this point below, simply use the defaults, change if you know what you’re doing….
  17. #./install.sh
  18. Now, lets create an AMI user using FreePBX’s
  19. Note, use the module Asterisk Manager Users and its a recommended way to add AMI users
  20. Create a new manager user called monastfpbx with a secret like this “mysecret123”, select ALL for read, and ALL for write

  21. Submit and apply
  22. If you do not have/use this module, create you own user like this in [freepbx users] /etc/asterisk/manager_custom.conf or rest of the world /etc/asterisk/manager.conf

    [monastfpbx]
    secret = mysecret123
    deny=0.0.0.0/0.0.0.0
    permit=127.0.0.1/255.255.255.0
    read = system,call,log,verbose,command,agent,user,config,dtmf,reporting,cdr,dialplan,originate
    write = system,call,log,verbose,command,agent,user,config,dtmf,reporting,cdr,dialplan,originate
  23. Then reload the manager module #asterisk -rx "manager reload"
  24. Now, edit the monast config file
  25. #nano /etc/monast.conf
  26. Look for the following and change per suggested here (basic setup, change others if you know what you’re doing)

    auth_required = true

    [server: Server_1] # Server name can not contains space
    hostname = 127.0.0.1
    hostport = 5038
    username = monastfpbx
    password = mysecret123

    default_context = from-internal
    transfer_context = from-internal-xfer

    [user: admin]
    secret  = secret12345
    roles   = originate,queue,command,spy
    servers = ALL
  27. Save and exit
  28. Now, lets test start monast
    #/opt/monast/monast.py
    You should see this at minimum (ignore server_2 errors)
    [Fri Jun 20 19:17:05 2014] NOTICE   :: Initializing Monast AMI Interface...
    [Fri Jun 20 19:17:05 2014] NOTICE   :: Parsing config file /etc/monast.conf
    [Fri Jun 20 19:17:05 2014] NOTICE   :: Server Server_1 :: AMI Connected...
  29. Now, ctrl-c to stop that and run this monast as a daemon instead (runs in background)
    #/opt/monast/monast.py --daemon
    You should see something like this:
    Monast daemonized with pid 6738
  30. That’s about it, now log on to the webUI
  31. http(s)://<yourIP>/html/monast with username admin and password secret12345
  32. Remember, you can right click and do stuff to the tabs you see there such as originate calls…
  33. The init.d should be automatically added and should auto start in daemon mode, but do verify yourself
  34. Shout out to Diego Aguirre! awesome software mate :-)
  35. Thanks and as usual do give us feedback

 

Happy weekend folks!

Tuesday, May 13, 2014

OPUS codec with transcoding on Asterisk 11.5.x (or higher, 11.6,11.7,11.8,11.9) with(out) FreePBX

Hi all, this is just a quick and dirty guide to get OPUS and VP8 running on Asterisk 11.9.0 on your Debian box.

  • All credits for the Asterisk patch to meetecho and forked by netaskd for Asterisk 11.5.x or higher support.
  • This guide is intended for Debian 6 - 64bit platform only. Of course, with a little research, you could do it for other platforms as well.
  • Want to know more about why i am so gung-ho about OPUS, see here.
  • If you want quick and easy access to a fully running Asterisk 11.5.x, start from this image and follow the guide below to update it to Asterisk 11.9 and get OPUS/VP8 enabled and running
  • IMPORTANT: There are some legal implications using OPUS on Asterisk code, read all about it here. REMEMBER, this is for educational use only.

Ok, let’s get down to business.

  1. Get “autoconf”, “automake” “pkg-config”
    # apt-get install autoconf automake pkg-config
  2. Get the latest libopus
    # cd /usr/src
    # wget http://downloads.xiph.org/releases/opus/opus-1.1.tar.gz && tar -zxvf opus-1.1.tar.gz && cd opus-1.1
    # ./configure
    # make all && make install
  3. That should get your opus ready for asterisk installation. Since vp8 is merely passthru, it will not require any libraries.
  4. Now, go to the asterisk source installation directory (if you don’t have it, simply download it from here). If you are running my image, you could overwrite the 11.5 by simply following the guide below.
  5. Now, let's get started on the asterisk side
    # cd /usr/src/asterisk-11.9.0
    # wget https://raw.githubusercontent.com/netaskd/asterisk-opus/master/asterisk-11.5.0_opus+vp8.diff -O asterisk_opus+vp8.diff --no-check-certificate
    # patch -p1 -u < asterisk_opus+vp8.diff
    You should see everything working well so far.
    # ./bootstrap.sh
    # make clean && ./configure --with-crypto --with-ssl --with-srtp=/usr/local/lib --prefix=/usr
    IMPORTANT: If you do not have libsrtp, leave only “--prefix=/usr” and remove the rest in that line. Libcrypto and ssl are used for SRTP (for WebRTC mainly)
    # make menuselect
    IMPORTANT: Please be sure to select 1) Codec Opus in Codec Translations, 2) Format VP8 in Format Interpreters and, for best compatibility, 3) all sounds that are SLIN16 (not selected by default) in Core Sound Packages, MOH Packages and Extra Sound.
    IMPORTANT: If you can’t select Opus, something went wrong in your libopus installation! Otherwise it should be preselected for you, but do check nonetheless
    FREEPBX USERS! IMPORTANT: FreePBX users, be sure to select format_mp3, res_config_mysql, app_mysql, app_saycountpl and cdr_mysql in Add-ons
    # save and exit
    FREEPBX USERS! IMPORTANT: Run this # contrib/scripts/get_mp3_source.sh
    # make && make install
  6. Now if you use freepbx, simply run #amportal kill && amportal start
  7. Otherwise, simply kill and start back Asterisk
  8. You should see opus in the translation list
    # asterisk -rx "core show translation"
  9. Also, if you go into asterisk cli, you could type opus <tab> and set debug…that all means the patch worked great, now to test!
  10. Be sure to set allow=opus in your sip general setting or per peer/user. For FreePBX users, go to FPBX UX and select Asterisk SIP settings, then set allow opus/vp8 right at the bottom of that page.
  11. Use a phone that supports OPUS (on Windows you’ve got Phoner, MicroSIP, on mobile you’ve got CSipSimple or BRIA) and dial away to test
  12. I tested with BRIA on my Android with Opus at 48 kHz, dialing the echo test on FreePBX *43

Next, i am going to try this on WebRTC with passthru support for VP8 and full transcoding with OPUS!

Cheers and have a good week ahead, do send your feedback to sanjay---at@---astiostech.com

Thursday, May 1, 2014

The personal & secret telephone menu – with Asterisk/FreePBX

Have you ever wanted to do some crazy telephony stuff such as call a long distance number using your office PaBX, or have it call you back and bridge an open channel (so you can call anywhere) or do just about anything with your own Direct Inward Number (or PSTN number) that only you know how to activate?

Here’s in summary what i wanted to achieve

  1. Use back my existing number, e.g. my own DID
  2. Let it do the same thing as before, i.e. ring my extension, forward to my mobile
  3. BUT, enable a “secret” menu option that only i know that can execute different functions of the PaBX such as dial a long distance number

I wanted to do something like this without affecting my existing number when everyone else dials. But the trick is to not let anyone know it's an IVR that’s actually “answering” the call. So, it's essentially my own private little menu system: when i dial my own number, i can trigger it by dialing the IVR option!

I believe this is a cool feature to enable users to do a multitude of stuff within their Asterisk/FreePBX system;

In an organization, this could be used to:

  1. Check your voicemail from a pstn number
  2. Check calendar appointments (using ICS/Exchange module)
  3. Initiate a call back
  4. Initiate another call (bridging)
  5. Send a voiceblast, …etc.etc.etc

The real trick isn’t a big mystery, it's actually pretty trivial. Here are the steps

  1. Create an IVR and use a ring-ring dialtone as the announcement (as though it is really ringing, but actually it's playing an “ivr” message, giving you time to key in your “secret” code for different functions). Use this file here if you don’t have one. Fake ringtone http://goo.gl/AnHpPI
  2. Set different destinations as ivr menu responses using the beautiful web UI brought to you by FreePBX to do loads of stuff. See sample below;
    Be sure to:
    a) Set the announcement to the fake ringtone you just uploaded (using Admin/System Recordings)
    b) Set direct dial to disable
    c) Set timeout to however long you need to dial your secret codes (ensure it's no longer than the fake ringtone)
    d) Set both invalid and timeout destination to your actual extension without a retry recording i.e. none
    e) Set invalid and timeout retries to zero
    f) In conclusion, follow the settings above verbatim, except for relevant changes for you
  3. Create an inbound route to go to that IVR you just created!
  4. Save and apply configs!
  5. Do two tests: first, dial and enter 2020 and it will “DialGirlFriend”
  6. Second test, dial without pressing anything…it will sound like a normal ring and eventually call your extension

And there you go, thanks to the intuitive design of FreePBX and of course the backend Asterisk super engine, you can do so much of fun stuff, with just one number :)

Happy Labor Day Folks!

 

Sanjay@astiostech

Monday, April 14, 2014

iSymphony - A super cool unified communications platform and user panel for Asterisk/FreePBX + Install guide for Debian/Asterisk/FreePBX

 

 

Some introduction

About iSymphony

For years, i’ve been asked by Asterisk users in many corporations for a web management page for our much loved Asterisk IPPBX. There have been near-complete products out there; some do one thing and not others. I’ve been following iSymphony for some time now, but before V3 it didn’t quite interest me, simply because of the need to install a specific client on the user’s desktop. But now it's pure Web, which is simply awesome. If you would like to get your Asterisk equipped with this cool tool, let us know, and we will do the install and consultancy/setup for you. We can be reached via www.astiostech.com!

The benefits of iSymphony (most screens and text taken off http://www.getisymphony.com/)


iSymphony is the best web-based call management solution for your Asterisk PBX. Thousands of organizations choose iSymphony to organize people and the flow of information from your phone system. Be more productive by communicating on a realtime platform with everyone in your organization.

To summarise, iSymphony is:

  • A centralized directory which enables click to call without touching your actual phone. It reads user info straight off FreePBX! so don’t need to create twice
  • UI to check your voicemails, listen to recordings etc straight off your browser
  • UI to get personalised call logs and see user’s statuses such as busy/free
  • Chat with users within the organization
  • Park calls, jump into conferences, transfer and manage calls to your extension or to a group of extensions you manage (i.e. a real boss secretary module)
  • Integrate into CRMs for popups etc…
  • Drag and drop layout and its also fully customizable to meet each user’s preferences
  • See notifications through the webUI and react to them!
  • Manage everything via its own website or via FreePBX’s module

Everyone should try it, therefore, i am writing this simple guide for initial users who just wanna try it out. Here’s what is covered in this guide

 

Now, lets install!

Prerequisites for this guide (of course, it supports more platforms and versions, see here)

  1. Debian 6 or higher
  2. Asterisk with FreePBX 2.11 or higher
  3. Sun JRE

Firstly, you must have a working Asterisk+FreePBX. If you don’t, get my image from here; it's simple to use and works straight out.

From your CLI, copy/paste and execute the following in #, change where you know stuff, if you don’t just follow the guide!

  1. Install Sun JRE 7 (thanks to http://www.webupd8.org/ for making it so easy to install JRE)
    #echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee /etc/apt/sources.list.d/webupd8team-java.list
    #echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list
    #apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EEA14886
    #apt-get update
    #apt-get install oracle-java7-installer
    NOTE: If you get timeout errors or etc, please retry that last command again until you see “Oracle JDK 7 installed”
  2. Get iSymphony, install and start the daemon
    #cd /usr/src
    #wget http://www.getisymphony.com/files/builds/isymphony/3.0.1_5238/iSymphonyServerV3-3.0.1.5238.tar.gz
    #tar -zxvf iSymphonyServerV3-3.0.1.5238.tar.gz
    #cd iSymphonyServerV3-3.0.1.5238
    #chmod +x install.sh
    #./install.sh [Note, when asked for the location of SUN JRE enter /usr/lib/jvm/java-7-oracle leave default path for install location of iSymphony, i.e. /opt/isymphony3/server]
    #/opt/isymphony3/server/startup.sh [this will start the iSymphony server instance]
    To check if it's running, you should see TCP port 58080 listening
    #netstat -an | grep 58080
  3. Setup AMI (manager)
    If you have the module, use the FreePBX’s Asterisk API module, otherwise, simply edit
    #nano /etc/asterisk/manager_custom.conf
    Paste something like this below

    [cxpanel]
    secret = cxpSecure123
    deny = 0.0.0.0/0.0.0.0
    permit=127.0.0.1/255.255.255.0
    read = all
    write = all


    Now, reload manager like below

    #asterisk -rx "manager reload"
    Note: If you get “Privilege escalation protection disabled!” the setting “live_dangerously” is turned on in asterisk.conf. If this is the case, simply run that “manager reload” command inside the asterisk shell (asterisk -r)

Now, by using the admin page of iSymphony (e.g. http://192.168.2.55:58080/administrator/admin where 192.168.2.55 is your own IP address), login using the FreePBX’s admin user and password (as default used by iSymphony as the admin user). Navigate to Phone System, click on PBX Connection, “edit” the localhost connection setting. In there, modify the username/password as set above. In the example above the username is cxpanel and the password is cxpSecure123. Click save. This will allow iSymphony to originate and control calls using the AMI protocol from Asterisk.
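
A quick audit of the two AMI users this page creates (monastfpbx for Monast, cxpanel for iSymphony), added here as an example and not part of FreePBX, Monast or iSymphony. The function names and the [wallboard] user are assumptions made for illustration; the sample text is constructed in manager.conf syntax.

```python
import ipaddress

# Write classes that give an AMI login control over the host, its config or calls.
RISKY_WRITE = {"all", "system", "command", "config", "originate"}
PUBLISHED_SECRETS = {"mysecret123", "cxpSecure123"}  # printed in this guide

# Constructed sample: the two users from this guide plus a hypothetical third.
SAMPLE = """\
[general]
enabled = yes
[monastfpbx]
secret = mysecret123
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
write = system,call,log,verbose,command,agent,user,config,dtmf,reporting,cdr,dialplan,originate
[cxpanel]
secret = cxpSecure123
deny = 0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
write = all
[wallboard]                 ; hypothetical LAN user, not from the guide
secret = Zq7-constructed-example-value
permit = 192.168.2.0/255.255.255.0
write = reporting
"""

def parse_users(text):
    """Return {user: {key: [values]}} for every section except [general]."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if line.startswith("[") and "]" in line:
            name = line[1:line.index("]")].strip()
            current = None if name == "general" else users.setdefault(name, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key.lower(), []).append(value)
    return users

def audit(text):
    """Return {user: [findings]}; an empty list means nothing was flagged."""
    report = {}
    for user, opts in parse_users(text).items():
        found = []
        classes = {c.strip().lower() for v in opts.get("write", []) for c in v.split(",")}
        if classes & RISKY_WRITE:
            found.append("write grants " + ",".join(sorted(classes & RISKY_WRITE)))
        if not any(d.startswith("0.0.0.0/0") for d in opts.get("deny", [])):  # ACL default is allow
            found.append("no deny-all rule, so permit lines do not restrict anything")
        nets = [ipaddress.ip_network(p, strict=False) for p in opts.get("permit", [])]
        found += [f"permit reaches beyond loopback: {n}" for n in nets if not n.is_loopback]
        if PUBLISHED_SECRETS & set(opts.get("secret", [])):
            found.append("secret copied from a published guide")
        report[user] = found
    return report
```

Run `audit(open("/etc/asterisk/manager_custom.conf").read())` on your own box; a user that needs no risky write class, is limited to loopback and has its own secret comes back with an empty list.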

 

OPTIONAL: Autostart at boot
To enable it to autostart, edit the file  /opt/isymphony3/server/config-vars.sh
Change the JAVA_HOME location to /usr/lib/jvm/java-7-oracle

#nano /etc/init.d/isymphony.sh [then paste the content below ]

#!/bin/sh
# startup script for iSymphony for Debian installations
### BEGIN INIT INFO
# Provides:          isymphony
# Required-Start:    $all
# Required-Stop:     $local_fs $syslog $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start isymphony at boot time
# Description:       Starts isymphony services at bootime
### END INIT INFO
#
case "$1" in
'start')
        # start the iSymphony server instance
        /opt/isymphony3/server/startup.sh
        RETVAL=0
        ;;

'stop')
        # stop the iSymphony server instance
        /opt/isymphony3/server/shutdown.sh
        RETVAL=0
        ;;

*)      echo "Usage: $0 { start | stop }"
        RETVAL=1
        ;;
esac
exit $RETVAL

    1. #chmod +x /etc/init.d/isymphony.sh
      #update-rc.d isymphony.sh defaults

    2. Install and enable the FreePBX iSymphony module
      Download the FreePBX module here [Download the “FreePBX Module” tar.gz file]
      Now, head on to FreePBX, click on Admin | Module Admin and click on Upload Modules. Then upload the FreePBX module (should look something like cxpanel-3.0.5238.tar.gz). Choose file and click “Upload”
      Then, click on Manage Local Modules, and ensure that iSymphony V3 is selected and set to install!
      Click on Process, Confirm and then “Apply Config”
    3. If you have iptables or any type of firewall behind your box (or inside it), be sure it allows TCP 58080!
    4. Now, see the notes below

NOTES:

  1. The default admin page can be accessed via http://192.168.2.55:58080/administrator/admin where 192.168.2.55 is your own IP address
  2. The default admin access is admin/<your freepbx admin password>, mine was @steriskRocks1, per my Asterisk image
  3. Users are created in FreePBX 2.11 (be sure to update to the latest freepbx version online), which now combines/manages users under “User Management” and the usual extension/users module; each user will have an iSymphony account tied to it. It is optional to enable or not.
    My example is user 10000, which i created.
  4. Now, that user 10000 has access to iSymphony, via http://192.168.2.55:58080/client/client where 192.168.2.55 is your own IP Address
  5. Simply log in and you can see the wonderful features/interface
  6. Enjoy and do let me know if you need help or let us help you install in your company

Friday, February 7, 2014

IMPORTANT: Security Vulnerability Notice for FreePBX 2.9 or higher systems

Earlier today, an important security update and notice were released to address a potentially dangerous vulnerability allowing remote code execution without proper authentication. Please take some time to update your systems or your clients’.

Link to the article:

http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice

Taken off the link for a summary:

"We are blogging to inform you of a recently discovered security vulnerability reported yesterday in FreePBX Ticket 7123 (originally reported in ticket 7117 which is locked because of sensitive information). All FreePBX versions 2.9 and above are affected. You should immediately update your FreePBX Framework Module to secure your system from a potential attack."

Thank you FreePBX/Schmooze team for responsibly disclosing and keeping our systems safe.

 

Thank you and have a wonderful weekend.